Notarize app after signing

author: Linus Färnstrand <linus@mullvad.net> 2019-09-30 10:25:38 +0200
committer: Linus Färnstrand <linus@mullvad.net> 2019-10-01 16:51:22 +0200
commit: fb9fc49131d8fd39eef169f6cd498b67b436933d (patch)
tree: a3ee18a06c31a301c65237993667277b89972f3e
parent: 57a143f6f6ebd132044de8f334c9d43164ff4c15 (diff)
download: mullvadvpn-fb9fc49131d8fd39eef169f6cd498b67b436933d.tar.xz
mullvadvpn-fb9fc49131d8fd39eef169f6cd498b67b436933d.zip
2 files changed, 34 insertions, 14 deletions
diff --git a/build.sh b/build.sh
index a67471d2cd..d1f9b6a6d7 100755
--- a/build.sh
+++ b/build.sh
@@ -21,6 +21,7 @@ source env.sh ""
 
 if [[ "${1:-""}" != "--dev-build" ]]; then
     BUILD_MODE="release"
+    NPM_PACK_ARGS=""
     if [[ $(git diff --shortstat 2> /dev/null | tail -n1) != "" ]]; then
         echo "Dirty working directory!"
         echo "You should only build releases in clean working directories in order to make it"
@@ -48,6 +49,7 @@ if [[ "${1:-""}" != "--dev-build" ]]; then
     fi
 else
     BUILD_MODE="dev"
+    NPM_PACK_ARGS="--no-compression"
     echo "!! Development build. Not for general distribution !!"
     unset CSC_LINK CSC_KEY_PASSWORD
     export CSC_IDENTITY_AUTO_DISCOVERY=false
@@ -57,6 +59,9 @@ if [[ "$BUILD_MODE" == "dev" || $(git describe) != "$PRODUCT_VERSION" ]]; then
     GIT_COMMIT=$(git rev-parse HEAD | head -c 6)
     PRODUCT_VERSION="$PRODUCT_VERSION-dev-$GIT_COMMIT"
     echo "Modifying product version to $PRODUCT_VERSION"
+
+    echo "Disabling Apple notarization (macOs only) of installer in this dev build"
+    NPM_PACK_ARGS+=" --no-apple-notarization"
 else
     echo "Removing old Rust build artifacts"
     cargo +stable clean
@@ -164,21 +169,10 @@ npm install
 
 echo "Packing final release artifact..."
 
-if [[ "$BUILD_MODE" == "dev" ]]; then
-    # Disable installer compression on *explicit* dev builds.
-    # This does not disable compression on build server builds, since they
-    # always run without --dev-build.
-    echo "Disabling compression of installer in this dev build"
-
-    PACK_ARGS="--no-compression"
-else
-    PACK_ARGS=""
-fi
-
 case "$(uname -s)" in
-    Linux*)     npm run pack:linux -- $PACK_ARGS;;
-    Darwin*)    npm run pack:mac -- $PACK_ARGS;;
-    MINGW*)     npm run pack:win -- $PACK_ARGS;;
+    Linux*)     npm run pack:linux -- $NPM_PACK_ARGS;;
+    Darwin*)    npm run pack:mac -- $NPM_PACK_ARGS;;
+    MINGW*)     npm run pack:win -- $NPM_PACK_ARGS;;
 esac
 
 popd
diff --git a/gui/tasks/distribution.js b/gui/tasks/distribution.js
index 16bdd4f811..c950a24950 100644
--- a/gui/tasks/distribution.js
+++ b/gui/tasks/distribution.js
@@ -3,12 +3,14 @@ const fs = require('fs');
 const builder = require('electron-builder');
 const rimraf = require('rimraf');
 const util = require('util');
+const { notarize } = require('electron-notarize');
 
 const renameAsync = util.promisify(fs.rename);
 const unlinkAsync = util.promisify(fs.unlink);
 const rimrafAsync = util.promisify(rimraf);
 
 const compression = process.argv.indexOf('--no-compression') !== -1 ? 'store' : 'normal';
+const noAppleNotarization = process.argv.indexOf('--no-apple-notarization') !== -1;
 
 const config = {
   appId: 'net.mullvad.vpn',
@@ -156,6 +158,8 @@ function packWin() {
 
 function packMac() {
   let appOutDir;
+  let outDir;
+  let appVersion;
 
   return builder.build({
     targets: builder.Platform.MAC.createTarget(),
@@ -163,16 +167,38 @@ function packMac() {
       ...config,
       afterPack: (context) => {
         appOutDir = context.appOutDir;
+        outDir = context.outDir;
+        appVersion = context.packager.appInfo.version;
         return Promise.resolve();
       },
       afterAllArtifactBuild: (buildResult) => {
+        if (!noAppleNotarization) {
+          notarizeMac(path.join(outDir, `MullvadVPN-${appVersion}.pkg`));
+        }
         // remove the folder that contains the unpacked app
         return rimrafAsync(appOutDir);
       },
+      afterSign: noAppleNotarization
+        ? undefined
+        : (context) => {
+            const appOutDir = context.appOutDir;
+            const appName = context.packager.appInfo.productFilename;
+            return notarizeMac(path.join(appOutDir, `${appName}.app`));
+          },
     },
   });
 }
 
+function notarizeMac(notarizePath) {
+  console.log('Notarizing ' + notarizePath);
+  return notarize({
+    appBundleId: config.appId,
+    appPath: notarizePath,
+    appleId: process.env.NOTARIZE_APPLE_ID,
+    appleIdPassword: process.env.NOTARIZE_APPLE_ID_PASSWORD,
+  });
+}
+
 function packLinux() {
   return builder.build({
     targets: builder.Platform.LINUX.createTarget(),
author	Linus Färnstrand <linus@mullvad.net>	2019-09-30 10:25:38 +0200
committer	Linus Färnstrand <linus@mullvad.net>	2019-10-01 16:51:22 +0200
commit	fb9fc49131d8fd39eef169f6cd498b67b436933d (patch)
tree	a3ee18a06c31a301c65237993667277b89972f3e
parent	57a143f6f6ebd132044de8f334c9d43164ff4c15 (diff)
download	mullvadvpn-fb9fc49131d8fd39eef169f6cd498b67b436933d.tar.xz mullvadvpn-fb9fc49131d8fd39eef169f6cd498b67b436933d.zip