mac: Enable autoupdate by sign and notarize via github action (#581)

mac: Enable autoupdate by sign and notarize via github action

Signed and notarized binaries are the precondition for autoupdates on
mac. Additionally, Gatekeeper on 10.15+ is happy and allows the app to be
opened instead of blocking it.

The notarize step is added unconditionally, as it only emits a warning if
the notarization API key is not set, but it does not break the build.

This is an upstreaming of https://github.com/csett86/jitsi-meet-electron
where it has worked since March 2020.

On CI, only sign if not triggered by pull request, as these will fail (as secrets
are not available to pull request builds).

The required GitHub secrets (signing key, cert and notarize API login, password and team id) are:

Signing

Open the Keychain Access app. Export all certificates (Developer ID Certificate) related to your app into a single file (e.g. certs.p12) and set a strong password.

Base64-encode your certificates using the following command: base64 -i certs.p12 -o encoded.txt

In the GitHub repository, go to Settings → Secrets and add the following two variables:

    mac_certs: Your base64 encoded certificates, i.e. the content of the encoded.txt file you created before
    mac_certs_password: The password you set when exporting the certificates

Notarization

Create an app-specific password for your Apple ID: https://support.apple.com/de-de/HT204397

In the GitHub repository, go to Settings → Secrets and add the following three variables:

    apple_id: your Apple ID
    apple_id_password: the just created app-specific password for your Apple ID
    team_id: your team short name: https://github.com/electron/electron-notarize#notes-on-your-team-short-name

Co-authored-by: Saúl Ibarra Corretgé <s@saghul.net>
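The signing steps above export a Developer ID bundle to a .p12 file, base64-encode it and paste the result into the mac_certs secret. The script below is an added pre-flight check for that hand-off; it is not part of this commit or of the jitsi-meet-electron project. It assumes openssl and POSIX base64/cmp on PATH, reads the bundle from stdin instead of the macOS-only `base64 -i … -o …` form so it also runs on a Linux shell, and verifies two things before anything is uploaded: that the .p12 actually opens with the password that will become mac_certs_password, and that the single-line base64 text decodes back to the identical bytes.

```shell
#!/bin/sh
# Added example (not the project's code): sanity-check an exported Developer ID
# bundle and produce the single-line base64 text for the mac_certs secret.
# Assumes: openssl, base64 and cmp are available; file names are placeholders.
# Usage: check_cert_bundle certs.p12 "$MAC_CERTS_PASSWORD" encoded.txt

# Return 0 if the PKCS#12 bundle opens with the given password and contains
# at least one certificate, 1 otherwise (wrong password, truncated file, ...).
verify_p12() {
    p12="$1"; password="$2"
    openssl pkcs12 -in "$p12" -passin "pass:$password" -nokeys -clcerts 2>/dev/null \
        | grep -q 'BEGIN CERTIFICATE'
}

# Base64-encode the bundle as one line (what the secret must contain) and
# confirm the round trip: decoding the text must reproduce the original bytes.
encode_p12() {
    p12="$1"; out="$2"
    base64 < "$p12" | tr -d '\n' > "$out"
    base64 -d "$out" | cmp -s - "$p12"
}

# Run both checks; prints a short status and returns non-zero on any failure.
check_cert_bundle() {
    p12="$1"; password="$2"; out="$3"
    verify_p12 "$p12" "$password" \
        || { echo "cannot open $p12 with the given password" >&2; return 1; }
    encode_p12 "$p12" "$out" \
        || { echo "base64 round trip of $p12 failed" >&2; return 1; }
    echo "ok: $out holds $(wc -c < "$out" | tr -d ' ') bytes of base64 for the mac_certs secret"
}
```

Keeping the password check separate from the encoding step means a typo in the export password is caught on the developer's machine rather than as an opaque signing failure on CI, where the build step only sees CSC_KEY_PASSWORD.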
csett86 2021-11-04 22:29:34 +01:00 committed by GitHub
parent 6a60a6d8cd
commit ae306f5c5d
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 293 additions and 294 deletions


@ -37,6 +37,14 @@ jobs:
- uses: actions/setup-node@v1
with:
node-version: '16.x'
- name: Prepare for app signing and notarization
if: ${{ github.event_name != 'pull_request' }}
run: |
echo "CSC_LINK=${{ secrets.mac_cert }}" >> $GITHUB_ENV
echo "CSC_KEY_PASSWORD=${{ secrets.mac_cert_password }}" >> $GITHUB_ENV
echo "APPLE_ID=${{ secrets.apple_id }}" >> $GITHUB_ENV
echo "APPLE_ID_PASSWORD=${{ secrets.apple_id_password }}" >> $GITHUB_ENV
echo "TEAM_ID=${{ secrets.team_id }}" >> $GITHUB_ENV
- name: Build it
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
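Review bot: the secret names read here do not match the ones the commit message tells maintainers to create: this step uses `secrets.mac_cert` and `secrets.mac_cert_password`, while the message documents `mac_certs` and `mac_certs_password`. Whichever name is not actually configured resolves to an empty string, so `CSC_LINK` would be empty and the build would run unsigned without any error at this step; align the two names (and record the final ones in the repository docs). A second point: appending the certificate, its password and the Apple ID credentials to `$GITHUB_ENV` turns them into environment variables for every later step of the job, including any third-party actions that run afterwards. Only the `Build it` step needs them, so pass them through that step's existing `env:` block alongside `GH_TOKEN`, keeping the same `if: ${{ github.event_name != 'pull_request' }}` guard.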

notarize.js Normal file

@ -0,0 +1,28 @@
const { notarize } = require('electron-notarize');
const process = require('process');
const pkgJson = require('./package.json');
exports.default = async function notarizing(context) {
const { electronPlatformName, appOutDir } = context;
if (electronPlatformName !== 'darwin') {
return;
}
if (!(process.env.APPLE_ID && process.env.APPLE_ID_PASSWORD && process.env.TEAM_ID)) {
console.log('Skipping notarization');
return;
}
const appName = context.packager.appInfo.productFilename;
return await notarize({
tool: 'notarytool',
appBundleId: pkgJson.build.appId,
appPath: `${appOutDir}/${appName}.app`,
appleId: process.env.APPLE_ID,
appleIdPassword: process.env.APPLE_ID_PASSWORD,
teamId: process.env.TEAM_ID
});
};
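Review bot: the early return after the `process.env` check is silent about why notarization was skipped and uses `console.log`, whereas the commit message promises a warning; on CI a missing or misspelled secret would then produce an unnotarized release that Gatekeeper rejects, with nothing in the log to explain it. Suggest `console.warn` naming the variables that are required (names only, never their values), e.g. `console.warn('Skipping notarization: APPLE_ID, APPLE_ID_PASSWORD and TEAM_ID must all be set');`, and consider throwing instead of returning when the build is a tagged release so that publishing fails rather than shipping an unnotarized app. Minor: `const process = require('process')` is unnecessary since `process` is a global, and `return await notarize({...})` can simply be `return notarize({...})`.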

package-lock.json generated

File diff suppressed because it is too large


@ -21,6 +21,7 @@
"productName": "Jitsi Meet",
"generateUpdatesFilesForAllChannels": true,
"afterPack": "./linux-sandbox-fix.js",
"afterSign": "./notarize.js",
"files": [
"build",
"resources",
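Review bot: the set-up that this `afterSign` hook depends on (certificate export, base64 encoding, the app-specific password, and the five secret names) exists only in this commit message; add it to the repository's README or docs so that whoever later rotates the Developer ID certificate or the app-specific password can find it, and so the note that pull-request builds run unsigned is visible to contributors rather than only in the git log.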
@ -163,6 +164,7 @@
"electron-context-menu": "^2.5.0",
"electron-is-dev": "^1.2.0",
"electron-log": "^4.3.2",
"electron-notarize": "1.1.1",
"electron-react-devtools": "0.5.3",
"electron-store": "^5.2.0",
"electron-updater": "^4.4.3",
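Review bot: `electron-notarize` is pinned to exactly `"1.1.1"` while every neighbouring entry uses a caret range; if the exact pin is deliberate (`tool: 'notarytool'` in notarize.js needs the 1.1 line), say so in the commit message, otherwise `^1.1.1` matches the file's convention. Also, the package is only used by the `afterSign` hook at build time; if this block is `dependencies` rather than `devDependencies`, it is bundled into the shipped app for no reason.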