-
-
Notifications
You must be signed in to change notification settings - Fork 8
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat: Add support for macOS app API key notarization #1127
feat: Add support for macOS app API key notarization #1127
Conversation
Thanks for opening a pull request! Here are some highlighted action items that will help get it across the finish line, from the
Development and triage is community-driven, so please be patient and we will get back to you as soon as we can. |
Codecov Report
@@ Coverage Diff @@
## master #1127 +/- ##
======================================
Coverage 100% 100%
======================================
Files 14 14
Lines 703 698 -5
======================================
- Hits 703 698 -5
Continue to review full report at Codecov.
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I appreciate the work you've done here! To answer your questions:
Should this validation be present in electron-packager? Should it instead be deferred to the notarization library?
I think you're right, all of the validations should go into electron-notarize
rather than be in Electron Packager.
Should the failure mode only produce warnings and continue the build without notarization? This seemed odd to me, but perhaps that's normal behavior for electron-packager.
Currently, Packager outputs a warning and moves on if the bundled app cannot be signed. It seems reasonable to do something similar for notarizing.
CC: @MarshallOfSound, if you have differing opinions
@malept Thanks for the quick review! I've removed the validation in 8569536, if that's the way we want to go. Perhaps it would be valuable to copy validation from 6b41b29 into Notarize in a follow-up PR? |
Hey @malept, just checking in! Are we waiting on input from @MarshallOfSound? |
I think the way forward is:
|
I think the reason validation doesn't exist in Notarize is because it's doing simple translation to CLI args, which would fail only when I'm guessing these validation steps were in Packager to catch failures before running Notarize, since Notarize doesn't have a validation step. I'll investigate adding such a step to Notarize. if you have any suggestions for how that should look, please let me know! Time to learn some TypeScript 😉 |
Part of enabling API key auth in electron-packager: electron/packager#1127
Part of enabling API key auth in electron-packager: electron/packager#1127
Part of enabling API key auth in electron-packager: electron/packager#1127
Part of enabling API key auth in electron-packager: electron/packager#1127
Ok, kicked off a PR on notarize (sorry for all the noise ^^): electron/notarize#35 Also ran the following diff + test successfully with the PR's version of notarize:
diff --git a/src/mac.js b/src/mac.js
index e9e6575..9329c73 100644
--- a/src/mac.js
+++ b/src/mac.js
@@ -6,7 +6,7 @@
const plist = require('plist')
-const { notarize } = require('electron-notarize')
+const { validateAuthorizationArgs, notarize } = require('electron-notarize')
const { signAsync } = require('electron-osx-sign')
@@ -396,6 +396,13 @@
function createNotarizeOpts (properties, appBundleId, appPath, quiet) {
const notarizeOpts = properties
+ try {
+ validateAuthorizationArgs(notarizeOpts)
+ } catch (e) {
+ common.warning(`Failed validation, notarize will not run: ${e.message}`)
+ return
+ } diff --git a/test/darwin.js b/test/darwin.js
index afa5db1..51446d8 100644
--- a/test/darwin.js
+++ b/test/darwin.js
@@ -262,6 +262,13 @@ if (!(process.env.CI && process.platform === 'win32')) {
t.deepEqual(obj.CFBundleURLTypes, expected, 'CFBundleURLTypes did not contain specified protocol schemes and names')
}))
+ test('osxNotarize: missing appleIdPassword', t => {
+ util.setupConsoleWarnSpy()
+ const notarizeOpts = mac.createNotarizeOpts({ appleId: '' })
+ t.falsy(notarizeOpts, 'does not generate options')
+ util.assertWarning(t, 'WARNING: Failed validation, notarize will not run: The appleId property is required when using notarization with appleIdPassword')
+ })
+
test('osxNotarize: appBundleId not overwritten', t => {
const args = { appleId: '1', appleIdPassword: '2', appBundleId: 'no' }
const notarizeOpts = mac.createNotarizeOpts(args, 'yes', 'appPath', true) |
Part of enabling API key auth in electron-packager: electron/packager#1127
I've updated the |
Thanks for the approval / merge! Ok, fixed! It seems the bullet points under authentication options were removed in the migration to the new format. I've added them back in my commit ^ but I can definitely remove them if we only want to direct folks to notarize's doc instead 👍 |
I think I'd rather direct folks to the |
Roger that, updated |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'll merge this once I commit the suggestions below.
Thanks for your patience!
Thanks for your contribution! 🎉 |
Excellent, thank you! 🚀 |
Summarize your changes:
Hi all, thanks for this wonderful tool. It's saved me countless hours in developing my app 👏
This PR adds support for macOS app API key notarization, which is pretty nice when building a pipeline in open source code. This way I can limit the API key's permissions and completely revoke it if compromised.
The existing notarization validation failed when providing an App Store Connect API key and issuer in place of the expected Apple ID and password combo. This PR loosens it up to accept either pair of credentials.
I came up with a couple questions while writing this up: