Merge branch 'signing'

Thomsch · Oct 22, 2024 · 327e976 · 327e976
2 parents 1b4318e + 3f8ce3d
commit 327e976
Show file tree

Hide file tree

Showing 6 changed files with 67 additions and 3 deletions.
diff --git a/.gitignore b/.gitignore
@@ -1,3 +1,4 @@
+.env
 dist/
 target/
 
@@ -94,3 +95,5 @@ typings/
 .dynamodb/
 
 # End of https://www.gitignore.io/api/node
+
+.DS_Store
diff --git a/README.md b/README.md
@@ -23,11 +23,18 @@ Pause is available for Windows, MacOS and Linux.
 
 ### Releasing
 - Create a new release draft on GitHub. You can use any name.
-- Add tag 'vX.Y.Z', matching the `version` in package.json (but with a 'v' appended).
+  - Add tag 'vX.Y.Z', matching the `version` in package.json (but with a 'v' appended).
 - Run `GH_TOKEN=<Personal Access Token> yarn deploy`
+- Test signing conformance
+  - `spctl -a -t exec -vv dist/mac-universal/pause.app/Contents/MacOS/pause`
+  - `codesign --verify --deep --strict --verbose=2 dist/mac-universal/pause.app/Contents/MacOS/pause`
+  - Send the DMG to yourself from website, messages, or air drop. This will trigger the GateKeeper check during installation or first opening.
 
 ## Licensing
 
 This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation version 3.
 
 See [LICENSE](LICENSE) for details.
+
+## Acknowledgements
+Thank you [Kilian Valkhof](https://kilianvalkhof.com/2019/electron/notarizing-your-electron-application/) for the resources on code signing and notarizing Electron apps.
diff --git a/build/entitlements.mac.plist b/build/entitlements.mac.plist
@@ -0,0 +1,10 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+  <dict>
+    <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
+    <true/>
+    <key>com.apple.security.cs.allow-jit</key>
+    <true/>
+  </dict>
+</plist>
diff --git a/package.json b/package.json
@@ -1,7 +1,8 @@
 {
   "name": "pause",
-  "version": "0.9.2",
+  "version": "0.9.3",
   "description": "Healthy productivity companion",
+  "bundleId": "org.thomsch.pause",
   "author": {
     "name": "Thomsch",
     "email": "thms.sch@gmail.com",
@@ -31,11 +32,21 @@
     "tiny-timer": "^1.5.0"
   },
   "devDependencies": {
+    "dotenv": "^16.4.5",
     "electron": "^27.1.0",
-    "electron-builder": "^24.6.4"
+    "electron-builder": "^24.6.4",
+    "electron-notarize": "^1.2.2"
   },
   "build": {
+    "afterSign": "scripts/notarize.js",
+    "dmg": {
+      "sign": false
+    },
     "mac": {
+      "hardenedRuntime": true,
+      "entitlements": "build/entitlements.mac.plist",
+      "entitlementsInherit": "build/entitlements.mac.plist",
+      "gatekeeperAssess": false,
       "mergeASARs": false,
       "target": {
         "target": "default",

diff --git a/scripts/notarize.js b/scripts/notarize.js
@@ -0,0 +1,20 @@
+require('dotenv').config();
+const { notarize } = require('electron-notarize');
+
+exports.default = async function notarizing(context) {
+  const { electronPlatformName, appOutDir } = context;  
+  if (electronPlatformName !== 'darwin') {
+    return;
+  }
+
+  const appName = context.packager.appInfo.productFilename;
+
+  return await notarize({
+    tool: 'notarytool',
+    teamId: process.env.APPLETEAMID,
+    appBundleId: 'org.thomsch.pause',
+    appPath: `${appOutDir}/${appName}.app`,
+    appleId: process.env.APPLEID,
+    appleIdPassword: process.env.APPLEIDPASS,
+  });
+};
diff --git a/yarn.lock b/yarn.lock
@@ -867,6 +867,11 @@ dotenv-expand@^5.1.0:
   resolved "https://registry.yarnpkg.com/dotenv-expand/-/dotenv-expand-5.1.0.tgz#3fbaf020bfd794884072ea26b1e9791d45a629f0"
   integrity sha512-YXQl1DSa4/PQyRfgrv6aoNjhasp/p4qs9FjJ4q4cQk+8m4r6k4ZSiEyytKG8f8W9gi8WsQtIObNmKd+tMzNTmA==
 
+dotenv@^16.4.5:
+  version "16.4.5"
+  resolved "https://registry.yarnpkg.com/dotenv/-/dotenv-16.4.5.tgz#cdd3b3b604cb327e286b4762e13502f717cb099f"
+  integrity sha512-ZmdL2rui+eB2YwhsWzjInR8LldtZHGDoQ1ugH85ppHKwpUHL7j7rN0Ti9NCnGiQbhaZ11FpR+7ao1dNsmduNUg==
+
 dotenv@^9.0.2:
   version "9.0.2"
   resolved "https://registry.yarnpkg.com/dotenv/-/dotenv-9.0.2.tgz#dacc20160935a37dea6364aa1bef819fb9b6ab05"
@@ -909,6 +914,14 @@ electron-log@^5.0.0:
   resolved "https://registry.yarnpkg.com/electron-log/-/electron-log-5.0.1.tgz#2e4e9cca0eef853ef539d3af4d8b5d006d2e577a"
   integrity sha512-x4wnwHg00h/onWQgjmvcdLV7Mrd9TZjxNs8LmXVpqvANDf4FsSs5wLlzOykWLcaFzR3+5hdVEQ8ctmrUxgHlPA==
 
+electron-notarize@^1.2.2:
+  version "1.2.2"
+  resolved "https://registry.yarnpkg.com/electron-notarize/-/electron-notarize-1.2.2.tgz#ebf2b258e8e08c1c9f8ff61dc53d5b16b439daf4"
+  integrity sha512-ZStVWYcWI7g87/PgjPJSIIhwQXOaw4/XeXU+pWqMMktSLHaGMLHdyPPN7Cmao7+Cr7fYufA16npdtMndYciHNw==
+  dependencies:
+    debug "^4.1.1"
+    fs-extra "^9.0.1"
+
 electron-publish@24.5.0:
   version "24.5.0"
   resolved "https://registry.yarnpkg.com/electron-publish/-/electron-publish-24.5.0.tgz#492a4d7caa232e88ee3c18f5c3b4dc637e5e1b3a"