diff --git a/.gitignore b/.gitignore
index 6030f87f4..33c342e5e 100644
--- a/.gitignore
+++ b/.gitignore
@@ -2,6 +2,7 @@ node_modules
 out
 dist
 .cache
+.env
 config.gypi
 assets/webui
 *.nupkg
diff --git a/README.md b/README.md
index ab76f8a0c..56f8ba6b8 100644
--- a/README.md
+++ b/README.md
@@ -119,6 +119,9 @@ Other languages are periodically pulled from [Transifex](https://www.transifex.c
 - Publish local changes and the tag to GitHub repo: `git push && git push origin vA.B.C`
 - Wait for the CI to upload the binaries to the draft release (a new one will be created if you haven't drafted one).
 - The `latest.yml, latest-mac.yml, latest-linux.yml` files on the release are used by the app to determine when an app update is available. Once a release is published, users should recieve the app update. See: https://www.electron.build/auto-update.
+- Notarize `.dmg` at Apple (context: [#1365](https://github.com/ipfs-shipyard/ipfs-desktop/issues/1211))
+ 1. Download `.dmg` from `https://github.com/ipfs-shipyard/ipfs-desktop/releases/vA.B.C`
+ 2. Run `node pkgs/macos/notarize-cli.js ./IPFS-Desktop-A.B.C.dmg`
 - Update [Homebrew Cask](https://github.com/Homebrew/homebrew-cask/blob/master/CONTRIBUTING.md#updating-a-cask).
 - Update Chocolatey package:
 1. Update the version number on [ipfs-desktop.nuspec](./pkgs/chocolatey/ipfs-desktop.nuspec#L5)
diff --git a/electron-builder.yml b/electron-builder.yml
index c7368086e..dbcd7bcf6 100644
--- a/electron-builder.yml
+++ b/electron-builder.yml
@@ -6,9 +6,15 @@ directories:
 asarUnpack: 'out/**/scripts/**/*'
+afterSign: './pkgs/macos/notarize-build.js'
+
 mac:
 category: public.app-category.utilities
 darkModeSupport: true
+ hardenedRuntime: true
+ gatekeeperAssess: false
+ entitlements: './pkgs/macos/entitlements.mac.plist'
+ entitlementsInherit: './pkgs/macos/entitlements.mac.plist'
 dmg:
 iconSize: 160
diff --git a/package-lock.json b/package-lock.json
index 020317081..83297dac1 100644
--- a/package-lock.json
+++ b/package-lock.json
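Review bot: `afterSign: './pkgs/macos/notarize-build.js'` wires the hook into every build, but that script's own header says it is not used yet and it returns silently when `APPLEID`/`APPLEIDPASS` are unset, so nothing in this config tells a release engineer whether a given macOS build was actually notarized. A comment next to the key, `# no-op unless APPLEID/APPLEIDPASS are set; see pkgs/macos/notarize-build.js and the README release steps`, would make that explicit. `entitlementsInherit` points at the same plist as `entitlements`, so every exception it grants applies to helper processes as well as the main bundle; a comment stating that this is intentional (or a narrower inherit file later) would help the next person who touches `hardenedRuntime: true`.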
@@ -1,6 +1,6 @@ { "name": "ipfs-desktop", - "version": "0.10.2", + "version": "0.10.3", "lockfileVersion": 1, "requires": true, "dependencies": {
@@ -4563,6 +4563,16 @@ } } }, + "electron-notarize": { + "version": "0.2.1", + "resolved": "https://registry.npmjs.org/electron-notarize/-/electron-notarize-0.2.1.tgz", + "integrity": "sha512-oZ6/NhKeXmEKNROiFmRNfytqu3cxqC95sjooG7kBXQVEUSQkZnbiAhxVh5jXngL881G197pbwpeVPJyM7Ikmxw==", + "dev": true, + "requires": { + "debug": "^4.1.1", + "fs-extra": "^8.1.0" + } + }, "electron-publish": { "version": "22.3.2", "resolved": "https://registry.npmjs.org/electron-publish/-/electron-publish-22.3.2.tgz",
diff --git a/package.json b/package.json
index 83c5e4dbb..4590ea14f 100644
--- a/package.json
+++ b/package.json
@@ -58,8 +58,10 @@
 "cross-env": "^6.0.3",
 "delay": "^4.3.0",
 "dirty-chai": "^2.0.1",
+ "dotenv": "^8.2.0",
 "electron": "^7.1.11",
 "electron-builder": "^22.3.2",
+ "electron-notarize": "^0.2.1",
 "mocha": "^6.2.2",
 "npm-run-all": "^4.1.5",
 "pre-commit": "^1.2.2",
diff --git a/pkgs/macos/entitlements.mac.plist b/pkgs/macos/entitlements.mac.plist
new file mode 100644
index 000000000..55f37a696
--- /dev/null
+++ b/pkgs/macos/entitlements.mac.plist
@@ -0,0 +1,10 @@ + + + + com.apple.security.cs.allow-jit + com.apple.security.cs.allow-unsigned-executable-memory + + +
diff --git a/pkgs/macos/notarize-build.js b/pkgs/macos/notarize-build.js
new file mode 100644
index 000000000..89bcb956e
--- /dev/null
+++ b/pkgs/macos/notarize-build.js
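Review bot: The two keys added in the entitlements plist, `com.apple.security.cs.allow-jit` and `com.apple.security.cs.allow-unsigned-executable-memory`, each relax hardened-runtime code-integrity enforcement for the whole process, and the file carries no comment on why both are needed or which Electron version that was checked against. Suggest an XML comment above the dict along the lines of `<!-- Hardened-runtime exceptions presumably needed by Electron/V8 JIT; re-check on each Electron upgrade and drop any that are no longer required -->`. In this view the hunk's tags have been stripped, so I cannot confirm that each key is paired with a `<true/>` value; please double-check the committed file is a valid plist. Because electron-builder.yml reuses this file for `entitlementsInherit`, these exceptions also propagate to every helper process.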
@@ -0,0 +1,22 @@
+require('dotenv').config()
+const { notarize } = require('electron-notarize')
+
+// electron-build hook to be used in electron-build pipeline in the future
+// ===========================================================================
+// Note: for now we don't use this at the moment.
+// Run ./notarize-cli.js instead
+exports.default = async function notarizing (context) {
+ const { electronPlatformName, appOutDir } = context
+ if (electronPlatformName !== 'darwin') return
+ // skip notarization if secrets are not present in env
+ if (!process.env.APPLEID || !process.env.APPLEIDPASS) return
+
+ const appName = context.packager.appInfo.productFilename
+
+ return notarize({
+ appBundleId: 'io.ipfs.desktop',
+ appPath: `${appOutDir}/${appName}.app`,
+ appleId: process.env.APPLEID,
+ appleIdPassword: process.env.APPLEIDPASS
+ })
+}
diff --git a/pkgs/macos/notarize-cli.js b/pkgs/macos/notarize-cli.js
new file mode 100644
index 000000000..1093d37ae
--- /dev/null
+++ b/pkgs/macos/notarize-cli.js
@@ -0,0 +1,28 @@
+require('dotenv').config()
+const { notarize } = require('electron-notarize')
+
+// Manual online notarization (no stapling) via CLI
+// ================================================
+// Note: this assumes APPLEID and APPLEIDPASS to be
+// set as env variables or set in .env file
+//
+// Usage:
+// 1. Define APPLEID and APPLEIDPASS
+// 2. node ./notarize.js path/to/IPFS-Desktop.dmg
+;(async () => {
+ const artifactPath = process.argv[2]
+ if (!artifactPath) {
+ console.log('Missing artifact path: pass it as CLI argument')
+ process.exit(1)
+ }
+ if (!process.env.APPLEID || !process.env.APPLEIDPASS) {
+ console.log('Define APPLEID and APPLEIDPASS as env variables or in .env file')
+ process.exit(1)
+ }
+ await notarize({
+ appBundleId: 'io.ipfs.desktop',
+ appPath: artifactPath,
+ appleId: process.env.APPLEID,
+ appleIdPassword: process.env.APPLEIDPASS
+ })
+})()
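Review bot: The early `if (!process.env.APPLEID || !process.env.APPLEIDPASS) return` in `notarizing` skips notarization without any output, so a macOS release built on a machine or CI runner lacking the secrets is indistinguishable from a notarized one until Gatekeeper rejects it for a user. Emit a visible warning before returning, e.g. `console.warn('notarize-build: APPLEID/APPLEIDPASS not set, skipping notarization')`, or make skipping opt-in via an explicit env flag so an unintended unsigned release fails loudly instead. The header comment says this hook is not used, yet electron-builder.yml in the same commit sets it as `afterSign`; update the comment to say it runs on every build and is a no-op without credentials. A short JSDoc on `notarizing` naming the `context` fields it reads (`electronPlatformName`, `appOutDir`, `packager.appInfo.productFilename`) and stating that it returns the `notarize` promise, so a rejection fails the build, would also help.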
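Review bot: The async IIFE in notarize-cli.js ending at `})()` has no rejection handler, so when `notarize()` rejects (wrong credentials, Apple service error, unsigned artifact) Node only prints an unhandled-rejection warning and, on the Node line current for Electron 7, still exits with status 0 — a release step chained after this command cannot tell that notarization failed. Change the last line to `})().catch((err) => { console.error('Notarization failed:', err); process.exit(1) })`. The usage comment says `node ./notarize.js` but the file is `notarize-cli.js` (the README hunk uses `node pkgs/macos/notarize-cli.js`), and the two error paths log with `console.log` where `console.error` would keep them off stdout. The header could also spell out that, as its title says, this only submits the artifact and does not staple the ticket, so Gatekeeper on the user's machine still has to reach Apple to verify the `.dmg`.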