From 1304373fb5164ac6a441dbed090e3ebb79483653 Mon Sep 17 00:00:00 2001
From: Meadowsys
Date: Wed, 15 Feb 2023 16:55:14 -0800
Subject: [PATCH] implement signing (monterey, xcode 14)
---
 .cirrus.yml | 16 +++++++++++--
 package.json | 1 +
 script/electron-builder.js | 7 ++++++
 script/mac-notarise.js | 48 ++++++++++++++++++++++++++++++++++++++
 yarn.lock | 8 +++++++
 5 files changed, 78 insertions(+), 2 deletions(-)
 create mode 100644 script/mac-notarise.js
diff --git a/.cirrus.yml b/.cirrus.yml
index 09fd61cbb..3bf07e482 100644
--- a/.cirrus.yml
+++ b/.cirrus.yml
@@ -99,8 +99,14 @@ arm_linux_task:
 silicon_mac_task:
 alias: mac
 macos_instance:
- image: ghcr.io/cirruslabs/macos-monterey-base:latest
+ image: ghcr.io/cirruslabs/macos-monterey-xcode:14
 memory: 8G
+ env:
+ CSC_LINK: ENCRYPTED[0078015a03bb6cfdbd80113ae5bbb6f448fd4bbbc40efd81bf2cb1554373046b475a4d7c77e3e3e82ac1ce2f7e3d2da5]
+ CSC_KEY_PASSWORD: ENCRYPTED[82bb72653d39578035ed1860ab4978703d50bd326d925a146ff08782f987ceb37ac2d8dbace52dec2b0e2ef92debf097]
+ APPLEID: ENCRYPTED[549ce052bd5666dba5245f4180bf93b74ed206fe5e6e7c8f67a8596d3767c1f682b84e347b326ac318c62a07c8844a57]
+ APPLEID_PASSWORD: ENCRYPTED[774c3307fd3b62660ecf5beb8537a24498c76e8d90d7f28e5bc816742fd8954a34ffed13f9aa2d1faf66ce08b4496e6f]
+ TEAM_ID: ENCRYPTED[11f3fedfbaf4aff1859bf6c105f0437ace23d84f5420a2c1cea884fbfa43b115b7834a463516d50cb276d4c4d9128b49]
 test_script:
 - brew install node@16 yarn git python@$PYTHON_VERSION
 - git submodule init
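Review bot: The five `ENCRYPTED[...]` values are added to the task-level `env:` of `silicon_mac_task`, so the signing certificate, its password and the Apple ID credentials are in the environment of every script in the task, including the `brew install` and `git submodule` steps visible in the context lines and any dependency install scripts that run later. The same block is repeated in the `intel_mac_task` hunk. It would be safer to expose these values only to the step that signs and notarises, or to move signing into a separate task gated with `only_if` on trusted branches; how Cirrus decrypts secured variables for pull-request builds should be confirmed rather than assumed. A comment above `env:` such as `# signing/notarisation secrets, read by electron-builder and script/mac-notarise.js` would also tell maintainers what consumes them.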
@@ -128,8 +134,14 @@ silicon_mac_task:
 intel_mac_task:
 alias: mac
 macos_instance:
- image: ghcr.io/cirruslabs/macos-monterey-base:latest
+ image: ghcr.io/cirruslabs/macos-monterey-xcode:14
 memory: 8G
+ env:
+ CSC_LINK: ENCRYPTED[0078015a03bb6cfdbd80113ae5bbb6f448fd4bbbc40efd81bf2cb1554373046b475a4d7c77e3e3e82ac1ce2f7e3d2da5]
+ CSC_KEY_PASSWORD: ENCRYPTED[82bb72653d39578035ed1860ab4978703d50bd326d925a146ff08782f987ceb37ac2d8dbace52dec2b0e2ef92debf097]
+ APPLEID: ENCRYPTED[549ce052bd5666dba5245f4180bf93b74ed206fe5e6e7c8f67a8596d3767c1f682b84e347b326ac318c62a07c8844a57]
+ APPLEID_PASSWORD: ENCRYPTED[774c3307fd3b62660ecf5beb8537a24498c76e8d90d7f28e5bc816742fd8954a34ffed13f9aa2d1faf66ce08b4496e6f]
+ TEAM_ID: ENCRYPTED[11f3fedfbaf4aff1859bf6c105f0437ace23d84f5420a2c1cea884fbfa43b115b7834a463516d50cb276d4c4d9128b49]
 dist_script:
 - sudo rm -rf /Library/Developer/CommandLineTools
 - echo A | softwareupdate --install-rosetta
diff --git a/package.json b/package.json
index 729f26f62..02705f584 100644
--- a/package.json
+++ b/package.json
@@ -277,6 +277,7 @@
 "private-js-docs": "jsdoc2md --private ./src/**/*.js ./packages/**/*.js > ./docs/Source-Code-Documentation.md"
 },
 "devDependencies": {
+ "@electron/notarize": "^1.2.3",
 "@playwright/test": "1.22.2",
 "electron": "12.2.3",
 "electron-builder": "23.3.1",
diff --git a/script/electron-builder.js b/script/electron-builder.js
index 8fdc5faf1..0c3d194fb 100644
--- a/script/electron-builder.js
+++ b/script/electron-builder.js
@@ -182,6 +182,9 @@ let options = {
 "icon": icnsIcon,
 "category": "public.app-category.developer-tools",
 "minimumSystemVersion": "10.8",
+ "hardenedRuntime": true,
+ "entitlements": "resources/mac/entitlements.plist",
+ "entitlementsInherit": "resources/mac/entitlements.plist",
 "extendInfo": {
 // This contains extra values that will be inserted into the App's plist
 "CFBundleExecutable": "Pulsar",
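Review bot: `@electron/notarize` is added with a caret range (`^1.2.3`) while the neighbouring devDependencies in this hunk (`@playwright/test`, `electron`, `electron-builder`) are pinned to exact versions. This package is handed the Apple ID credentials during release builds, so I would pin it the same way, `"@electron/notarize": "1.2.3",`, and let upgrades arrive as reviewed changes. The yarn.lock entry fixes the resolved version today, but a lockfile refresh can move it anywhere within the range.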
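Review bot: `entitlements` and `entitlementsInherit` both point at `resources/mac/entitlements.plist`, but that file is not among the five files in this patch's diffstat, so the hardened-runtime exceptions being granted cannot be reviewed here; if it is not already in the tree, the mac build will presumably fail. Because the same plist is also used for `entitlementsInherit`, helper processes receive the same set as the main app, which is worth confirming as intended. A comment above the three new keys would help, e.g. `// hardened runtime is required for notarisation; exceptions granted are listed in resources/mac/entitlements.plist`. The `options` object starts and ends outside the hunk.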
@@ -195,6 +198,9 @@ let options = {
 ]
 },
 },
+ "dmg": {
+ "sign": false
+ },
 "win": {
 "icon": icoIcon,
 "extraResources": [
@@ -227,6 +233,7 @@ let options = {
 },
 "extraMetadata": {
 },
+ "afterSign": "script/mac-notarise.js",
 "asarUnpack": [
 "node_modules/github/bin/*",
 "node_modules/github/lib/*", // Resolves Error in console
diff --git a/script/mac-notarise.js b/script/mac-notarise.js
new file mode 100644
index 000000000..349f0ad6e
--- /dev/null
+++ b/script/mac-notarise.js
@@ -0,0 +1,48 @@
+const { notarize } = require("@electron/notarize");
+
+// https://kilianvalkhof.com/2019/electron/notarizing-your-electron-application/
+
+/**
+ * @param {import("electron-builder").AfterPackContext} ctx
+ */
+exports.default = async function notarizing(ctx) {
+ if (ctx.electronPlatformName !== "darwin") return;
+
+ const appleId = process.env.APPLEID;
+ const appleIdPassword = process.env.APPLEID_PASSWORD;
+ const teamId = process.env.TEAM_ID;
+ const appname = ctx.packager.appInfo.productFilename;
+
+ if (!appleId || !appleIdPassword) {
+ console.error("environment variables APPLEID and APPLEID_PASSWORD are not both present, skipping notarisation");
+ return;
+ }
+
+ /** @type {Parameters[0]} */
+ let notarise_args = {
+ appBundleId: "dev.pulsar-edit.pulsar",
+ appPath: `${ctx.appOutDir}/${appname}.app`,
+ appleId,
+ appleIdPassword
+ };
+
+ if (!teamId) {
+ console.log("no TEAM_ID, using (legacy) altool");
+ notarise_args = {
+ ...notarise_args,
+ tool: "legacy"
+ }
+ } else {
+ console.log("using notarytool");
+
+ notarise_args = {
+ ...notarise_args,
+ tool: "notarytool",
+ teamId
+ };
+ }
+
+ require("debug").enable("electron-notarize");
+
+ return await notarize(notarise_args);
+}
diff --git a/yarn.lock b/yarn.lock
index bc574eb0c..88082dd86 100644
--- a/yarn.lock
+++ b/yarn.lock
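Review bot: `"sign": false` under `"dmg"` carries no explanation, and a later reader may take an unsigned disk image for an oversight. If the intent is that only the `.app` bundle is signed and then notarised by the `afterSign` hook added in the next hunk, say so in a comment, e.g. `// only the .app is signed and notarised; the DMG container is intentionally left unsigned`. The `options` object starts and ends outside the hunk.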
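Review bot: The missing-credentials branch in `notarizing` fails open: when `APPLEID` or `APPLEID_PASSWORD` is absent the hook logs and returns, so a build that was signed with the certificate from `CSC_LINK` still completes and produces an artifact that was never notarised. For release builds I would make that a hard error, e.g. `if (process.env.CSC_LINK) throw new Error("signing certificate present but APPLEID/APPLEID_PASSWORD missing");` ahead of the existing `console.error`, keeping the skip for unsigned local and fork builds. Separately, `require("debug").enable("electron-notarize")` switches on verbose logging unconditionally in a job that holds the Apple ID password; it is worth confirming that the debug output never includes the credentials, or enabling it only on request. `debug` also appears only as a transitive dependency of `@electron/notarize` in the yarn.lock hunk, so this `require` relies on hoisting unless package.json already declares it.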
@@ -1393,6 +1393,14 @@ global-agent "^3.0.0" global-tunnel-ng "^2.7.1" +"@electron/notarize@^1.2.3": + version "1.2.3" + resolved "https://registry.yarnpkg.com/@electron/notarize/-/notarize-1.2.3.tgz#38056a629e5a0b5fd56c975c4828c0f74285b644" + integrity sha512-9oRzT56rKh5bspk3KpAVF8lPKHYQrBnRwcgiOeR0hdilVEQmszDaAu0IPCPrwwzJN0ugNs0rRboTreHMt/6mBQ== + dependencies: + debug "^4.1.1" + fs-extra "^9.0.1" + "@electron/universal@1.2.1": version "1.2.1" resolved "https://registry.yarnpkg.com/@electron/universal/-/universal-1.2.1.tgz#3c2c4ff37063a4e9ab1e6ff57db0bc619bc82339"