From 34c8b1faf5256276f004c171e6678d127f7cd0b2 Mon Sep 17 00:00:00 2001
From: Martin McKeaveney
Date: Fri, 15 May 2020 16:06:53 +0100
Subject: [PATCH] notarization and mac code signing through github CI
---
.github/workflows/release.yml | 31 +++++-----
packages/server/build/entitlements.mac.plist | 12 ++++
packages/server/package.json | 5 +-
packages/server/src/electron.js | 2 +-
packages/server/yarn.lock | 60 ++++++++++++++++++++
5 files changed, 94 insertions(+), 16 deletions(-)
create mode 100644 packages/server/build/entitlements.mac.plist
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 415dbc11e8..e1081904a0 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -29,27 +29,30 @@ jobs: - run: yarn bootstrap - run: yarn build # - run: yarn test - -# - name: Publish NPM -# run: npm publish -# env: -# NODE_AUTH_TOKEN: ${{secrets.npm_token}} - # - run: npm publish - # env: - # NODE_AUTH_TOKEN: ${{secrets.npm_token}} + + - name: Prepare for app notarization (macOS) + if: startsWith(matrix.os, 'macos') + # Import Apple API key for app notarization on macOS + run: | + mkdir -p ~/private_keys/ + echo '${{ secrets.api_key }}' > ~/private_keys/AuthKey_${{ secrets.api_key_id }}.p8 + - name: Build/release Electron app uses: samuelmeuli/action-electron-builder@v1 with: - skip_build: true package_root: packages/server + # GitHub token, automatically provided to the action # (No need to define this secret in the repo settings) github_token: ${{ secrets.github_token }} + + mac_certs: ${{ secrets.mac_certs }} + mac_certs_password: ${{ secrets.mac_certs_password }} + # release the app after building release: ${{ startsWith(github.ref, 'refs/tags/v') }} - # mac_certs: ${{ secrets.mac_certs }} - # mac_certs_password: ${{ secrets.mac_certs_password }} - # windows_certs: ${{ secrets.windows_certs }} - # windows_certs_password: ${{ secrets.windows_certs_password }} - # snapcraft_token: ${{ secrets.snapcraft_token }} + env: + # macOS notarization API key + API_KEY_ID: ${{ secrets.api_key_id }} + API_KEY_ISSUER_ID: ${{ secrets.api_key_issuer_id }} diff --git a/packages/server/build/entitlements.mac.plist b/packages/server/build/entitlements.mac.plist new file mode 100644 index 0000000000..5e2a11dfe2 --- /dev/null +++ b/packages/server/build/entitlements.mac.plist @@ -0,0 +1,12 @@ + + + + + com.apple.security.cs.allow-jit + + com.apple.security.cs.allow-unsigned-executable-memory + + com.apple.security.cs.allow-dyld-environment-variables + + + \ No newline at end of file diff --git a/packages/server/package.json b/packages/server/package.json index fdd9add4b9..c0c8027b36 100644 --- a/packages/server/package.json +++ b/packages/server/package.json 
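Review bot: The notarization key is pasted into the shell script text itself: `echo '${{ secrets.api_key }}' > ~/private_keys/AuthKey_${{ secrets.api_key_id }}.p8` is expanded by the Actions expression engine before the shell runs, so any quote or shell metacharacter in either secret changes the command, and the `.p8` file is created with the runner's default umask. Passing both values through a step-level `env:` and setting `umask 077` before the write keeps the key out of the script body and unreadable to other accounts on the runner. Separately, `samuelmeuli/action-electron-builder@v1` now receives `mac_certs` and `mac_certs_password` while it is referenced by a mutable tag; pinning that `uses:` line to a full commit SHA would fix which code handles the signing identity.

```yaml
- name: Prepare for app notarization (macOS)
  if: startsWith(matrix.os, 'macos')
  env:
    API_KEY: ${{ secrets.api_key }}
    API_KEY_ID: ${{ secrets.api_key_id }}
  # Import Apple API key for app notarization on macOS
  run: |
    umask 077
    mkdir -p ~/private_keys/
    printf '%s\n' "$API_KEY" > ~/private_keys/"AuthKey_${API_KEY_ID}.p8"
# … unchanged: Build/release Electron app step …
```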
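Review bot: `com.apple.security.cs.allow-dyld-environment-variables` relaxes the hardened runtime that this commit switches on in package.json, because it lets `DYLD_*` environment variables influence library loading inside the signed app. Electron builds commonly need `allow-jit` and `allow-unsigned-executable-memory`, but nothing in this patch shows a need for the dyld entitlement, so I would drop that key unless a dependency is known to require it. If it stays, a short XML comment above each key naming the component that needs it would help the next audit. The plist markup is stripped in this view, so the values attached to the keys cannot be checked here.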
@@ -10,8 +10,10 @@ "build": { "appId": "com.budibase.builder", "productName": "Budibase Builder", + "afterSign": "electron-builder-notarize", "mac": { - "category": "public.app-category.developer-tools" + "category": "public.app-category.developer-tools", + "hardenedRuntime": true }, "linux": { "target": [ @@ -69,6 +71,7 @@ "@jest/test-sequencer": "^24.8.0", "electron": "^8.2.5", "electron-builder": "^22.6.0", + "electron-builder-notarize": "^1.1.2", "eslint": "^6.8.0", "jest": "^24.8.0", "nodemon": "^2.0.2", diff --git a/packages/server/src/electron.js b/packages/server/src/electron.js index 321b67fbda..cc06ceeca8 100644 --- a/packages/server/src/electron.js +++ b/packages/server/src/electron.js @@ -8,7 +8,7 @@ const { autoUpdater } = require("electron-updater"); require("dotenv").config({ path: join(homedir(), ".budibase", ".env") }); -const APP_URL = "http://localhost:4001"; +const APP_URL = "http://localhost:4001/_builder"; const APP_TITLE = "Budibase Builder"; function createWindow() { diff --git a/packages/server/yarn.lock b/packages/server/yarn.lock index 4857f07231..ed03ba367c 100644 --- a/packages/server/yarn.lock +++ b/packages/server/yarn.lock @@ -523,6 +523,11 @@ resolved "https://registry.yarnpkg.com/@types/node/-/node-12.12.38.tgz#58841a382f231ad005dbb935c36d44aa1118a26b" integrity sha512-75eLjX0pFuTcUXnnWmALMzzkYorjND0ezNEycaKesbUBg9eGZp4GHPuDmkRc4mQQvIpe29zrzATNRA6hkYqwmA== +"@types/normalize-package-data@^2.4.0": + version "2.4.0" + resolved "https://registry.yarnpkg.com/@types/normalize-package-data/-/normalize-package-data-2.4.0.tgz#e486d0d97396d79beedd0a6e33f4534ff6b4973e" + integrity sha512-f5j5b/Gf71L+dbqxIpQ4Z2WlmI/mPJ0fOkGGmFgtb6sAu97EPczzbS3/tJKxmcYDj55OX6ssqwDAWOHIYDRDGA== + "@types/semver@^7.1.0": version "7.2.0" resolved "https://registry.yarnpkg.com/@types/semver/-/semver-7.2.0.tgz#0d72066965e910531e1db4621c15d0ca36b8d83b" 
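Review bot: `"afterSign": "electron-builder-notarize"` places a third-party hook in the path that sees the Apple API key and the signed bundle, and the new devDependency is declared as the range `^1.1.2`. The yarn.lock entry in this patch pins 1.1.2 with an integrity hash, so that pin holds only if the release job installs with the lockfile enforced; the install step (`yarn bootstrap`) is outside this hunk, so it is worth confirming that it ends up running something like `yarn install --frozen-lockfile`. Declaring the exact version, `"electron-builder-notarize": "1.1.2"`, would make the intent explicit for a package that sits in the signing path.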
@@ -1809,6 +1814,14 @@ ejs@^3.1.2: dependencies: jake "^10.6.1" +electron-builder-notarize@^1.1.2: + version "1.1.2" + resolved "https://registry.yarnpkg.com/electron-builder-notarize/-/electron-builder-notarize-1.1.2.tgz#29939591c6edf133aadc8450d975e9ce94a15da3" + integrity sha512-IiuG+Wwky4EwekhJ9T5t9m00sFL9EGUrkyr4wqivXxrvtWIGAh2WCUwO6e47l3W8nE/4ng0v+VNJhZEIlCu1xg== + dependencies: + electron-notarize "^0.2.0" + read-pkg-up "^7.0.0" + electron-builder@^22.6.0: version "22.6.0" resolved "https://registry.yarnpkg.com/electron-builder/-/electron-builder-22.6.0.tgz#3ac81634e27026892d66f3a52568e65a7d28d26a" @@ -1834,6 +1847,14 @@ electron-is-dev@^1.2.0: resolved "https://registry.yarnpkg.com/electron-is-dev/-/electron-is-dev-1.2.0.tgz#2e5cea0a1b3ccf1c86f577cee77363ef55deb05e" integrity sha512-R1oD5gMBPS7PVU8gJwH6CtT0e6VSoD0+SzSnYpNm+dBkcijgA+K7VAMHDfnRq/lkKPZArpzplTW6jfiMYosdzw== +electron-notarize@^0.2.0: + version "0.2.1" + resolved "https://registry.yarnpkg.com/electron-notarize/-/electron-notarize-0.2.1.tgz#759e8006decae19134f82996ed910db26d9192cc" + integrity sha512-oZ6/NhKeXmEKNROiFmRNfytqu3cxqC95sjooG7kBXQVEUSQkZnbiAhxVh5jXngL881G197pbwpeVPJyM7Ikmxw== + dependencies: + debug "^4.1.1" + fs-extra "^8.1.0" + electron-publish@22.6.0: version "22.6.0" resolved "https://registry.yarnpkg.com/electron-publish/-/electron-publish-22.6.0.tgz#11dca595cfe3c0fdbc364c28dbb8838a1c6ec799" @@ -4116,6 +4137,11 @@ lie@3.0.4: inline-process-browser "^1.0.0" unreachable-branch-transform "^0.3.0" +lines-and-columns@^1.1.6: + version "1.1.6" + resolved "https://registry.yarnpkg.com/lines-and-columns/-/lines-and-columns-1.1.6.tgz#1c00c743b433cd0a4e80758f7b64a57440d9ff00" + integrity sha1-HADHQ7QzzQpOgHWPe2SldEDZ/wA= + load-json-file@^4.0.0: version "4.0.0" resolved "https://registry.yarnpkg.com/load-json-file/-/load-json-file-4.0.0.tgz#2f5f45ab91e33216234fd53adab668eb4ec0993b" 
@@ -4736,6 +4762,16 @@ parse-json@^4.0.0: error-ex "^1.3.1" json-parse-better-errors "^1.0.1" +parse-json@^5.0.0: + version "5.0.0" + resolved "https://registry.yarnpkg.com/parse-json/-/parse-json-5.0.0.tgz#73e5114c986d143efa3712d4ea24db9a4266f60f" + integrity sha512-OOY5b7PAEFV0E2Fir1KOkxchnZNCdowAJgQ5NuxjpBKTRP3pQhwkrkxqQjeoKJ+fO7bCpmIZaogI4eZGDMEGOw== + dependencies: + "@babel/code-frame" "^7.0.0" + error-ex "^1.3.1" + json-parse-better-errors "^1.0.1" + lines-and-columns "^1.1.6" + parse5@4.0.0: version "4.0.0" resolved "https://registry.yarnpkg.com/parse5/-/parse5-4.0.0.tgz#6d78656e3da8d78b4ec0b906f7c08ef1dfe3f608" @@ -5030,6 +5066,15 @@ read-pkg-up@^4.0.0: find-up "^3.0.0" read-pkg "^3.0.0" +read-pkg-up@^7.0.0: + version "7.0.1" + resolved "https://registry.yarnpkg.com/read-pkg-up/-/read-pkg-up-7.0.1.tgz#f3a6135758459733ae2b95638056e1854e7ef507" + integrity sha512-zK0TB7Xd6JpCLmlLmufqykGE+/TlOePD6qKClNW7hHDKFh/J7/7gCWGR7joEQEW1bKq3a3yUZSObOoWLFQ4ohg== + dependencies: + find-up "^4.1.0" + read-pkg "^5.2.0" + type-fest "^0.8.1" + read-pkg@^3.0.0: version "3.0.0" resolved "https://registry.yarnpkg.com/read-pkg/-/read-pkg-3.0.0.tgz#9cbc686978fee65d16c00e2b19c237fcf6e38389" @@ -5039,6 +5084,16 @@ read-pkg@^3.0.0: normalize-package-data "^2.3.2" path-type "^3.0.0" +read-pkg@^5.2.0: + version "5.2.0" + resolved "https://registry.yarnpkg.com/read-pkg/-/read-pkg-5.2.0.tgz#7bf295438ca5a33e56cd30e053b34ee7250c93cc" + integrity sha512-Ug69mNOpfvKDAc2Q8DRpMjjzdtrnv9HcSMX+4VsZxD1aZ6ZzrIE7rlzXBtWTyhULSMKg076AW6WR5iZpD0JiOg== + dependencies: + "@types/normalize-package-data" "^2.4.0" + normalize-package-data "^2.5.0" + parse-json "^5.0.0" + type-fest "^0.6.0" + readable-stream@1.0.33: version "1.0.33" resolved "https://registry.yarnpkg.com/readable-stream/-/readable-stream-1.0.33.tgz#3a360dd66c1b1d7fd4705389860eda1d0f61126c" 
@@ -6100,6 +6155,11 @@ type-fest@^0.11.0: resolved "https://registry.yarnpkg.com/type-fest/-/type-fest-0.11.0.tgz#97abf0872310fed88a5c466b25681576145e33f1" integrity sha512-OdjXJxnCN1AvyLSzeKIgXTXxV+99ZuXl3Hpo9XpJAv9MBcHrrJOQ5kV7ypXOuQie+AmWG25hLbiKdwYTifzcfQ== +type-fest@^0.6.0: + version "0.6.0" + resolved "https://registry.yarnpkg.com/type-fest/-/type-fest-0.6.0.tgz#8d2a2370d3df886eb5c90ada1c5bf6188acf838b" + integrity sha512-q+MB8nYR1KDLrgr4G5yemftpMC7/QLqVndBmEEdqzmNj5dcFOO4Oo8qlwZE3ULT3+Zim1F8Kq4cBnikNhlCMlg== + type-fest@^0.8.0, type-fest@^0.8.1: version "0.8.1" resolved "https://registry.yarnpkg.com/type-fest/-/type-fest-0.8.1.tgz#09e249ebde851d3b1e48d27c105444667f17b83d"