feat: integrating @electron/notarize into mac signing flow (#7310)

Author: mmaietta

.changeset/healthy-walls-peel.md

@@ -0,0 +1,5 @@
+---
+"app-builder-lib": minor
+---
+
+feat: integrating @electron/notarize into mac signing flow

.github/workflows/test.yaml

@@ -69,7 +69,7 @@ jobs:
       - name: Test
         run: pnpm ci:test
         env:
-          TEST_FILES: masTest,dmgTest,protonTest,filesTest
+          TEST_FILES: masTest,dmgTest,protonTest,filesTest,macPackagerTest
           FORCE_COLOR: 1
 
   # Need to separate from other tests because logic is specific to when TOKEN env vars are set

docs/configuration/mac.md

@@ -97,13 +97,17 @@ The top-level [mac](configuration.md#Configuration-mac) key contains set of opti
 <p>This option has no effect unless building for “universal” arch.</p>
 </li>
 <li>
-<p><code id="MacConfiguration-singleArchFiles">singleArchFiles</code> String - Minimatch pattern of paths that are allowed to be present in one of the ASAR files, but not in the other.</p>
+<p><code id="MacConfiguration-singleArchFiles">singleArchFiles</code> String | “undefined” - Minimatch pattern of paths that are allowed to be present in one of the ASAR files, but not in the other.</p>
 <p>This option has no effect unless building for “universal” arch and applies only if <code>mergeASARs</code> is <code>true</code>.</p>
 </li>
 <li>
-<p><code id="MacConfiguration-x64ArchFiles">x64ArchFiles</code> String - Minimatch pattern of paths that are allowed to be x64 binaries in both ASAR files</p>
+<p><code id="MacConfiguration-x64ArchFiles">x64ArchFiles</code> String | “undefined” - Minimatch pattern of paths that are allowed to be x64 binaries in both ASAR files</p>
 <p>This option has no effect unless building for “universal” arch and applies only if <code>mergeASARs</code> is <code>true</code>.</p>
 </li>
+<li>
+<p><code id="MacConfiguration-notarize">notarize</code> module:app-builder-lib/out/options/macOptions.NotarizeOptions | Boolean | “undefined” - Options to use for @electron/notarize (ref: <a href="https://github.com/electron/notarize">https://github.com/electron/notarize</a>). Supports both <code>legacy</code> and <code>notarytool</code> notarization tools. Use <code>false</code> to explicitly disable</p>
+<p>Note: You MUST specify <code>APPLE_ID</code> and <code>APPLE_APP_SPECIFIC_PASSWORD</code> via environment variables to activate notarization step</p>
+</li>
 </ul>
 
 <!-- end of generated block -->

packages/app-builder-lib/package.json

@@ -49,9 +49,10 @@
   "dependencies": {
     "7zip-bin": "~5.1.1",
     "@develar/schema-utils": "~2.6.5",
+    "@electron/notarize": "^1.2.3",
     "@electron/osx-sign": "^1.0.4",
     "@electron/rebuild": "^3.2.10",
-    "@electron/universal": "1.3.3",
+    "@electron/universal": "1.3.4",
     "@malept/flatpak-bundler": "^0.4.0",
     "async-exit-hook": "^2.0.1",
     "bluebird-lst": "^1.0.9",

packages/app-builder-lib/scheme.json

@@ -2637,6 +2637,20 @@
             "string"
           ]
         },
+        "notarize": {
+          "anyOf": [
+            {
+              "$ref": "#/definitions/NotarizeOptions"
+            },
+            {
+              "type": [
+                "null",
+                "boolean"
+              ]
+            }
+          ],
+          "description": "Options to use for @electron/notarize (ref: https://github.com/electron/notarize).\nSupports both `legacy` and `notarytool` notarization tools. Use `false` to explicitly disable\n\nNote: You MUST specify `APPLE_ID` and `APPLE_APP_SPECIFIC_PASSWORD` via environment variables to activate notarization step"
+        },
         "protocols": {
           "anyOf": [
             {
@@ -2756,7 +2770,10 @@
         },
         "singleArchFiles": {
           "description": "Minimatch pattern of paths that are allowed to be present in one of the\nASAR files, but not in the other.\n\nThis option has no effect unless building for \"universal\" arch and applies\nonly if `mergeASARs` is `true`.",
-          "type": "string"
+          "type": [
+            "null",
+            "string"
+          ]
         },
         "strictVerify": {
           "anyOf": [
@@ -2856,7 +2873,10 @@
         },
         "x64ArchFiles": {
           "description": "Minimatch pattern of paths that are allowed to be x64 binaries in both\nASAR files\n\nThis option has no effect unless building for \"universal\" arch and applies\nonly if `mergeASARs` is `true`.",
-          "type": "string"
+          "type": [
+            "null",
+            "string"
+          ]
         }
       },
       "type": "object"
@@ -3255,6 +3275,20 @@
             "string"
           ]
         },
+        "notarize": {
+          "anyOf": [
+            {
+              "$ref": "#/definitions/NotarizeOptions"
+            },
+            {
+              "type": [
+                "null",
+                "boolean"
+              ]
+            }
+          ],
+          "description": "Options to use for @electron/notarize (ref: https://github.com/electron/notarize).\nSupports both `legacy` and `notarytool` notarization tools. Use `false` to explicitly disable\n\nNote: You MUST specify `APPLE_ID` and `APPLE_APP_SPECIFIC_PASSWORD` via environment variables to activate notarization step"
+        },
         "protocols": {
           "anyOf": [
             {
@@ -3374,7 +3408,10 @@
         },
         "singleArchFiles": {
           "description": "Minimatch pattern of paths that are allowed to be present in one of the\nASAR files, but not in the other.\n\nThis option has no effect unless building for \"universal\" arch and applies\nonly if `mergeASARs` is `true`.",
-          "type": "string"
+          "type": [
+            "null",
+            "string"
+          ]
         },
         "strictVerify": {
           "anyOf": [
@@ -3474,7 +3511,10 @@
         },
         "x64ArchFiles": {
           "description": "Minimatch pattern of paths that are allowed to be x64 binaries in both\nASAR files\n\nThis option has no effect unless building for \"universal\" arch and applies\nonly if `mergeASARs` is `true`.",
-          "type": "string"
+          "type": [
+            "null",
+            "string"
+          ]
         }
       },
       "type": "object"
@@ -3659,6 +3699,33 @@
       },
       "type": "object"
     },
+    "NotarizeOptions": {
+      "additionalProperties": false,
+      "properties": {
+        "appBundleId": {
+          "description": "The app bundle identifier your Electron app is using. E.g. com.github.electron. Useful if notarization ID differs from app ID (unlikely).\nOnly used by `legacy` notarization tool",
+          "type": [
+            "null",
+            "string"
+          ]
+        },
+        "ascProvider": {
+          "description": "Your Team Short Name. Only used by `legacy` notarization tool",
+          "type": [
+            "null",
+            "string"
+          ]
+        },
+        "teamId": {
+          "description": "The team ID you want to notarize under. Only needed if using `notarytool`",
+          "type": [
+            "null",
+            "string"
+          ]
+        }
+      },
+      "type": "object"
+    },
     "NsisOptions": {
       "additionalProperties": false,
       "properties": {

packages/app-builder-lib/src/macPackager.ts

@@ -1,5 +1,5 @@
 import BluebirdPromise from "bluebird-lst"
-import { deepAssign, Arch, AsyncTaskManager, exec, InvalidConfigurationError, log, use, getArchSuffix } from "builder-util"
+import { deepAssign, Arch, AsyncTaskManager, exec, InvalidConfigurationError, log, use, getArchSuffix, spawn } from "builder-util"
 import { signAsync } from "@electron/osx-sign"
 import { SignOptions } from "@electron/osx-sign/dist/cjs/types"
 import { mkdir, readdir } from "fs/promises"
@@ -20,6 +20,7 @@ import { createCommonTarget, NoOpTarget } from "./targets/targetFactory"
 import { isMacOsHighSierra } from "./util/macosVersion"
 import { getTemplatePath } from "./util/pathManager"
 import * as fs from "fs/promises"
+import { notarize, NotarizeOptions } from "@electron/notarize"
 
 export default class MacPackager extends PlatformPackager<MacConfiguration> {
   readonly codeSigningInfo = new Lazy<CodeSigningInfo>(() => {
@@ -336,6 +337,8 @@ export default class MacPackager extends PlatformPackager<MacConfiguration> {
       await this.doFlat(appPath, artifactPath, masInstallerIdentity, keychainFile)
       await this.dispatchArtifactCreated(artifactPath, null, Arch.x64, this.computeSafeArtifactName(artifactName, "pkg", arch, true, this.platformSpecificBuildOptions.defaultArch))
     }
+
+    await this.notarizeIfProvided(appPath)
   }
 
   private async adjustSignOptions(signOptions: any, masOptions: MasConfiguration | null) {
@@ -443,9 +446,10 @@ export default class MacPackager extends PlatformPackager<MacConfiguration> {
   protected async signApp(packContext: AfterPackContext, isAsar: boolean): Promise<any> {
     const appFileName = `${this.appInfo.productFilename}.app`
 
