Add macOS Notarization

Fixes: https://github.com/webtorrent/webtorrent-desktop/issues/1675
2020-07-15 22:26:29 -07:00
parent 8e89c0962b
commit 803cce808b
3 changed files with 37 additions and 2 deletions
--- a/bin/darwin-entitlements.plist
+++ b/bin/darwin-entitlements.plist
@@ -0,0 +1,12 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+  <dict>
+    <key>com.apple.security.cs.allow-jit</key>
+    <true/>
+    <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
+    <true/>
+    <key>com.apple.security.cs.debugger</key>
+    <true/>
+  </dict>
+</plist>
--- a/bin/package.js
+++ b/bin/package.js
@@ -266,6 +266,7 @@ function buildDarwin (cb) {

    function signApp (cb) {
      const sign = require('electron-osx-sign')
+      const { notarize } = require('electron-notarize')

      /*
       * Sign the app with Apple Developer ID certificates. We sign the app for 2 reasons:
@@ -281,16 +282,37 @@ function buildDarwin (cb) {
       *   - Membership in the Apple Developer Program
       */
      const signOpts = {
+        verbose: true,
        app: appPath,
        platform: 'darwin',
-        verbose: true
+        identity: 'Developer ID Application: WebTorrent, LLC (5MAMC8G3L8)',
+        hardenedRuntime: true,
+        entitlements: path.join(config.ROOT_PATH, 'bin', 'darwin-entitlements.plist'),
+        'entitlements-inherit': path.join(config.ROOT_PATH, 'bin', 'darwin-entitlements.plist'),
+        'signature-flags': 'library'
+      }
+
+      const notarizeOpts = {
+        appBundleId: darwin.appBundleId,
+        appPath,
+        appleId: 'feross@feross.org',
+        appleIdPassword: '@keychain:AC_PASSWORD'
      }

      console.log('Mac: Signing app...')
      sign(signOpts, function (err) {
        if (err) return cb(err)
        console.log('Mac: Signed app.')
-        cb(null)
+
+        console.log('Mac: Notarizing app...')
+        notarize(notarizeOpts).then(
+          function () {
+            console.log('Mac: Notarized app.')
+            cb(null)
+          },
+          function (err) {
+            cb(err)
+          })
      })
    }

--- a/package.json
+++ b/package.json
@@ -52,6 +52,7 @@
    "cross-zip": "^3.1.0",
    "depcheck": "^1.0.0",
    "electron": "~10.0.0-beta.11",
+    "electron-notarize": "^1.0.0",
    "electron-osx-sign": "^0.4.17",
    "electron-packager": "^15.0.0",
    "electron-winstaller": "^4.0.1",