Merge pull request #19 from ZIMkaRU/feature/add-apple-signing-and-not…

…arization-workflow

Add apple signing and notarization workflow

.env.example

@@ -4,3 +4,10 @@ IS_DEV_ENV=0
 IS_AUTO_UPDATE_DISABLED=0
 EP_GH_IGNORE_TIME=true
 GH_TOKEN=
+
+NOTARIZE=0
+APPLE_TEAM_ID=
+APPLE_ID=
+APPLE_APP_SPECIFIC_PASSWORD=
+CSC_LINK=
+CSC_KEY_PASSWORD=

.github/workflows/build-electron-app.yml

@@ -19,6 +19,9 @@ on:
       isBfxApiStaging:
         description: 'Is it necessary to use BFX API Staging? (true / 1)?'
         required: false
+      isNotarizeDisabled:
+        description: 'Is notarize disabled (true / 1)?'
+        required: false
 
 env:
   DOCKER_BUILDKIT: 1
@@ -118,6 +121,10 @@ jobs:
       name: Turn off auto-update
       run: |
         echo "IS_AUTO_UPDATE_DISABLED=1" >> $GITHUB_ENV
+    - if: ${{ !contains(fromJson('["true", "1", true, 1]'), github.event.inputs.isNotarizeDisabled) }}
+      name: Turn on notarize
+      run: |
+        echo "NOTARIZE=1" >> $GITHUB_ENV
     - if: contains(fromJson('["true", "1", true, 1]'), github.event.inputs.isBfxApiStaging)
       name: Use BFX API Staging for queries
       run: |
@@ -141,6 +148,12 @@ jobs:
       uses: nick-fields/retry@v2
       continue-on-error: false
       env:
+        NOTARIZE: true
+        APPLE_TEAM_ID: ${{ secrets.BFX_APPLE_TEAM_ID }}
+        APPLE_ID: ${{ secrets.BFX_APPLE_ID_USERNAME }}
+        APPLE_APP_SPECIFIC_PASSWORD: ${{ secrets.BFX_APPLE_ID_REPORT_PASSWORD }}
+        CSC_LINK: ${{ secrets.BFX_APPLE_BUILD_CERTIFICATE_B64 }}
+        CSC_KEY_PASSWORD: ${{ secrets.BFX_APPLE_BUILD_CERTIFICATE_PASSWORD }}
         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         ELECTRON_CACHE: ~/Library/Caches/electron
       with:

build/entitlements.mac.plist

@@ -4,6 +4,8 @@
   <dict>
     <key>com.apple.security.app-sandbox</key>
     <true/>
+    <key>com.apple.security.inherit</key>
+    <true/>
     <key>com.apple.security.network.client</key>
     <true/>
     <key>com.apple.security.network.server</key>
@@ -22,5 +24,13 @@
     <true/>
     <key>com.apple.security.cs.disable-library-validation</key>
     <true/>
+    <key>com.apple.security.cs.allow-jit</key>
+    <true/>
+    <key>com.apple.security.cs.allow-dyld-environment-variables</key>
+    <true/>
+    <key>com.apple.security.cs.debugger</key>
+    <true/>
+    <key>com.apple.security.automation.apple-events</key>
+    <true/>
   </dict>
 </plist>

build/entitlements.mas.inherit.plist

@@ -24,5 +24,13 @@
     <true/>
     <key>com.apple.security.cs.disable-library-validation</key>
     <true/>
+    <key>com.apple.security.cs.allow-jit</key>
+    <true/>
+    <key>com.apple.security.cs.allow-dyld-environment-variables</key>
+    <true/>
+    <key>com.apple.security.cs.debugger</key>
+    <true/>
+    <key>com.apple.security.automation.apple-events</key>
+    <true/>
   </dict>
 </plist>

docker-compose.yaml

@@ -74,6 +74,12 @@ services:
       IS_DEV_ENV: ${IS_DEV_ENV:-0}
       IS_AUTO_UPDATE_DISABLED: ${IS_AUTO_UPDATE_DISABLED:-0}
       IS_PUBLISHED: ${IS_PUBLISHED:-0}
+      NOTARIZE: ${NOTARIZE:-}
+      APPLE_TEAM_ID: ${APPLE_TEAM_ID:-}
+      APPLE_ID: ${APPLE_ID:-}
+      APPLE_APP_SPECIFIC_PASSWORD: ${APPLE_APP_SPECIFIC_PASSWORD:-}
+      CSC_LINK: ${CSC_LINK:-}
+      CSC_KEY_PASSWORD: ${CSC_KEY_PASSWORD:-}
       GH_TOKEN: ${GH_TOKEN:-}
       GITHUB_TOKEN: ${GITHUB_TOKEN:-}
       EP_GH_IGNORE_TIME: ${EP_GH_IGNORE_TIME:-true}

electron-builder-config.js

@@ -1,5 +1,6 @@
 'use strict'
 
+require('dotenv').config()
 const fs = require('fs')
 const path = require('path')
 const zlib = require('zlib')
@@ -9,8 +10,25 @@ const exec = promisify(require('child_process').exec)
 
 let version
 let zippedAppImageArtifactPath
+let zippedMacArtifactPath
 const appOutDirs = new Map()
 
+// Notarize can be done only on MacOS
+const macNotarize = (
+  process.platform === 'darwin' &&
+  process.env.NOTARIZE
+)
+  ? {
+      notarize: {
+        teamId: process.env.APPLE_TEAM_ID
+      }
+    }
+  : {}
+// DMG can be built only on MacOS
+const macSpecificTargets = process.platform === 'darwin'
+  ? ['dmg']
+  : []
+
 /* eslint-disable no-template-curly-in-string */
 
 const nodeModulesFilter = [
@@ -91,16 +109,23 @@ module.exports = {
     verifyUpdateCodeSignature: false
   },
   mac: {
-    type: 'development',
+    type: 'distribution',
     hardenedRuntime: true,
     gatekeeperAssess: false,
     entitlements: 'build/entitlements.mac.plist',
     entitlementsInherit: 'build/entitlements.mas.inherit.plist',
     category: 'public.app-category.finance',
+    minimumSystemVersion: '11',
+    darkModeSupport: true,
+    ...macNotarize,
     target: [
-      'dir'
+      'dir',
+      ...macSpecificTargets
     ]
   },
+  dmg: {
+    sign: false
+  },
   files: [
     '**/*',
     'build/icons',
@@ -205,24 +230,25 @@ module.exports = {
         !targets.has('zip')
       ) {
         targets.set('zip', {})
-        artifactPaths.push(path.join(
-          outDir,
-          `BitfinexReport-${version}-x64-${targetPlatform}.zip`
-        ))
       }
 
       for (const [targetName] of targets) {
         const ext = targetName === 'nsis'
           ? 'exe'
           : targetName
-        const appFilePath = artifactPaths.find((path) => (
+        const foundAppFilePath = artifactPaths.find((path) => (
           new RegExp(`${targetPlatform}.*${ext}$`, 'i').test(path)
         ))
+        const appFilePath = foundAppFilePath ?? path.join(
+          outDir,
+          `BitfinexReport-${version}-x64-${targetPlatform}.${ext}`
+        )
 
         if (
           targetPlatform === 'mac' &&
           targetName === 'zip'
         ) {
+          zippedMacArtifactPath = appFilePath
           macBlockmapFilePaths.push(
             `${appFilePath}.blockmap`,
             path.join(outDir, `${channel}-mac.yml`)
@@ -299,7 +325,7 @@ module.exports = {
     }
 
     const macFiles = macBlockmapFilePaths.length > 0
-      ? [...artifactPaths, ...macBlockmapFilePaths]
+      ? [zippedMacArtifactPath, ...macBlockmapFilePaths]
       : []
     const linuxFiles = zippedAppImageArtifactPath
       ? [zippedAppImageArtifactPath]

package.json

@@ -42,6 +42,7 @@
     "@wdio/spec-reporter": "8.21.0",
     "app-builder-bin": "4.2.0",
     "cross-env": "7.0.3",
+    "dotenv": "16.3.1",
     "electron": "27.2.0",
     "electron-builder": "24.10.0",
     "mocha": "10.2.0",