-    await BluebirdPromise.map(readdir(packContext.appOutDir), (file: string): any => {
+    await BluebirdPromise.map(readdir(packContext.appOutDir), async (file: string): Promise<any> => {
       if (file === appFileName) {
-        return this.sign(path.join(packContext.appOutDir, file), null, null, null)
+        const appPath = path.join(packContext.appOutDir, file)
+        await this.sign(appPath, null, null, null)
       }
       return null
     })
@@ -463,6 +467,56 @@ export default class MacPackager extends PlatformPackager<MacConfiguration> {
       }
     })
   }
+
+  private async notarizeIfProvided(appPath: string) {
+    const notarizeOptions = this.platformSpecificBuildOptions.notarize
+    if (notarizeOptions === false) {
+      log.info({ reason: "`notarizeOptions` is explicitly set to false" }, "skipped macOS notarization")
+      return
+    }
+    const appleId = process.env.APPLE_ID
+    const appleIdPassword = process.env.APPLE_APP_SPECIFIC_PASSWORD
+    if (!appleId && !appleIdPassword) {
+      // if no credentials provided, skip silently
+      return
+    }
+    if (!appleId) {
+      throw new InvalidConfigurationError(`APPLE_ID env var needs to be set`)
+    }
+    if (!appleIdPassword) {
+      throw new InvalidConfigurationError(`APPLE_APP_SPECIFIC_PASSWORD env var needs to be set`)
+    }
+    const options = this.generateOptions(appPath, appleId, appleIdPassword)
+    await notarize(options)
+    // Verify
+    await spawn("spctl", ["-a", "-t", "open", "--context", "context:primary-signature", "-v", `"${appPath}"`])
+    log.info(null, "notarization successful")
+  }
+
+  private generateOptions(appPath: string, appleId: string, appleIdPassword: string): NotarizeOptions {
+    const baseOptions = { appPath, appleId, appleIdPassword }
+    const options = this.platformSpecificBuildOptions.notarize
+    if (typeof options === "boolean") {
+      return {
+        ...baseOptions,
+        tool: "legacy",
+        appBundleId: this.appInfo.id,
+      }
+    }
+    if (options?.teamId) {
+      return {
+        ...baseOptions,
+        tool: "notarytool",
+        teamId: options.teamId,
+      }
+    }
+    return {
+      ...baseOptions,
+      tool: "legacy",
+      appBundleId: options?.appBundleId || this.appInfo.id,
+      ascProvider: options?.ascProvider || undefined,
+    }
+  }
 }
 
 function getCertificateTypes(isMas: boolean, isDevelopment: boolean): CertType[] {

packages/app-builder-lib/src/options/macOptions.ts

@@ -194,7 +194,7 @@ export interface MacConfiguration extends PlatformSpecificBuildOptions {
    * This option has no effect unless building for "universal" arch and applies
    * only if `mergeASARs` is `true`.
    */
-  readonly singleArchFiles?: string
+  readonly singleArchFiles?: string | null
 
   /**
    * Minimatch pattern of paths that are allowed to be x64 binaries in both
@@ -203,7 +203,33 @@ export interface MacConfiguration extends PlatformSpecificBuildOptions {
    * This option has no effect unless building for "universal" arch and applies
    * only if `mergeASARs` is `true`.
    */
-  readonly x64ArchFiles?: string
+  readonly x64ArchFiles?: string | null
+
+  /**
+   * Options to use for @electron/notarize (ref: https://github.com/electron/notarize).
+   * Supports both `legacy` and `notarytool` notarization tools. Use `false` to explicitly disable
+   *
+   * Note: You MUST specify `APPLE_ID` and `APPLE_APP_SPECIFIC_PASSWORD` via environment variables to activate notarization step
+   */
+  readonly notarize?: NotarizeOptions | boolean | null
+}
+
+export interface NotarizeOptions {
+  /**
+   * The app bundle identifier your Electron app is using. E.g. com.github.electron. Useful if notarization ID differs from app ID (unlikely).
+   * Only used by `legacy` notarization tool
+   */
+  readonly appBundleId?: string | null
+
+  /**
+   * Your Team Short Name. Only used by `legacy` notarization tool
+   */
+  readonly ascProvider?: string | null
+
+  /**
+   * The team ID you want to notarize under. Only needed if using `notarytool`
+   */
+  readonly teamId?: string | null
 }
 
 export interface DmgOptions extends TargetSpecificOptions {