From 48a688a36e6e48e80a58c6a5a94c675809da994c Mon Sep 17 00:00:00 2001 From: Nathan22Miles Date: Mon, 26 Aug 2024 11:43:04 -0500 Subject: [PATCH] feat(sltt-app): sign and notarize macos application (#28) What issue(s) is this trying to resolve? * feat(sltt-app): Sign and notarize Mac application #9 How does it all work? * In order for a Mac application to be successfully installed, the app installer must be signed (with a certificate) and notarized (uploaded to Apple to be scanned for viruses, etc.). What particularly has changed? * Description of procedure [HERE](https://docs.google.com/document/d/1Qk-bz-uRPBThCXs2rRfNnr4QIxsC3yNlM_e7eMjGGHs/edit?usp=sharing) * Signing certificate created * .env file with notarization credentials created * package.json "build" object updated with Mac build config Steps for testing 1. yarn build:mac 2. Copy newly created .dmg file to another mac 3. Launch dmg file, drag application icon to Applications folder, launch application, smoke test. ticket: https://github.com/ubsicap/sltt-app/issues/9 commit-convention: https://www.conventionalcommits.org/en/v1.0.0/ --------- Co-authored-by: Eric Pyle --- .gitignore | 2 ++ README.md | 4 +++ build/entitlements.mac.plist | 2 ++ build/notarize.js | 48 ++++++++++++++++++------------------ electron-builder.yml | 4 +++ package.json | 14 +++++++++++ 6 files changed, 50 insertions(+), 24 deletions(-) diff --git a/.gitignore b/.gitignore index e7c3088..14c09ac 100644 --- a/.gitignore +++ b/.gitignore @@ -2,3 +2,5 @@ node_modules dist out *.log* +.env +.DS_Store diff --git a/README.md b/README.md index e1a126c..f31de6d 100644 --- a/README.md +++ b/README.md @@ -152,3 +152,7 @@ vite v4.3.3 building for production... [====================] 100% 0.0s | sltt-app-Setup-1.0.6.exe to github Done in 55.90s. ``` + +# Building Releases for Mac + +Discussion of process [HERE](https://docs.google.com/document/d/1Qk-bz-uRPBThCXs2rRfNnr4QIxsC3yNlM_e7eMjGGHs/edit?usp=sharing) \ No newline at end of file 
diff --git a/build/entitlements.mac.plist b/build/entitlements.mac.plist index 38c887b..843456d 100644 --- a/build/entitlements.mac.plist +++ b/build/entitlements.mac.plist @@ -8,5 +8,7 @@ com.apple.security.cs.allow-dyld-environment-variables + com.apple.security.device.camera + diff --git a/build/notarize.js b/build/notarize.js index ea7a5d4..0058817 100644 --- a/build/notarize.js +++ b/build/notarize.js 
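Review bot: The camera key is being added to an entitlements file that, per the context line just above it, also grants `com.apple.security.cs.allow-dyld-environment-variables`, and this commit makes that file the signing entitlements for a notarized, hardened-runtime release. That exception re-enables DYLD_* environment variables, which the hardened runtime otherwise ignores to guard against library injection. If nothing in the app depends on it, removing the key keeps that protection; if something does, a short XML comment saying what needs it would help. The hunk starts at line 8, so earlier keys are not visible here. Since electron-builder.yml declares `NSMicrophoneUsageDescription`, please also confirm that `com.apple.security.device.audio-input` is present, because under the hardened runtime microphone capture is denied without it.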
@@ -1,36 +1,36 @@ -const { notarize } = require('@electron/notarize') - -module.exports = async (context) => { - if (process.platform !== 'darwin') return +console.log('afterSign hook triggered') - console.log('aftersign hook triggered, start to notarize app.') +require('dotenv').config() - if (!process.env.CI) { - console.log(`skipping notarizing, not in CI.`) - return - } +const { notarize } = require('@electron/notarize') - if (!('APPLE_ID' in process.env && 'APPLE_ID_PASS' in process.env)) { - console.warn('skipping notarizing, APPLE_ID and APPLE_ID_PASS env variables must be set.') +exports.default = async function notarizing(context) { + const { electronPlatformName, appOutDir } = context + if (electronPlatformName !== 'darwin') { return } - const appId = 'net.sltt-bible.app' - - const { appOutDir } = context + console.log('notarizing...') const appName = context.packager.appInfo.productFilename - try { - await notarize({ - appBundleId: appId, - appPath: `${appOutDir}/${appName}.app`, - appleId: process.env.APPLE_ID, - appleIdPassword: process.env.APPLEIDPASS - }) - } catch (error) { - console.error(error) + // Get appleId and appleIdPassword from environment variables. + // These values are in the .env file. + // appleId: email address you use to login to App Store Connect + // appleIdPassword: app-specific password generated by appleid.apple.com + const { appleId, appleIdPassword, teamId } = process.env + + if (!appleId || !appleIdPassword || !teamId) { + console.error('Missing Apple ID or Apple ID password or Team ID') + return } - console.log(`done notarizing ${appId}.`) + return await notarize({ + appBundleId: 'net.sltt-bible.app', + appPath: `${appOutDir}/${appName}.app`, + appleId, + appleIdPassword, + tool: 'notarytool', + teamId, + }) } diff --git a/electron-builder.yml b/electron-builder.yml index 215f1d3..faee424 100644 --- a/electron-builder.yml +++ b/electron-builder.yml 
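Review bot: The missing-credentials branch in `notarizing()` logs and then returns normally, so the afterSign hook succeeds and the build carries on with a signed but un-notarized app. With the new `build:mac:release` script (`--publish always`) that artifact could be published. Failing closed is safer here: replace the `console.error(...)` and `return` with `throw new Error('Notarization skipped: appleId, appleIdPassword and teamId must be set')`. The file now calls `require('dotenv').config()`, but no `dotenv` dependency is added to package.json in this diff; confirm it is already listed in devDependencies. A one-line comment noting that `.env` holds an app-specific password and must never be committed would sit well next to the existing credential comments.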
@@ -20,7 +20,11 @@ nsis: uninstallDisplayName: ${productName} createDesktopShortcut: always mac: + category: "public.app-category.business" + entitlements: build/entitlements.mac.plist entitlementsInherit: build/entitlements.mac.plist + hardenedRuntime: true + gatekeeperAssess: false extendInfo: - NSCameraUsageDescription: Application requests access to the device's camera. - NSMicrophoneUsageDescription: Application requests access to the device's microphone. diff --git a/package.json b/package.json index 089bef1..0901a9c 100644 --- a/package.json +++ b/package.json @@ -30,12 +30,26 @@ "build:win:prerelease": "npm run build && electron-builder --win --config --publish onTagOrDraft --prerelease", "build:win:draft": "npm run build && electron-builder --win --config --publish onTagOrDraft", "build:win:release": "npm run build && cross-env GH_TOKEN=%SLTT_APP_PAT% electron-builder --win --config --publish always", + "build:mac:norelease": "electron-vite build && electron-builder --mac --config --publish never", "build:mac": "electron-vite build && electron-builder --mac --config", + "build:mac:release": "electron-vite build && electron-builder --mac --config --publish always", "build:linux": "electron-vite build && electron-builder --linux --config" }, "build": { "appId": "net.sltt-bible.app", "productName": "sltt-app", + "forceCodeSigning": true, + "afterSign": "build/notarize.js", + "mac": { + "target": [ + { + "target": "dmg", + "arch": [ + "x64" + ] + } + ] + }, "directories": { "output": "dist" },
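Review bot: `entitlements` and `entitlementsInherit` now point at the same `build/entitlements.mac.plist`, so every nested helper and framework is signed with the main app's full set, including the newly added camera key. If the helpers do not need device access, a separate, narrower inherit plist would keep to least privilege; this should be tested, because helpers usually still need the JIT-related keys. `gatekeeperAssess: false` would also benefit from a comment such as `# skip the sign-time assessment; notarization runs later in the afterSign hook`, so it is not read as turning off a Gatekeeper protection.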
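Review bot: The mac signing configuration is now split across two places: `forceCodeSigning`, `afterSign` and `mac.target` go under the package.json `build` key, while `hardenedRuntime`, `entitlements` and `gatekeeperAssess` go into electron-builder.yml in the same commit. electron-builder normally takes its configuration from a single source, so please confirm from a build log that both sets of options are applied, or consolidate them in one file. If the YAML were ignored, the entitlements would not be applied as intended; if the package.json block were ignored, the notarize hook would never run. `forceCodeSigning: true` sits at the top level of `build`, so it also applies to the `build:win:*` and `build:linux` scripts. That fails closed, which is good, but those builds will now stop unless a certificate is configured for them.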