Merge branch 'release/1.9.1' into develop

 - Support for notarizing macOS builds

.circleci/config.yml

@@ -41,6 +41,8 @@ jobs:
             openssl aes-256-cbc -md md5 -d -in ./resources/secrets/config.json.enc -out ./config.json -k ${SECRETS_ENCRYPTION_KEY}
       - *npm_restore_cache
       - run: npm ci
+      - run: patch -p1 < ./resources/macos/macPackager-patch.diff
+      - run: patch -p1 < ./resources/macos/scheme-patch.diff
       - run: make build
       - run: make test
       - persist_to_workspace:
@@ -58,6 +60,8 @@ jobs:
       - *npm_restore_cache
       - *install_linux_deps
       - run: npm ci
+      - run: patch -p1 < ./resources/macos/macPackager-patch.diff
+      - run: patch -p1 < ./resources/macos/scheme-patch.diff
       - *npm_save_cache
       - run: make package-linux SKIP_BUILD=true
       - run:
@@ -73,7 +77,7 @@ jobs:
 
   mac:
     macos:
-      xcode: '9.4.1'
+      xcode: '10.0.0'
     shell: /bin/bash --login
     working_directory: /Users/distiller/simplenote
     steps:
@@ -82,6 +86,8 @@ jobs:
           at: /Users/distiller/simplenote
       - *npm_restore_cache
       - run: npm ci
+      - run: patch -p1 < ./resources/macos/macPackager-patch.diff
+      - run: patch -p1 < ./resources/macos/scheme-patch.diff
       - *npm_save_cache
       - run:
           name: Build Mac

RELEASE-NOTES.txt

@@ -11,6 +11,11 @@
 ### Fixes
 
  - Rework WordPress.com signin to prevent infinite looping and login failures [#1627](https://github.com/Automattic/simplenote-electron/pull/1627)
+
+## [v1.9.1]
+
+### Fixes
+
  - Prevent ulimited duplication of changes after signing out and signing in [#1664](https://github.com/Automattic/simplenote-electron/pull/1664)
 
 ## [v1.9.0]

after_sign_hook.js

@@ -0,0 +1,46 @@
+const fs = require('fs');
+const path = require('path');
+var electron_notarize = require('electron-notarize');
+
+module.exports = async function(params) {
+  // Only notarize the app on Mac OS only.
+  if (process.platform !== 'darwin') {
+    return;
+  }
+  console.log('afterSign hook triggered', params);
+
+  if (!process.env.CIRCLE_TAG || process.env.CIRCLE_TAG.length === 0) {
+    console.log('Not on a tag. Skipping notarization');
+    return;
+  }
+
+  // Same appId in electron-builder.
+  let appId = 'com.automattic.simplenote';
+
+  let appPath = params.appOutDir
+    ? path.join(
+        params.appOutDir,
+        `${params.packager.appInfo.productFilename}.app`
+      )
+    : params.artifactPaths[0].replace(new RegExp('.blockmap'), '');
+
+  if (!fs.existsSync(appPath)) {
+    throw new Error(`Cannot find application at: ${appPath}`);
+  }
+
+  console.log(`Notarizing ${appId} found at ${appPath}`);
+
+  try {
+    await electron_notarize.notarize({
+      appBundleId: appId,
+      appPath: appPath,
+      appleId: process.env.NOTARIZATION_ID,
+      appleIdPassword: process.env.NOTARIZATION_PWD,
+      ascProvider: 'AutomatticInc',
+    });
+  } catch (error) {
+    console.error(error);
+  }
+
+  console.log(`Done notarizing ${appId}`);
+};

appveyor.yml

@@ -20,6 +20,8 @@ install:
   - ps: Install-Product node 10
   - cinst make
   - npm ci
+  - patch -p1 < ./resources/macos/macPackager-patch.diff
+  - patch -p1 < ./resources/macos/scheme-patch.diff
 
