fix: implement signApp function for macPackager #3912
afterSign hook now is called after sign instead of before sign on Mac.
I'm interested in testing this, how can I fork a local version of electron builder and reference it from my app? It doesn't seem to work when I simply reference the package this way in package.json:
|
I tried this and I am still receiving "Unnotarized Developer ID" from this line https://github.com/electron-userland/electron-builder/pull/3912/files#diff-2f245a25ceda557ecf2530ec7e88c805R315, before it even runs the afterSign hook. Maybe I am doing something wrong here. |
I believe this might be due to the "hardenedRuntime": true functionality here: #3858 |
@delusive how were you able to test this? I can notarize my app manually but need to test doing it in the afterSign step. |
I cloned Kilian:patch-1, and then compiled the code, I then replaced packages/app-builder-lib/src/macPackager.ts in my local node_modules with the new one. There is probably a better way, but for some reason I could yarn add the package from my local directory where I had it compiled, it wouldn't build the node_modules/.bin/electron-builder in my case. I was probably doing something wrong. |
@delusive You will need to use the pre-released version of electron-builder which is version 20.41.0 and add the Thanks |
Explanation: |
Our code sign tests are not executed locally due to security reasons, but I set Thank you! I will prepare release today. |
Hey @Kilian may I ask you to show your /Users/zaher/Sites/electron/my app.app: rejected
source=Unnotarized Developer ID |
I built the newest version from master and installed from the local filesystem into my project. I have added "afterSign": "./after_sign_hook.js" in the build section of package.json along with "hardenedRuntime": true under the mac build section of package.json. My after_sign hook contains the following code:
When I run electron-builder I get the Unnotarized Developer ID error. The interesting thing is that I don't get my output message "Notarizing application: " in the output, meaning it hasn't tried to notarize the application before returning the error. Any help/example would be greatly appreciated. Thanks. |
@delusive your app path needs the actual app in addition to the directory! so something like
|
This is the

```js
const fs = require('fs');
const path = require('path');
const electron_notarize = require('electron-notarize');

module.exports = async function (params) {
  // Only notarize the app on macOS.
  if (process.platform !== 'darwin') {
    return;
  }
  console.log('afterSign hook triggered', params);

  // Same appId as in the electron-builder config.
  const appId = '<Change this to your appId as defined in your electron-builder config>';

  // The path must point at the .app bundle itself, not only its directory.
  const appPath = path.join(params.appOutDir, `${params.packager.appInfo.productFilename}.app`);
  if (!fs.existsSync(appPath)) {
    throw new Error(`Cannot find application at: ${appPath}`);
  }

  console.log(`Notarizing ${appId} found at ${appPath}`);

  try {
    // Credentials are read from the environment, not stored in the repository.
    await electron_notarize.notarize({
      appBundleId: appId,
      appPath: appPath,
      appleId: process.env.appleId,
      appleIdPassword: process.env.appleIdPassword,
    });
  } catch (error) {
    console.error(error);
    // Rethrow so a failed notarization fails the build instead of being reported as done.
    throw error;
  }

  console.log(`Done notarizing ${appId}`);
};
```

|
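A check that can run at the end of an afterSign hook like the one above, as an added example that is not part of the original thread or of electron-builder: it parses the `spctl --assess` output quoted earlier (`rejected` / `source=Unnotarized Developer ID`) so the build fails when Gatekeeper does not report the app as notarized. The function names and the accepted sample are assumptions constructed for illustration.

```javascript
const { spawnSync } = require('child_process');

// Parse the text printed by `spctl --assess -vv <app>`.
// First line is "<path>: accepted|rejected"; later lines are key=value pairs.
function parseSpctlAssessment(output) {
  const lines = output.split(/\r?\n/).map((l) => l.trim()).filter(Boolean);
  if (lines.length === 0) {
    throw new Error('empty spctl output');
  }
  // App paths may contain spaces or colons, so split on the LAST ": ".
  const sep = lines[0].lastIndexOf(': ');
  if (sep === -1) {
    throw new Error(`unexpected spctl output: ${lines[0]}`);
  }
  const result = { path: lines[0].slice(0, sep), verdict: lines[0].slice(sep + 2), fields: {} };
  for (const line of lines.slice(1)) {
    const eq = line.indexOf('=');
    if (eq > 0) result.fields[line.slice(0, eq)] = line.slice(eq + 1);
  }
  // Gatekeeper reports "Notarized Developer ID" once it finds a notarization ticket.
  result.notarized =
    result.verdict === 'accepted' && result.fields.source === 'Notarized Developer ID';
  return result;
}

// Run the assessment (macOS only) and throw if the app is not notarized.
function assertNotarized(appPath) {
  const run = spawnSync('spctl', ['--assess', '--type', 'execute', '-vv', appPath], {
    encoding: 'utf8',
  });
  if (run.error) throw run.error;
  // spctl prints its assessment on stderr; stdout is appended in case that differs.
  const parsed = parseSpctlAssessment(`${run.stderr}${run.stdout}`);
  if (!parsed.notarized) {
    throw new Error(`${parsed.path}: ${parsed.verdict} (source=${parsed.fields.source})`);
  }
  return parsed;
}

// Constructed samples: REJECTED is the rejection quoted in this thread,
// ACCEPTED uses a made-up path and signing identity.
const REJECTED =
  '/Users/zaher/Sites/electron/my app.app: rejected\nsource=Unnotarized Developer ID\n';
const ACCEPTED =
  '/tmp/out/My App.app: accepted\nsource=Notarized Developer ID\n' +
  'origin=Developer ID Application: Example Corp (TEAMID1234)\n';
```

Calling `assertNotarized(appPath)` after `notarize()` resolves turns a silent "Unnotarized Developer ID" result into a build failure.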
@martani it does, but I don't think it staples the .app, which means it can't be verified offline. So notarizing the app and stapling it before packaging it into the dmg (and then notarizing that) is probably best. |
Thanks @Kilian, that's what I ended up doing. This adds a lot of latency to the build process, notarizing the app takes ~10 minutes + an extra ~10 minutes for the dmg. Unfortunately, that does not seem to fully solve the issue of users not able to open the dmg on macOS 10.14.5 as I reported here: #3828 (comment) |
I think this has broken our use case of passing electron-builder a pre-built but unsigned .app and turning it into a .pkg, signing both the .app and .pkg. It no longer signs the .app at all now. I guess this is a bit of a dumb use case anyway, I can just run |
As per #3504, afterSign was called before the sign function was called on mac. I tracked this down to a logic error where signApp wasn't implemented for macPackager and thus immediately resolved. Mac then called the sign function directly, leading to the incorrect behaviour.
I was able to successfully build with this, and have the afterSign function called at the right time, with the changes below. I'm however not familiar with TypeScript (or electron-builder's code standards) so likely I'll need to make some changes. This can serve as a first setup.