From 36c834ea269178fc993f55693744a814bcc8c1de Mon Sep 17 00:00:00 2001
From: Scott Nonnenberg
Date: Tue, 23 Jan 2024 17:31:49 -0800
Subject: [PATCH] macOS: Prepare for code-signing outside of electron-builder
---
 .github/workflows/ci.yml | 2 +
 patches/.prettierignore | 1 +
 patches/app-builder-lib+24.6.3.patch | 67 ++++++++++++++++++++++++++++
 ts/scripts/sign-macos.ts | 28 ++++++++++++
 4 files changed, 98 insertions(+)
 create mode 100644 patches/.prettierignore
 create mode 100644 ts/scripts/sign-macos.ts
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 294e34fa1..231ecda78 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -95,9 +95,11 @@ jobs:
 env:
 ARTIFACTS_DIR: artifacts/macos
 timeout-minutes: 5
+ - run: touch noop.sh && chmod +x noop.sh
 - run: yarn build
 env:
 DISABLE_INSPECT_FUSE: on
+ SIGN_MACOS_SCRIPT: noop.sh
 - name: Rebuild native modules for x64
 run: yarn electron:install-app-deps
 - run: yarn test-release
diff --git a/patches/.prettierignore b/patches/.prettierignore
new file mode 100644
index 000000000..1d085cacc
--- /dev/null
+++ b/patches/.prettierignore
@@ -0,0 +1 @@
+**
diff --git a/patches/app-builder-lib+24.6.3.patch b/patches/app-builder-lib+24.6.3.patch
index abd314286..4bcd900ca 100644
--- a/patches/app-builder-lib+24.6.3.patch
+++ b/patches/app-builder-lib+24.6.3.patch
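Review bot: `SIGN_MACOS_SCRIPT: noop.sh` is a relative path, so whether the stub is found depends on the working directory electron-builder invokes the sign hook from; the preceding step creates it in the job's workspace root, and spelling it as `SIGN_MACOS_SCRIPT: ${{ github.workspace }}/noop.sh` removes that dependency. The empty stub also means the CI artifact goes through the custom-sign path without being signed, which is presumably intended for the test-release job but deserves a one-line comment on the `touch` step, e.g. `# stub signer: CI artifacts are built unsigned`.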
@@ -1,3 +1,48 @@ +diff --git a/node_modules/app-builder-lib/out/macPackager.js b/node_modules/app-builder-lib/out/macPackager.js +index 9df12c4..fd48a4f 100644 +--- a/node_modules/app-builder-lib/out/macPackager.js ++++ b/node_modules/app-builder-lib/out/macPackager.js +@@ -194,7 +194,8 @@ class MacPackager extends platformPackager_1.PlatformPackager { + builder_util_1.log.warn("Mac Developer is used to sign app — it is only for development and testing, not for production"); + } + } +- if (identity == null) { ++ const customSign = await (0, platformPackager_1.resolveFunction)(options.sign, "sign"); ++ if (!customSign && identity == null) { + await (0, macCodeSign_1.reportError)(isMas, certificateTypes, qualifier, keychainFile, this.forceCodeSigning); + return false; + } +@@ -261,11 +262,11 @@ class MacPackager extends platformPackager_1.PlatformPackager { + }; + builder_util_1.log.info({ + file: builder_util_1.log.filePath(appPath), +- identityName: identity.name, +- identityHash: identity.hash, ++ identityName: identity ? identity.name : undefined, ++ identityHash: identity ? identity.hash : undefined, + provisioningProfile: signOptions.provisioningProfile || "none", + }, "signing"); +- await this.doSign(signOptions); ++ await this.doSign(signOptions, masOptions); + // https://github.com/electron-userland/electron-builder/issues/1196#issuecomment-312310209 + if (masOptions != null && !isDevelopment) { + const certType = isDevelopment ? "Mac Developer" : "3rd Party Mac Developer Installer"; +@@ -332,7 +333,14 @@ class MacPackager extends platformPackager_1.PlatformPackager { + return optionsForFile; + } + //noinspection JSMethodCanBeStatic +- doSign(opts) { ++ doSign(opts, masOptions) { ++ const options = masOptions == null ? 
this.platformSpecificBuildOptions : masOptions; ++ ++ const customSign = (0, platformPackager_1.resolveFunction)(options.sign, "sign"); ++ if (customSign) { ++ return Promise.resolve(customSign(opts)); ++ } ++ + return (0, osx_sign_1.signAsync)(opts); + } + //noinspection JSMethodCanBeStatic diff --git a/node_modules/app-builder-lib/out/targets/LinuxTargetHelper.js b/node_modules/app-builder-lib/out/targets/LinuxTargetHelper.js index fcb7f54..3f27bf3 100644 --- a/node_modules/app-builder-lib/out/targets/LinuxTargetHelper.js @@ -11,6 +56,28 @@ index fcb7f54..3f27bf3 100644 } } const desktopMeta = { +diff --git a/node_modules/app-builder-lib/scheme.json b/node_modules/app-builder-lib/scheme.json +index 1d45055..0d0cb9c 100644 +--- a/node_modules/app-builder-lib/scheme.json ++++ b/node_modules/app-builder-lib/scheme.json +@@ -2784,6 +2784,17 @@ + "string" + ] + }, ++ "sign": { ++ "anyOf": [ ++ { ++ "type": [ ++ "null", ++ "string" ++ ] ++ } ++ ], ++ "description": "The custom function (or path to file or module id) to sign macOS files." ++ }, + "signIgnore": { + "anyOf": [ + { diff --git a/node_modules/app-builder-lib/templates/linux/after-install.tpl b/node_modules/app-builder-lib/templates/linux/after-install.tpl index 0f541f9..d1e77a0 100644 --- a/node_modules/app-builder-lib/templates/linux/after-install.tpl diff --git a/ts/scripts/sign-macos.ts b/ts/scripts/sign-macos.ts new file mode 100644 index 000000000..7e3a2c988 --- /dev/null +++ b/ts/scripts/sign-macos.ts 
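Review bot: In the new `doSign` body, `resolveFunction(options.sign, "sign")` is called without `await`, while the earlier hunk in the same patched file awaits the identical call; if `resolveFunction` returns a promise in this app-builder-lib version, `customSign` would always be truthy and `customSign(opts)` would fail at runtime. Making the two call sites agree, `async doSign(opts, masOptions) {` and `const customSign = await (0, platformPackager_1.resolveFunction)(options.sign, "sign");`, removes the ambiguity either way, and `doSign` already returns a promise from both branches so the `async` is compatible. I cannot see the definition of `resolveFunction` from here, so this is a consistency point rather than a confirmed bug.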
@@ -0,0 +1,28 @@
+// Copyright 2019 Signal Messenger, LLC
+// SPDX-License-Identifier: AGPL-3.0-only
+
+import { execSync } from 'child_process';
+
+import { realpath } from 'fs-extra';
+
+// eslint-disable-next-line max-len
+// eslint-disable-next-line @typescript-eslint/explicit-module-boundary-types, @typescript-eslint/no-explicit-any
+export async function sign(configuration: any): Promise {
+ const scriptPath = process.env.SIGN_MACOS_SCRIPT;
+ if (!scriptPath) {
+ throw new Error(
+ 'path to macos sign script must be provided in environment variable SIGN_MACOS_SCRIPT'
+ );
+ }
+
+ const target = await realpath(configuration.app);
+
+ // The script will update the file in-place
+ const returnCode = execSync(`bash "${scriptPath}" "${target}"`, {
+ stdio: [null, process.stdout, process.stderr],
+ });
+
+ if (returnCode) {
+ throw new Error(`sign-macos: Script returned code ${returnCode}`);
+ }
+}
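Review bot: `returnCode` in the new `sign` function never holds an exit status: `execSync` returns the child's captured stdout (nothing here, since fd 1 is handed to `process.stdout`) and throws on a non-zero exit, so the `if (returnCode)` check is dead and a failing script surfaces as Node's generic error rather than the intended `sign-macos:` message. Building the command as a string also routes `scriptPath` and `target` through a shell, so a path containing a quote or `$` would break the invocation; `execFileSync('bash', [scriptPath, target], …)` passes both as plain arguments and avoids that, with the import changing from `execSync` to `execFileSync` accordingly. Catching the thrown error and re-reporting its `status` restores the message the original check was reaching for. Separately, `configuration: any` could be narrowed to `{ app: string }`, the only field the function reads, which would let the eslint-disable go.
```typescript
  // … unchanged: SIGN_MACOS_SCRIPT lookup and realpath(configuration.app) …

  // The script updates the bundle in place; execFileSync throws on a non-zero exit.
  try {
    execFileSync('bash', [scriptPath, target], {
      stdio: [null, process.stdout, process.stderr],
    });
  } catch (error: unknown) {
    // spawnSync errors carry the child's exit status; anything else is re-raised as-is
    if (!(error instanceof Error && 'status' in error)) {
      throw error;
    }
    const { status } = error as Error & { status: number | null };
    throw new Error(`sign-macos: Script returned code ${status ?? 'unknown'}`);
  }
```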