use native notarization

2024-11-14 08:57:21 +00:00 · 2023-07-19 00:03:58 +02:00 · 2023-07-19 00:03:58 +02:00 · 9d05fbeb90
commit 9d05fbeb90
parent 299be86498
5 changed files with 11 additions and 53 deletions
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@ -88,6 +88,7 @@ jobs:
        CSC_KEY_PASSWORD: ${{ secrets.CSC_KEY_PASSWORD }}
        CSC_INSTALLER_LINK: ${{ secrets.CSC_INSTALLER_LINK }}
        CSC_INSTALLER_KEY_PASSWORD: ${{ secrets.CSC_INSTALLER_KEY_PASSWORD }}
+        APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
        APPSTORE_USERNAME: ${{ secrets.APPSTORE_USERNAME }}
        APPSTORE_PASSWORD: ${{ secrets.APPSTORE_PASSWORD }}
        USE_HARD_LINKS: false
--- a/build/mac/afterBuildHook.cjs
+++ b/build/mac/afterBuildHook.cjs
@ -1,16 +0,0 @@
-const fs = require('fs')
-const signHook = require('./afterSignHook.cjs')
-
-module.exports = async function (params) {
-    // notarize the app on Mac OS only.
-    if (process.platform !== 'darwin' || !process.env.GITHUB_REF || !process.env.GITHUB_REF.startsWith('refs/tags/')) {
-        return
-    }
-    console.log('afterBuild hook triggered')
-
-    let pkgName = fs.readdirSync('dist').find(x => x.endsWith('.pkg'))
-    signHook({
-        appOutDir: 'dist',
-        _pathOverride: pkgName,
-    })
-}
--- a/build/mac/afterSignHook.cjs
+++ b/build/mac/afterSignHook.cjs
@ -1,35 +0,0 @@
-// See: https://medium.com/@TwitterArchiveEraser/notarize-electron-apps-7a5f988406db
-
-const fs = require('fs')
-const path = require('path')
-const notarizer = require('@electron/notarize')
-
-module.exports = async function (params) {
-    // notarize the app on Mac OS only.
-    if (process.platform !== 'darwin' || !process.env.GITHUB_REF || !process.env.GITHUB_REF.startsWith('refs/tags/')) {
-        return
-    }
-    console.log('afterSign hook triggered', params)
-
-    let appId = 'org.tabby'
-
-    let appPath = path.join(params.appOutDir, params._pathOverride || `${params.packager.appInfo.productFilename}.app`)
-    if (!fs.existsSync(appPath)) {
-        throw new Error(`Cannot find application at: ${appPath}`)
-    }
-
-    console.log(`Notarizing ${appId} found at ${appPath}`)
-
-    try {
-        await notarizer.notarize({
-            appBundleId: appId,
-            appPath: appPath,
-            appleId: process.env.APPSTORE_USERNAME,
-            appleIdPassword: process.env.APPSTORE_PASSWORD,
-        })
-    } catch (error) {
-        console.error(error)
-    }
-
-    console.log(`Done notarizing ${appId}`)
-}
--- a/electron-builder.yml
+++ b/electron-builder.yml
@ -3,8 +3,6 @@ appId: org.tabby
 productName: Tabby
 compression: normal
 npmRebuild: false
-afterSign: "./build/mac/afterSignHook.cjs"
-afterAllArtifactBuild: "./build/mac/afterBuildHook.cjs"
 files:
 - '**/*'
 - dist
--- a/scripts/build-macos.mjs
+++ b/scripts/build-macos.mjs
@ -13,6 +13,9 @@ if (process.env.GITHUB_HEAD_REF) {
    process.env.CSC_IDENTITY_AUTO_DISCOVERY = 'false'
 }

+process.env.APPLE_ID ??= process.env.APPSTORE_USERNAME
+process.env.APPLE_APP_SPECIFIC_PASSWORD ??= process.env.APPSTORE_PASSWORD
+
 builder({
    dir: true,
    mac: ['pkg', 'zip'],
@ -24,6 +27,13 @@ builder({
        },
        mac: {
            identity: !process.env.CI || process.env.CSC_LINK ? undefined : null,
+            notarize: process.env.APPLE_TEAM_ID ? {
+                appBundleId: 'org.tabby',
+                teamId: process.env.APPLE_TEAM_ID,
+            } : false,
+        },
+        pkg: {
+            identity: !process.env.CI || process.env.CSC_INSTALLER_LINK ? undefined : null,
        },
        npmRebuild: process.env.ARCH !== 'arm64',
        publish: process.env.KEYGEN_TOKEN ? [