fix: mac signing for electron and tauri

zidoro · Dec 16, 2023 · 2c542fe · 2c542fe
1 parent 07e6482
commit 2c542fe
Show file tree

Hide file tree

Showing 10 changed files with 68 additions and 22 deletions.
diff --git a/.github/workflows/build-tauri.yml b/.github/workflows/build-tauri.yml
@@ -2,10 +2,11 @@ name: Build Tauri
 
 on:
   push:
-    branches-ignore:
-      - "master"
+    branches:
+      - master
     paths-ignore:
       - "website"
+      - "CHANGELOG.md"
   workflow_call:
   workflow_dispatch:
 jobs:
@@ -63,15 +64,28 @@ jobs:
       - name: Install NPM Packages
         run: |
           yarn install --immutable --network-timeout 120000
+      - name: Prepare for app notarization
+        if: startsWith(matrix.os, 'macos')
+        # Import Apple API key for app notarization on macOS
+        run: |
+          mkdir -p ~/private_keys/
+          echo '${{ secrets.APPLE_API_KEY_FILE }}' > ~/private_keys/AuthKey_${{ secrets.APPLE_API_KEY }}.p8
       - name: Build
         shell: bash
         run: |
           for target in ${{ join(matrix.tauri_target, ' ') }}; do
             yarn build:tauri --target $target --config ./app/tauri/release.conf.json
           done
         env:
+          APPLE_API_ISSUER: ${{ secrets.APPLE_API_ISSUER }}
+          APPLE_API_KEY_PATH: ~/private_keys/AuthKey_${{ secrets.APPLE_API_KEY }}.p8
+          APPLE_API_KEY: ${{ secrets.APPLE_API_KEY }}
+          APPLE_CERTIFICATE: ${{ secrets.APPLE_CERTIFICATE }}
+          APPLE_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}
+          APPLE_SIGNING_IDENTITY: ${{ secrets.APPLE_SIGNING_IDENTITY }}
           TAURI_SIGNING_PRIVATE_KEY: ${{ secrets.TAURI_PRIVATE_KEY }}
           TAURI_SIGNING_PRIVATE_KEY_PASSWORD: ${{ secrets.TAURI_KEY_PASSWORD }}
+          APPLE_PROVIDER_SHORT_NAME: ${{ secrets.APPLE_PROVIDER_SHORT_NAME }}
       # Possibly set up some basic unit testing just to make sure parts render and none of the libraries are straight up breaking
       - uses: actions/upload-artifact@v3
         with:

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -1,10 +1,11 @@
 name: Build
 on:
   push:
-    branches-ignore:
-      - "master"
+    branches:
+      - master
     paths-ignore:
       - "website"
+      - "CHANGELOG.md"
   workflow_call:
   workflow_dispatch:
 jobs:
@@ -39,7 +40,19 @@ jobs:
       - name: Install
         run: |
           yarn install --immutable --network-timeout 120000
+      - name: Prepare for app notarization
+        if: startsWith(matrix.os, 'macos')
+        # Import Apple API key for app notarization on macOS
+        run: |
+          mkdir -p ~/private_keys/
+          echo '${{ secrets.APPLE_API_KEY_FILE }}' > ~/private_keys/AuthKey_${{ secrets.APPLE_API_KEY }}.p8
       - name: Build
+        env:
+          APPLE_API_KEY_PATH: ~/private_keys/AuthKey_${{ secrets.APPLE_API_KEY }}.p8
+          API_KEY_ID: ${{ secrets.APPLE_API_KEY }}
+          API_KEY_ISSUER_ID: ${{ secrets.APPLE_API_ISSUER }}
+          CSC_LINK: ${{ secrets.CSC_LINK }}
+          CSC_KEY_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}
         run: |
           yarn build
           yarn lerna run ${{ matrix.task }} --stream

diff --git a/.github/workflows/website-deploy.yml b/.github/workflows/website-deploy.yml
@@ -1,10 +1,5 @@
 name: Deploy Website
 on:
-  push:
-    branches:
-      - master
-    paths:
-      - "website"
   workflow_dispatch:
   workflow_call:
 jobs:

