mac: Enable autoupdate by sign and notarize via GitHub action

Signed and notarized binaries are the precondition for autoupdates on
mac. Additionally, Gatekeeper on 10.15+ is happy and allows opening the
app instead of blocking it.
The notarize step is added unconditionally, as it only emits a warning if
the notarization API key is not set, but it does not break the build.
This is an upstreaming of https://github.com/csett86/jitsi-meet-electron
where it has worked since March 2020.
On CI, only sign if not triggered by pull request, as these will fail (as secrets
are not available to pull request builds).
The required GitHub secrets (signing key, cert and notarize API login, password and team id) are:

Signing
- Open the Keychain Access app. Export all certificates (Developer ID Certificate) related to your app into a single file (e.g. certs.p12) and set a strong password.
- Base64-encode your certificates using the following command:
    base64 -i certs.p12 -o encoded.txt
- In the GitHub repository, go to Settings → Secrets and add the following two variables:
  - mac_certs: Your base64 encoded certificates, i.e. the content of the encoded.txt file you created before
  - mac_certs_password: The password you set when exporting the certificates

Notarization
- Create an app-specific password for your Apple ID: https://support.apple.com/de-de/HT204397
- In the GitHub repository, go to Settings → Secrets and add the following three variables:
  - apple_id: your Apple ID
  - apple_id_password: the just created app-specific password for your Apple ID
  - team_id: your team short name: https://github.com/electron/electron-notarize#notes-on-your-team-short-name

Co-authored-by: Saúl Ibarra Corretgé <s@saghul.net>
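
The rule from the commit message above (sign only when the build was not triggered by a pull request, because the secrets are absent there), as an added example that is not code from the commit or the jitsi-meet-electron repository. It assumes the workflow maps the mac_certs and mac_certs_password secrets to the environment variables MAC_CERTS and MAC_CERTS_PASSWORD (names chosen here) and that electron-builder picks up the certificate through its CSC_LINK and CSC_KEY_PASSWORD variables.

```shell
#!/usr/bin/env bash
# Added example, not project code. MAC_CERTS / MAC_CERTS_PASSWORD are assumed
# names for the mac_certs / mac_certs_password secrets exposed by the workflow.

# Prints "skip" or "sign"; returns 1 when a non-PR build must not proceed.
signing_mode() {
  local event="${GITHUB_EVENT_NAME:-}"
  if [ "$event" = "pull_request" ]; then
    # Secrets are not available to pull request builds: build unsigned.
    echo skip
    return 0
  fi
  # Fail closed: a release build without secrets would ship an unsigned app
  # that Gatekeeper blocks and the autoupdater cannot install.
  if [ -z "${MAC_CERTS:-}" ] || [ -z "${MAC_CERTS_PASSWORD:-}" ]; then
    echo "signing secrets missing on a non-PR build" >&2
    return 1
  fi
  # Catch a truncated or mis-pasted secret before it reaches the signer.
  if ! printf '%s' "$MAC_CERTS" | base64 --decode >/dev/null 2>&1; then
    echo "mac_certs is not valid base64" >&2
    return 1
  fi
  echo sign
}

# Exports the electron-builder variables that match the chosen mode.
configure_signing() {
  local mode
  mode="$(signing_mode)" || return 1
  if [ "$mode" = "skip" ]; then
    # Stop electron-builder from searching the keychain for an identity.
    export CSC_IDENTITY_AUTO_DISCOVERY=false
    unset CSC_LINK CSC_KEY_PASSWORD
  else
    # CSC_LINK accepts the base64 data directly, so the .p12 never has to be
    # written to the runner's disk by this script.
    export CSC_LINK="$MAC_CERTS"
    export CSC_KEY_PASSWORD="$MAC_CERTS_PASSWORD"
  fi
}
```

Source the file and call configure_signing before the packaging step; a non-zero return should fail the job.
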
This moves all webpacked deps to be automatically included from the asar
and thus reduces the shipped binary by 14 MB on Windows, 16 MB on Mac and
12 MB on Linux. The installed size on mac is reduced by 105 MB.
Previously all the dependencies were webpacked and minified in the asar in the
build folder and in its full installed version unused under node_modules.
Only keep the dependencies that are externally required in the node_modules
folder.
Signed-off-by: Christoph Settgast <csett86@web.de>

Modeled after https://github.com/electron-userland/electron-builder/issues/5371#issuecomment-791771150
but written with the promise-based fs Node.js API.
This allows dropping the app-builder-lib .desktop patch, as
--no-sandbox is now part of all Linux targets via the additional launcher script,
so the arg can be dropped from the .desktop file Exec line.
The manual workaround is removed from the README as well.

- disable the autoupdater if running as mas (was not working anyway, just logging an error on every start)
- replace check via app.requestSingleInstanceLock() with LSMultipleInstancesProhibited in Info.plist
  due to https://github.com/electron/electron/issues/15958
- Quit the app also when all windows are closed to conform to macOS Human Interface Guidelines
  Comments from review:
  If the application is a single-window app, it might be appropriate to save data and quit the app when the main window is closed.
- "asarUnpack": "**/*.node" to also sign the native addons when packaging
- add the required mas-specific entitlements which include the app-sandbox key
Signed-off-by: Christoph Settgast <csett86@web.de>