Use the new notarization tool from Apple (#8192)

This commit is contained in:
Michał Wawrzyniec Urbańczyk 2023-11-01 20:58:28 +01:00 committed by GitHub
parent b5d6628c57
commit a9118ee0c3
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
9 changed files with 68 additions and 30 deletions


@ -821,6 +821,7 @@ jobs:
env:
APPLEID: ${{ secrets.APPLE_NOTARIZATION_USERNAME }}
APPLEIDPASS: ${{ secrets.APPLE_NOTARIZATION_PASSWORD }}
APPLETEAMID: ${{ secrets.APPLE_NOTARIZATION_TEAM_ID }}
CSC_IDENTITY_AUTO_DISCOVERY: "true"
CSC_KEY_PASSWORD: ${{ secrets.APPLE_CODE_SIGNING_CERT_PASSWORD }}
CSC_LINK: ${{ secrets.APPLE_CODE_SIGNING_CERT }}
@ -1008,6 +1009,7 @@ jobs:
env:
APPLEID: ${{ secrets.APPLE_NOTARIZATION_USERNAME }}
APPLEIDPASS: ${{ secrets.APPLE_NOTARIZATION_PASSWORD }}
APPLETEAMID: ${{ secrets.APPLE_NOTARIZATION_TEAM_ID }}
CSC_IDENTITY_AUTO_DISCOVERY: "true"
CSC_KEY_PASSWORD: ${{ secrets.APPLE_CODE_SIGNING_CERT_PASSWORD }}
CSC_LINK: ${{ secrets.APPLE_CODE_SIGNING_CERT }}


@ -628,6 +628,7 @@ jobs:
env:
APPLEID: ${{ secrets.APPLE_NOTARIZATION_USERNAME }}
APPLEIDPASS: ${{ secrets.APPLE_NOTARIZATION_PASSWORD }}
APPLETEAMID: ${{ secrets.APPLE_NOTARIZATION_TEAM_ID }}
CSC_IDENTITY_AUTO_DISCOVERY: "true"
CSC_KEY_PASSWORD: ${{ secrets.APPLE_CODE_SIGNING_CERT_PASSWORD }}
CSC_LINK: ${{ secrets.APPLE_CODE_SIGNING_CERT }}
@ -725,7 +726,7 @@ jobs:
steps:
- if: startsWith(runner.name, 'GitHub Actions') || startsWith(runner.name, 'Hosted Agent')
name: Setup conda (GH runners only)
uses: s-weigand/setup-conda@v1.0.6
uses: s-weigand/setup-conda@v1.2.1
with:
update-conda: false
conda-channels: anaconda, conda-forge
@ -747,7 +748,7 @@ jobs:
run: "git checkout -f $(git -c user.name=x -c user.email=x@x commit-tree $(git hash-object -t tree /dev/null) < /dev/null) || :"
shell: bash
- name: Checking out the repository
uses: actions/checkout@v2
uses: actions/checkout@v4
with:
clean: false
submodules: recursive
@ -787,7 +788,7 @@ jobs:
steps:
- if: startsWith(runner.name, 'GitHub Actions') || startsWith(runner.name, 'Hosted Agent')
name: Setup conda (GH runners only)
uses: s-weigand/setup-conda@v1.0.6
uses: s-weigand/setup-conda@v1.2.1
with:
update-conda: false
conda-channels: anaconda, conda-forge
@ -809,7 +810,7 @@ jobs:
run: "git checkout -f $(git -c user.name=x -c user.email=x@x commit-tree $(git hash-object -t tree /dev/null) < /dev/null) || :"
shell: bash
- name: Checking out the repository
uses: actions/checkout@v2
uses: actions/checkout@v4
with:
clean: false
submodules: recursive
@ -826,6 +827,7 @@ jobs:
env:
APPLEID: ${{ secrets.APPLE_NOTARIZATION_USERNAME }}
APPLEIDPASS: ${{ secrets.APPLE_NOTARIZATION_PASSWORD }}
APPLETEAMID: ${{ secrets.APPLE_NOTARIZATION_TEAM_ID }}
CSC_IDENTITY_AUTO_DISCOVERY: "true"
CSC_KEY_PASSWORD: ${{ secrets.APPLE_CODE_SIGNING_CERT_PASSWORD }}
CSC_LINK: ${{ secrets.APPLE_CODE_SIGNING_CERT }}
@ -856,7 +858,7 @@ jobs:
steps:
- if: startsWith(runner.name, 'GitHub Actions') || startsWith(runner.name, 'Hosted Agent')
name: Setup conda (GH runners only)
uses: s-weigand/setup-conda@v1.0.6
uses: s-weigand/setup-conda@v1.2.1
with:
update-conda: false
conda-channels: anaconda, conda-forge
@ -878,7 +880,7 @@ jobs:
run: "git checkout -f $(git -c user.name=x -c user.email=x@x commit-tree $(git hash-object -t tree /dev/null) < /dev/null) || :"
shell: bash
- name: Checking out the repository
uses: actions/checkout@v2
uses: actions/checkout@v4
with:
clean: false
submodules: recursive
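Review bot: The bumped third-party actions at `uses: s-weigand/setup-conda@v1.2.1` and `uses: actions/checkout@v4` are still referenced by mutable tags, so the job that later receives the Apple signing certificate and notarization credentials runs whatever those tags resolve to at run time. Pinning to a full commit SHA with the tag kept in a trailing comment, e.g. `uses: actions/checkout@<full-commit-sha> # v4`, is the usual supply-chain hardening for workflows that handle signing secrets. These workflow files look generated (the Rust `expose_os_specific_signing_secret` change elsewhere in this commit suggests the YAML is emitted from the build tooling), so the pin would belong in that generator rather than in the emitted file. The action bumps are also unrelated to the notarization change named in the title and would be easier to audit as a separate commit.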


@ -10,7 +10,7 @@ import * as childProcess from 'node:child_process'
import * as fs from 'node:fs/promises'
import * as electronBuilder from 'electron-builder'
import * as electronNotarize from 'electron-notarize'
import * as electronNotarize from '@electron/notarize'
import type * as macOptions from 'app-builder-lib/out/options/macOptions'
import yargs from 'yargs'
@ -230,8 +230,6 @@ export function createElectronBuilderConfig(passedArgs: Arguments): electronBuil
) {
const {
packager: {
// eslint-disable-next-line @typescript-eslint/no-unsafe-assignment
platformSpecificBuildOptions: buildOptions,
appInfo: { productFilename: appName },
config: { mac: macConfig },
},
@ -250,20 +248,17 @@ export function createElectronBuilderConfig(passedArgs: Arguments): electronBuil
})
console.log(' • Notarizing.')
// The type-cast is safe because this is only executes
// when `platform === electronBuilder.Platform.MAC`.
// eslint-disable-next-line no-restricted-syntax
const macBuildOptions = buildOptions as macOptions.MacConfiguration
await electronNotarize.notarize({
// This will always be defined since we set it at the top of this object.
// eslint-disable-next-line @typescript-eslint/no-non-null-assertion
appBundleId: macBuildOptions.appId!,
tool: 'notarytool',
appPath: `${appOutDir}/${appName}.app`,
// It is a mistake for either of these to be undefined.
// eslint-disable-next-line @typescript-eslint/no-non-null-assertion
appleId: process.env.APPLEID!,
// eslint-disable-next-line @typescript-eslint/no-non-null-assertion
appleIdPassword: process.env.APPLEIDPASS!,
// eslint-disable-next-line @typescript-eslint/no-non-null-assertion
teamId: process.env.APPLETEAMID!,
})
}
},
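Review bot: The three non-null assertions on `process.env.APPLEID!`, `process.env.APPLEIDPASS!` and `process.env.APPLETEAMID!` turn a missing secret into whatever error `@electron/notarize` produces for an `undefined` credential, and the comment above them (`It is a mistake for either of these to be undefined.`) now covers three variables, not two. I would replace the assertions with an explicit guard that names the missing variable (never its value) before calling `notarize`, as sketched below. Separately, with `@electron/notarize` 2.x notarytool appears to be the only backend, so the `tool: 'notarytool'` key may be redundant — worth confirming against the package's option types before removing it. The enclosing `createElectronBuilderConfig` hook starts and ends outside this hunk.

```typescript
console.log(' • Notarizing.')
// Fail fast with a message naming the missing variable (never its value),
// rather than passing `undefined` credentials through to notarytool.
const { APPLEID: appleId, APPLEIDPASS: appleIdPassword, APPLETEAMID: teamId } = process.env
if (!appleId || !appleIdPassword || !teamId) {
  const missing = (['APPLEID', 'APPLEIDPASS', 'APPLETEAMID'] as const).filter(name => !process.env[name])
  throw new Error(`Notarization requires these environment variables: ${missing.join(', ')}`)
}
// … unchanged: cast of buildOptions to macOptions.MacConfiguration …
await electronNotarize.notarize({
  // … unchanged: appBundleId, tool, appPath …
  appleId,
  appleIdPassword,
  teamId,
})
```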


@ -36,7 +36,7 @@
"crypto-js": "4.1.1",
"electron": "25.7.0",
"electron-builder": "^22.14.13",
"electron-notarize": "1.2.2",
"@electron/notarize": "2.1.0",
"enso-common": "^1.0.0",
"esbuild": "^0.19.3",
"fast-glob": "^3.2.12",


@ -81,6 +81,7 @@ declare global {
/* eslint-disable @typescript-eslint/naming-convention */
APPLEID?: string
APPLEIDPASS?: string
APPLETEAMID?: string
/* eslint-enable @typescript-eslint/naming-convention */
}
}


@ -94,6 +94,7 @@ pub mod secret {
pub const APPLE_CODE_SIGNING_CERT_PASSWORD: &str = "APPLE_CODE_SIGNING_CERT_PASSWORD";
pub const APPLE_NOTARIZATION_USERNAME: &str = "APPLE_NOTARIZATION_USERNAME";
pub const APPLE_NOTARIZATION_PASSWORD: &str = "APPLE_NOTARIZATION_PASSWORD";
pub const APPLE_NOTARIZATION_TEAM_ID: &str = "APPLE_NOTARIZATION_TEAM_ID";
// === Windows Code Signing ===
/// Name of the GitHub Actions secret that stores path to the Windows code signing certificate


@ -232,6 +232,10 @@ pub fn expose_os_specific_signing_secret(os: OS, step: Step) -> Step {
secret::APPLE_NOTARIZATION_PASSWORD,
&crate::ide::web::env::APPLEIDPASS,
)
.with_secret_exposed_as(
secret::APPLE_NOTARIZATION_TEAM_ID,
&crate::ide::web::env::APPLETEAMID,
)
.with_env(&crate::ide::web::env::CSC_IDENTITY_AUTO_DISCOVERY, "true"),
_ => step,
}


@ -85,6 +85,9 @@ pub mod env {
/// https://support.apple.com/HT204397
APPLEIDPASS, String;
/// Apple Team ID.
APPLETEAMID, String;
/// `true` or `false`. Defaults to `true` — on a macOS development machine valid and
/// appropriate identity from your keychain will be automatically used.
CSC_IDENTITY_AUTO_DISCOVERY, bool;
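Review bot: The new `APPLETEAMID` entry is documented only as `/// Apple Team ID.`, while the neighbouring `APPLEIDPASS` entry points the reader at an Apple help page. Since this value is now passed to `@electron/notarize` together with the Apple ID and password on the TypeScript side, a maintainer setting up a new signing environment needs to know it is mandatory and where it comes from, e.g. `/// Apple Developer Team ID; passed to the macOS notarization step, which fails without it.` The `env` definition list this line sits in begins and ends outside the hunk.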

package-lock.json generated

@ -146,10 +146,10 @@
"yargs": "17.6.2"
},
"devDependencies": {
"@electron/notarize": "2.1.0",
"crypto-js": "4.1.1",
"electron": "25.7.0",
"electron-builder": "^22.14.13",
"electron-notarize": "1.2.2",
"enso-common": "^1.0.0",
"esbuild": "^0.19.3",
"fast-glob": "^3.2.12",
@ -1753,6 +1753,20 @@
"node": ">= 4.0.0"
}
},
"node_modules/@electron/notarize": {
"version": "2.1.0",
"resolved": "https://registry.npmjs.org/@electron/notarize/-/notarize-2.1.0.tgz",
"integrity": "sha512-Q02xem1D0sg4v437xHgmBLxI2iz/fc0D4K7fiVWHa/AnW8o7D751xyKNXgziA6HrTOme9ul1JfWN5ark8WH1xA==",
"dev": true,
"dependencies": {
"debug": "^4.1.1",
"fs-extra": "^9.0.1",
"promise-retry": "^2.0.1"
},
"engines": {
"node": ">= 10.0.0"
}
},
"node_modules/@electron/universal": {
"version": "1.0.5",
"dev": true,
@ -7543,18 +7557,6 @@
"url": "https://github.com/sponsors/sindresorhus"
}
},
"node_modules/electron-notarize": {
"version": "1.2.2",
"dev": true,
"license": "MIT",
"dependencies": {
"debug": "^4.1.1",
"fs-extra": "^9.0.1"
},
"engines": {
"node": ">= 10.0.0"
}
},
"node_modules/electron-osx-sign": {
"version": "0.5.0",
"dev": true,
@ -7803,6 +7805,12 @@
"node": ">=6"
}
},
"node_modules/err-code": {
"version": "2.0.3",
"resolved": "https://registry.npmjs.org/err-code/-/err-code-2.0.3.tgz",
"integrity": "sha512-2bmlRpNKBxT/CRmPOlyISQpNj+qSeYvcym/uT0Jx2bMOlKLtSy1ZmLuVxSEKKyor/N5yhvp/ZiG1oE3DEYMSFA==",
"dev": true
},
"node_modules/errno": {
"version": "0.1.8",
"license": "MIT",
@ -13126,6 +13134,19 @@
"node": ">=0.4.0"
}
},
"node_modules/promise-retry": {
"version": "2.0.1",
"resolved": "https://registry.npmjs.org/promise-retry/-/promise-retry-2.0.1.tgz",
"integrity": "sha512-y+WKFlBR8BGXnsNlIHFGPZmyDf3DFMoLhaflAnyZgV6rG6xu+JwesTo2Q9R6XwYmtmwAFCkAk3e35jEdoeh/3g==",
"dev": true,
"dependencies": {
"err-code": "^2.0.2",
"retry": "^0.12.0"
},
"engines": {
"node": ">=10"
}
},
"node_modules/prop-types": {
"version": "15.8.1",
"license": "MIT",
@ -13682,6 +13703,15 @@
"node": ">=0.12"
}
},
"node_modules/retry": {
"version": "0.12.0",
"resolved": "https://registry.npmjs.org/retry/-/retry-0.12.0.tgz",
"integrity": "sha512-9LkiTwjUh6rT555DtE9rTX+BKByPfrMzEAtnlEtdEwr3Nkffwiihqe2bWADg+OQRjt9gl6ICdmB/ZFDCGAtSow==",
"dev": true,
"engines": {
"node": ">= 4"
}
},
"node_modules/reusify": {
"version": "1.0.4",
"license": "MIT",