Notarize app with Apple (#390)

manosim · web-flow · commit 8d4442fdd015 · 2020-03-28T11:52:30.000Z
* Notarize app on the release workflow

* Remove pack step
diff --git a/.github/workflows/build-app.yml b/.github/workflows/build-app.yml
@@ -26,9 +26,6 @@ jobs:
       - name: Build
         run: yarn build
 
-      - name: Pack (electron-builder)
-        run: yarn pack
-
       - name: Make macOS (electron-builder)
         env:
           CSC_LINK: ${{ secrets.mac_certs }}
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -32,12 +32,12 @@ jobs:
           OAUTH_CLIENT_SECRET: ${{ secrets.oauth_client_secret }}
         run: yarn build
 
-      - name: Pack (electron-builder)
-        run: yarn pack
-
       - name: Publish macOS (electron-builder)
         env:
+          APPLEID_USERNAME: ${{ secrets.appleid_username }}
+          APPLEID_PASSWORD: ${{ secrets.appleid_password }}
           CSC_LINK: ${{ secrets.mac_certs }}
           CSC_KEY_PASSWORD: ${{ secrets.mac_certs_password }}
           GH_TOKEN: ${{ secrets.gh_token }}
+          NOTARIZE: true
         run: yarn electron-builder --publish onTagOrDraft
diff --git a/entitlements/entitlements.mac.plist b/entitlements/entitlements.mac.plist
@@ -0,0 +1,8 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+  <dict>
+    <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
+    <true/>
+  </dict>
+</plist>
diff --git a/package.json b/package.json
@@ -6,7 +6,6 @@
   "scripts": {
     "build": "webpack --config webpack.prod.js",
     "watch": "webpack --config webpack.common.js --watch",
-    "pack": "electron-builder --dir",
     "make:macos": "electron-builder --mac",
     "prettier-check": "prettier --check 'src/**/*.{js,ts,tsx}'",
     "prettier": "prettier --single-quote --trailing-comma es5 --write 'src/**/*.{js,ts,tsx}'",
@@ -74,13 +73,19 @@
       "category": "public.app-category.developer-tools",
       "icon": "assets/images/app-icon.icns",
       "identity": "Emmanouil Konstantinidis (3YP8SXP3BF)",
+      "hardenedRuntime": true,
+      "gatekeeperAssess": false,
+      "entitlements": "./entitlements/entitlements.mac.plist",
+      "entitlementsInherit": "./entitlements/entitlements.mac.plist",
       "publish": [
         "github"
       ]
     },
     "dmg": {
-      "icon": "assets/images/app-icon.icns"
-    }
+      "icon": "assets/images/app-icon.icns",
+      "sign": false
+    },
+    "afterSign": "scripts/notarize.js"
   },
   "dependencies": {
     "@primer/octicons-react": "^9.6.0",
@@ -121,6 +126,7 @@
     "@types/styled-components": "^5.0.1",
     "electron": "^8.2.0",
     "electron-builder": "^22.4.1",
+    "electron-notarize": "^0.2.1",
     "jest": "^25.2.3",
     "nock": "^12.0.3",
     "prettier": "=2.0.2",
diff --git a/scripts/notarize.js b/scripts/notarize.js
@@ -0,0 +1,25 @@
+const { notarize } = require('electron-notarize');
+
+const packageJson = require('../package.json');
+const appBundleId = packageJson.build.appId;
+
+const notarizeApp = async (context) => {
+  const { electronPlatformName, appOutDir } = context;
+  const appName = context.packager.appInfo.productFilename;
+  const isMacOS = electronPlatformName === 'darwin';
+  const shouldNotarize = process.env.NOTARIZE === 'true';
+
+  if (!shouldNotarize || !isMacOS) {
+    console.log('Either should not notarize or not building for macOS.');
+    return;
+  }
+
+  return await notarize({
+    appBundleId,
+    appPath: `${appOutDir}/${appName}.app`,
+    appleId: process.env.APPLEID_USERNAME,
+    appleIdPassword: process.env.APPLEID_PASSWORD,
+  });
+};
+
+exports.default = notarizeApp;
diff --git a/yarn.lock b/yarn.lock
@@ -2366,6 +2366,14 @@ electron-builder@^22.4.1:
     update-notifier "^4.1.0"
     yargs "^15.1.0"
 
+electron-notarize@^0.2.1:
+  version "0.2.1"
+  resolved "https://registry.yarnpkg.com/electron-notarize/-/electron-notarize-0.2.1.tgz#759e8006decae19134f82996ed910db26d9192cc"
+  integrity sha512-oZ6/NhKeXmEKNROiFmRNfytqu3cxqC95sjooG7kBXQVEUSQkZnbiAhxVh5jXngL881G197pbwpeVPJyM7Ikmxw==
+  dependencies:
+    debug "^4.1.1"
+    fs-extra "^8.1.0"
+
 electron-positioner@^4.1.0:
   version "4.1.0"
   resolved "https://registry.yarnpkg.com/electron-positioner/-/electron-positioner-4.1.0.tgz#e158f8f6aabd6725a8a9b4f2279b9504bcbea1b0"