diff --git a/app/electron/electron-builder/afterSign.js b/app/electron/electron-builder/afterSign.js
@@ -0,0 +1,22 @@
+const { notarize } = require("electron-notarize");
+
+exports.default = async function notarizing(context) {
+  const { electronPlatformName, appOutDir } = context;
+  if (electronPlatformName !== "darwin" || !process.env.API_KEY_ID) {
+    console.log("Skipping notarization");
+    return;
+  }
+
+  const appName = context.packager.appInfo.productFilename;
+
+  console.log(`Notarizing App ${appOutDir}/${appName}.app`);
+
+  return await notarize({
+    tool: "notarytool",
+    appBundleId: "com.roldanjr.pomatez",
+    appPath: `${appOutDir}/${appName}.app`,
+    appleApiKey: process.env.APPLE_API_KEY_PATH,
+    appleApiKeyId: process.env.API_KEY_ID,
+    appleApiIssuer: process.env.API_KEY_ISSUER_ID,
+  });
+};
diff --git a/app/electron/package.json b/app/electron/package.json
@@ -43,6 +43,7 @@
     "productName": "Pomatez",
     "appId": "com.roldanjr.pomatez",
     "copyright": "Copyright © 2020 ${author}",
+    "afterSign": "./electron-builder/afterSign.js",
     "files": [
       "build"
     ],
@@ -108,6 +109,7 @@
     "electron-builder": "23.6.0",
     "regenerator-runtime": "^0.13.11",
     "electron-reload": "2.0.0-alpha.1",
+    "electron-notarize": "1.2.2",
     "ts-jest": "^26.5.6"
   }
 }
diff --git a/app/tauri/Cargo.lock b/app/tauri/Cargo.lock
diff --git a/app/tauri/Cargo.toml b/app/tauri/Cargo.toml
@@ -3,7 +3,7 @@ name = "pomatez"
 # In the current version of release please, unless the toml file is in the root of the project it cannot be updated.
 # https://github.com/googleapis/release-please/issues/1724
 # util/cargo-version-updater.js will run to keep this value up to date before rust builds.
-version = "1.4.3"
+version = "1.5.0"
 description = "Attractive pomodoro timer for Windows, Mac, and Linux."
 authors = ["Roldan Montilla Jr"]
 license = "MIT"

diff --git a/app/tauri/src/main.rs b/app/tauri/src/main.rs
@@ -60,6 +60,7 @@ fn main() {
         RunEvent::Ready => {
             app_handle.register_global_shortcuts();
 
+            #[cfg(any(target_os = "macos", debug_assertions))]
             let window = app_handle.get_window("main").unwrap();
 
             // There is a bug on mac where the size is not properly respected initially, though this seems to fix it.

diff --git a/app/tauri/tauri.conf.json b/app/tauri/tauri.conf.json
@@ -36,18 +36,9 @@
         "signingIdentity": null
       },
       "publisher": "Roldan Montilla Jr",
-      "resources": [
-        "icons/icon.png"
-      ],
+      "resources": ["icons/icon.png"],
       "shortDescription": "",
-      "targets": [
-        "deb",
-        "appimage",
-        "msi",
-        "nsis",
-        "dmg",
-        "updater"
-      ],
+      "targets": ["deb", "appimage", "msi", "nsis", "dmg", "updater"],
       "windows": {
         "certificateThumbprint": null,
         "digestAlgorithm": "sha256",

diff --git a/yarn.lock b/yarn.lock
@@ -7714,6 +7714,14 @@ electron-log@^4.2.4:
   resolved "https://registry.yarnpkg.com/electron-log/-/electron-log-4.4.8.tgz#fcb9f714dbcaefb6ac7984c4683912c74730248a"
   integrity sha512-QQ4GvrXO+HkgqqEOYbi+DHL7hj5JM+nHi/j+qrN9zeeXVKy8ZABgbu4CnG+BBqDZ2+tbeq9tUC4DZfIWFU5AZA==
 
+[email protected]:
+  version "1.2.2"
+  resolved "https://registry.yarnpkg.com/electron-notarize/-/electron-notarize-1.2.2.tgz#ebf2b258e8e08c1c9f8ff61dc53d5b16b439daf4"
+  integrity sha512-ZStVWYcWI7g87/PgjPJSIIhwQXOaw4/XeXU+pWqMMktSLHaGMLHdyPPN7Cmao7+Cr7fYufA16npdtMndYciHNw==
+  dependencies:
+    debug "^4.1.1"
+    fs-extra "^9.0.1"
+
 electron-osx-sign@^0.6.0:
   version "0.6.0"
   resolved "https://registry.yarnpkg.com/electron-osx-sign/-/electron-osx-sign-0.6.0.tgz#9b69c191d471d9458ef5b1e4fdd52baa059f1bb8"