diff --git a/packages/app-builder-lib/src/codeSign/macCodeSign.ts b/packages/app-builder-lib/src/codeSign/macCodeSign.ts index 8efd8509b60..42455bdbff0 100644 --- a/packages/app-builder-lib/src/codeSign/macCodeSign.ts +++ b/packages/app-builder-lib/src/codeSign/macCodeSign.ts @@ -9,7 +9,6 @@ import { homedir } from "os" import * as path from "path" import { getTempName } from "temp-file" import { isAutoDiscoveryCodeSignIdentity } from "../util/flags" -import { isMacOsSierra } from "../util/macosVersion" import { downloadCertificate } from "./codesign" export const appleCertificatePrefixes = ["Developer ID Application:", "Developer ID Installer:", "3rd Party Mac Developer Application:", "3rd Party Mac Developer Installer:"] @@ -186,9 +185,7 @@ async function importCerts(keychainName: string, paths: Array, keyPasswo // https://stackoverflow.com/questions/39868578/security-codesign-in-sierra-keychain-ignores-access-control-settings-and-ui-p // https://github.com/electron-userland/electron-packager/issues/701#issuecomment-322315996 - if (await isMacOsSierra()) { - await exec("security", ["set-key-partition-list", "-S", "apple-tool:,apple:", "-s", "-k", password, keychainName]) - } + await exec("security", ["set-key-partition-list", "-S", "apple-tool:,apple:", "-s", "-k", password, keychainName]) } return { diff --git a/packages/app-builder-lib/src/macPackager.ts b/packages/app-builder-lib/src/macPackager.ts index e6bf0ccf59a..9255a17e4c8 100644 --- a/packages/app-builder-lib/src/macPackager.ts +++ b/packages/app-builder-lib/src/macPackager.ts 
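Review bot: In `importCerts` (macCodeSign.ts, hunk at -186) the `security set-key-partition-list` call now runs on every host and still passes the keychain password as a plain `-k` argument, so it is readable in the process list while the command runs and in any log that records exec arguments. Whether builder-util's `exec` logs its arguments is not visible in this diff; if it does, the password should be masked before this call becomes unconditional. The removal of the version guard also deserves a why-comment, e.g. `// set-key-partition-list needs macOS 10.12+; older hosts are no longer supported for signing`. The function body starts and ends outside the hunk.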
@@ -1,7 +1,7 @@ import BluebirdPromise from "bluebird-lst" import { deepAssign, Arch, AsyncTaskManager, exec, InvalidConfigurationError, log, use } from "builder-util" import { signAsync, SignOptions } from "electron-osx-sign" -import { ensureDir, readdir } from "fs-extra-p" +import { mkdirs, readdir } from "fs-extra" import { Lazy } from "lazy-val" import * as path from "path" import { copyFile, unlinkIfExists } from "builder-util/out/fs" @@ -16,6 +16,8 @@ import { chooseNotNull, PlatformPackager } from "./platformPackager" import { ArchiveTarget } from "./targets/ArchiveTarget" import { PkgTarget, prepareProductBuildArgs } from "./targets/pkg" import { createCommonTarget, NoOpTarget } from "./targets/targetFactory" +import { isMacOsHighSierra } from "./util/macosVersion" +import { getTemplatePath } from "./util/pathManager" export default class MacPackager extends PlatformPackager { readonly codeSigningInfo = new Lazy(() => { @@ -156,6 +158,10 @@ export default class MacPackager extends PlatformPackager { } } + if (!isMacOsHighSierra()) { + throw new InvalidConfigurationError("macOS High Sierra 10.13.6 is required to sign") + } + const signOptions: any = { "identity-validation": false, // https://github.com/electron-userland/electron-builder/issues/1699 @@ -175,8 +181,8 @@ export default class MacPackager extends PlatformPackager { requirements: isMas || macOptions.requirements == null ? undefined : await this.getResource(macOptions.requirements), // https://github.com/electron-userland/electron-osx-sign/issues/196 // will fail on 10.14.5+ because a signed but unnotarized app is also rejected. - "gatekeeper-assess": macOptions.gatekeeperAssess, - "hardened-runtime": macOptions.hardenedRuntime, + "gatekeeper-assess": macOptions.gatekeeperAssess === true, + hardenedRuntime: macOptions.hardenedRuntime !== false, } await this.adjustSignOptions(signOptions, masOptions) 
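Review bot: The new guard in macPackager.ts (hunk at +158) throws on any host older than 10.13.6 even when `hardenedRuntime` is explicitly `false`. If the version requirement exists only because of the hardened runtime (an inference, the hunk does not say), scope it, assuming `macOptions` is already in scope at that point: `if (macOptions.hardenedRuntime !== false && !isMacOsHighSierra()) {`. The message should read "macOS High Sierra 10.13.6 or later is required to sign", because the helper compares with `semver.gte`. The enclosing method starts and ends outside the hunk.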
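Review bot: In the sign-options literal (macPackager.ts, hunk at +181) the hardened-runtime key changes from `"hardened-runtime"` to `hardenedRuntime` while its neighbours stay kebab-case, and because `signOptions` is typed `any` nothing checks that the signing library reads the new spelling. If the key is not recognised, the app is signed without the hardened runtime and no error is raised, so confirm the key against the pinned electron-osx-sign version and record it in a comment, e.g. `// electron-osx-sign reads the camelCase key; on unless explicitly set to false`. The existing comment above `gatekeeper-assess` ("will fail on 10.14.5+ …") could also state that assessment is now off unless `gatekeeperAssess` is `true`.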
@@ -206,34 +212,32 @@ export default class MacPackager extends PlatformPackager { private async adjustSignOptions(signOptions: any, masOptions: MasConfiguration | null) { const resourceList = await this.resourceList - if (resourceList.includes(`entitlements.osx.plist`)) { - throw new InvalidConfigurationError("entitlements.osx.plist is deprecated name, please use entitlements.mac.plist") - } - if (resourceList.includes(`entitlements.osx.inherit.plist`)) { - throw new InvalidConfigurationError("entitlements.osx.inherit.plist is deprecated name, please use entitlements.mac.inherit.plist") - } - const customSignOptions = masOptions || this.platformSpecificBuildOptions const entitlementsSuffix = masOptions == null ? "mac" : "mas" - if (customSignOptions.entitlements == null) { + + let entitlements = customSignOptions.entitlements + if (entitlements == null) { const p = `entitlements.${entitlementsSuffix}.plist` if (resourceList.includes(p)) { - signOptions.entitlements = path.join(this.info.buildResourcesDir, p) + entitlements = path.join(this.info.buildResourcesDir, p) + } + else { + entitlements = getTemplatePath("entitlements.mac.plist") } } - else { - signOptions.entitlements = customSignOptions.entitlements - } + signOptions.entitlements = entitlements - if (customSignOptions.entitlementsInherit == null) { + let entitlementsInherit = customSignOptions.entitlementsInherit + if (entitlementsInherit == null) { const p = `entitlements.${entitlementsSuffix}.inherit.plist` if (resourceList.includes(p)) { - signOptions["entitlements-inherit"] = path.join(this.info.buildResourcesDir, p) + entitlementsInherit = path.join(this.info.buildResourcesDir, p) + } + else { + entitlementsInherit = getTemplatePath("entitlements.mac.plist") } } - else { - signOptions["entitlements-inherit"] = customSignOptions.entitlementsInherit - } + signOptions["entitlements-inherit"] = entitlementsInherit if (customSignOptions.provisioningProfile != null) { signOptions["provisioning-profile"] = 
customSignOptions.provisioningProfile @@ -248,7 +252,7 @@ export default class MacPackager extends PlatformPackager { //noinspection JSMethodCanBeStatic protected async doFlat(appPath: string, outFile: string, identity: Identity, keychain: string | null | undefined): Promise { // productbuild doesn't created directory for out file - await ensureDir(path.dirname(outFile)) + await mkdirs(path.dirname(outFile)) const args = prepareProductBuildArgs(identity, keychain) args.push("--component", appPath, "/Applications") diff --git a/packages/app-builder-lib/src/options/macOptions.ts b/packages/app-builder-lib/src/options/macOptions.ts index c75f9d6062d..332a61e0528 100644 --- a/packages/app-builder-lib/src/options/macOptions.ts +++ b/packages/app-builder-lib/src/options/macOptions.ts @@ -113,7 +113,7 @@ export interface MacConfiguration extends PlatformSpecificBuildOptions { /** * Whether your app has to be signed with hardened runtime. - * @default false + * @default true */ readonly hardenedRuntime?: boolean diff --git a/packages/app-builder-lib/src/util/macosVersion.ts b/packages/app-builder-lib/src/util/macosVersion.ts index 3045a8640ed..3d2e96ba57c 100644 --- a/packages/app-builder-lib/src/util/macosVersion.ts +++ b/packages/app-builder-lib/src/util/macosVersion.ts @@ -1,7 +1,8 @@ -import { readFile } from "fs-extra-p" +import { readFile } from "fs-extra" import { Lazy } from "lazy-val" import * as semver from "semver" import { log } from "builder-util/out/log" +import { release as osRelease } from "os" const macOsVersion = new Lazy(async () => { const file = await readFile("/System/Library/CoreServices/SystemVersion.plist", "utf8") 
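Review bot: In `adjustSignOptions` (macPackager.ts, hunk at +212) both fallbacks load `entitlements.mac.plist` even when `masOptions` is set and `entitlementsSuffix` is "mas". A Mac App Store build with no entitlements file is therefore signed with the template added in this commit, which as far as the diff shows holds only `com.apple.security.cs.allow-unsigned-executable-memory`, instead of leaving the choice to the signing library. Consider limiting the template to the non-MAS case with `else if (masOptions == null) {` and setting the option only when a value was resolved, `if (entitlements != null) signOptions.entitlements = entitlements`. The hunk also drops the errors for `entitlements.osx.plist` and `entitlements.osx.inherit.plist`, so a project still using those names is now silently signed with the default template; keeping the two checks, or a warning, would preserve the entitlements the author intended. The method body continues past the end of the hunk.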
@@ -21,8 +22,9 @@ async function isOsVersionGreaterThanOrEqualTo(input: string) { return semver.gte(await macOsVersion.value, clean(input)) } -export function getMacOsVersion() { - return macOsVersion.value +export function isMacOsHighSierra(): boolean { + // 17.7.0 === 10.13.6 + return process.platform === "darwin" && semver.gte(osRelease(), "17.7.0") } export async function isMacOsSierra() { diff --git a/packages/app-builder-lib/src/winPackager.ts b/packages/app-builder-lib/src/winPackager.ts index 453152eef7f..9960c71a12d 100644 --- a/packages/app-builder-lib/src/winPackager.ts +++ b/packages/app-builder-lib/src/winPackager.ts @@ -3,7 +3,7 @@ import { Arch, asArray, InvalidConfigurationError, log, use } from "builder-util import { parseDn } from "builder-util-runtime" import { CopyFileTransformer, FileTransformer, walk } from "builder-util/out/fs" import { createHash } from "crypto" -import { readdir } from "fs-extra-p" +import { readdir } from "fs-extra" import isCI from "is-ci" import { Lazy } from "lazy-val" import * as path from "path" diff --git a/packages/app-builder-lib/templates/entitlements.mac.plist b/packages/app-builder-lib/templates/entitlements.mac.plist new file mode 100644 index 00000000000..bb87459e76c --- /dev/null +++ b/packages/app-builder-lib/templates/entitlements.mac.plist @@ -0,0 +1,8 @@ + + + + + com.apple.security.cs.allow-unsigned-executable-memory + + + \ No newline at end of file diff --git a/packages/dmg-builder/src/dmg.ts b/packages/dmg-builder/src/dmg.ts index 66ef460d674..ab7ddcbb27f 100644 --- a/packages/dmg-builder/src/dmg.ts +++ b/packages/dmg-builder/src/dmg.ts @@ -64,7 +64,7 @@ export class DmgTarget extends Target { await packager.packagerOptions.effectiveOptionComputed({licenseData}) } - if (this.options.sign) { + if (this.options.sign === true) { await this.signDmg(artifactPath) } diff --git a/test/out/__snapshots__/BuildTest.js.snap b/test/out/__snapshots__/BuildTest.js.snap index 284b16d53dc..a397d33d49b 100644 
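Review bot: `isMacOsHighSierra` (macosVersion.ts, hunk at +22) returns true for every release from 10.13.6 onwards and false on any non-darwin platform, which neither the name nor the one-line comment conveys. A doc comment such as `/** True only on macOS 10.13.6 (Darwin 17.7.0) or later; false on all other platforms. */` would make the contract explicit, and a name like `isMacOsHighSierraOrLater` would match the `>=` semantics. It also compares the Darwin kernel release from `os.release()` while the neighbouring helpers read SystemVersion.plist through `macOsVersion`; if that is deliberate (synchronous, no file read), a short why-comment would help. The hunk removes the exported `getMacOsVersion`, and callers outside this diff are not visible, so that is worth checking.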
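Review bot: The new default template (templates/entitlements.mac.plist) grants `com.apple.security.cs.allow-unsigned-executable-memory`, which relaxes one of the hardened runtime's memory protections. macPackager.ts applies it to both the app and its inherited entitlements whenever a project supplies none. The file carries no explanation; an XML comment stating why the entitlement is needed (presumably for the JavaScript engine's JIT) and that projects able to do without it should ship their own `entitlements.mac.plist` would help keep the default minimal. The file also ends without a trailing newline.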
--- a/test/out/__snapshots__/BuildTest.js.snap +++ b/test/out/__snapshots__/BuildTest.js.snap @@ -305,6 +305,23 @@ Object { "bl.js": Object { "size": 6400, }, + "node_modules": Object { + "files": Object { + "safe-buffer": Object { + "files": Object { + "LICENSE": Object { + "size": 1081, + }, + "index.js": Object { + "size": 1585, + }, + "package.json": Object { + "size": 500, + }, + }, + }, + }, + }, "package.json": Object { "size": 741, }, @@ -1565,6 +1582,23 @@ Object { "index.js": Object { "size": 6884, }, + "node_modules": Object { + "files": Object { + "safe-buffer": Object { + "files": Object { + "LICENSE": Object { + "size": 1081, + }, + "index.js": Object { + "size": 1585, + }, + "package.json": Object { + "size": 500, + }, + }, + }, + }, + }, "package.json": Object { "size": 542, },