From 89ba3b805dc44c283552d612f75ade7acda48bf9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fl=C3=A1vio=20F=20Lima?= <26871415+flavioislima@users.noreply.github.com> Date: Sat, 25 Mar 2023 10:46:35 +0100 Subject: [PATCH] =?UTF-8?q?=C2=A0[CI]=20Sign=20and=20Notarize=20macOS=20Bu?= =?UTF-8?q?ilds=20(#2553)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit *  [CI] Sign and Notarize macOS Builds * fix: variables and test with build * chore: skip sign during PR builds * fix: set Notarize to false on PRS --- .eslintignore | 1 + .github/workflows/build-prs-mac.yml | 1 + .github/workflows/draft-release-mac.yml | 19 ++++++++++++++----- .gitignore | 1 + .prettierignore | 3 ++- package.json | 12 +++++++++--- public/entitlements.mac.plist | 12 ++++++++++++ sign/notarize.js | 23 +++++++++++++++++++++++ tsconfig.json | 2 +- yarn.lock | 8 ++++++++ 10 files changed, 72 insertions(+), 10 deletions(-) create mode 100644 .eslintignore create mode 100644 public/entitlements.mac.plist create mode 100644 sign/notarize.js diff --git a/.eslintignore b/.eslintignore new file mode 100644 index 0000000000..3e12850f17 --- /dev/null +++ b/.eslintignore @@ -0,0 +1 @@ +sign/** \ No newline at end of file diff --git a/.github/workflows/build-prs-mac.yml b/.github/workflows/build-prs-mac.yml index 5e469cb913..7dd5595989 100644 --- a/.github/workflows/build-prs-mac.yml +++ b/.github/workflows/build-prs-mac.yml @@ -26,6 +26,7 @@ jobs: env: GITHUB_TOKEN: ${{ secrets.WORKFLOW_TOKEN }} GH_TOKEN: ${{ secrets.WORKFLOW_TOKEN }} + NOTARIZE: false - name: Upload x64. uses: actions/upload-artifact@v3 with: diff --git a/.github/workflows/draft-release-mac.yml b/.github/workflows/draft-release-mac.yml index bdbe0844f9..e37c3e5f4b 100644 --- a/.github/workflows/draft-release-mac.yml +++ b/.github/workflows/draft-release-mac.yml 
@@ -6,6 +6,17 @@ on: - 'v*' workflow_dispatch: +env: + GITHUB_TOKEN: ${{ secrets.WORKFLOW_TOKEN }} + GH_TOKEN: ${{ secrets.WORKFLOW_TOKEN }} + CSC_IDENTITY_AUTO_DISCOVERY: true + CSC_LINK: ${{ secrets.CSC_LINK }} + CSC_KEY_PASSWORD: ${{ secrets.CSC_KEY_PASSWORD }} + APPLE_ID: ${{ secrets.APPLE_ID }} + APPLE_APP_SPECIFIC_PASSWORD: ${{ secrets.APPLE_APP_SPECIFIC_PASSWORD }} + TEAMID: ${{ secrets.TEAMID }} + NOTARIZE: true + jobs: draft-releases: runs-on: macos-latest @@ -14,8 +25,6 @@ jobs: - uses: actions/setup-node@v3 with: node-version: '18' - - run: npm install --legacy-peer-deps - - run: npm run release:mac - env: - GITHUB_TOKEN: ${{ secrets.WORKFLOW_TOKEN }} - GH_TOKEN: ${{ secrets.WORKFLOW_TOKEN }} + - run: npm install -g yarn + - run: yarn + - run: yarn release:mac diff --git a/.gitignore b/.gitignore index f0899136c0..5575e8520c 100644 --- a/.gitignore +++ b/.gitignore @@ -33,3 +33,4 @@ vite-plugin-electron.log #flatpak flatpak-build +.env diff --git a/.prettierignore b/.prettierignore index e98835a31c..64588fc9d5 100644 --- a/.prettierignore +++ b/.prettierignore @@ -4,4 +4,5 @@ build coverage public/locales/ flatpak -flatpak-build \ No newline at end of file +flatpak-build +sign/ \ No newline at end of file diff --git a/package.json b/package.json index c904d6152b..74fbbf2b4c 100644 --- a/package.json +++ b/package.json @@ -15,8 +15,9 @@ "email": "heroicgameslauncher@protonmail.com" }, "build": { - "appId": "com.electron.heroic", + "appId": "com.heroicgameslauncher.hgl", "productName": "Heroic", + "afterSign": "sign/notarize.js", "files": [ "build/**/*", "node_modules/**/*", 
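Review bot: The new workflow-level `env:` block hands CSC_LINK, CSC_KEY_PASSWORD, APPLE_ID and APPLE_APP_SPECIFIC_PASSWORD (plus the WORKFLOW_TOKEN) to every step of every job in the file, including `actions/checkout`, `actions/setup-node` and the `yarn` install step, whose dependency lifecycle scripts then run with the signing certificate and Apple credentials in their environment. The removed lines scoped the token to the release step; the signing secrets deserve the same least-privilege treatment so that only `yarn release:mac` can read them. Move the block under that step as a step-level `env:` with the same keys and values and keep nothing secret at workflow scope. The trigger is a `v*` tag push or `workflow_dispatch`, so fork pull requests cannot reach these secrets, but a compromised package install script could.
```yaml
# … unchanged: checkout, setup-node and install steps …
      - run: yarn release:mac
        env:
          GITHUB_TOKEN: ${{ secrets.WORKFLOW_TOKEN }}
          GH_TOKEN: ${{ secrets.WORKFLOW_TOKEN }}
          CSC_IDENTITY_AUTO_DISCOVERY: true
          CSC_LINK: ${{ secrets.CSC_LINK }}
          CSC_KEY_PASSWORD: ${{ secrets.CSC_KEY_PASSWORD }}
          APPLE_ID: ${{ secrets.APPLE_ID }}
          APPLE_APP_SPECIFIC_PASSWORD: ${{ secrets.APPLE_APP_SPECIFIC_PASSWORD }}
          TEAMID: ${{ secrets.TEAMID }}
          NOTARIZE: true
```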
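Review bot: The new `- run: yarn` install line resolves dependencies without `--frozen-lockfile`, so the build that gets signed and notarized can silently install versions that differ from the committed yarn.lock whenever package.json and the lockfile have drifted. Change it to `- run: yarn --frozen-lockfile` so such drift fails the release instead of shipping under the signature. The preceding `npm install -g yarn` fetches whatever yarn is current on each run; pinning it (`npm install -g yarn@<pinned version>`, placeholder) keeps the release toolchain reproducible.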
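Review bot: The `appId` change to `com.heroicgameslauncher.hgl` is not mentioned in the commit description, yet it changes the bundle identifier of an already shipped macOS app; macOS keys per-app state such as privacy (TCC) grants by bundle identifier, so existing users may presumably be re-prompted after upgrading — worth a line in the description. The same literal is repeated in `sign/notarize.js` as `appBundleId`, so the two must now be kept in sync by hand. The new `afterSign` hook runs on every `electron-builder` invocation on every platform and relies entirely on the script's own guard to do nothing outside the darwin release path.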
@@ -55,9 +56,13 @@ }, "mac": { "artifactName": "${productName}-${version}-macOS-${arch}.${ext}", - "target": "dmg", "category": "public.app-category.games", "icon": "build/icon.icns", + "entitlements": "build/entitlements.mac.plist", + "entitlementsInherit": "build/entitlements.mac.plist", + "extendInfo": { + "com.apple.security.cs.allow-jit": true + }, "asarUnpack": [ "build/bin/darwin/legendary", "build/bin/darwin/gogdl" @@ -192,7 +197,7 @@ "release:win": "vite build && electron-builder -p always --win portable --x64 --arm64", "sign:win": "vite build && electron-builder -p never --win nsis --x64 --arm64", "dist:linux": "vite build && electron-builder --linux", - "dist:mac": "vite build && electron-builder --mac", + "dist:mac": "export CSC_IDENTITY_AUTO_DISCOVERY=false && vite build && electron-builder --mac", "dist:win": "vite build && electron-builder --win", "dist:flatpak": "yarn dist:linux appimage && yarn flatpak:prepare && yarn flatpak:build", "lint": "eslint --cache -c .eslintrc --ext .tsx,ts .", @@ -212,6 +217,7 @@ ] }, "devDependencies": { + "@electron/notarize": "^1.2.3", "@testing-library/dom": "^9.0.1", "@testing-library/jest-dom": "^5.16.4", "@testing-library/react": "^14.0.0", diff --git a/public/entitlements.mac.plist b/public/entitlements.mac.plist new file mode 100644 index 0000000000..8090af38e1 --- /dev/null +++ b/public/entitlements.mac.plist @@ -0,0 +1,12 @@ + + + + com.apple.security.cs.allow-jit + + com.apple.security.cs.allow-unsigned-executable-memory + + com.apple.security.cs.disable-library-validation + + + diff --git a/sign/notarize.js b/sign/notarize.js new file mode 100644 index 0000000000..da044a3a26 --- /dev/null +++ b/sign/notarize.js 
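Review bot: The `extendInfo` entry `"com.apple.security.cs.allow-jit": true` writes that key into Info.plist, where it has no effect: hardened-runtime exceptions are entitlements embedded in the code signature, and the same key is already granted through `entitlements`. Drop the `extendInfo` block so readers do not take Info.plist as a source of truth for the entitlement set. `entitlements` and `entitlementsInherit` point at `build/entitlements.mac.plist` while the file is added under `public/`, which presumably relies on the Vite public directory being copied into `build/` alongside `icon.icns`; a short note in the description should say so. Removing `"target": "dmg"` falls back to electron-builder's default mac targets, which is also undocumented in the description.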
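Review bot: `com.apple.security.cs.disable-library-validation` and `com.apple.security.cs.allow-unsigned-executable-memory` each switch off a hardened-runtime protection for the whole app and, because package.json uses the same file as `entitlementsInherit`, for every helper process too, yet the commit does not say which bundled component needs them. Electron itself requires `allow-jit`; `disable-library-validation` only matters if a dylib signed by another team is loaded at runtime, and `legendary`/`gogdl` are separate executables rather than libraries, so both extra entitlements may be droppable — build once without them and keep only what notarization or runtime testing shows is required. Add a comment above each remaining key naming the component that needs it, e.g. `<!-- required by V8 for JIT code generation -->` above `allow-jit`. The rendered hunk shows the keys without their `<key>`/`<true/>` markup, so the exact plist structure is inferred here.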
@@ -0,0 +1,23 @@ +require('dotenv').config() +const { notarize } = require('@electron/notarize') + +exports.default = async function notarizing(context) { + const { electronPlatformName, appOutDir } = context + if (electronPlatformName !== 'darwin' || process.env.NOTARIZE === 'false') { + console.log('Notarizing skipped') + return + } + + console.log('Notarizing Application...') + + const appName = context.packager.appInfo.productFilename + + return await notarize({ + tool: 'notarytool', + appBundleId: 'com.heroicgameslauncher.hgl', + appPath: `${appOutDir}/${appName}.app`, + teamId: process.env.TEAMID, + appleId: process.env.APPLE_ID, + appleIdPassword: process.env.APPLE_APP_SPECIFIC_PASSWORD + }) +} diff --git a/tsconfig.json b/tsconfig.json index 2a5a883e4e..1fb6b1b019 100644 --- a/tsconfig.json +++ b/tsconfig.json @@ -27,5 +27,5 @@ "typeRoots": ["./node-modules/@types", "src/common/typedefs"] }, "include": ["src"], - "exclude": ["vite.config.ts", "**/__tests__/**", "**/__mocks__/**"] + "exclude": ["vite.config.ts", "**/__tests__/**", "**/__mocks__/**", "sign"] } diff --git a/yarn.lock b/yarn.lock index 207ed4d7be..70a4ad4b3c 100644 --- a/yarn.lock +++ b/yarn.lock @@ -468,6 +468,14 @@ optionalDependencies: global-agent "^3.0.0" +"@electron/notarize@^1.2.3": + version "1.2.3" + resolved "https://registry.yarnpkg.com/@electron/notarize/-/notarize-1.2.3.tgz#38056a629e5a0b5fd56c975c4828c0f74285b644" + integrity sha512-9oRzT56rKh5bspk3KpAVF8lPKHYQrBnRwcgiOeR0hdilVEQmszDaAu0IPCPrwwzJN0ugNs0rRboTreHMt/6mBQ== + dependencies: + debug "^4.1.1" + fs-extra "^9.0.1" + "@electron/universal@1.2.1": version "1.2.1" resolved "https://registry.yarnpkg.com/@electron/universal/-/universal-1.2.1.tgz#3c2c4ff37063a4e9ab1e6ff57db0bc619bc82339"
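Review bot: The guard on the `if` line skips notarization only when `NOTARIZE` is exactly the string `false`, so any invocation that does not set it — `yarn dist:mac` on a developer machine, or a workflow that forgets the variable — calls `notarize()` with `teamId`, `appleId` and `appleIdPassword` all `undefined` and fails the build inside the hook. Invert it to opt-in (`process.env.NOTARIZE !== 'true'`) and fail fast with a clear message when one of the three credentials is missing; the `NOTARIZE: false` added to build-prs-mac.yml then becomes redundant but harmless. `appBundleId` repeats the literal from `build.appId` in package.json, and `context.packager.appInfo.id` yields the same value without the duplication. `require('dotenv').config()` loads a `.env` from the working directory (the commit also gitignores `.env`), which is convenient locally but means a stray `.env` on a build machine silently supplies notarization credentials — presumably intended for local use only, so a comment on that line should say so.
```javascript
// … unchanged: dotenv and @electron/notarize requires …
exports.default = async function notarizing(context) {
  const { electronPlatformName, appOutDir } = context
  // Opt in: only a build that sets NOTARIZE=true (the mac release workflow) notarizes.
  if (electronPlatformName !== 'darwin' || process.env.NOTARIZE !== 'true') {
    console.log('Notarizing skipped')
    return
  }

  const { TEAMID, APPLE_ID, APPLE_APP_SPECIFIC_PASSWORD } = process.env
  if (!TEAMID || !APPLE_ID || !APPLE_APP_SPECIFIC_PASSWORD) {
    throw new Error(
      'NOTARIZE=true but TEAMID, APPLE_ID or APPLE_APP_SPECIFIC_PASSWORD is unset'
    )
  }

  console.log('Notarizing Application...')
  const appName = context.packager.appInfo.productFilename

  return notarize({
    tool: 'notarytool',
    appBundleId: context.packager.appInfo.id, // same value as build.appId in package.json
    appPath: `${appOutDir}/${appName}.app`,
    teamId: TEAMID,
    appleId: APPLE_ID,
    appleIdPassword: APPLE_APP_SPECIFIC_PASSWORD
  })
}
```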