macOS: Prepare for code-signing outside of electron-builder

2024-01-23 17:31:49 -08:00 · 2024-01-23 17:31:49 -08:00 · 36c834ea26
commit 36c834ea26
parent 2bc0e4755c
4 changed files with 98 additions and 0 deletions
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@ -95,9 +95,11 @@ jobs:
      env:
        ARTIFACTS_DIR: artifacts/macos
      timeout-minutes: 5
+    - run: touch noop.sh && chmod +x noop.sh
    - run: yarn build
      env:
        DISABLE_INSPECT_FUSE: on
+        SIGN_MACOS_SCRIPT: noop.sh
    - name: Rebuild native modules for x64
      run: yarn electron:install-app-deps
    - run: yarn test-release
--- a/patches/.prettierignore
+++ b/patches/.prettierignore
@ -0,0 +1 @@
+**
--- a/patches/app-builder-lib+24.6.3.patch
+++ b/patches/app-builder-lib+24.6.3.patch
@ -1,3 +1,48 @@
+diff --git a/node_modules/app-builder-lib/out/macPackager.js b/node_modules/app-builder-lib/out/macPackager.js
+index 9df12c4..fd48a4f 100644
+--- a/node_modules/app-builder-lib/out/macPackager.js
+++ b/node_modules/app-builder-lib/out/macPackager.js
+@@ -194,7 +194,8 @@ class MacPackager extends platformPackager_1.PlatformPackager {
+                     builder_util_1.log.warn("Mac Developer is used to sign app — it is only for development and testing, not for production");
+                 }
+             }
+-            if (identity == null) {
+            const customSign = await (0, platformPackager_1.resolveFunction)(options.sign, "sign");
+            if (!customSign && identity == null) {
+                 await (0, macCodeSign_1.reportError)(isMas, certificateTypes, qualifier, keychainFile, this.forceCodeSigning);
+                 return false;
+             }
+@@ -261,11 +262,11 @@ class MacPackager extends platformPackager_1.PlatformPackager {
+         };
+         builder_util_1.log.info({
+             file: builder_util_1.log.filePath(appPath),
+-            identityName: identity.name,
+-            identityHash: identity.hash,
+            identityName: identity ? identity.name : undefined,
+            identityHash: identity ? identity.hash : undefined,
+             provisioningProfile: signOptions.provisioningProfile || "none",
+         }, "signing");
+-        await this.doSign(signOptions);
+        await this.doSign(signOptions, masOptions);
+         // https://github.com/electron-userland/electron-builder/issues/1196#issuecomment-312310209
+         if (masOptions != null && !isDevelopment) {
+             const certType = isDevelopment ? "Mac Developer" : "3rd Party Mac Developer Installer";
+@@ -332,7 +333,14 @@ class MacPackager extends platformPackager_1.PlatformPackager {
+         return optionsForFile;
+     }
+     //noinspection JSMethodCanBeStatic
+-    doSign(opts) {
+    doSign(opts, masOptions) {
+        const options = masOptions == null ? this.platformSpecificBuildOptions : masOptions;
+
+        const customSign = (0, platformPackager_1.resolveFunction)(options.sign, "sign");
+        if (customSign) {
+            return Promise.resolve(customSign(opts));
+        }
+
+         return (0, osx_sign_1.signAsync)(opts);
+     }
+     //noinspection JSMethodCanBeStatic
 diff --git a/node_modules/app-builder-lib/out/targets/LinuxTargetHelper.js b/node_modules/app-builder-lib/out/targets/LinuxTargetHelper.js
 index fcb7f54..3f27bf3 100644
 --- a/node_modules/app-builder-lib/out/targets/LinuxTargetHelper.js
@ -11,6 +56,28 @@ index fcb7f54..3f27bf3 100644
             }
         }
         const desktopMeta = {
+diff --git a/node_modules/app-builder-lib/scheme.json b/node_modules/app-builder-lib/scheme.json
+index 1d45055..0d0cb9c 100644
+--- a/node_modules/app-builder-lib/scheme.json
+++ b/node_modules/app-builder-lib/scheme.json
+@@ -2784,6 +2784,17 @@
+             "string"
+           ]
+         },
+        "sign": {
+          "anyOf": [
+            {
+              "type": [
+                "null",
+                "string"
+              ]
+            }
+          ],
+          "description": "The custom function (or path to file or module id) to sign macOS files."
+        },
+         "signIgnore": {
+           "anyOf": [
+             {
 diff --git a/node_modules/app-builder-lib/templates/linux/after-install.tpl b/node_modules/app-builder-lib/templates/linux/after-install.tpl
 index 0f541f9..d1e77a0 100644
 --- a/node_modules/app-builder-lib/templates/linux/after-install.tpl
--- a/ts/scripts/sign-macos.ts
+++ b/ts/scripts/sign-macos.ts
@ -0,0 +1,28 @@
+// Copyright 2019 Signal Messenger, LLC
+// SPDX-License-Identifier: AGPL-3.0-only
+
+import { execSync } from 'child_process';
+
+import { realpath } from 'fs-extra';
+
+// eslint-disable-next-line max-len
+// eslint-disable-next-line @typescript-eslint/explicit-module-boundary-types, @typescript-eslint/no-explicit-any
+export async function sign(configuration: any): Promise<void> {
+  const scriptPath = process.env.SIGN_MACOS_SCRIPT;
+  if (!scriptPath) {
+    throw new Error(
+      'path to macos sign script must be provided in environment variable SIGN_MACOS_SCRIPT'
+    );
+  }
+
+  const target = await realpath(configuration.app);
+
+  // The script will update the file in-place
+  const returnCode = execSync(`bash "${scriptPath}" "${target}"`, {
+    stdio: [null, process.stdout, process.stderr],
+  });
+
+  if (returnCode) {
+    throw new Error(`sign-macos: Script returned code ${returnCode}`);
+  }
+}