mac: Enable autoupdate by sign and notarize via github action (#581)

mac: Enable autoupdate by sign and notarize via github action

Signed and notarized binaries are the precondition for autoupdates on
mac. Additionally Gatekeeper on 10.15+ is happy and allows to open the
app instead of blocking it.

The notarize step is added unconditionally, as it only emits a warning if
the notarization API key is not set, but it does not break the build.

This is an upstreaming of https://github.com/csett86/jitsi-meet-electron
where it worked since March 2020.

On CI, only sign if not triggered by pull request, as these will fail (as secrets
are not available to pull request builds).

The required github secrets (signing key, cert and notarize API login, password and team id) are:

Signing

Open the Keychain Access app. Export all certificates (Developer ID Certificate) related to your app into a single file (e.g. certs.p12) and set a strong password.

Base64-encode your certificates using the fol...

.github/workflows/ci.yml

@@ -37,6 +37,14 @@ jobs:
     - uses: actions/setup-node@v1
       with:
         node-version: '16.x'
+    - name: Prepare for app signing and notarization
+      if: ${{ github.event_name != 'pull_request' }}
+      run: |
+        echo "CSC_LINK=${{ secrets.mac_cert }}" >> $GITHUB_ENV
+        echo "CSC_KEY_PASSWORD=${{ secrets.mac_cert_password }}" >> $GITHUB_ENV
+        echo "APPLE_ID=${{ secrets.apple_id }}" >> $GITHUB_ENV
+        echo "APPLE_ID_PASSWORD=${{ secrets.apple_id_password }}" >> $GITHUB_ENV
+        echo "TEAM_ID=${{ secrets.team_id }}" >> $GITHUB_ENV
     - name: Build it
       env:
         GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

notarize.js

+const { notarize } = require('electron-notarize');
+const process = require('process');
+const pkgJson = require('./package.json');
+
+exports.default = async function notarizing(context) {
+    const { electronPlatformName, appOutDir } = context;
+
+    if (electronPlatformName !== 'darwin') {
+        return;
+    }
+
+    if (!(process.env.APPLE_ID && process.env.APPLE_ID_PASSWORD && process.env.TEAM_ID)) {
+        console.log('Skipping notarization');
+
+        return;
+    }
+
+    const appName = context.packager.appInfo.productFilename;
+
+    return await notarize({
+        tool: 'notarytool',
+        appBundleId: pkgJson.build.appId,
+        appPath: `${appOutDir}/${appName}.app`,
+        appleId: process.env.APPLE_ID,
+        appleIdPassword: process.env.APPLE_ID_PASSWORD,
+        teamId: process.env.TEAM_ID
+    });
+};

package.json

@@ -21,6 +21,7 @@
     "productName": "Jitsi Meet",
     "generateUpdatesFilesForAllChannels": true,
     "afterPack": "./linux-sandbox-fix.js",
+    "afterSign": "./notarize.js",
     "files": [
       "build",
       "resources",
@@ -163,6 +164,7 @@
     "electron-context-menu": "^2.5.0",
     "electron-is-dev": "^1.2.0",
     "electron-log": "^4.3.2",
+    "electron-notarize": "1.1.1",
     "electron-react-devtools": "0.5.3",
     "electron-store": "^5.2.0",
     "electron-updater": "^4.4.3",