feat: add cert signing to macos builds

kubeshop · Sep 29, 2021 · 2859fe5 · 2859fe5
1 parent 993d0f6
commit 2859fe5
Show file tree

Hide file tree

Showing 5 changed files with 276 additions and 2 deletions.
diff --git a/.github/workflows/monokle-sign-test.yml b/.github/workflows/monokle-sign-test.yml
@@ -0,0 +1,181 @@
+name: monokle-publish
+
+on:
+  push:
+    branches:
+      - steen/feat/sign-binaries
+  release:
+    types:
+      - prereleased
+
+  # Allows you to run this workflow manually from the Actions tab
+  workflow_dispatch:
+
+jobs:
+  # This workflow contains a single job called "build"
+  build-and-publish-mac:
+    runs-on: macOS-latest
+
+    steps:
+      # Make sure build is clean and no files from a previous run are re-used.
+      - name: Cleanup files before run
+        run: |
+          rm -rf *
+          rm /Users/runner/.npm/_logs/*.log || true
+        if: ${{ always() }}
+
+      # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it.
+      - name: Checkout Project
+        uses: actions/checkout@v2
+
+      # Check memory and cpu
+      - name: Verify Runner Resources
+        run: |
+          sysctl -n machdep.cpu.brand_string
+          vm_stat | perl -ne '/page size of (\d+)/ and $size=$1; /Pages\s+([^:]+)[^\d]+(\d+)/ and printf("%-16s % 16.2f Mi\n", "$1:", $2 * $size / 1048576);'
+
+      - name: Add MacOS certs
+        run: |
+          ls -la
+          chmod +x .github/workflows/scripts/add-osx-cert.sh && .github/workflows/scripts/add-osx-cert.sh
+        env:
+          CERTIFICATE_OSX_APPLICATION: ${{ secrets.MONOKLE_MACOS_CERTS }}
+          CERTIFICATE_PASSWORD: ${{ secrets.MONOKLE_MACOS_CERTS_PASSWORD }}
+
+      - name: Electron mac os security identities
+        run: security find-identity -v
+
+      - name: Get Node Version
+        run: |
+          cat .nvmrc
+          echo "::set-output name=nodeversion::$(cat .nvmrc)"
+        id: get-node-version
+
+      - name: Use Node.js ${{ steps.get-node-version.outputs.nodeversion }}
+        uses: actions/setup-node@v2
+        with:
+          node-version: ${{ steps.get-node-version.outputs.nodeversion }}
+          cache: 'npm'
+
+      - name: Install Dependencies
+        run: |
+          env
+          echo "npm: $(npm --version)"
+          echo "node: $(node --version)"
+          npm install
+
+      - name: Verify Dependencies
+        run: |
+          ls -la
+          npm list --depth=1
+
+      - name: Build
+        run: |
+          npm run electron:build:ci
+        env:
+          # Set CI flag to false, or the build fails on all warnings, not just errors as locally.
+          CI: false
+
+      - name: Package and Publish
+        run: |
+          npm exec -c "electron-builder --publish \"always\""
+        env:
+          GITHUB_TOKEN: ${{ secrets.github_token }}
+          EP_PRE_RELEASE: true
+          NOTARIZE: true
+          CSC_LINK: ${{ secrets.MONOKLE_MACOS_CERTS }}
+          CSC_KEY_PASSWORD: ${{ secrets.MONOKLE_MACOS_CERTS_PASSWORD }}
+
+      # Check Binary Size
+      - name: Build Succeeded
+        run: |
+          ls -alh dist | grep Monokle && du -sh dist/mac || true
+        if: ${{ success() }}
+
+      - name: Archive Binary
+        uses: actions/upload-artifact@v2
+        with:
+          name: dist
+          path: dist
+        if: ${{ success() }}
+
+      - name: Build Failed - Output Build Logs
+        run: |
+          cat /Users/runner/.npm/_logs/*-debug.log || true
+        if: ${{ failure() || cancelled() }}
+
+      - name: Build Failed - Archive Build Logs
+        uses: actions/upload-artifact@v2
+        with:
+          name: logs
+          path: /Users/runner/.npm/_logs
+        if: ${{ failure() || cancelled() }}
+
+      # Make sure no secrets or certs are left on the runner
+      - name: Cleanup files after run
+        run: |
+          rm -rf *
+          ls -la
+        if: ${{ always() }}
+
+  build-and-publish-windows:
+    runs-on: windows-latest
+
+    steps:
+      # Make sure build is clean and no files from a previous run are re-used.
+      - name: Cleanup files before run
+        run: |
+          cmd /r dir
+        if: ${{ always() }}
+
+      # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it.
+      - name: Checkout Project
+        uses: actions/checkout@v2
+
+      - name: Get Node Version
+        run: |
+          Set-PSDebug -Trace 1
+          $filePath = "D:\a\monokle\monokle\.nvmrc"
+          Get-Content $filePath -Raw
+          $content = Get-Content $filePath -Raw
+          echo "::set-output name=nodeversion::$content"
+        id: get-node-version
+
+      - name: Use Node.js ${{ steps.get-node-version.outputs.nodeversion }}
+        uses: actions/setup-node@v2
+        with:
+          node-version: ${{ steps.get-node-version.outputs.nodeversion }}
