From 69d4481b5d1b4723bac3ed241f3a4f0b780df831 Mon Sep 17 00:00:00 2001
From: Marcin Rataj
Date: Thu, 27 Feb 2020 19:10:31 +0100
Subject: [PATCH] wip: macOS notarizing

This runs electron-notarize as additional step on darvin runtime, loosly following https://kilianvalkhof.com/2019/electron/notarizing-your-electron-application/

This is work in progress (I have no Mac, so we need to use CI)

Context: https://github.com/ipfs-shipyard/ipfs-desktop/issues/1211

License: MIT
Signed-off-by: Marcin Rataj
---
 .gitignore | 1 +
 electron-builder.yml | 6 ++++++
 package-lock.json | 12 +++++++++++-
 package.json | 2 ++
 pkgs/macos/entitlements.mac.plist | 8 ++++++++
 pkgs/macos/notarize.js | 20 ++++++++++++++++++++
 6 files changed, 48 insertions(+), 1 deletion(-)
 create mode 100644 pkgs/macos/entitlements.mac.plist
 create mode 100644 pkgs/macos/notarize.js

diff --git a/.gitignore b/.gitignore
index 6030f87f4..33c342e5e 100644
--- a/.gitignore
+++ b/.gitignore
@@ -2,6 +2,7 @@ node_modules
 out
 dist
 .cache
+.env
 config.gypi
 assets/webui
 *.nupkg
diff --git a/electron-builder.yml b/electron-builder.yml
index c7368086e..2e96d3154 100644
--- a/electron-builder.yml
+++ b/electron-builder.yml
@@ -6,9 +6,15 @@ directories:
 asarUnpack: 'out/**/scripts/**/*'
+afterSign: './pkgs/macos/notarize.js'
+
 mac:
 category: public.app-category.utilities
 darkModeSupport: true
+ hardenedRuntime: true
+ gatekeeperAssess: false
+ entitlements: './pkgs/macos/entitlements.mac.plist'
+ entitlementsInherit: './pkgs/macos/entitlements.mac.plist'
 dmg:
 iconSize: 160
diff --git a/package-lock.json b/package-lock.json
index 020317081..83297dac1 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -1,6 +1,6 @@
 {
 "name": "ipfs-desktop",
- "version": "0.10.2",
+ "version": "0.10.3",
 "lockfileVersion": 1,
 "requires": true,
 "dependencies": {
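Review bot: The new `mac:` keys `hardenedRuntime: true`, `gatekeeperAssess: false` and the two entitlements paths in the electron-builder.yml hunk carry no comment, and `gatekeeperAssess: false` in particular switches off electron-builder's local spctl assessment of the signed bundle, which a later reader may mistake for a leftover debugging setting. A YAML comment above it would fix that, e.g. `# spctl assessment is skipped: presumably it cannot pass before the afterSign notarize hook has run — confirm`. The same comment should say that `entitlementsInherit` points at the same plist, so whatever that file grants is also inherited by the helper bundles, which is why the entitlement list should stay minimal.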
@@ -4563,6 +4563,16 @@
 }
 }
 },
+ "electron-notarize": {
+ "version": "0.2.1",
+ "resolved": "https://registry.npmjs.org/electron-notarize/-/electron-notarize-0.2.1.tgz",
+ "integrity": "sha512-oZ6/NhKeXmEKNROiFmRNfytqu3cxqC95sjooG7kBXQVEUSQkZnbiAhxVh5jXngL881G197pbwpeVPJyM7Ikmxw==",
+ "dev": true,
+ "requires": {
+ "debug": "^4.1.1",
+ "fs-extra": "^8.1.0"
+ }
+ },
 "electron-publish": {
 "version": "22.3.2",
 "resolved": "https://registry.npmjs.org/electron-publish/-/electron-publish-22.3.2.tgz",
diff --git a/package.json b/package.json
index 83c5e4dbb..4590ea14f 100644
--- a/package.json
+++ b/package.json
@@ -58,8 +58,10 @@
 "cross-env": "^6.0.3",
 "delay": "^4.3.0",
 "dirty-chai": "^2.0.1",
+ "dotenv": "^8.2.0",
 "electron": "^7.1.11",
 "electron-builder": "^22.3.2",
+ "electron-notarize": "^0.2.1",
 "mocha": "^6.2.2",
 "npm-run-all": "^4.1.5",
 "pre-commit": "^1.2.2",
diff --git a/pkgs/macos/entitlements.mac.plist b/pkgs/macos/entitlements.mac.plist
new file mode 100644
index 000000000..d6b93bc0b
--- /dev/null
+++ b/pkgs/macos/entitlements.mac.plist
@@ -0,0 +1,8 @@
+ + + + com.apple.security.cs.allow-unsigned-executable-memory + + +
diff --git a/pkgs/macos/notarize.js b/pkgs/macos/notarize.js
new file mode 100644
index 000000000..68618eae8
--- /dev/null
+++ b/pkgs/macos/notarize.js
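Review bot: The one entitlement visible in the entitlements.mac.plist hunk, `com.apple.security.cs.allow-unsigned-executable-memory`, relaxes a hardened-runtime protection (the process may create executable memory that is not code-signed) and is granted with no comment saying why; because electron-builder.yml in this same commit uses the file as `entitlementsInherit`, the helper processes get it too. Add an XML comment above the key, e.g. `<!-- needed by Electron's V8 JIT under hardened runtime (confirm); keep this list minimal and re-check on Electron upgrades -->`. The rendered hunk shows only seven `+` lines against the eight the `@@ -0,0 +1,8 @@` header declares and the XML tags are missing, so the plist header and dict wrapper could not be reviewed here.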
@@ -0,0 +1,20 @@
+require('dotenv').config()
+const { notarize } = require('electron-notarize')
+
+exports.default = async function notarizing (context) {
+ const { electronPlatformName, appOutDir } = context
+ if (electronPlatformName !== 'darwin') return
+ // TODO: ensure we notarize only master and release tags
+
+ const appName = context.packager.appInfo.productFilename
+
+ return notarize({
+ appBundleId: 'io.ipfs.desktop',
+ appPath: `${appOutDir}/${appName}.app`,
+ // TODO: figure out how to get credentials ( https://github.com/electron/electron-notarize#method-notarizeopts-promisevoid)
+ // Q: use user & pass (below) or appleApiKey & appleApiIssuer?
+ appleId: process.env.APPLEID, // TODO: set this on CI?
+ appleIdPassword: process.env.APPLEIDPASS // TODO: set this on CI? it needs to be app-specific, generated on https://appleid.apple.com/
+
+ })
+}
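Review bot: `appleId: process.env.APPLEID` and `appleIdPassword: process.env.APPLEIDPASS` are handed to `notarize()` without checking that either is set, so a build where the `.env` file or the CI secrets are absent fails deep inside electron-notarize with an opaque error instead of at the hook. Add a guard right after the darwin check: `if (!process.env.APPLEID || !process.env.APPLEIDPASS) throw new Error('APPLEID and APPLEIDPASS must be set to notarize the macOS build')` — or log and `return` once the master/release-tag gating from the TODO exists, so that non-release builds skip notarization explicitly rather than by accident. `appPath` is built by string interpolation; `path.join(appOutDir, appName + '.app')` would be the conventional form. Since `require('dotenv').config()` means the app-specific password can live in a local `.env`, a one-line comment there pointing out that `.env` is git-ignored by this same commit (and must stay so) would help the next reader.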