Unverified Commit ae306f5c authored by csett86's avatar csett86 Committed by GitHub
Browse files

mac: Enable autoupdate by sign and notarize via github action (#581)

mac: Enable autoupdate by sign and notarize via github action

Signed and notarized binaries are the precondition for autoupdates on
mac. Additionally Gatekeeper on 10.15+ is happy and allows to open the
app instead of blocking it.

The notarize step is added unconditionally, as it only emits a warning if
the notarization API key is not set, but it does not break the build.

This is an upstreaming of https://github.com/csett86/jitsi-meet-electron
where it worked since March 2020.

On CI, only sign if not triggered by pull request, as these will fail (as secrets
are not available to pull request builds).

The required github secrets (signing key, cert and notarize API login, password and team id) are:

Signing

Open the Keychain Access app. Export all certificates (Developer ID Certificate) related to your app into a single file (e.g. certs.p12) and set a strong password.

Base64-encode your certificates using the fol...
parent 6a60a6d8
......@@ -37,6 +37,14 @@ jobs:
- uses: actions/setup-node@v1
with:
node-version: '16.x'
- name: Prepare for app signing and notarization
if: ${{ github.event_name != 'pull_request' }}
run: |
echo "CSC_LINK=${{ secrets.mac_cert }}" >> $GITHUB_ENV
echo "CSC_KEY_PASSWORD=${{ secrets.mac_cert_password }}" >> $GITHUB_ENV
echo "APPLE_ID=${{ secrets.apple_id }}" >> $GITHUB_ENV
echo "APPLE_ID_PASSWORD=${{ secrets.apple_id_password }}" >> $GITHUB_ENV
echo "TEAM_ID=${{ secrets.team_id }}" >> $GITHUB_ENV
- name: Build it
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
......
const { notarize } = require('electron-notarize');
const process = require('process');
const pkgJson = require('./package.json');
exports.default = async function notarizing(context) {
const { electronPlatformName, appOutDir } = context;
if (electronPlatformName !== 'darwin') {
return;
}
if (!(process.env.APPLE_ID && process.env.APPLE_ID_PASSWORD && process.env.TEAM_ID)) {
console.log('Skipping notarization');
return;
}
const appName = context.packager.appInfo.productFilename;
return await notarize({
tool: 'notarytool',
appBundleId: pkgJson.build.appId,
appPath: `${appOutDir}/${appName}.app`,
appleId: process.env.APPLE_ID,
appleIdPassword: process.env.APPLE_ID_PASSWORD,
teamId: process.env.TEAM_ID
});
};
This diff is collapsed.
......@@ -21,6 +21,7 @@
"productName": "Jitsi Meet",
"generateUpdatesFilesForAllChannels": true,
"afterPack": "./linux-sandbox-fix.js",
"afterSign": "./notarize.js",
"files": [
"build",
"resources",
......@@ -163,6 +164,7 @@
"electron-context-menu": "^2.5.0",
"electron-is-dev": "^1.2.0",
"electron-log": "^4.3.2",
"electron-notarize": "1.1.1",
"electron-react-devtools": "0.5.3",
"electron-store": "^5.2.0",
"electron-updater": "^4.4.3",
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment