feat(mac): Add option to enable hardened-runtime #3858
Conversation
I would recommend defaulting it to https://developer.apple.com/documentation/security/notarizing_your_app_before_distribution
Yep! It's true that it will be required for everyone, though I defaulted it to false because:
Does it make sense?
Thanks @loremattei, I'll be using this as soon as it gets released!
This is both excellent and exciting @loremattei
This feature is a must. Without it, please consider merging this feature soon to continue enabling awesome cross-platform packaging tools.
Thanks for this @loremattei 💯 What's holding up merging? Keen to start using this...
Thanks @loremattei, sorry for the delay.
Setting this flag to true causes the app to crash on startup. It's mentioned above that this could be the case if the proper entitlements are not set. I'm not setting any; are there examples of what entitlements need to be set to use this flag? Thanks.
Hi @martani! You can find some info about the Hardened Runtime Entitlements here: https://developer.apple.com/documentation/security/hardened_runtime_entitlements. I'd suggest starting by looking at
Thanks @loremattei. Adding those entitlements did the trick when Hardened Runtime is enabled.
Hi, I see you said you added an option. Is it electron-osx-sign? Where should I use it?
Hey @1009466147! It's
* [email protected]
* node12.8.1-chrome78-ff70
* Revert "node12.8.1-chrome78-ff70" for now. This reverts commit db2d521.
* update sendCommand to log on all sendcommands
* promisification in 6.x
* Revert "Revert "node12.8.1-chrome78-ff70" for now". This reverts commit 57fe764.
* fix sendcommand
* fix cdp in electron
* fix desktop-gui test
* skip tests that will be fixed by #4973
* bump MAX_ALLOWED_FILE_SIZE :/
* update electron browser spec
* make new dialog code null-proof
* add failing e2e test for issue 5475
* bump electron packager
* add e2e snapshot
* update deprecated electron getters/setters https://github.com/electron/electron/blob/7-1-x/docs/api/modernization/property-updates.md
* build and test on Mac
* use electron-builder 20.41.0 that adds an option to use hardened Mac OS, which is necessary for code notarization later. See https://github.com/electron-userland/electron-builder/releases/tag/v20.41.0 and electron-userland/electron-builder#3858
* electron-builder and pass hardenedRuntime: true
* uncomment build
* upload built binary on mac
* back to 20.41.0, trying after sign hook without success
* use current electron-builder alias instead of build
* retry smoke test on first failure
* testing
* trying to notarize signed app (that does not have node_modules yet)
* env variable names
* copy node_modules ourselves
* build and bundle binary on mac on circle, inject new context
* enable build steps before electron build
* increase mac build timeout
* update build folder on mac
* uncomment actual electron build command
* set linux target to zip
* set zip as target for all platforms
* updated steps
* put notarization hook back
* tweaks for icons
* remove dist electron before code sign
* icons per platform
* make node_modules copy path platform-specific
* fix linux build unpacked folder
* build mac
* fix lint
* test new mac binary against kitchensink
* working on Linux build
* try building entire thing on Linux
* removing correct electron dist folder
* increase zip size limit for now
* add folder rename on Linux from linux-unpacked to Cypress
* print file sizes before zipping
* move linux-unpacked to build dir function
* try deleting second electron file, but code signing probably would not work
* test windows build [build binary]
* ignore tsc errors
* windows build path
* windows [build binary]
* update windows build folder
* increase binary build timeout on Mac
* no need to pass our dist folder
* adding explicit list of additional binaries to code sign on mac
* yarn lock
* uncomment necessary build steps
* electron dir for Linux
* yarn lock again
* back to execa v3
* use execa v4 in packages launcher
* yarn lock again and again
* updated tests that use execa
* print build folder
* add executable name on Linux
* get rid of execa.shell in build scripts
* remove old and commented out code
* need to test building binary on Windows
* throw error from after sign hook if fails
* use execa to zip
* yarn lock
* fix after merge variable
* update test
* add nohoist ffmpeg installer
* patch
* yarn types pass
* yarn lock has binary

Co-authored-by: Zach Bloomquist <[email protected]>
Co-authored-by: Brian Mann <[email protected]>
This PR adds the option to enable the hardened runtime during code signing for Mac builds.
The option is already supported by electron-osx-sign, so it's just a matter of passing the flag down.
Hardened runtime is a requirement for app notarization.