diff options
| -rw-r--r-- | Release.md | 20 | ||||
| -rwxr-xr-x | build.sh | 12 | ||||
| -rwxr-xr-x | ci/buildserver-build.sh | 2 | ||||
| -rw-r--r-- | gui/package-lock.json | 256 | ||||
| -rw-r--r-- | gui/package.json | 2 | ||||
| -rw-r--r-- | gui/tasks/distribution.js | 12 |
6 files changed, 185 insertions, 119 deletions
diff --git a/Release.md b/Release.md index 3963a19ab3..f1896fba37 100644 --- a/Release.md +++ b/Release.md @@ -32,15 +32,19 @@ the version of the app you are going to release. For example `2018.3-beta1` or ` ``` * *macOS only*: - * `NOTARIZE_APPLE_ID` - The AppleId to use when notarizing the app. Only needed on release builds - * `NOTARIZE_APPLE_ID_PASSWORD` - The AppleId password for the account in `NOTARIZE_APPLE_ID`. - Don't use the real AppleId password! Instead create an app specific password and add that to - your keyring. See this documentation: https://github.com/electron/electron-notarize#safety-when-using-appleidpassword + * `NOTARIZE_KEYCHAIN` - The keychain in which the profile is stored + * `NOTARIZE_KEYCHAIN_PROFILE` - The name of the notarytool profile containing the credentials. + The credentials include Apple-ID, app specific password and team ID. Don't use the real + AppleId password! Instead create an app specific password and add that to your keyring. See + this documentation: + https://github.com/electron/electron-notarize#safety-when-using-appleidpassword - Summary: - 1. Generate app specific password on Apple's AppleId management portal. - 2. Run `security add-generic-password -a "<apple_id>" -w <app_specific_password> -s "something_something"` - 3. Set `NOTARIZE_APPLE_ID_PASSWORD="@keychain:something_something"`. + Create the notarytool profile: + 1. Generate app specific password on Apple's AppleId management portal + 2. Run `xcrun notarytool store-credentials <profile name> --keychain <keychain path>`. + Leave the first prompt empty and than fill in the rest with the credentials mentioned + above + 3. Set `NOTARIZE_KEYCHAIN` and `NOTARIZE_KEYCHAIN_PROFILE` to the values specified in 2 1. Run `./build.sh` on each computer/platform where you want to create a release artifact. This will do the following for you: @@ -25,6 +25,8 @@ log_header "Building Mullvad VPN $PRODUCT_VERSION" OPTIMIZE="false" # If the produced binaries should be signed (Windows + macOS only) SIGN="false" +# If the produced app and pkg should be notarized by apple (macOS only) +NOTARIZE="false" # If a macOS build should create an installer artifact working on both # Intel and Apple Silicon Macs UNIVERSAL="false" @@ -33,6 +35,7 @@ while [[ "$#" -gt 0 ]]; do case $1 in --optimize) OPTIMIZE="true";; --sign) SIGN="true";; + --notarize) NOTARIZE="true";; --universal) if [[ "$(uname -s)" != "Darwin" ]]; then log_error "--universal only works on macOS" @@ -127,6 +130,10 @@ else export CSC_IDENTITY_AUTO_DISCOVERY=false