[MAS Rejection]: Private APIs in Electron Framework (NSAppendToKillRing, _toolbarView, etc.) #49386

@DruidEdu

Preflight Checklist

Electron Version

37.0.0

Rejection Email

Apple's Rejection Message

Guideline 2.5.1 - Performance - Software Requirements

Additionally, we found your app uses or references the following non-public or deprecated APIs:

_toolbarView
_menuImpl
_removeFromGroups:
_isConsideredOpenForPersistentState
_boundsIfOpen
_resizeDirectionForMouseLocation:
NSAppendToKillRing
kCFBundleNumericVersionKey
__NSNewKillRingSequence
_CGSSetWindowCaptureExcludeShape
_CGRegionCreateWithRect
__NSInitializeKillRing
_CTFontCopyVariationAxesInternal
NSYankFromKillRing
NSSetKillRingToYankedState

The use of non-public or deprecated APIs is not permitted on the App Store, 
as they can lead to a poor user experience should these APIs change and are 
otherwise not supported on Apple platforms.

Additional Information

Investigation Results

I have verified that these APIs are NOT in my application code, but exist in the Electron Framework itself.

Evidence 1: APIs found in Electron Framework

Using nm to check symbols in Electron Framework:

# Check for undefined symbols (U type) - these are external references
# (-u lists only undefined symbols; -U would hide them)
$ nm -arch arm64 -gu "MyApp.app/Contents/Frameworks/Electron Framework.framework/Versions/A/Electron Framework" \
  | grep -E "(KillRing|CGSSetWindow|CTFont|toolbarView|menuImpl)"

                 U _CGSSetWindowCaptureExcludeShape
                 U _CTFontCopyVariationAxesInternal
                 U __NSAppendToKillRing
                 U __NSSetKillRingToYankedState
                 U __NSYankFromKillRing
                 U __NSNewKillRingSequence
                 U __NSInitializeKillRing

Note: The U type indicates "undefined" symbols that need to be imported from external libraries. This confirms these APIs are being referenced by Electron Framework.

Evidence 2: Using strings to find API names

$ strings "MyApp.app/Contents/Frameworks/Electron Framework.framework/Versions/A/Electron Framework" \
  | grep -E "(_toolbarView|_menuImpl|_removeFromGroups|_isConsideredOpenForPersistentState|_boundsIfOpen|_resizeDirectionForMouseLocation|kCFBundleNumericVersionKey|_CGRegionCreateWithRect)"

_toolbarView
_menuImpl
_removeFromGroups:
_isConsideredOpenForPersistentState
_boundsIfOpen
_resizeDirectionForMouseLocation:
kCFBundleNumericVersionKey
_CGRegionCreateWithRect

Evidence 3: My application binary is clean

# Scanned my app binary
$ nm -gu "MyApp.app/Contents/MacOS/MyApp" | grep -E "(KillRing|CGSSetWindow|CTFont|toolbarView|menuImpl)"
# (No results - my code doesn't use these APIs)

$ strings "MyApp.app/Contents/MacOS/MyApp" | grep -E "(KillRing|CGSSetWindow|CTFont|toolbarView|menuImpl)"
# (No results)

File Structure Analysis

MyApp.app/
├── Contents/
│   ├── Frameworks/
│   │   └── Electron Framework.framework/  ← Private APIs HERE (Chromium/Electron code)
│   ├── MacOS/
│   │   └── MyApp                          ← My app binary (clean)
│   └── Resources/
│       └── app.asar                       ← My application code (JavaScript/TypeScript)

API Categories

Text Editing APIs (Kill Ring)

These are used by Chromium's text editing engine for clipboard operations:

  • NSAppendToKillRing, NSYankFromKillRing, __NSInitializeKillRing, __NSNewKillRingSequence, NSSetKillRingToYankedState

Window Management APIs

  • _toolbarView, _menuImpl, _removeFromGroups:, _isConsideredOpenForPersistentState, _boundsIfOpen, _resizeDirectionForMouseLocation:

Graphics APIs

  • _CGSSetWindowCaptureExcludeShape, _CGRegionCreateWithRect

Font Rendering

  • _CTFontCopyVariationAxesInternal

Deprecated

  • kCFBundleNumericVersionKey (should use CFBundleVersion/CFBundleShortVersionString)

Build Configuration

// electron-builder config
{
  "mac": {
    "target": ["mas"],
    "hardenedRuntime": false,
    "gatekeeperAssess": false,
    "entitlements": "build/entitlements.mas.plist",
    "entitlementsInherit": "build/entitlements.mas.inherit.plist"
  },
  "mas": {
    "identity": "...",
    "provisioningProfile": "...",
    "type": "distribution"
  }
}

Build Command

I use a custom build script (scripts/package_macos_mas.sh) to build MAS packages:

# Build universal MAS package
./scripts/package_macos_mas.sh universal

The script performs:

  1. npm install - Install dependencies
  2. node scripts/beforeBuild.js - Pre-build steps
  3. npx electron-vite build - Build application
  4. electron-builder --mac mas --universal - Build MAS package with:
    • CSC_IDENTITY_AUTO_DISCOVERY=false

Environment

  • macOS: 14.1 Sonoma
  • Xcode: 15.0
  • Electron: 37.0.0
  • electron-builder: 26.0.12
  • Node.js: 18.x

Questions

  1. Is this a known issue with Electron 37.0.0 (and other versions) for MAS builds?
  2. Are there build flags or configuration options to disable these private APIs for MAS targets?
  3. Has anyone successfully passed App Store review with these APIs present in Electron Framework?
  4. Should I try a different Electron version? (I've seen reports that newer versions may have addressed some of these)
  5. Are these APIs coming from Chromium itself, and if so, is there a way to configure Chromium to avoid them?

Impact

This blocks Mac App Store distribution for any Electron app. Other Electron-based apps (VS Code, Slack, Discord) are on the MAS - how did they resolve this?

Additional Context

  • I've verified these APIs are not in my application code (checked with nm and strings)
  • The APIs appear in Electron Framework binary itself
  • Some APIs show as undefined symbols (U type in nm output), indicating they're being referenced but may be dynamically linked
  • Some APIs only appear as strings, which could be false positives, but Apple's scanner still flags them

Note: I'm willing to provide more debugging info, test patches, or try different approaches if needed. I can also provide the full output of nm and otool commands if that would be helpful.
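
The triage described in the issue, as an added example that is not part of the original post or of the Electron project: it sorts each name from the rejection message into a linked import (present as a `U` symbol in `nm` output), a string-only match (an exact literal in `strings` output, such as an Objective-C selector), or absent. The sample inputs are constructed from the output quoted above, and the function names are hypothetical; leading underscores are stripped for the import comparison because the rejection list shows `NSAppendToKillRing` where `nm` shows `__NSAppendToKillRing`.

```python
# Added example; sample data is constructed from the output quoted in the issue.
FLAGGED = """_toolbarView _menuImpl _removeFromGroups:
_isConsideredOpenForPersistentState _boundsIfOpen
_resizeDirectionForMouseLocation: NSAppendToKillRing
kCFBundleNumericVersionKey __NSNewKillRingSequence
_CGSSetWindowCaptureExcludeShape _CGRegionCreateWithRect
__NSInitializeKillRing _CTFontCopyVariationAxesInternal
NSYankFromKillRing NSSetKillRingToYankedState""".split()

NM_SAMPLE = """\
                 U _CGSSetWindowCaptureExcludeShape
                 U _CTFontCopyVariationAxesInternal
                 U __NSAppendToKillRing
                 U __NSSetKillRingToYankedState
                 U __NSYankFromKillRing
                 U __NSNewKillRingSequence
                 U __NSInitializeKillRing
0000000000001000 T _constructedDefinedSymbol
"""

STRINGS_SAMPLE = """\
_toolbarView
_menuImpl
_removeFromGroups:
_isConsideredOpenForPersistentState
_boundsIfOpen
_resizeDirectionForMouseLocation:
kCFBundleNumericVersionKey
_CGRegionCreateWithRect
toolbarView
"""

def norm(name):
    """Drop leading underscores so the report's spelling matches nm's."""
    return name.lstrip("_")

def parse_nm_undefined(nm_text):
    """Normalized names of undefined ('U') symbols, in the format shown above."""
    syms = set()
    for line in nm_text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[-2] == "U":
            syms.add(norm(parts[-1]))
    return syms

def classify(flagged, nm_text, strings_text):
    """Map each flagged name to 'import', 'string' or 'absent'."""
    imports = parse_nm_undefined(nm_text)
    # Exact match only: '_toolbarView' must not be confused with 'toolbarView'.
    literals = {line.strip() for line in strings_text.splitlines()}
    return {n: "import" if norm(n) in imports
            else "string" if n in literals else "absent" for n in flagged}

if __name__ == "__main__":
    for name, kind in classify(FLAGGED, NM_SAMPLE, STRINGS_SAMPLE).items():
        print(f"{kind:7} {name}")
```

To run it on a real build, pass the captured text of the `nm -gu` and `strings` commands in place of the two sample strings.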
