diff --git a/.env.example b/.env.example
index ea127aaf..9f778853 100644
--- a/.env.example
+++ b/.env.example
@@ -4,3 +4,10 @@ IS_DEV_ENV=0
IS_AUTO_UPDATE_DISABLED=0
EP_GH_IGNORE_TIME=true
GH_TOKEN=
+
+NOTARIZE=0
+APPLE_TEAM_ID=
+APPLE_ID=
+APPLE_APP_SPECIFIC_PASSWORD=
+CSC_LINK=
+CSC_KEY_PASSWORD=
diff --git a/.github/workflows/build-electron-app.yml b/.github/workflows/build-electron-app.yml
index 0f07009b..392d1613 100644
--- a/.github/workflows/build-electron-app.yml
+++ b/.github/workflows/build-electron-app.yml
@@ -19,6 +19,9 @@ on:
isBfxApiStaging:
description: 'Is it necessary to use BFX API Staging? (true / 1)?'
required: false
+ isNotarizeDisabled:
+ description: 'Is notarize disabled (true / 1)?'
+ required: false
env:
DOCKER_BUILDKIT: 1
@@ -118,6 +121,10 @@ jobs:
name: Turn off auto-update
run: |
echo "IS_AUTO_UPDATE_DISABLED=1" >> $GITHUB_ENV
+ - if: ${{ !contains(fromJson('["true", "1", true, 1]'), github.event.inputs.isNotarizeDisabled) }}
+ name: Turn on notarize
+ run: |
+ echo "NOTARIZE=1" >> $GITHUB_ENV
- if: contains(fromJson('["true", "1", true, 1]'), github.event.inputs.isBfxApiStaging)
name: Use BFX API Staging for queries
run: |
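Review bot: The `isNotarizeDisabled` input looks ineffective for the build step. This step writes `NOTARIZE=1` to `$GITHUB_ENV` only when the input is unset, but the next hunk in this file hard-codes `NOTARIZE: true` in the step-level `env` of the `nick-fields/retry@v2` step, and step-level `env` takes precedence over values exported through `$GITHUB_ENV`. If that step is the one that runs electron-builder (its body is outside the hunk), notarization stays on whatever the input says. Removing the `NOTARIZE: true` line from that `env` block, so the value comes only from this step, would make the toggle work.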
@@ -141,6 +148,12 @@ jobs:
uses: nick-fields/retry@v2
continue-on-error: false
env:
+ NOTARIZE: true
+ APPLE_TEAM_ID: ${{ secrets.BFX_APPLE_TEAM_ID }}
+ APPLE_ID: ${{ secrets.BFX_APPLE_ID_USERNAME }}
+ APPLE_APP_SPECIFIC_PASSWORD: ${{ secrets.BFX_APPLE_ID_REPORT_PASSWORD }}
+ CSC_LINK: ${{ secrets.BFX_APPLE_BUILD_CERTIFICATE_B64 }}
+ CSC_KEY_PASSWORD: ${{ secrets.BFX_APPLE_BUILD_CERTIFICATE_PASSWORD }}
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
ELECTRON_CACHE: ~/Library/Caches/electron
with:
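Review bot: The Apple ID app-specific password, the signing certificate (`CSC_LINK`) and its password are now exposed to a step that runs a third-party action referenced by a mutable tag, `nick-fields/retry@v2`. A moved or compromised tag would run with the release signing identity in its environment, so the reference should be pinned to a full commit SHA, e.g. `uses: nick-fields/retry@<full-commit-sha> # v2`. The step's `with:` block continues outside the hunk, so it is not visible here whether the wrapped command needs all five values.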
diff --git a/build/entitlements.mac.plist b/build/entitlements.mac.plist
index 34d93599..5a5f39bc 100644
--- a/build/entitlements.mac.plist
+++ b/build/entitlements.mac.plist
@@ -4,6 +4,8 @@
com.apple.security.app-sandbox
+ com.apple.security.inherit
+
com.apple.security.network.client
com.apple.security.network.server
@@ -22,5 +24,13 @@
com.apple.security.cs.disable-library-validation
+ com.apple.security.cs.allow-jit
+
+ com.apple.security.cs.allow-dyld-environment-variables
+
+ com.apple.security.cs.debugger
+
+ com.apple.security.automation.apple-events
+
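Review bot: `com.apple.security.cs.allow-dyld-environment-variables`, added next to the existing `com.apple.security.cs.disable-library-validation`, removes most of what the hardened runtime protects: the signed, notarized app will honour `DYLD_*` variables and load libraries that are not signed by the same team. `com.apple.security.cs.debugger` is meant for debugger tools, and nothing in this diff shows the app needing it or `com.apple.security.automation.apple-events`. The key values are not visible on this page, so this assumes they are set to true. For a `distribution` build I would keep only the exceptions the Electron runtime is known to need (typically `allow-jit`) and add a plist comment above each remaining key stating why it is required. The same four keys are added to build/entitlements.mas.inherit.plist in the next hunk.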
diff --git a/build/entitlements.mas.inherit.plist b/build/entitlements.mas.inherit.plist
index 4b8d65fa..5a5f39bc 100644
--- a/build/entitlements.mas.inherit.plist
+++ b/build/entitlements.mas.inherit.plist
@@ -24,5 +24,13 @@
com.apple.security.cs.disable-library-validation
+ com.apple.security.cs.allow-jit
+
+ com.apple.security.cs.allow-dyld-environment-variables
+
+ com.apple.security.cs.debugger
+
+ com.apple.security.automation.apple-events
+
diff --git a/docker-compose.yaml b/docker-compose.yaml
index 71f96c1b..c2741927 100644
--- a/docker-compose.yaml
+++ b/docker-compose.yaml
@@ -74,6 +74,12 @@ services:
IS_DEV_ENV: ${IS_DEV_ENV:-0}
IS_AUTO_UPDATE_DISABLED: ${IS_AUTO_UPDATE_DISABLED:-0}
IS_PUBLISHED: ${IS_PUBLISHED:-0}
+ NOTARIZE: ${NOTARIZE:-}
+ APPLE_TEAM_ID: ${APPLE_TEAM_ID:-}
+ APPLE_ID: ${APPLE_ID:-}
+ APPLE_APP_SPECIFIC_PASSWORD: ${APPLE_APP_SPECIFIC_PASSWORD:-}
+ CSC_LINK: ${CSC_LINK:-}
+ CSC_KEY_PASSWORD: ${CSC_KEY_PASSWORD:-}
GH_TOKEN: ${GH_TOKEN:-}
GITHUB_TOKEN: ${GITHUB_TOKEN:-}
EP_GH_IGNORE_TIME: ${EP_GH_IGNORE_TIME:-true}
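Review bot: `APPLE_APP_SPECIFIC_PASSWORD`, `CSC_LINK` and `CSC_KEY_PASSWORD` are passed into the container environment, while electron-builder-config.js in this same commit enables notarization and the dmg target only when `process.platform === 'darwin'`. If this service builds inside a Linux container (the service definition is outside the hunk), the Apple values may not be usable there and only widen where the signing credentials can be read, such as `docker inspect` output and every child process of the build. Consider passing only `NOTARIZE` here, or leaving the Apple and CSC variables out until a container build needs them.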
diff --git a/electron-builder-config.js b/electron-builder-config.js
index 3b970ca7..92f7cb87 100644
--- a/electron-builder-config.js
+++ b/electron-builder-config.js
@@ -1,5 +1,6 @@
'use strict'
+require('dotenv').config()
const fs = require('fs')
const path = require('path')
const zlib = require('zlib')
@@ -9,8 +10,25 @@ const exec = promisify(require('child_process').exec)
let version
let zippedAppImageArtifactPath
+let zippedMacArtifactPath
const appOutDirs = new Map()
+// Notarize can be done only on MacOS
+const macNotarize = (
+ process.platform === 'darwin' &&
+ process.env.NOTARIZE
+)
+ ? {
+ notarize: {
+ teamId: process.env.APPLE_TEAM_ID
+ }
+ }
+ : {}
+// DMG can be built only on MacOS
+const macSpecificTargets = process.platform === 'darwin'
+ ? ['dmg']
+ : []
+
/* eslint-disable no-template-curly-in-string */
const nodeModulesFilter = [
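Review bot: `process.env.NOTARIZE` is tested for truthiness, but environment values are strings, so the `NOTARIZE=0` default that this commit adds to .env.example (loaded by `require('dotenv').config()`) counts as enabled on macOS. Parse the flag explicitly, e.g. `const isNotarizeEnabled = /^(1|true)$/i.test(process.env.NOTARIZE ?? '')`, and use it in place of `process.env.NOTARIZE`. It would also help to fail early with a clear message when the flag is on and `APPLE_TEAM_ID` is empty, rather than passing `teamId: undefined` on to electron-builder.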
@@ -91,16 +109,23 @@ module.exports = {
verifyUpdateCodeSignature: false
},
mac: {
- type: 'development',
+ type: 'distribution',
hardenedRuntime: true,
gatekeeperAssess: false,
entitlements: 'build/entitlements.mac.plist',
entitlementsInherit: 'build/entitlements.mas.inherit.plist',
category: 'public.app-category.finance',
+ minimumSystemVersion: '11',
+ darkModeSupport: true,
+ ...macNotarize,
target: [
- 'dir'
+ 'dir',
+ ...macSpecificTargets
]
},
+ dmg: {
+ sign: false
+ },
files: [
'**/*',
'build/icons',
@@ -205,24 +230,25 @@ module.exports = {
!targets.has('zip')
) {
targets.set('zip', {})
- artifactPaths.push(path.join(
- outDir,
- `BitfinexReport-${version}-x64-${targetPlatform}.zip`
- ))
}
for (const [targetName] of targets) {
const ext = targetName === 'nsis'
? 'exe'
: targetName
- const appFilePath = artifactPaths.find((path) => (
+ const foundAppFilePath = artifactPaths.find((path) => (
new RegExp(`${targetPlatform}.*${ext}$`, 'i').test(path)
))
+ const appFilePath = foundAppFilePath ?? path.join(
+ outDir,
+ `BitfinexReport-${version}-x64-${targetPlatform}.${ext}`
+ )
if (
targetPlatform === 'mac' &&
targetName === 'zip'
) {
+ zippedMacArtifactPath = appFilePath
macBlockmapFilePaths.push(
`${appFilePath}.blockmap`,
path.join(outDir, `${channel}-mac.yml`)
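Review bot: The callback parameter in `artifactPaths.find((path) => (` shadows the `path` module, and the very next statement calls `path.join(...)`. Renaming the parameter, e.g. `artifactPaths.find((artifactPath) => (`, avoids a misread and a future edit that calls `path.join` inside the callback. The fallback file name also hard-codes `x64`, which presumably would not match an arm64 artifact; that is carried over from the removed lines, so it can be a follow-up. The enclosing loop continues outside the hunk.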
@@ -299,7 +325,7 @@ module.exports = {
}
const macFiles = macBlockmapFilePaths.length > 0
- ? [...artifactPaths, ...macBlockmapFilePaths]
+ ? [zippedMacArtifactPath, ...macBlockmapFilePaths]
: []
const linuxFiles = zippedAppImageArtifactPath
? [zippedAppImageArtifactPath]
diff --git a/package.json b/package.json
index 0c594f1b..38ea92cc 100644
--- a/package.json
+++ b/package.json
@@ -42,6 +42,7 @@
"@wdio/spec-reporter": "8.21.0",
"app-builder-bin": "4.2.0",
"cross-env": "7.0.3",
+ "dotenv": "16.3.1",
"electron": "27.2.0",
"electron-builder": "24.10.0",
"mocha": "10.2.0",