+          cache: 'npm'
+
+      # Install Dependencies
+      - name: Install Dependencies
+        run: |
+          Set-PSDebug -Trace 1
+          node --version
+          npm --version
+          npm install
+
+      - name: Verify Dependencies
+        run: |
+          cmd /r dir
+          npm list --depth=1
+
+      - name: Build
+        run: |
+          npm run electron:build:ci
+        env:
+          # Set CI flag to false, or the build fails on all warnings, not just errors as locally.
+          CI: false
+
+      - name: Package and Publish
+        run: |
+          npm exec -c 'electron-builder --publish "always"'
+        env:
+          GITHUB_TOKEN: ${{ secrets.github_token }}
+          EP_PRE_RELEASE: true
+
+      # Check Binary Size
+      - name: Build Succeeded
+        run: |
+          cmd /r dir .\dist
+        if: ${{ success() }}
diff --git a/.github/workflows/scripts/add-osx-cert.sh b/.github/workflows/scripts/add-osx-cert.sh
@@ -0,0 +1,23 @@
+#!/usr/bin/env sh
+
+KEY_CHAIN=build.keychain
+CERTIFICATE_P12=certificate.p12
+
+# Recreate the certificate from the secure environment variable
+echo $CERTIFICATE_OSX_APPLICATION | base64 --decode > $CERTIFICATE_P12
+
+#create a keychain
+security create-keychain -p actions $KEY_CHAIN
+
+# Make the keychain the default so identities are found
+security default-keychain -s $KEY_CHAIN
+
+# Unlock the keychain
+security unlock-keychain -p actions $KEY_CHAIN
+
+security import $CERTIFICATE_P12 -k $KEY_CHAIN -P $CERTIFICATE_PASSWORD -T /usr/bin/codesign;
+
+security set-key-partition-list -S apple-tool:,apple: -s -k actions $KEY_CHAIN
+
+# remove certs
+rm -fr *.p12
diff --git a/electron/src/entitlements.mac.inherit.plist b/electron/src/entitlements.mac.inherit.plist
@@ -0,0 +1,18 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+  <dict>
+    <key>com.apple.security.cs.allow-jit</key>
+    <true/>
+    <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
+    <true/>
+    <key>com.apple.security.cs.disable-library-validation</key>
+    <true/>
+    <key>com.apple.security.cs.disable-executable-page-protection</key>
+    <true/>
+    <key>com.apple.security.automation.apple-events</key>
+    <true/>
+    <key>com.apple.security.cs.allow-dyld-environment-variables</key>
+    <true/>
+  </dict>
+</plist>
diff --git a/notarization/afterSignHook.js b/notarization/afterSignHook.js
@@ -0,0 +1,44 @@
+/* eslint-disable */
+require('dotenv').config();
+
+const fs = require('fs');
+const path = require('path');
+var electron_notarize = require('electron-notarize');
+
+module.exports = async function (params) {
+  // Only notarize the app if building for macOS and the NOTARIZE environment
+  // variable is present.
+  if (!process.env.NOTARIZE || process.platform !== 'darwin') {
+    return;
+  }
+  console.log('afterSign hook triggered', params);
+
+  const package = require(path.join(process.cwd(), './package.json'));
+
+  // This should match the appId from electron-builder. It reads from
+  // package.json so you won't have to maintain two separate configurations.
+  let appId = package.build.appId;
+  if (!appId) {
+    console.error("appId is missing from build configuration 'package.json'");
+  }
+
+  let appPath = path.join(params.appOutDir, `${params.packager.appInfo.productFilename}.app`);
+  if (!fs.existsSync(appPath)) {
+    throw new Error(`Cannot find application at: ${appPath}`);
+  }
+
+  console.log(`Notarizing ${appId} found at ${appPath}`);
+
+  try {
+    await electron_notarize.notarize({
+      appBundleId: appId,
+      appPath: appPath,
+      appleId: process.env.appleId,
+      appleIdPassword: process.env.appleIdPassword,
+    });
+  } catch (error) {
+    console.error(error);
+  }
+
+  console.log(`Done notarizing ${appId}`);
+};
diff --git a/package.json b/package.json
@@ -44,6 +44,7 @@
     "cross-env": "7.0.3",
     "electron": "13.4.0",
     "electron-builder": "22.11.11",
+    "electron-notarize": "1.1.0",
     "electron-reload": "2.0.0-alpha.1",
     "eslint-config-airbnb": "18.2.1",
     "eslint-config-prettier": "8.3.0",
@@ -141,8 +142,14 @@
     "copyright": "Copyright © 2021 ${author}",
     "mac": {
       "category": "public.app-category.utilities",
-      "icon": "build/icon.png"
+      "icon": "build/icon.png",
+      "hardenedRuntime": true,
+      "entitlements": "./electron/src/entitlements.mac.inherit.plist",
+      "target": [
+        "dmg"
+      ]
     },
+    "afterSign": "./notarization/afterSignHook.js",
     "dmg": {
       "icon": "build/icon.png"
     },
@@ -182,7 +189,8 @@
       "!**/node_modules/@jest/**/*",
       "!**/node_modules/monaco-editor/min/**/*",
       "!**/node_modules/monaco-editor/min-maps/**/*",
-      "!**/docs/**/*"
+      "!**/docs/**/*",
+      "!notarization/**/*"
     ],
     "extraResources": [
       {