implement signing (monterey, xcode 14)

2024-08-17 23:20:21 +03:00 · 2023-02-15 16:55:14 -08:00 · 2023-02-15 16:55:14 -08:00 · 1304373fb5
commit 1304373fb5
parent c78479b8d4
5 changed files with 78 additions and 2 deletions
--- a/.cirrus.yml
+++ b/.cirrus.yml
@ -99,8 +99,14 @@ arm_linux_task:
 silicon_mac_task:
  alias: mac
  macos_instance:
-    image: ghcr.io/cirruslabs/macos-monterey-base:latest
+    image: ghcr.io/cirruslabs/macos-monterey-xcode:14
    memory: 8G
+  env:
+    CSC_LINK: ENCRYPTED[0078015a03bb6cfdbd80113ae5bbb6f448fd4bbbc40efd81bf2cb1554373046b475a4d7c77e3e3e82ac1ce2f7e3d2da5]
+    CSC_KEY_PASSWORD: ENCRYPTED[82bb72653d39578035ed1860ab4978703d50bd326d925a146ff08782f987ceb37ac2d8dbace52dec2b0e2ef92debf097]
+    APPLEID: ENCRYPTED[549ce052bd5666dba5245f4180bf93b74ed206fe5e6e7c8f67a8596d3767c1f682b84e347b326ac318c62a07c8844a57]
+    APPLEID_PASSWORD: ENCRYPTED[774c3307fd3b62660ecf5beb8537a24498c76e8d90d7f28e5bc816742fd8954a34ffed13f9aa2d1faf66ce08b4496e6f]
+    TEAM_ID: ENCRYPTED[11f3fedfbaf4aff1859bf6c105f0437ace23d84f5420a2c1cea884fbfa43b115b7834a463516d50cb276d4c4d9128b49]
  test_script:
    - brew install node@16 yarn git python@$PYTHON_VERSION
    - git submodule init
@ -128,8 +134,14 @@ silicon_mac_task:
 intel_mac_task:
  alias: mac
  macos_instance:
-    image: ghcr.io/cirruslabs/macos-monterey-base:latest
+    image: ghcr.io/cirruslabs/macos-monterey-xcode:14
    memory: 8G
+  env:
+    CSC_LINK: ENCRYPTED[0078015a03bb6cfdbd80113ae5bbb6f448fd4bbbc40efd81bf2cb1554373046b475a4d7c77e3e3e82ac1ce2f7e3d2da5]
+    CSC_KEY_PASSWORD: ENCRYPTED[82bb72653d39578035ed1860ab4978703d50bd326d925a146ff08782f987ceb37ac2d8dbace52dec2b0e2ef92debf097]
+    APPLEID: ENCRYPTED[549ce052bd5666dba5245f4180bf93b74ed206fe5e6e7c8f67a8596d3767c1f682b84e347b326ac318c62a07c8844a57]
+    APPLEID_PASSWORD: ENCRYPTED[774c3307fd3b62660ecf5beb8537a24498c76e8d90d7f28e5bc816742fd8954a34ffed13f9aa2d1faf66ce08b4496e6f]
+    TEAM_ID: ENCRYPTED[11f3fedfbaf4aff1859bf6c105f0437ace23d84f5420a2c1cea884fbfa43b115b7834a463516d50cb276d4c4d9128b49]
  dist_script:
    - sudo rm -rf /Library/Developer/CommandLineTools
    - echo A | softwareupdate --install-rosetta
--- a/package.json
+++ b/package.json
@ -277,6 +277,7 @@
    "private-js-docs": "jsdoc2md --private ./src/**/*.js ./packages/**/*.js > ./docs/Source-Code-Documentation.md"
  },
  "devDependencies": {
+    "@electron/notarize": "^1.2.3",
    "@playwright/test": "1.22.2",
    "electron": "12.2.3",
    "electron-builder": "23.3.1",
--- a/script/electron-builder.js
+++ b/script/electron-builder.js
@ -182,6 +182,9 @@ let options = {
    "icon": icnsIcon,
    "category": "public.app-category.developer-tools",
    "minimumSystemVersion": "10.8",
+    "hardenedRuntime": true,
+    "entitlements": "resources/mac/entitlements.plist",
+    "entitlementsInherit": "resources/mac/entitlements.plist",
    "extendInfo": {
      // This contains extra values that will be inserted into the App's plist
      "CFBundleExecutable": "Pulsar",
@ -195,6 +198,9 @@ let options = {
      ]
    },
  },
+  "dmg": {
+    "sign": false
+  },
  "win": {
    "icon": icoIcon,
    "extraResources": [
@ -227,6 +233,7 @@ let options = {
  },
  "extraMetadata": {
  },
+  "afterSign": "script/mac-notarise.js",
  "asarUnpack": [
    "node_modules/github/bin/*",
    "node_modules/github/lib/*", // Resolves Error in console
--- a/script/mac-notarise.js
+++ b/script/mac-notarise.js
@ -0,0 +1,48 @@
+const { notarize } = require("@electron/notarize");
+
+// https://kilianvalkhof.com/2019/electron/notarizing-your-electron-application/
+
+/**
+ * @param {import("electron-builder").AfterPackContext} ctx
+ */
+exports.default = async function notarizing(ctx) {
+	if (ctx.electronPlatformName !== "darwin") return;
+
+	const appleId = process.env.APPLEID;
+	const appleIdPassword = process.env.APPLEID_PASSWORD;
+	const teamId = process.env.TEAM_ID;
+	const appname = ctx.packager.appInfo.productFilename;
+
+	if (!appleId || !appleIdPassword) {
+		console.error("environment variables APPLEID and APPLEID_PASSWORD are not both present, skipping notarisation");
+		return;
+	}
+
+	/** @type {Parameters<typeof notarize>[0]} */
+	let notarise_args = {
+		appBundleId: "dev.pulsar-edit.pulsar",
+		appPath: `${ctx.appOutDir}/${appname}.app`,
+		appleId,
+		appleIdPassword
+	};
+
+	if (!teamId) {
+		console.log("no TEAM_ID, using (legacy) altool");
+		notarise_args = {
+			...notarise_args,
+			tool: "legacy"
+		}
+	} else {
+		console.log("using notarytool");
+
+		notarise_args = {
+			...notarise_args,
+			tool: "notarytool",
+			teamId
+		};
+	}
+
+	require("debug").enable("electron-notarize");
+
+	return await notarize(notarise_args);
+}
--- a/yarn.lock
+++ b/yarn.lock
@ -1393,6 +1393,14 @@
    global-agent "^3.0.0"
    global-tunnel-ng "^2.7.1"

+"@electron/notarize@^1.2.3":
+  version "1.2.3"
+  resolved "https://registry.yarnpkg.com/@electron/notarize/-/notarize-1.2.3.tgz#38056a629e5a0b5fd56c975c4828c0f74285b644"
+  integrity sha512-9oRzT56rKh5bspk3KpAVF8lPKHYQrBnRwcgiOeR0hdilVEQmszDaAu0IPCPrwwzJN0ugNs0rRboTreHMt/6mBQ==
+  dependencies:
+    debug "^4.1.1"
+    fs-extra "^9.0.1"
+
 "@electron/universal@1.2.1":
  version "1.2.1"
  resolved "https://registry.yarnpkg.com/@electron/universal/-/universal-1.2.1.tgz#3c2c4ff37063a4e9ab1e6ff57db0bc619bc82339"