 for:
   # default build / .exe / signed

electron-builder.json

@@ -13,7 +13,10 @@
   "mac": {
     "icon": "./resources/images/app-icon.icns",
     "category": "public.app-category.social-networking",
-    "artifactName": "Simplenote-macOS-${version}.${ext}"
+    "artifactName": "Simplenote-macOS-${version}.${ext}",
+    "entitlements": "./resources/macos/entitlements.mac.plist",
+    "entitlementsInherit": "./resources/macos/entitlements.mac.inherit.plist",
+    "hardenedRuntime": true
   },
   "dmg": {
     "title": "Simplenote Installer",
@@ -100,5 +103,7 @@
   },
   "deb": {
     "depends": ["gconf2"]
-  }
+  },
+  "afterSign": "./after_sign_hook.js",
+  "afterAllArtifactBuild": "./after_sign_hook.js"
 }

package.json

@@ -6,7 +6,7 @@
     "email": "[email protected]"
   },
   "productName": "Simplenote",
-  "version": "1.8.0-beta1",
+  "version": "1.9.1",
   "main": "desktop/index.js",
   "license": "GPL-2.0",
   "homepage": "https://simplenote.com",
@@ -55,6 +55,7 @@
     "debug": "4.1.1",
     "electron": "4.2.11",
     "electron-builder": "20.32.0",
+    "electron-notarize": "^0.1.1",
     "electron-rebuild": "1.8.6",
     "enzyme": "3.10.0",
     "enzyme-adapter-react-16": "1.14.0",

resources/macos/entitlements.mac.inherit.plist

@@ -0,0 +1,16 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+    <dict>
+        <key>com.apple.security.cs.allow-jit</key>
+        <true/>
+        <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
+        <true/>
+        <key>com.apple.security.cs.disable-executable-page-protection</key>
+        <true/>
+        <key>com.apple.security.cs.disable-library-validation</key>
+        <true/>
+        <key>com.apple.security.cs.allow-dyld-environment-variables</key>
+        <true/>
+    </dict>
+</plist>

resources/macos/entitlements.mac.plist

@@ -0,0 +1,16 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+    <dict>
+        <key>com.apple.security.cs.allow-jit</key>
+        <true/>
+        <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
+        <true/>
+        <key>com.apple.security.cs.disable-executable-page-protection</key>
+        <true/>
+        <key>com.apple.security.cs.disable-library-validation</key>
+        <true/>
+        <key>com.apple.security.cs.allow-dyld-environment-variables</key>
+        <true/>
+    </dict>
+</plist>

resources/macos/macPackager-patch.diff

@@ -0,0 +1,22 @@
+--- ./node_modules/app-builder-lib/out/macPackager.js	1985-10-26 09:15:00.000000000 +0100
++++ ./node_modules/app-builder-lib/new/macPackager.js	2019-10-14 12:50:02.000000000 +0200
+@@ -315,7 +315,8 @@
+         keychain: keychainName || undefined,
+         binaries: (isMas && masOptions != null ? masOptions.binaries : macOptions.binaries) || undefined,
+         requirements: isMas || macOptions.requirements == null ? undefined : yield _this3.getResource(macOptions.requirements),
+-        "gatekeeper-assess": _codeSign().appleCertificatePrefixes.find(it => identity.name.startsWith(it)) != null
++        "gatekeeper-assess": _codeSign().appleCertificatePrefixes.find(it => identity.name.startsWith(it)) != null,
++        "hardened-runtime": macOptions.hardenedRuntime
+       };
+       yield _this3.adjustSignOptions(signOptions, masOptions);
+
+@@ -471,6 +472,6 @@
+   }
+
+   return isMas ? "3rd Party Mac Developer Application" : "Developer ID Application";
+-} 
++}
+ // [email protected]
+-//# sourceMappingURL=macPackager.js.map
+\ No newline at end of file
++//# sourceMappingURL=macPackager.js.map

resources/macos/scheme-patch.diff

@@ -0,0 +1,14 @@
+--- ./node_modules/app-builder-lib/scheme.json	1985-10-26 09:15:00.000000000 +0100
++++ ./node_modules/app-builder-new/scheme.json	2019-10-14 12:54:44.000000000 +0200
+@@ -1819,6 +1819,11 @@
+                     "description": "Whether to infer update channel from application version pre-release components. e.g. if version `0.12.1-alpha.1`, channel will be set to `alpha`. Otherwise to `latest`.",
+                     "type": "boolean"
+                 },
++                "hardenedRuntime": {
++                    "default": false,
++                    "description": "Whether your app has to be signed with hardened runtime.",
++                    "type": "boolean"
++                },
+                 "electronLanguages": {
+                     "anyOf": [
+                         {