feat(project): notarize macos distro

Closes #1572
camunda · Nov 14, 2019 · c2ea52a · c2ea52a
1 parent d1c26cb
commit c2ea52a
Show file tree

Hide file tree

Showing 4 changed files with 89 additions and 0 deletions.
diff --git a/build/entitlements.mac.inherit.plist b/build/entitlements.mac.inherit.plist
@@ -0,0 +1,12 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+  <dict>
+    <key>com.apple.security.cs.allow-jit</key>
+    <true/>
+    <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
+    <true/>
+    <key>com.apple.security.cs.allow-dyld-environment-variables</key>
+    <true/>
+  </dict>
+</plist>
diff --git a/electron-builder.json b/electron-builder.json
@@ -12,6 +12,7 @@
     }
   ],
   "afterPack": "./tasks/after-pack.js",
+  "afterSign": "./tasks/after-sign.js",
   "afterAllArtifactBuild": "./tasks/after-all-artifact-build.js",
   "win": {
     "target": [
@@ -31,6 +32,8 @@
     ]
   },
   "mac": {
+    "hardenedRuntime": true,
+    "entitlements": "./build/entitlements.mac.inherit.plist",
     "target": "dmg"
   },
   "fileAssociations": [

diff --git a/tasks/after-sign.js b/tasks/after-sign.js
@@ -0,0 +1,20 @@
+/**
+ * Copyright Camunda Services GmbH and/or licensed to Camunda Services GmbH
+ * under one or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information regarding copyright
+ * ownership.
+ *
+ * Camunda licenses this file to you under the MIT; you may not use this file
+ * except in compliance with the MIT License.
+ */
+
+module.exports = async function(context) {
+
+  const handlers = [
+    require('./after-sign/notarize')
+  ];
+
+  for (const handler of handlers) {
+    await handler(context);
+  }
+};
diff --git a/tasks/after-sign/notarize.js b/tasks/after-sign/notarize.js
@@ -0,0 +1,54 @@
+/**
+ * Copyright Camunda Services GmbH and/or licensed to Camunda Services GmbH
+ * under one or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information regarding copyright
+ * ownership.
+ *
+ * Camunda licenses this file to you under the MIT; you may not use this file
+ * except in compliance with the MIT License.
+ */
+
+const { notarize } = require('electron-notarize');
+
+module.exports = async function(context) {
+  const {
+    electronPlatformName,
+    appOutDir
+  } = context;
+
+  if (electronPlatformName !== 'darwin') {
+    return;
+  }
+
+  const {
+    APPLE_DEVELOPER_ID: appleId,
+    APPLE_DEVELOPER_ID_PASSWORD: appleIdPassword
+  } = process.env;
+
+  // skip notarization if credentials weren't provided
+  if (!appleId || !appleIdPassword) {
+    console.log('  • skipping notarization due to missing credentials');
+
+    return;
+  }
+
+  const {
+    productFilename: appName,
+    info: {
+      config: {
+        appId
+      }
+    }
+  } = context.packager.appInfo;
+
+  const appPath = `${appOutDir}/${appName}.app`;
+
+  console.log(`  • notarizing app from path: ${appPath}`);
+
+  return await notarize({
+    appBundleId: appId,
+    appPath,
+    appleId,
+    appleIdPassword
+  });
+};