fi +if [[ "$NOTARIZE" == "true" ]]; then + NPM_PACK_ARGS+=(--notarize) +fi + if [[ "$IS_RELEASE" == "true" ]]; then log_info "Removing old Rust build artifacts..." cargo clean @@ -136,11 +143,6 @@ if [[ "$IS_RELEASE" == "true" ]]; then else # Allow dev builds to override which API server to use at runtime. CARGO_ARGS+=(--features api-override) - - if [[ "$(uname -s)" == "Darwin" ]]; then - log_info "Disabling Apple notarization of installer in dev build" - NPM_PACK_ARGS+=(--no-apple-notarization) - fi fi # Make Windows builds include a manifest in the daemon binary declaring it must diff --git a/ci/buildserver-build.sh b/ci/buildserver-build.sh index e026764f5a..6d491bb56f 100755 --- a/ci/buildserver-build.sh +++ b/ci/buildserver-build.sh @@ -156,7 +156,7 @@ function build_ref { local build_args=(--optimize --sign) if [[ "$(uname -s)" == "Darwin" ]]; then - build_args+=(--universal) + build_args+=(--universal --notarize) fi artifact_dir=$artifact_dir build "${build_args[@]}" || return 1 diff --git a/gui/package-lock.json b/gui/package-lock.json index f4d53b261c..8685f2f152 100644 --- a/gui/package-lock.json +++ b/gui/package-lock.json @@ -27,6 +27,7 @@ "styled-components": "^5.1.1" }, "devDependencies": { + "@electron/notarize": "^2.1.0", "@playwright/test": "^1.32.0", "@types/chai": "^4.3.3", "@types/chai-as-promised": "^7.1.5", @@ -58,7 +59,6 @@ "electron-builder": "^23.6.0", "electron-devtools-installer": "^3.2.0", "electron-mocha": "^11.0.2", - "electron-notarize": "^1.2.1", "eslint": "^8.36.0", "eslint-plugin-prettier": "^4.2.1", "eslint-plugin-react": "^7.32.2", @@ -359,6 +359,67 @@ "semver": "bin/semver.js" } }, + "node_modules/@electron/notarize": { + "version": "2.1.0", + "resolved": "https://registry.npmjs.org/@electron/notarize/-/notarize-2.1.0.tgz", + "integrity": "sha512-Q02xem1D0sg4v437xHgmBLxI2iz/fc0D4K7fiVWHa/AnW8o7D751xyKNXgziA6HrTOme9ul1JfWN5ark8WH1xA==", + "dev": true, + "dependencies": { + "debug": "^4.1.1", + "fs-extra": "^9.0.1", + "promise-retry": "^2.0.1" + }, + "engines": { + "node": ">= 10.0.0" + } + }, + "node_modules/@electron/notarize/node_modules/debug": { + "version": "4.3.4", + "resolved": "https://registry.npmjs.org/debug/-/debug-4.3.4.tgz", + "integrity": "sha512-PRWFHuSU3eDtQJPvnNY7Jcket1j0t5OuOsFzPPzsekD52Zl8qUfFIPEiswXqIvHWGVHOgX+7G/vCNNhehwxfkQ==", + "dev": true, + "dependencies": { + "ms": "2.1.2" + }, + "engines": { + "node": ">=6.0" + }, + "peerDependenciesMeta": { + "supports-color": { + "optional": true + } + } + }, + "node_modules/@electron/notarize/node_modules/fs-extra": { + "version": "9.1.0", + "resolved": "https://registry.npmjs.org/fs-extra/-/fs-extra-9.1.0.tgz", + "integrity": "sha512-hcg3ZmepS30/7BSFqRvoo3DOMQu7IjqxO5nCDt+zM9XWjb33Wg7ziNT+Qvqbuc3+gWpzO02JubVyk2G4Zvo1OQ==", + "dev": true, + "dependencies": { + "at-least-node": "^1.0.0", + "graceful-fs": "^4.2.0", + "jsonfile": "^6.0.1", + "universalify": "^2.0.0" + }, + "engines": { + "node": ">=10" + } + }, + "node_modules/@electron/notarize/node_modules/ms": { + "version": "2.1.2", + "resolved": "https://registry.npmjs.org/ms/-/ms-2.1.2.tgz", + "integrity": "sha512-sGkPx+VjMtmA6MX27oA4FBFELFCZZ4S4XqeGOXCv68tT+jb3vk/RyaKWP0PTKyWtmLSM0b+adUTEvbs1PEaH2w==", + "dev": true + }, + "node_modules/@electron/notarize/node_modules/universalify": { + "version": "2.0.0", + "resolved": "https://registry.npmjs.org/universalify/-/universalify-2.0.0.tgz", + "integrity": "sha512-hAZsKq7Yy11Zu1DE0OzWjw7nnLZmJZYTDZZyEFHZdUhV8FkH5MCfoU1XMaxXovpyW5nq5scPqq0ZDP9Zyl04oQ==", + "dev": true, + "engines": { + "node": ">= 10.0.0" + } + }, "node_modules/@electron/universal": { "version": "1.2.1", "resolved": "https://registry.npmjs.org/@electron/universal/-/universal-1.2.1.tgz", @@ -5058,58 +5119,6 @@ "node": ">=10" } }, - "node_modules/electron-notarize": { - "version": "1.2.1", - "resolved": "https://registry.npmjs.org/electron-notarize/-/electron-notarize-1.2.1.tgz", - "integrity": "sha512-u/ECWhIrhkSQpZM4cJzVZ5TsmkaqrRo5LDC/KMbGF0sPkm53Ng59+M0zp8QVaql0obfJy9vlVT+4iOkAi2UDlA==", - "dev": true, - "dependencies": { - "debug": "^4.1.1", - "fs-extra": "^9.0.1" - }, - "engines": { - "node": ">= 10.0.0" - } - }, - "node_modules/electron-notarize/node_modules/debug": { - "version": "4.1.1", - "resolved": "https://registry.npmjs.org/debug/-/debug-4.1.1.tgz", - "integrity": "sha512-pYAIzeRo8J6KPEaJ0VWOh5Pzkbw/RetuzehGM7QRRX5he4fPHx2rdKMB256ehJCkX+XRQm16eZLqLNS8RSZXZw==", - "dev": true, - "dependencies": { - "ms": "^2.1.1" - } - }, - "node_modules/electron-notarize/node_modules/fs-extra": { - "version": "9.1.0", - "resolved": "https://registry.npmjs.org/fs-extra/-/fs-extra-9.1.0.tgz", - "integrity": "sha512-hcg3ZmepS30/7BSFqRvoo3DOMQu7IjqxO5nCDt+zM9XWjb33Wg7ziNT+Qvqbuc3+gWpzO02JubVyk2G4Zvo1OQ==", - "dev": true, - "dependencies": { - "at-least-node": "^1.0.0", - "graceful-fs": "^4.2.0", - "jsonfile": "^6.0.1", - "universalify": "^2.0.0" - }, - "engines": { - "node": ">=10" - } - }, - "node_modules/electron-notarize/node_modules/ms": { - "version": "2.1.2", - "resolved": "https://registry.npmjs.org/ms/-/ms-2.1.2.tgz", - "integrity": "sha512-sGkPx+VjMtmA6MX27oA4FBFELFCZZ4S4XqeGOXCv68tT+jb3vk/RyaKWP0PTKyWtmLSM0b+adUTEvbs1PEaH2w==", - "dev": true - }, - "node_modules/electron-notarize/node_modules/universalify": { - "version": "2.0.0", - "resolved": "https://registry.npmjs.org/universalify/-/universalify-2.0.0.tgz", - "integrity": "sha512-hAZsKq7Yy11Zu1DE0OzWjw7nnLZmJZYTDZZyEFHZdUhV8FkH5MCfoU1XMaxXovpyW5nq5scPqq0ZDP9Zyl04oQ==", - "dev": true, - "engines": { - "node": ">= 10.0.0" - } - }, "node_modules/electron-osx-sign": { "version": "0.6.0", "resolved": "https://registry.npmjs.org/electron-osx-sign/-/electron-osx-sign-0.6.0.tgz", @@ -5296,6 +5305,12 @@ "node": ">=6" } }, + "node_modules/err-code": { + "version": "2.0.3", + "resolved": "https://registry.npmjs.org/err-code/-/err-code-2.0.3.tgz", + "integrity": "sha512-2bmlRpNKBxT/CRmPOlyISQpNj+qSeYvcym/uT0Jx2bMOlKLtSy1ZmLuVxSEKKyor/N5yhvp/ZiG1oE3DEYMSFA==", + "dev": true + }, "node_modules/error-ex": { "version": "1.3.2", "resolved": "https://registry.npmjs.org/error-ex/-/error-ex-1.3.2.tgz", @@ -11296,6 +11311,19 @@ "node": ">=0.4.0" } }, + "node_modules/promise-retry": { + "version": "2.0.1", + "resolved": "https://registry.npmjs.org/promise-retry/-/promise-retry-2.0.1.tgz", + "integrity": "sha512-y+WKFlBR8BGXnsNlIHFGPZmyDf3DFMoLhaflAnyZgV6rG6xu+JwesTo2Q9R6XwYmtmwAFCkAk3e35jEdoeh/3g==", + "dev": true, + "dependencies": { + "err-code": "^2.0.2", + "retry": "^0.12.0" + }, + "engines": { + "node": ">=10" + } + }, "node_modules/prop-types": { "version": "15.8.1", "resolved": "https://registry.npmjs.org/prop-types/-/prop-types-15.8.1.tgz", @@ -11966,6 +11994,15 @@ "node": ">=0.12" } }, + "node_modules/retry": { + "version": "0.12.0", + "resolved": "https://registry.npmjs.org/retry/-/retry-0.12.0.tgz", + "integrity": "sha512-9LkiTwjUh6rT555DtE9rTX+BKByPfrMzEAtnlEtdEwr3Nkffwiihqe2bWADg+OQRjt9gl6ICdmB/ZFDCGAtSow==", + "dev": true, + "engines": { + "node": ">= 4" + } + }, "node_modules/reusify": { "version": "1.0.4", "resolved": "https://registry.npmjs.org/reusify/-/reusify-1.0.4.tgz", @@ -14711,6 +14748,52 @@ } } }, + "@electron/notarize": { + "version": "2.1.0", + "resolved": "https://registry.npmjs.org/@electron/notarize/-/notarize-2.1.0.tgz", + "integrity": "sha512-Q02xem1D0sg4v437xHgmBLxI2iz/fc0D4K7fiVWHa/AnW8o7D751xyKNXgziA6HrTOme9ul1JfWN5ark8WH1xA==", + "dev": true, + "requires": { + "debug": "^4.1.1", + "fs-extra": "^9.0.1", + "promise-retry": "^2.0.1" + }, + "dependencies": { + "debug": { + "version": "4.3.4", + "resolved": "https://registry.npmjs.org/debug/-/debug-4.3.4.tgz", + "integrity": "sha512-PRWFHuSU3eDtQJPvnNY7Jcket1j0t5OuOsFzPPzsekD52Zl8qUfFIPEiswXqIvHWGVHOgX+7G/vCNNhehwxfkQ==", + "dev": true, + "requires": { + "ms": "2.1.2" + } + }, + "fs-extra": { + "version": "9.1.0", + "resolved": "https://registry.npmjs.org/fs-extra/-/fs-extra-9.1.0.tgz", + "integrity": "sha512-hcg3ZmepS30/7BSFqRvoo3DOMQu7IjqxO5nCDt+zM9XWjb33Wg7ziNT+Qvqbuc3+gWpzO02JubVyk2G4Zvo1OQ==", + "dev": true, + "requires": { + "at-least-node": "^1.0.0", + "graceful-fs": "^4.2.0", + "jsonfile": "^6.0.1", + "universalify": "^2.0.0" + } + }, + "ms": { + "version": "2.1.2", + "resolved": "https://registry.npmjs.org/ms/-/ms-2.1.2.tgz", + "integrity": "sha512-sGkPx+VjMtmA6MX27oA4FBFELFCZZ4S4XqeGOXCv68tT+jb3vk/RyaKWP0PTKyWtmLSM0b+adUTEvbs1PEaH2w==", + "dev": true + }, + "universalify": { + "version": "2.0.0", + "resolved": "https://registry.npmjs.org/universalify/-/universalify-2.0.0.tgz", + "integrity": "sha512-hAZsKq7Yy11Zu1DE0OzWjw7nnLZmJZYTDZZyEFHZdUhV8FkH5MCfoU1XMaxXovpyW5nq5scPqq0ZDP9Zyl04oQ==", + "dev": true + } + } + }, "@electron/universal": { "version": "1.2.1", "resolved": "https://registry.npmjs.org/@electron/universal/-/universal-1.2.1.tgz", @@ -18541,51 +18624,6 @@ } } }, - "electron-notarize": { - "version": "1.2.1", - "resolved": "https://registry.npmjs.org/electron-notarize/-/electron-notarize-1.2.1.tgz", - "integrity": "sha512-u/ECWhIrhkSQpZM4cJzVZ5TsmkaqrRo5LDC/KMbGF0sPkm53Ng59+M0zp8QVaql0obfJy9vlVT+4iOkAi2UDlA==", - "dev": true, - "requires": { - "debug": "^4.1.1", - "fs-extra": "^9.0.1" - }, - "dependencies": { - "debug": { - "version": "4.1.1", - "resolved": "https://registry.npmjs.org/debug/-/debug-4.1.1.tgz", - "integrity": "sha512-pYAIzeRo8J6KPEaJ0VWOh5Pzkbw/RetuzehGM7QRRX5he4fPHx2rdKMB256ehJCkX+XRQm16eZLqLNS8RSZXZw==", - "dev": true, - "requires": { - "ms": "^2.1.1" - } - }, - "fs-extra": { - "version": "9.1.0", - "resolved": "https://registry.npmjs.org/fs-extra/-/fs-extra-9.1.0.tgz", - "integrity": "sha512-hcg3ZmepS30/7BSFqRvoo3DOMQu7IjqxO5nCDt+zM9XWjb33Wg7ziNT+Qvqbuc3+gWpzO02JubVyk2G4Zvo1OQ==", - "dev": true, - "requires": { - "at-least-node": "^1.0.0", - "graceful-fs": "^4.2.0", - "jsonfile": "^6.0.1", - "universalify": "^2.0.0" - } - }, - "ms": { - "version": "2.1.2", - "resolved": "https://registry.npmjs.org/ms/-/ms-2.1.2.tgz", - "integrity": "sha512-sGkPx+VjMtmA6MX27oA4FBFELFCZZ4S4XqeGOXCv68tT+jb3vk/RyaKWP0PTKyWtmLSM0b+adUTEvbs1PEaH2w==", - "dev": true - }, - "universalify": { - "version": "2.0.0", - "resolved": "https://registry.npmjs.org/universalify/-/universalify-2.0.0.tgz", - "integrity": "sha512-hAZsKq7Yy11Zu1DE0OzWjw7nnLZmJZYTDZZyEFHZdUhV8FkH5MCfoU1XMaxXovpyW5nq5scPqq0ZDP9Zyl04oQ==", - "dev": true - } - } - }, "electron-osx-sign": { "version": "0.6.0", "resolved": "https://registry.npmjs.org/electron-osx-sign/-/electron-osx-sign-0.6.0.tgz", @@ -18737,6 +18775,12 @@ "integrity": "sha512-+h1lkLKhZMTYjog1VEpJNG7NZJWcuc2DDk/qsqSTRRCOXiLjeQ1d1/udrUGhqMxUgAlwKNZ0cf2uqan5GLuS2A==", "dev": true }, + "err-code": { + "version": "2.0.3", + "resolved": "https://registry.npmjs.org/err-code/-/err-code-2.0.3.tgz", + "integrity": "sha512-2bmlRpNKBxT/CRmPOlyISQpNj+qSeYvcym/uT0Jx2bMOlKLtSy1ZmLuVxSEKKyor/N5yhvp/ZiG1oE3DEYMSFA==", + "dev": true + }, "error-ex": { "version": "1.3.2", "resolved": "https://registry.npmjs.org/error-ex/-/error-ex-1.3.2.tgz", @@ -23360,6 +23404,16 @@ "integrity": "sha512-7PiHtLll5LdnKIMw100I+8xJXR5gW2QwWYkT6iJva0bXitZKa/XMrSbdmg3r2Xnaidz9Qumd0VPaMrZlF9V9sA==", "dev": true }, + "promise-retry": { + "version": "2.0.1", + "resolved": "https://registry.npmjs.org/promise-retry/-/promise-retry-2.0.1.tgz", + "integrity": "sha512-y+WKFlBR8BGXnsNlIHFGPZmyDf3DFMoLhaflAnyZgV6rG6xu+JwesTo2Q9R6XwYmtmwAFCkAk3e35jEdoeh/3g==", + "dev": true, + "requires": { + "err-code": "^2.0.2", + "retry": "^0.12.0" + } + }, "prop-types": { "version": "15.8.1", "resolved": "https://registry.npmjs.org/prop-types/-/prop-types-15.8.1.tgz", @@ -23906,6 +23960,12 @@ "integrity": "sha512-TTlYpa+OL+vMMNG24xSlQGEJ3B/RzEfUlLct7b5G/ytav+wPrplCpVMFuwzXbkecJrb6IYo1iFb0S9v37754mg==", "dev": true }, + "retry": { + "version": "0.12.0", + "resolved": "https://registry.npmjs.org/retry/-/retry-0.12.0.tgz", + "integrity": "sha512-9LkiTwjUh6rT555DtE9rTX+BKByPfrMzEAtnlEtdEwr3Nkffwiihqe2bWADg+OQRjt9gl6ICdmB/ZFDCGAtSow==", + "dev": true + }, "reusify": { "version": "1.0.4", "resolved": "https://registry.npmjs.org/reusify/-/reusify-1.0.4.tgz", diff --git a/gui/package.json b/gui/package.json index 4381f221f8..4796ff1ca6 100644 --- a/gui/package.json +++ b/gui/package.json @@ -33,6 +33,7 @@ "nseventmonitor": "^1.0.3" }, "devDependencies": { + "@electron/notarize": "^2.1.0", "@playwright/test": "^1.32.0", "@types/chai": "^4.3.3", "@types/chai-as-promised": "^7.1.5", @@ -64,7 +65,6 @@ "electron-builder": "^23.6.0", "electron-devtools-installer": "^3.2.0", "electron-mocha": "^11.0.2", - "electron-notarize": "^1.2.1", "eslint": "^8.36.0", "eslint-plugin-prettier": "^4.2.1", "eslint-plugin-react": "^7.32.2", diff --git a/gui/tasks/distribution.js b/gui/tasks/distribution.js index e1ba96103e..0cc1c03546 100644 --- a/gui/tasks/distribution.js +++ b/gui/tasks/distribution.js @@ -2,11 +2,11 @@ const path = require('path'); const fs = require('fs'); const builder = require('electron-builder'); const { Arch } = require('electron-builder'); -const { notarize } = require('electron-notarize'); +const { notarize } = require('@electron/notarize'); const { execFileSync } = require('child_process'); const noCompression = process.argv.includes('--no-compression'); -const noAppleNotarization = process.argv.includes('--no-apple-notarization'); +const shouldNotarize = process.argv.includes('--notarize'); const universal = process.argv.includes('--universal'); const release = process.argv.includes('--release'); @@ -305,7 +305,7 @@ function packMac() { return Promise.resolve(); }, afterAllArtifactBuild: async (buildResult) => { - if (!noAppleNotarization) { + if (shouldNotarize) { // buildResult.artifactPaths[0] contains the path to the pkg. await notarizeMac(buildResult.artifactPaths[0]); } @@ -322,7 +322,7 @@ function packMac() { const appOutDir = context.appOutDir; appOutDirs.push(appOutDir); - if (!noAppleNotarization) { + if (shouldNotarize) { const appName = context.packager.appInfo.productFilename; return notarizeMac(path.join(appOutDir, `${appName}.app`)); } @@ -336,8 +336,8 @@ function notarizeMac(notarizePath) { return notarize({ appBundleId: config.appId, appPath: notarizePath, - appleId: process.env.NOTARIZE_APPLE_ID, - appleIdPassword: process.env.NOTARIZE_APPLE_ID_PASSWORD, + keychain: process.env.NOTARIZE_KEYCHAIN, + keychainProfile: process.env.NOTARIZE_KEYCHAIN_PROFILE, }); } |