Signing: also produce signed zip file on macOS

We use the zip file for upgrades on macOS; therefore, we need to ensure we emit a zip file during signing there so that we can have an artifact with signed applications for the user to upgrade to. Signed-off-by: Mark Yen <mark.yen@suse.com>
jandubois · Jan 9, 2024 · eed8ba1 · eed8ba1
1 parent fb0105a
commit eed8ba1
Show file tree

Hide file tree

Showing 4 changed files with 26 additions and 16 deletions.
diff --git a/.github/actions/spelling/expect.txt b/.github/actions/spelling/expect.txt
@@ -68,6 +68,7 @@ bindir
 binfmt
 bitnami
 blkio
+blockmap
 bootfs
 bosco
 bottlesofbeeronthewall

diff --git a/scripts/lib/sign-macos.ts b/scripts/lib/sign-macos.ts
@@ -31,7 +31,7 @@ type SigningConfig = {
   remove: string[];
 };
 
-export async function sign(workDir: string): Promise<string> {
+export async function sign(workDir: string): Promise<string[]> {
   const certFingerprint = process.env.CSC_FINGERPRINT ?? '';
   const appleId = process.env.APPLEID;
   const appleIdPassword = process.env.AC_PASSWORD;
@@ -125,28 +125,34 @@ export async function sign(workDir: string): Promise<string> {
     throw new Error(message.join('\n'));
   }
 
-  console.log('Building disk image...');
+  console.log('Building disk image and update archive...');
   const arch = process.env.M1 ? Arch.arm64 : Arch.x64;
   const productFileName = config.productName?.replace(/\s+/g, '.');
   const productArch = process.env.M1 ? 'aarch64' : 'x86_64';
   const artifactName = `${ productFileName }-\${version}.${ productArch }.\${ext}`;
+  const formats = ['dmg', 'zip'];
 
   // Build the dmg, explicitly _not_ using an identity; we just signed
   // everything as we wanted already.
   const results = await build({
-    targets:     new Map([[Platform.MAC, new Map([[arch, ['dmg']]])]]),
+    targets:     new Map([[Platform.MAC, new Map([[arch, formats]])]]),
     config:      _.merge<Configuration, Configuration>(config, { mac: { artifactName, identity: null } }),
     prepackaged: appDir,
   });
 
-  const dmgFile = results.find(v => v.endsWith('.dmg'));
+  const filesToSign = results.filter(f => !f.endsWith('.blockmap'));
 
-  if (!dmgFile) {
-    throw new Error(`Could not find signed disk image`);
+  for (const extension of formats) {
+    if (!filesToSign.find(v => v.endsWith(`.${ extension }`))) {
+      throw new Error(`Could not find built ${ extension } file`);
+    }
   }
-  await spawnFile('codesign', ['--sign', certFingerprint, '--timestamp', dmgFile], { stdio: 'inherit' });
 
-  return dmgFile;
+  await Promise.all(Object.values(filesToSign).map((f) => {
+    return spawnFile('codesign', ['--sign', certFingerprint, '--timestamp', f], { stdio: 'inherit' });
+  }));
+
+  return Object.values(filesToSign);
 }
 
 /**

diff --git a/scripts/lib/sign-win32.ts b/scripts/lib/sign-win32.ts
@@ -44,7 +44,7 @@ interface ElectronBuilderConfiguration {
   }
 }
 
-export async function sign(workDir: string): Promise<string> {
+export async function sign(workDir: string): Promise<string[]> {
   const certFingerprint = process.env.CSC_FINGERPRINT ?? '';
   const certPassword = process.env.CSC_KEY_PASSWORD ?? '';
 
@@ -98,7 +98,7 @@ export async function sign(workDir: string): Promise<string> {
 
   await signFn(...filesToSign);
 
-  return await buildWiX(workDir, unpackedDir, signFn);
+  return [await buildWiX(workDir, unpackedDir, signFn)];
 }
 
 /**

diff --git a/scripts/sign.ts b/scripts/sign.ts
@@ -21,7 +21,7 @@ async function signArchive(archive: string): Promise<void> {
   await fs.promises.mkdir(distDir, { recursive: true });
   const workDir = await fs.promises.mkdtemp(path.join(distDir, 'sign-'));
   const archiveDir = path.join(workDir, 'unpacked');
-  let artifact: string | undefined;
+  let artifacts: string[] | undefined;
 
   try {
     // Extract the archive
@@ -32,20 +32,23 @@ async function signArchive(archive: string): Promise<void> {
     // Detect the archive type
     for (const file of await fs.promises.readdir(archiveDir)) {
       if (file.endsWith('.exe')) {
-        artifact = await windows.sign(workDir);
+        artifacts = await windows.sign(workDir);
         break;
       }
       if (file.endsWith('.app')) {
-        artifact = await macos.sign(workDir);
+        artifacts = await macos.sign(workDir);
         break;
       }
     }
 
-    if (!artifact) {
+    if (!artifacts) {
       throw new Error(`Could not find any files to sign in ${ archive }`);
     }
-    await computeChecksum(artifact);
-    console.log(`Signed result: ${ artifact }`);
+    await Promise.all(artifacts.map(f => computeChecksum(f)));
+
+    for (const line of ['Signed results:', ...artifacts.map(f => ` - ${ f }`)]) {
+      console.log(line);
+    }
   } finally {
     await fs.promises.rm(workDir, { recursive: true, maxRetries: 3 });
   }