From fbb51b9c41a77a9d1171da66a210ae72313777a9 Mon Sep 17 00:00:00 2001 From: Richard Lau Date: Fri, 27 Mar 2020 12:14:47 -0400 Subject: [PATCH] test: check bundled binaries are signed on macOS For notarization on macOS all packaged binaries must be signed. Add a regression test to check that known binaries from our dependencies (at the time of this commit term-size via npm) are signed. Signed-off-by: Richard Lau PR-URL: https://github.com/nodejs/node/pull/32522 Reviewed-By: Luigi Pinca Reviewed-By: Anna Henningsen --- test/parallel/test-macos-signed-deps.js | 31 +++++++++++++++++++++++++ 1 file changed, 31 insertions(+) create mode 100644 test/parallel/test-macos-signed-deps.js diff --git a/test/parallel/test-macos-signed-deps.js b/test/parallel/test-macos-signed-deps.js new file mode 100644 index 00000000000000..1932d7686caae3 --- /dev/null +++ b/test/parallel/test-macos-signed-deps.js @@ -0,0 +1,31 @@ +'use strict'; + +// Notarization on macOS requires all binaries to be signed. +// We sign our own binaries but check here if any binaries from our dependencies +// (e.g. npm) are signed. +const common = require('../common'); + +if (!common.isOSX) { + common.skip('macOS specific test'); +} + +const assert = require('assert'); +const { spawnSync } = require('child_process'); +const path = require('path'); + +const debuglog = require('util').debuglog('test'); + +const binaries = [ + 'deps/npm/node_modules/term-size/vendor/macos/term-size', +]; + +for (const testbin of binaries) { + const bin = path.resolve(__dirname, '..', '..', testbin); + debuglog(`Checking ${bin}`); + const cp = spawnSync('codesign', [ '-vvvv', bin ], { encoding: 'utf8' }); + debuglog(cp.stdout); + debuglog(cp.stderr); + assert.strictEqual(cp.signal, null); + assert.strictEqual(cp.status, 0, `${bin} does not appear to be signed.\n` + + `${cp.stdout}\n${cp.stderr}`); +}