Merge pull request #20350 from atom/add-notarization-macos

Add notarization to macOS app

package-lock.json

@@ -1,6 +1,6 @@
 {
   "name": "atom",
-  "version": "1.44.0-dev",
+  "version": "1.45.0-dev",
   "lockfileVersion": 1,
   "requires": true,
   "dependencies": {
@@ -2590,6 +2590,45 @@
         "jsbn": "~0.1.0"
       }
     },
+    "electron-notarize": {
+      "version": "0.2.1",
+      "resolved": "https://registry.npmjs.org/electron-notarize/-/electron-notarize-0.2.1.tgz",
+      "integrity": "sha512-oZ6/NhKeXmEKNROiFmRNfytqu3cxqC95sjooG7kBXQVEUSQkZnbiAhxVh5jXngL881G197pbwpeVPJyM7Ikmxw==",
+      "requires": {
+        "debug": "^4.1.1",
+        "fs-extra": "^8.1.0"
+      },
+      "dependencies": {
+        "debug": {
+          "version": "4.1.1",
+          "resolved": "https://registry.npmjs.org/debug/-/debug-4.1.1.tgz",
+          "integrity": "sha512-pYAIzeRo8J6KPEaJ0VWOh5Pzkbw/RetuzehGM7QRRX5he4fPHx2rdKMB256ehJCkX+XRQm16eZLqLNS8RSZXZw==",
+          "requires": {
+            "ms": "^2.1.1"
+          }
+        },
+        "fs-extra": {
+          "version": "8.1.0",
+          "resolved": "https://registry.npmjs.org/fs-extra/-/fs-extra-8.1.0.tgz",
+          "integrity": "sha512-yhlQgA6mnOJUKOsRUFsgJdQCvkKhcz8tlZG5HBQfReYZy46OwLcY+Zia0mtdHsOo9y/hP+CxMN0TU9QxoOtG4g==",
+          "requires": {
+            "graceful-fs": "^4.2.0",
+            "jsonfile": "^4.0.0",
+            "universalify": "^0.1.0"
+          }
+        },
+        "graceful-fs": {
+          "version": "4.2.3",
+          "resolved": "https://registry.npmjs.org/graceful-fs/-/graceful-fs-4.2.3.tgz",
+          "integrity": "sha512-a30VEBm4PEdx1dRB7MFK7BejejvCvBronbLjht+sHuGYj8PHs7M/5Z+rt5lw551vZ7yfTCj4Vuyy3mSJytDWRQ=="
+        },
+        "ms": {
+          "version": "2.1.2",
+          "resolved": "https://registry.npmjs.org/ms/-/ms-2.1.2.tgz",
+          "integrity": "sha512-sGkPx+VjMtmA6MX27oA4FBFELFCZZ4S4XqeGOXCv68tT+jb3vk/RyaKWP0PTKyWtmLSM0b+adUTEvbs1PEaH2w=="
+        }
+      }
+    },
     "electron-to-chromium": {
       "version": "1.3.322",
       "resolved": "https://registry.npmjs.org/electron-to-chromium/-/electron-to-chromium-1.3.322.tgz",

package.json

@@ -50,6 +50,7 @@
     "deprecation-cop": "file:packages/deprecation-cop",
     "dev-live-reload": "file:packages/dev-live-reload",
     "devtron": "1.3.0",
+    "electron-notarize": "^0.2.1",
     "encoding-selector": "https://www.atom.io/api/packages/encoding-selector/versions/0.23.9/tarball",
     "etch": "^0.12.6",
     "event-kit": "^2.5.3",

resources/mac/entitlements.plist

@@ -0,0 +1,8 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+  <dict>
+    <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
+    <true/>
+  </dict>
+</plist>

script/build

@@ -36,6 +36,7 @@ const argv = yargs
 const checkChromedriverVersion = require('./lib/check-chromedriver-version')
 const cleanOutputDirectory = require('./lib/clean-output-directory')
 const codeSignOnMac = require('./lib/code-sign-on-mac')
+const notarizeOnMac = require('./lib/notarize-on-mac')
 const codeSignOnWindows = require('./lib/code-sign-on-windows')
 const compressArtifacts = require('./lib/compress-artifacts')
 const copyAssets = require('./lib/copy-assets')
@@ -89,11 +90,12 @@ if (!argv.generateApiDocs) {
   binariesPromise
     .then(packageApplication)
     .then(packagedAppPath => generateStartupSnapshot(packagedAppPath).then(() => packagedAppPath))
-    .then(packagedAppPath => {
+    .then(async packagedAppPath => {
       switch (process.platform) {
         case 'darwin': {
           if (argv.codeSign) {
             codeSignOnMac(packagedAppPath)
+            await notarizeOnMac(packagedAppPath)
           } else if (argv.testSign) {
             testSignOnMac(packagedAppPath)
           } else {

script/lib/code-sign-on-mac.js

@@ -1,8 +1,15 @@
 const downloadFileFromGithub = require('./download-file-from-github');
+const CONFIG = require('../config');
 const fs = require('fs-extra');
 const os = require('os');
 const path = require('path');
 const spawnSync = require('./spawn-sync');
+const macEntitlementsPath = path.join(
+  CONFIG.repositoryRootPath,
+  'resources',
+  'mac',
+  'entitlements.plist'
+);
 
 module.exports = function(packagedAppPath) {
   if (
@@ -126,6 +133,10 @@ module.exports = function(packagedAppPath) {
         '--deep',
         '--force',
         '--verbose',
+        '--entitlements',
+        macEntitlementsPath,
+        '--options',
+        'runtime',
         '--keychain',
         process.env.ATOM_MAC_CODE_SIGNING_KEYCHAIN,
         '--sign',

script/lib/notarize-on-mac.js

@@ -0,0 +1,20 @@
+const notarize = require('electron-notarize').notarize;
+
+module.exports = async function(packagedAppPath) {
+  const appBundleId = 'com.github.atom';
+  const appleId = process.env.AC_USER;
+  const appleIdPassword = process.env.AC_PASSWORD;
+
+  console.log(`Notarizing application at ${packagedAppPath}`);
+
+  try {
+    await notarize({
+      appBundleId: appBundleId,
+      appPath: packagedAppPath,
+      appleId: appleId,
+      appleIdPassword: appleIdPassword
+    });
+  } catch (e) {
+    throw new Error(e);
+  }
+};

script/vsts/platforms/macos.yml

@@ -61,6 +61,8 @@ jobs:
           ATOM_MAC_CODE_SIGNING_CERT_PASSWORD: $(ATOM_MAC_CODE_SIGNING_CERT_PASSWORD)
           ATOM_MAC_CODE_SIGNING_KEYCHAIN: $(ATOM_MAC_CODE_SIGNING_KEYCHAIN)
           ATOM_MAC_CODE_SIGNING_KEYCHAIN_PASSWORD: $(ATOM_MAC_CODE_SIGNING_KEYCHAIN_PASSWORD)
+          AC_USER: $(AC_USER)
+          AC_PASSWORD: $(AC_PASSWORD)
 
       - script: |
           cp $(Build.SourcesDirectory)/out/*.zip $(Build.ArtifactStagingDirectory)