feat(mac): supplying a value for the ‘ignore’ electron-osx-sign property
Close #5262
bedney authored and develar committed Sep 22, 2020
1 parent df5d050 commit aa3625d
Showing 10 changed files with 213 additions and 163 deletions.
12 changes: 5 additions & 7 deletions .circleci/config.yml
Expand Up @@ -8,18 +8,18 @@ jobs:
- checkout
- restore_cache:
keys:
- install-dep-cache-{{ checksum "yarn.lock" }}-{{ checksum ".yarn/releases/yarn-2.2.2.cjs" }}
- install-dep-cache-{{ checksum "yarn.lock" }}
- restore_cache:
keys:
- v-8.2.5-electron
- run:
command: YARN_CHECKSUM_BEHAVIOR=ignore node .yarn/releases/yarn-2.2.2.cjs install
command: node .yarn/releases/yarn-2.2.2.cjs install
- run:
command: node .yarn/releases/yarn-2.2.2.cjs pretest
- run:
command: cp .pnp.js .yarn/.pnp.js
- save_cache:
key: install-dep-cache-{{ checksum "yarn.lock" }}-{{ checksum ".yarn/releases/yarn-2.2.2.cjs" }}
key: install-dep-cache-{{ checksum "yarn.lock" }}
paths:
- .yarn
- run:
Expand All @@ -40,18 +40,16 @@ jobs:
- checkout
- restore_cache:
keys:
- install-dep-cache-{{ checksum "yarn.lock" }}-{{ checksum ".yarn/releases/yarn-2.2.2.cjs" }}
- install-dep-cache-{{ checksum "yarn.lock" }}
- restore_cache:
keys:
- v-8.2.5-electron
# because in the build job we use circleci docker image and circleci restores cache to original user home
- run:
command: |
rm -rf .yarn
mv /home/circleci/project/.yarn .yarn
mv .yarn/.pnp.js .pnp.js
mkdir -p ~/.cache
mv /home/circleci/.cache/electron ~/.cache/electron
node .yarn/releases/yarn-2.2.2.cjs install
- run:
# do not use yarn test because lint is done in the build job
command: |
6 changes: 3 additions & 3 deletions package.json
Expand Up @@ -35,8 +35,8 @@
"@babel/core": "^7.11.6",
"@babel/plugin-transform-modules-commonjs": "^7.10.4",
"@babel/preset-env": "^7.11.5",
"@typescript-eslint/eslint-plugin": "^4.1.1",
"@typescript-eslint/parser": "^4.1.1",
"@typescript-eslint/eslint-plugin": "^4.2.0",
"@typescript-eslint/parser": "^4.2.0",
"babel-core": "^6.26.3",
"babel-preset-jest": "^26.3.0",
"bluebird-lst": "^1.0.9",
Expand All @@ -48,7 +48,7 @@
"jsdoc-to-markdown": "^6.0.1",
"ts-babel": "6.1.7",
"ts-jsdoc": "^3.1.1",
"typescript": "~4.0.2",
"typescript": "~4.0.3",
"typescript-json-schema": "^0.43.0"
},
"eslintIgnore": [
2 changes: 1 addition & 1 deletion packages/app-builder-lib/package.json
Expand Up @@ -49,7 +49,7 @@
"builder-util": "workspace:*",
"builder-util-runtime": "workspace:*",
"chromium-pickle-js": "^0.2.0",
"debug": "^4.2.0",
"debug": "^4.3.0",
"ejs": "^3.1.5",
"electron-publish": "workspace:*",
"fs-extra": "^9.0.1",
130 changes: 77 additions & 53 deletions packages/app-builder-lib/scheme.json
Expand Up @@ -993,15 +993,15 @@
"string"
]
},
"role": {
"default": "Editor",
"description": "*macOS-only* The app’s role with respect to the type. The value can be `Editor`, `Viewer`, `Shell`, or `None`. Corresponds to `CFBundleTypeRole`.",
"type": "string"
},
"rank": {
"default": "Default",
"description": "*macOS-only* The app’s rank with respect to the type. The value can be `Owner`, `Default`, `Alternate`, or `None`. Corresponds to `LSHandlerRank`.",
"type": "string"
},
"role": {
"default": "Editor",
"description": "*macOS-only* The app’s role with respect to the type. The value can be `Editor`, `Viewer`, `Shell`, or `None`. Corresponds to `CFBundleTypeRole`.",
"type": "string"
}
},
"required": [
Expand Down Expand Up @@ -1569,6 +1569,9 @@
},
"target": {
"anyOf": [
{
"$ref": "#/definitions/TargetConfiguration"
},
{
"items": {
"anyOf": [
Expand All @@ -1582,9 +1585,6 @@
},
"type": "array"
},
{
"$ref": "#/definitions/TargetConfiguration"
},
{
"type": [
"null",
Expand Down Expand Up @@ -1983,7 +1983,7 @@
]
},
"entitlementsLoginHelper": {
"desciption": "Path to login helper entitlement file. When using App Sandbox, the the `com.apple.security.inherit` key that is normally in the inheritted entitlements cannot be inherited since the login helper is a standalone executable. Defaults to the value provided for `entitlements`.\n\nThis option only applies when signing with `entitlements` provided.",
"description": "Path to login helper entitlement file.\nWhen using App Sandbox, the the `com.apple.security.inherit` key that is normally in the inherited entitlements cannot be inherited since the login helper is a standalone executable.\nDefaults to the value provided for `entitlements`. This option only applies when signing with `entitlements` provided.",
"type": [
"null",
"string"
Expand Down Expand Up @@ -2284,6 +2284,23 @@
"string"
]
},
"signIgnore": {
"anyOf": [
{
"items": {
"type": "string"
},
"type": "array"
},
{
"type": [
"null",
"string"
]
}
],
"description": "Regex or an array of regex's that signal skipping signing a file."
},
"strictVerify": {
"anyOf": [
{
Expand Down Expand Up @@ -2548,7 +2565,7 @@
]
},
"entitlementsLoginHelper": {
"desciption": "Path to login helper entitlement file. When using App Sandbox, the the `com.apple.security.inherit` key that is normally in the inheritted entitlements cannot be inherited since the login helper is a standalone executable. Defaults to the value provided for `entitlements`.\n\nThis option only applies when signing with `entitlements` provided.",
"description": "Path to login helper entitlement file.\nWhen using App Sandbox, the the `com.apple.security.inherit` key that is normally in the inherited entitlements cannot be inherited since the login helper is a standalone executable.\nDefaults to the value provided for `entitlements`. This option only applies when signing with `entitlements` provided.",
"type": [
"null",
"string"
Expand Down Expand Up @@ -2849,6 +2866,23 @@
"string"
]
},
"signIgnore": {
"anyOf": [
{
"items": {
"type": "string"
},
"type": "array"
},
{
"type": [
"null",
"string"
]
}
],
"description": "Regex or an array of regex's that signal skipping signing a file."
},
"strictVerify": {
"anyOf": [
{
Expand Down Expand Up @@ -3696,22 +3730,7 @@
"type": "object"
},
"OutgoingHttpHeaders": {
"additionalProperties": {
"anyOf": [
{
"items": {
"type": "string"
},
"type": "array"
},
{
"type": [
"string",
"number"
]
}
]
},
"additionalProperties": false,
"type": "object"
},
"PkgBackgroundOptions": {
Expand Down Expand Up @@ -4340,10 +4359,18 @@
"description": "Specifies any [parts](https://snapcraft.io/docs/reference/parts) that should be built before this part.\nDefaults to `[\"desktop-gtk2\"\"]`.\n\nIf list contains `default`, it will be replaced to default list, so, `[\"default\", \"foo\"]` can be used to add custom parts `foo` in addition to defaults."
},
"appPartStage": {
"type": "array",
"items": {
"type": "string"
}
"anyOf": [
{
"items": {
"type": "string"
},
"type": "array"
},
{
"type": "null"
}
],
"description": "Specifies which files from the app part to stage and which to exclude. Individual files, directories, wildcards, globstars, and exclusions are accepted. See [Snapcraft filesets](https://snapcraft.io/docs/snapcraft-filesets) to learn more about the format.\n\nThe defaults can be found in [snap.ts](https://github.com/electron-userland/electron-builder/blob/master/packages/app-builder-lib/templates/snap/snapcraft.yaml#L29)."
},
"artifactName": {
"description": "The [artifact file name template](/configuration/configuration#artifact-file-name-template).",
Expand Down Expand Up @@ -4475,7 +4502,8 @@
]
},
"layout": {
"type": "object"
"type": "object",
"description": "Specifies any files to make accessible from locations such as `/usr`, `/var`, and `/etc`. See [snap layouts](https://snapcraft.io/docs/snap-layouts) to learn more."
},
"mimeTypes": {
"anyOf": [
Expand Down Expand Up @@ -4515,24 +4543,6 @@
],
"description": "The list of [plugs](https://snapcraft.io/docs/reference/interfaces).\nDefaults to `[\"desktop\", \"desktop-legacy\", \"home\", \"x11\", \"unity7\", \"browser-support\", \"network\", \"gsettings\", \"audio-playback\", \"pulseaudio\", \"opengl\"]`.\n\nIf list contains `default`, it will be replaced to default list, so, `[\"default\", \"foo\"]` can be used to add custom plug `foo` in addition to defaults.\n\nAdditional attributes can be specified using object instead of just name of plug:\n```\n[\n {\n \"browser-sandbox\": {\n \"interface\": \"browser-support\",\n \"allow-sandbox\": true\n },\n },\n \"another-simple-plug-name\"\n]\n```"
},
"slots": {
"anyOf": [
{
"items": {
"anyOf": [
{
"type": "string"
}
]
},
"type": "array"
},
{
"type": "null"
}
],
"description": "The list of [slots](https://snapcraft.io/docs/reference/interfaces)."
},
"publish": {
"anyOf": [
{
Expand Down Expand Up @@ -4595,6 +4605,20 @@
}
]
},
"slots": {
"anyOf": [
{
"items": {
"type": "string"
},
"type": "array"
},
{
"type": "null"
}
],
"description": "The list of [slots](https://snapcraft.io/docs/reference/interfaces)."
},
"stagePackages": {
"anyOf": [
{
Expand Down Expand Up @@ -5343,6 +5367,9 @@
},
"target": {
"anyOf": [
{
"$ref": "#/definitions/TargetConfiguration"
},
{
"items": {
"anyOf": [
Expand All @@ -5356,9 +5383,6 @@
},
"type": "array"
},
{
"$ref": "#/definitions/TargetConfiguration"
},
{
"type": [
"null",
Expand Down Expand Up @@ -6161,4 +6185,4 @@
}
},
"type": "object"
}
}
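Review bot: The `OutgoingHttpHeaders` definition now reads `"additionalProperties": false` with no `properties`, so only an empty object validates against it and any configuration that supplies header names would be rejected wherever this definition is referenced. The previous shape accepted string, number or string-array values, and nothing in the commit description suggests headers were meant to be disallowed, so this looks like a side effect of regenerating the schema (possibly related to the `@types/node` bump in test/package.json) rather than an intended change. I would restore the earlier `additionalProperties` block, or adjust the source type so the generator resolves it to the same shape, before this schema ships.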
22 changes: 20 additions & 2 deletions packages/app-builder-lib/src/macPackager.ts
Expand Up @@ -172,14 +172,32 @@ export default class MacPackager extends PlatformPackager<MacConfiguration> {
throw new InvalidConfigurationError("macOS High Sierra 10.13.6 is required to sign")
}

let filter = options.signIgnore
if (Array.isArray(filter)) {
if (filter.length == 0) {
filter = null
}
}
else if (filter != null) {
filter = filter.length === 0 ? null : [filter]
}

const filterRe = filter == null ? null : filter.map(it => new RegExp(it))

const signOptions: any = {
"identity-validation": false,
// https://github.com/electron-userland/electron-builder/issues/1699
// kext are signed by the chipset manufacturers. You need a special certificate (only available on request) from Apple to be able to sign kext.
ignore: (file: string) => {
if (filterRe != null) {
for (const regExp of filterRe) {
if (regExp.test(file)) {
return true
}
}
}
return file.endsWith(".kext") || file.startsWith("/Contents/PlugIns", appPath.length) ||
// https://github.com/electron-userland/electron-builder/issues/2010
file.includes("/node_modules/puppeteer/.local-chromium")
file.includes("/node_modules/puppeteer/.local-chromium") /* https://github.com/electron-userland/electron-builder/issues/2010 */
},
identity: identity!,
type,
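Review bot: Each `signIgnore` entry goes straight into `new RegExp(it)`, so a malformed pattern in the user's configuration surfaces as a bare `SyntaxError` that names neither the option nor the offending string; the construction should be wrapped and rethrown as `InvalidConfigurationError`, which this method already uses a few lines above. The patterns are unanchored and tested against the whole `file` path (apparently absolute, given the `appPath.length` offset in the `startsWith` call), so a broad pattern can leave executables unsigned without any trace in the build output. Logging each path that is skipped because of `signIgnore` would make that visible. Minor: `filter.length == 0` should use `===` like the branch below it. The enclosing method starts and ends outside the hunk.

```typescript
// … unchanged: normalisation of options.signIgnore into `filter` …
const filterRe = filter == null ? null : filter.map(it => {
  try {
    return new RegExp(it)
  }
  catch (e) {
    throw new InvalidConfigurationError(`mac.signIgnore: "${it}" is not a valid regular expression: ${e.message}`)
  }
})
// … unchanged: signOptions and the ignore callback …
```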
10 changes: 10 additions & 0 deletions packages/app-builder-lib/src/options/macOptions.ts
Expand Up @@ -43,6 +43,11 @@ export interface MacConfiguration extends PlatformSpecificBuildOptions {
*/
readonly entitlementsInherit?: string | null

/**
* Path to login helper entitlement file.
* When using App Sandbox, the the `com.apple.security.inherit` key that is normally in the inherited entitlements cannot be inherited since the login helper is a standalone executable.
* Defaults to the value provided for `entitlements`. This option only applies when signing with `entitlements` provided.
*/
readonly entitlementsLoginHelper?: string | null

/**
Expand Down Expand Up @@ -160,6 +165,11 @@ export interface MacConfiguration extends PlatformSpecificBuildOptions {
* @default true
*/
readonly strictVerify?: Array<string> | string | boolean

/**
* Regex or an array of regex's that signal skipping signing a file.
*/
readonly signIgnore?: Array<string> | string | null
}

export interface DmgOptions extends TargetSpecificOptions {
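Review bot: The doc comment on `signIgnore` does not say what the patterns are matched against or what a match implies, which matters for an option that switches off code signing per file. Going by the `ignore` callback in macPackager.ts in this same commit, each string is compiled with `new RegExp` and tested unanchored against the file path, and a matching file is skipped by the signer. I would reword it to `Regex or an array of regexes, each tested (unanchored) against the path of every file being signed; files that match are left unsigned.` and add one line noting that unsigned executables inside the bundle may later fail signature verification. The `MacConfiguration` interface begins outside this hunk.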
2 changes: 1 addition & 1 deletion packages/builder-util-runtime/package.json
Expand Up @@ -14,7 +14,7 @@
"node": ">=8.2.5"
},
"dependencies": {
"debug": "^4.2.0",
"debug": "^4.3.0",
"sax": "^1.2.4"
},
"devDependencies": {
2 changes: 1 addition & 1 deletion test/package.json
Expand Up @@ -12,7 +12,7 @@
"@types/fs-extra": "^9.0.1",
"@types/jest": "^26.0.14",
"@types/js-yaml": "^3.12.5",
"@types/node": "^14.10.3",
"@types/node": "^14.11.2",
"@types/semver": "^7.3.4",
"app-builder-lib": "workspace:*",
"bluebird-lst": "^1.0.9",
2 changes: 1 addition & 1 deletion test/snapshots/mac/macArchiveTest.js.snap
Expand Up @@ -104,7 +104,7 @@ Object {
exports[`invalid target 1`] = `
"Invalid configuration object. electron-builder <appVersion> has been initialized using a configuration object that does not match the API schema.
- configuration.mac should be one of these:
object { appId?, artifactName?, asar?, asarUnpack?, binaries?, bundleShortVersion?, bundleVersion?, category?, compression?, cscInstallerKeyPassword?, cscInstallerLink?, cscKeyPassword?, cscLink?, darkModeSupport?, detectUpdateChannel?, electronLanguages?, electronUpdaterCompatibility?, entitlements?, entitlementsInherit?, extendInfo?, extraDistFiles?, extraFiles?, extraResources?, fileAssociations?, files?, forceCodeSigning?, gatekeeperAssess?, generateUpdatesFilesForAllChannels?, hardenedRuntime?, helperBundleId?, helperEHBundleId?, helperGPUBundleId?, helperNPBundleId?, helperPluginBundleId?, helperRendererBundleId?, icon?, identity?, minimumSystemVersion?, protocols?, provisioningProfile?, publish?, releaseInfo?, requirements?, target?, type? } | null
object { appId?, artifactName?, asar?, asarUnpack?, binaries?, bundleShortVersion?, bundleVersion?, category?, compression?, cscInstallerKeyPassword?, cscInstallerLink?, cscKeyPassword?, cscLink?, darkModeSupport?, detectUpdateChannel?, electronLanguages?, electronUpdaterCompatibility?, entitlements?, entitlementsInherit?, entitlementsLoginHelper?, extendInfo?, extraDistFiles?, extraFiles?, extraResources?, fileAssociations?, files?, forceCodeSigning?, gatekeeperAssess?, generateUpdatesFilesForAllChannels?, hardenedRuntime?, helperBundleId?, helperEHBundleId?, helperGPUBundleId?, helperNPBundleId?, helperPluginBundleId?, helperRendererBundleId?, icon?, identity?, minimumSystemVersion?, protocols?, provisioningProfile?, publish?, releaseInfo?, requirements?, signIgnore?, strictVerify?, target?, type? } | null
-> Options related to how build macOS targets.
Details:
* configuration.mac.target[0] should be one of these: