Use the new notarization tool from Apple (#8192)

This commit is contained in:
Michał Wawrzyniec Urbańczyk 2023-11-01 20:58:28 +01:00 committed by GitHub
parent b5d6628c57
commit a9118ee0c3
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
9 changed files with 68 additions and 30 deletions


@ -821,6 +821,7 @@ jobs:
env: env:
APPLEID: ${{ secrets.APPLE_NOTARIZATION_USERNAME }} APPLEID: ${{ secrets.APPLE_NOTARIZATION_USERNAME }}
APPLEIDPASS: ${{ secrets.APPLE_NOTARIZATION_PASSWORD }} APPLEIDPASS: ${{ secrets.APPLE_NOTARIZATION_PASSWORD }}
APPLETEAMID: ${{ secrets.APPLE_NOTARIZATION_TEAM_ID }}
CSC_IDENTITY_AUTO_DISCOVERY: "true" CSC_IDENTITY_AUTO_DISCOVERY: "true"
CSC_KEY_PASSWORD: ${{ secrets.APPLE_CODE_SIGNING_CERT_PASSWORD }} CSC_KEY_PASSWORD: ${{ secrets.APPLE_CODE_SIGNING_CERT_PASSWORD }}
CSC_LINK: ${{ secrets.APPLE_CODE_SIGNING_CERT }} CSC_LINK: ${{ secrets.APPLE_CODE_SIGNING_CERT }}
@ -1008,6 +1009,7 @@ jobs:
env: env:
APPLEID: ${{ secrets.APPLE_NOTARIZATION_USERNAME }} APPLEID: ${{ secrets.APPLE_NOTARIZATION_USERNAME }}
APPLEIDPASS: ${{ secrets.APPLE_NOTARIZATION_PASSWORD }} APPLEIDPASS: ${{ secrets.APPLE_NOTARIZATION_PASSWORD }}
APPLETEAMID: ${{ secrets.APPLE_NOTARIZATION_TEAM_ID }}
CSC_IDENTITY_AUTO_DISCOVERY: "true" CSC_IDENTITY_AUTO_DISCOVERY: "true"
CSC_KEY_PASSWORD: ${{ secrets.APPLE_CODE_SIGNING_CERT_PASSWORD }} CSC_KEY_PASSWORD: ${{ secrets.APPLE_CODE_SIGNING_CERT_PASSWORD }}
CSC_LINK: ${{ secrets.APPLE_CODE_SIGNING_CERT }} CSC_LINK: ${{ secrets.APPLE_CODE_SIGNING_CERT }}


@ -628,6 +628,7 @@ jobs:
env: env:
APPLEID: ${{ secrets.APPLE_NOTARIZATION_USERNAME }} APPLEID: ${{ secrets.APPLE_NOTARIZATION_USERNAME }}
APPLEIDPASS: ${{ secrets.APPLE_NOTARIZATION_PASSWORD }} APPLEIDPASS: ${{ secrets.APPLE_NOTARIZATION_PASSWORD }}
APPLETEAMID: ${{ secrets.APPLE_NOTARIZATION_TEAM_ID }}
CSC_IDENTITY_AUTO_DISCOVERY: "true" CSC_IDENTITY_AUTO_DISCOVERY: "true"
CSC_KEY_PASSWORD: ${{ secrets.APPLE_CODE_SIGNING_CERT_PASSWORD }} CSC_KEY_PASSWORD: ${{ secrets.APPLE_CODE_SIGNING_CERT_PASSWORD }}
CSC_LINK: ${{ secrets.APPLE_CODE_SIGNING_CERT }} CSC_LINK: ${{ secrets.APPLE_CODE_SIGNING_CERT }}
@ -725,7 +726,7 @@ jobs:
steps: steps:
- if: startsWith(runner.name, 'GitHub Actions') || startsWith(runner.name, 'Hosted Agent') - if: startsWith(runner.name, 'GitHub Actions') || startsWith(runner.name, 'Hosted Agent')
name: Setup conda (GH runners only) name: Setup conda (GH runners only)
uses: s-weigand/setup-conda@v1.0.6 uses: s-weigand/setup-conda@v1.2.1
with: with:
update-conda: false update-conda: false
conda-channels: anaconda, conda-forge conda-channels: anaconda, conda-forge
@ -747,7 +748,7 @@ jobs:
run: "git checkout -f $(git -c user.name=x -c user.email=x@x commit-tree $(git hash-object -t tree /dev/null) < /dev/null) || :" run: "git checkout -f $(git -c user.name=x -c user.email=x@x commit-tree $(git hash-object -t tree /dev/null) < /dev/null) || :"
shell: bash shell: bash
- name: Checking out the repository - name: Checking out the repository
uses: actions/checkout@v2 uses: actions/checkout@v4
with: with:
clean: false clean: false
submodules: recursive submodules: recursive
@ -787,7 +788,7 @@ jobs:
steps: steps:
- if: startsWith(runner.name, 'GitHub Actions') || startsWith(runner.name, 'Hosted Agent') - if: startsWith(runner.name, 'GitHub Actions') || startsWith(runner.name, 'Hosted Agent')
name: Setup conda (GH runners only) name: Setup conda (GH runners only)
uses: s-weigand/setup-conda@v1.0.6 uses: s-weigand/setup-conda@v1.2.1
with: with:
update-conda: false update-conda: false
conda-channels: anaconda, conda-forge conda-channels: anaconda, conda-forge
@ -809,7 +810,7 @@ jobs:
run: "git checkout -f $(git -c user.name=x -c user.email=x@x commit-tree $(git hash-object -t tree /dev/null) < /dev/null) || :" run: "git checkout -f $(git -c user.name=x -c user.email=x@x commit-tree $(git hash-object -t tree /dev/null) < /dev/null) || :"
shell: bash shell: bash
- name: Checking out the repository - name: Checking out the repository
uses: actions/checkout@v2 uses: actions/checkout@v4
with: with:
clean: false clean: false
submodules: recursive submodules: recursive
@ -826,6 +827,7 @@ jobs:
env: env:
APPLEID: ${{ secrets.APPLE_NOTARIZATION_USERNAME }} APPLEID: ${{ secrets.APPLE_NOTARIZATION_USERNAME }}
APPLEIDPASS: ${{ secrets.APPLE_NOTARIZATION_PASSWORD }} APPLEIDPASS: ${{ secrets.APPLE_NOTARIZATION_PASSWORD }}
APPLETEAMID: ${{ secrets.APPLE_NOTARIZATION_TEAM_ID }}
CSC_IDENTITY_AUTO_DISCOVERY: "true" CSC_IDENTITY_AUTO_DISCOVERY: "true"
CSC_KEY_PASSWORD: ${{ secrets.APPLE_CODE_SIGNING_CERT_PASSWORD }} CSC_KEY_PASSWORD: ${{ secrets.APPLE_CODE_SIGNING_CERT_PASSWORD }}
CSC_LINK: ${{ secrets.APPLE_CODE_SIGNING_CERT }} CSC_LINK: ${{ secrets.APPLE_CODE_SIGNING_CERT }}
@ -856,7 +858,7 @@ jobs:
steps: steps:
- if: startsWith(runner.name, 'GitHub Actions') || startsWith(runner.name, 'Hosted Agent') - if: startsWith(runner.name, 'GitHub Actions') || startsWith(runner.name, 'Hosted Agent')
name: Setup conda (GH runners only) name: Setup conda (GH runners only)
uses: s-weigand/setup-conda@v1.0.6 uses: s-weigand/setup-conda@v1.2.1
with: with:
update-conda: false update-conda: false
conda-channels: anaconda, conda-forge conda-channels: anaconda, conda-forge
@ -878,7 +880,7 @@ jobs:
run: "git checkout -f $(git -c user.name=x -c user.email=x@x commit-tree $(git hash-object -t tree /dev/null) < /dev/null) || :" run: "git checkout -f $(git -c user.name=x -c user.email=x@x commit-tree $(git hash-object -t tree /dev/null) < /dev/null) || :"
shell: bash shell: bash
- name: Checking out the repository - name: Checking out the repository
uses: actions/checkout@v2 uses: actions/checkout@v4
with: with:
clean: false clean: false
submodules: recursive submodules: recursive
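Review bot: The bumped `uses: s-weigand/setup-conda@v1.2.1` and `uses: actions/checkout@v4` references (repeated in each of this section's step hunks) are mutable tag refs, so the job runs whatever those tags point to at the time of the build, and the jobs in this file are the ones that receive the code-signing and notarization secrets through `env:`. Pinning each action to a full commit SHA with the tag kept as a trailing comment, e.g. `uses: actions/checkout@<commit-sha>  # v4`, makes the step reproducible and stops a moved or force-pushed tag from silently changing the code that runs alongside those secrets. If these workflow files are generated from the Rust build definitions, as the `expose_os_specific_signing_secret` hunk in this commit suggests, the pin belongs in the generator rather than in the YAML itself.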


@ -10,7 +10,7 @@ import * as childProcess from 'node:child_process'
import * as fs from 'node:fs/promises' import * as fs from 'node:fs/promises'
import * as electronBuilder from 'electron-builder' import * as electronBuilder from 'electron-builder'
import * as electronNotarize from 'electron-notarize' import * as electronNotarize from '@electron/notarize'
import type * as macOptions from 'app-builder-lib/out/options/macOptions' import type * as macOptions from 'app-builder-lib/out/options/macOptions'
import yargs from 'yargs' import yargs from 'yargs'
@ -230,8 +230,6 @@ export function createElectronBuilderConfig(passedArgs: Arguments): electronBuil
) { ) {
const { const {
packager: { packager: {
// eslint-disable-next-line @typescript-eslint/no-unsafe-assignment
platformSpecificBuildOptions: buildOptions,
appInfo: { productFilename: appName }, appInfo: { productFilename: appName },
config: { mac: macConfig }, config: { mac: macConfig },
}, },
@ -250,20 +248,17 @@ export function createElectronBuilderConfig(passedArgs: Arguments): electronBuil
}) })
console.log(' • Notarizing.') console.log(' • Notarizing.')
// The type-cast is safe because this is only executes
// when `platform === electronBuilder.Platform.MAC`.
// eslint-disable-next-line no-restricted-syntax
const macBuildOptions = buildOptions as macOptions.MacConfiguration
await electronNotarize.notarize({ await electronNotarize.notarize({
// This will always be defined since we set it at the top of this object. tool: 'notarytool',
// eslint-disable-next-line @typescript-eslint/no-non-null-assertion
appBundleId: macBuildOptions.appId!,
appPath: `${appOutDir}/${appName}.app`, appPath: `${appOutDir}/${appName}.app`,
// It is a mistake for either of these to be undefined. // It is a mistake for either of these to be undefined.
// eslint-disable-next-line @typescript-eslint/no-non-null-assertion // eslint-disable-next-line @typescript-eslint/no-non-null-assertion
appleId: process.env.APPLEID!, appleId: process.env.APPLEID!,
// eslint-disable-next-line @typescript-eslint/no-non-null-assertion // eslint-disable-next-line @typescript-eslint/no-non-null-assertion
appleIdPassword: process.env.APPLEIDPASS!, appleIdPassword: process.env.APPLEIDPASS!,
// eslint-disable-next-line @typescript-eslint/no-non-null-assertion
teamId: process.env.APPLETEAMID!,
}) })
} }
}, },
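Review bot: The comment `// It is a mistake for either of these to be undefined.` now sits above three asserted values once `teamId: process.env.APPLETEAMID!` is added, and the non-null assertions only defer a missing variable to `notarytool`, which then fails with a credential error that does not name the unset variable. Reading the three variables once and failing early with a message that lists them keeps the error actionable and also removes the three `eslint-disable-next-line` comments, since the checked locals are plain strings. The enclosing `createElectronBuilderConfig` function starts and ends outside this hunk.
```typescript
console.log(' • Notarizing.')
// Fail early with the names of the required variables instead of letting
// `notarytool` report an opaque credential error for a missing one.
const { APPLEID, APPLEIDPASS, APPLETEAMID } = process.env
if (!APPLEID || !APPLEIDPASS || !APPLETEAMID) {
  throw new Error('APPLEID, APPLEIDPASS and APPLETEAMID must all be set to notarize')
}
await electronNotarize.notarize({
  // … unchanged: tool and appPath …
  appleId: APPLEID,
  appleIdPassword: APPLEIDPASS,
  teamId: APPLETEAMID,
})
```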


@ -36,7 +36,7 @@
"crypto-js": "4.1.1", "crypto-js": "4.1.1",
"electron": "25.7.0", "electron": "25.7.0",
"electron-builder": "^22.14.13", "electron-builder": "^22.14.13",
"electron-notarize": "1.2.2", "@electron/notarize": "2.1.0",
"enso-common": "^1.0.0", "enso-common": "^1.0.0",
"esbuild": "^0.19.3", "esbuild": "^0.19.3",
"fast-glob": "^3.2.12", "fast-glob": "^3.2.12",


@ -81,6 +81,7 @@ declare global {
/* eslint-disable @typescript-eslint/naming-convention */ /* eslint-disable @typescript-eslint/naming-convention */
APPLEID?: string APPLEID?: string
APPLEIDPASS?: string APPLEIDPASS?: string
APPLETEAMID?: string
/* eslint-enable @typescript-eslint/naming-convention */ /* eslint-enable @typescript-eslint/naming-convention */
} }
} }


@ -94,6 +94,7 @@ pub mod secret {
pub const APPLE_CODE_SIGNING_CERT_PASSWORD: &str = "APPLE_CODE_SIGNING_CERT_PASSWORD"; pub const APPLE_CODE_SIGNING_CERT_PASSWORD: &str = "APPLE_CODE_SIGNING_CERT_PASSWORD";
pub const APPLE_NOTARIZATION_USERNAME: &str = "APPLE_NOTARIZATION_USERNAME"; pub const APPLE_NOTARIZATION_USERNAME: &str = "APPLE_NOTARIZATION_USERNAME";
pub const APPLE_NOTARIZATION_PASSWORD: &str = "APPLE_NOTARIZATION_PASSWORD"; pub const APPLE_NOTARIZATION_PASSWORD: &str = "APPLE_NOTARIZATION_PASSWORD";
pub const APPLE_NOTARIZATION_TEAM_ID: &str = "APPLE_NOTARIZATION_TEAM_ID";
// === Windows Code Signing === // === Windows Code Signing ===
/// Name of the GitHub Actions secret that stores path to the Windows code signing certificate /// Name of the GitHub Actions secret that stores path to the Windows code signing certificate


@ -232,6 +232,10 @@ pub fn expose_os_specific_signing_secret(os: OS, step: Step) -> Step {
secret::APPLE_NOTARIZATION_PASSWORD, secret::APPLE_NOTARIZATION_PASSWORD,
&crate::ide::web::env::APPLEIDPASS, &crate::ide::web::env::APPLEIDPASS,
) )
.with_secret_exposed_as(
secret::APPLE_NOTARIZATION_TEAM_ID,
&crate::ide::web::env::APPLETEAMID,
)
.with_env(&crate::ide::web::env::CSC_IDENTITY_AUTO_DISCOVERY, "true"), .with_env(&crate::ide::web::env::CSC_IDENTITY_AUTO_DISCOVERY, "true"),
_ => step, _ => step,
} }


@ -85,6 +85,9 @@ pub mod env {
/// https://support.apple.com/HT204397 /// https://support.apple.com/HT204397
APPLEIDPASS, String; APPLEIDPASS, String;
/// Apple Team ID.
APPLETEAMID, String;
/// `true` or `false`. Defaults to `true` — on a macOS development machine valid and /// `true` or `false`. Defaults to `true` — on a macOS development machine valid and
/// appropriate identity from your keychain will be automatically used. /// appropriate identity from your keychain will be automatically used.
CSC_IDENTITY_AUTO_DISCOVERY, bool; CSC_IDENTITY_AUTO_DISCOVERY, bool;
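Review bot: The new `/// Apple Team ID.` doc on `APPLETEAMID` says less than its neighbour `APPLEIDPASS`, whose doc links to the Apple page that explains the value, so whoever provisions the secret has to guess where the ID comes from and what it is used for. Suggest `/// Apple Developer Team ID (typically the ten-character identifier shown on the Membership page of the Apple Developer account). Required by notarytool together with APPLEID and APPLEIDPASS.` The `env` module continues outside this hunk.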

package-lock.json generated

@ -146,10 +146,10 @@
"yargs": "17.6.2" "yargs": "17.6.2"
}, },
"devDependencies": { "devDependencies": {
"@electron/notarize": "2.1.0",
"crypto-js": "4.1.1", "crypto-js": "4.1.1",
"electron": "25.7.0", "electron": "25.7.0",
"electron-builder": "^22.14.13", "electron-builder": "^22.14.13",
"electron-notarize": "1.2.2",
"enso-common": "^1.0.0", "enso-common": "^1.0.0",
"esbuild": "^0.19.3", "esbuild": "^0.19.3",
"fast-glob": "^3.2.12", "fast-glob": "^3.2.12",
@ -1753,6 +1753,20 @@
"node": ">= 4.0.0" "node": ">= 4.0.0"
} }
}, },
"node_modules/@electron/notarize": {
"version": "2.1.0",
"resolved": "https://registry.npmjs.org/@electron/notarize/-/notarize-2.1.0.tgz",
"integrity": "sha512-Q02xem1D0sg4v437xHgmBLxI2iz/fc0D4K7fiVWHa/AnW8o7D751xyKNXgziA6HrTOme9ul1JfWN5ark8WH1xA==",
"dev": true,
"dependencies": {
"debug": "^4.1.1",
"fs-extra": "^9.0.1",
"promise-retry": "^2.0.1"
},
"engines": {
"node": ">= 10.0.0"
}
},
"node_modules/@electron/universal": { "node_modules/@electron/universal": {
"version": "1.0.5", "version": "1.0.5",
"dev": true, "dev": true,
@ -7543,18 +7557,6 @@
"url": "https://github.com/sponsors/sindresorhus" "url": "https://github.com/sponsors/sindresorhus"
} }
}, },
"node_modules/electron-notarize": {
"version": "1.2.2",
"dev": true,
"license": "MIT",
"dependencies": {
"debug": "^4.1.1",
"fs-extra": "^9.0.1"
},
"engines": {
"node": ">= 10.0.0"
}
},
"node_modules/electron-osx-sign": { "node_modules/electron-osx-sign": {
"version": "0.5.0", "version": "0.5.0",
"dev": true, "dev": true,
@ -7803,6 +7805,12 @@
"node": ">=6" "node": ">=6"
} }
}, },
"node_modules/err-code": {
"version": "2.0.3",
"resolved": "https://registry.npmjs.org/err-code/-/err-code-2.0.3.tgz",
"integrity": "sha512-2bmlRpNKBxT/CRmPOlyISQpNj+qSeYvcym/uT0Jx2bMOlKLtSy1ZmLuVxSEKKyor/N5yhvp/ZiG1oE3DEYMSFA==",
"dev": true
},
"node_modules/errno": { "node_modules/errno": {
"version": "0.1.8", "version": "0.1.8",
"license": "MIT", "license": "MIT",
@ -13126,6 +13134,19 @@
"node": ">=0.4.0" "node": ">=0.4.0"
} }
}, },
"node_modules/promise-retry": {
"version": "2.0.1",
"resolved": "https://registry.npmjs.org/promise-retry/-/promise-retry-2.0.1.tgz",
"integrity": "sha512-y+WKFlBR8BGXnsNlIHFGPZmyDf3DFMoLhaflAnyZgV6rG6xu+JwesTo2Q9R6XwYmtmwAFCkAk3e35jEdoeh/3g==",
"dev": true,
"dependencies": {
"err-code": "^2.0.2",
"retry": "^0.12.0"
},
"engines": {
"node": ">=10"
}
},
"node_modules/prop-types": { "node_modules/prop-types": {
"version": "15.8.1", "version": "15.8.1",
"license": "MIT", "license": "MIT",
@ -13682,6 +13703,15 @@
"node": ">=0.12" "node": ">=0.12"
} }
}, },
"node_modules/retry": {
"version": "0.12.0",
"resolved": "https://registry.npmjs.org/retry/-/retry-0.12.0.tgz",
"integrity": "sha512-9LkiTwjUh6rT555DtE9rTX+BKByPfrMzEAtnlEtdEwr3Nkffwiihqe2bWADg+OQRjt9gl6ICdmB/ZFDCGAtSow==",
"dev": true,
"engines": {
"node": ">= 4"
}
},
"node_modules/reusify": { "node_modules/reusify": {
"version": "1.0.4", "version": "1.0.4",
"license": "MIT", "license": "MIT",