setup macos signing certs (#587)

* setup macos signing certs

* add signing

* fix macos signing timeout

* add notarizing

* reduce upload artifacts

.github/workflows/desktop-builds.yml

@@ -29,13 +29,39 @@ jobs:
         with:
           node-version: 18
           cache: yarn
+          architecture: ${{ matrix.architecture }}
       - name: Install dependencies
         run: yarn install --frozen-lockfile
+      - name: Build Electron Web bundle
+        working-directory: apps/desktop-app
+        run: yarn build
+      - name: Set MacOS signing certs
+        if: matrix.os == 'macOS-latest'
+        env:
+          MACOS_CERTIFICATE: ${{ secrets.MACOS_CERTIFICATE }}
+          MACOS_CERTIFICATE_PASSWORD: ${{ secrets.MACOS_CERTIFICATE_PASSWORD }}
+          MACOS_KEYCHAIN_PASSWORD: ${{ secrets.MACOS_KEYCHAIN_PASSWORD }}
+        run: |
+          echo $MACOS_CERTIFICATE | base64 --decode > certificate.p12
+          security create-keychain -p $MACOS_KEYCHAIN_PASSWORD build.keychain
+          security default-keychain -s build.keychain
+          security unlock-keychain -p $MACOS_KEYCHAIN_PASSWORD build.keychain
+          security import certificate.p12 -k build.keychain -P $MACOS_CERTIFICATE_PASSWORD -T /usr/bin/codesign
+          security set-key-partition-list -S apple-tool:,apple: -s -k $MACOS_KEYCHAIN_PASSWORD build.keychain
+          rm -fr *.p12
+          security set-keychain-settings -lut 1200 # prevent the keychain to get locked before codesign is done
       - name: Build, package & make
+        env:
+          APPLE_ID: ${{ secrets.APPLE_ID }}
+          APPLE_ID_PASSWORD: ${{ secrets.APPLE_ID_PASSWORD }}
+          APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
         working-directory: apps/desktop-app
-        run: yarn package --arch=${{ matrix.arch }}
+        timeout-minutes: 10
+        run: yarn make --arch=${{ matrix.arch }}
       - name: Upload artifacts
         uses: actions/upload-artifact@v3
         with:
           name: ${{ matrix.os }}
-          path: apps/desktop-app/out/**/*
+          # apps/desktop-app/out/ contains also the packaged app in case you need to debug it before make
+          # By default we only upload the bundled one to reduce the upload time
+          path: apps/desktop-app/out/make/**/*

apps/desktop-app/forge.config.js

@@ -1,10 +1,41 @@
 const path = require("path");
+const fs = require("fs");
 
 module.exports = {
+  name: "Serenity",
+  appBundleId: "re.serenity.desktop-app",
+  // asar: true,
   packagerConfig: {
+    executableName: "serenity-desktop-app",
     icon: path.resolve(__dirname, "icons", "icon"),
+    osxSign: {
+      // "hardened-runtime": true,
+      // "gatekeeper-assess": false,
+    },
+    osxNotarize: {
+      tool: "notarytool",
+      appleId: process.env.APPLE_ID,
+      appleIdPassword: process.env.APPLE_ID_PASSWORD,
+      teamId: process.env.APPLE_TEAM_ID,
+    },
   },
   rebuildConfig: {},
+  hooks: {
+    packageAfterPrune: async (forgeConfig, buildPath) => {
+      const sqliteBuildPath = path.join(
+        buildPath,
+        "node_modules",
+        "sqlite3",
+        "build"
+      );
+      // console.log("Sqlite BuildPath: ", sqliteBuildPath);
+      // needs to be deleted otherwise macos codesign will fail
+      fs.rmSync(sqliteBuildPath, {
+        recursive: true,
+        force: true,
+      });
+    },
+  },
   makers: [
     {
       name: "@electron-forge/maker-squirrel",

apps/desktop-app/package.json

@@ -1,17 +1,16 @@
 {
   "name": "serenity-desktop-app",
+  "license": "AGPL-3.0-only",
   "productName": "Serenity",
-  "executableName": "serenity",
   "version": "0.0.1",
   "description": "End-to-end encrypted workspaces for teams",
   "main": "src/index.ts",
   "scripts": {
-    "build-electron-web": "cd ../app && yarn build:electron-web && cd -",
+    "build": "cd ../app && yarn build:electron-web && cd -",
     "dev": "yarn && NODE_ENV=\"development\" electron-forge start",
-    "package": "yarn build-electron-web && electron-forge package",
-    "package:only": "electron-forge package",
+    "package": "DEBUG=electron-osx-sign* electron-forge package",
     "make": "electron-forge make",
-    "publish": "electron-forge publish",
+    "publish-app": "electron-forge publish",
     "lint": "eslint --ext .tsx --ext .ts ./",
     "test": "echo 'Nothing to test'",
     "ts:check": "yarn tsc --noEmit"