updating electron-* versions, adding code for Mac code-signing/notarization, adding linux installer builds in docker

robertpatrick · robertpatrick · commit c39c8ef3b0be · 2021-10-05T11:56:28.000-05:00
diff --git a/.gitignore b/.gitignore
@@ -1,3 +1,7 @@
 node_modules
 dist/
 yarn.lock
+package-lock.json
+/.idea
+*.iml
+docker.env
diff --git a/README.md b/README.md
@@ -9,7 +9,13 @@ If you can't use GitHub, you can use other providers:
 
 1. For macOS, you will need a code-signing certificate.
 
-    Install Xcode (from the App Store), then follow [these instructions](https://developer.apple.com/library/content/documentation/IDEs/Conceptual/AppDistributionGuide/MaintainingCertificates/MaintainingCertificates.html#//apple_ref/doc/uid/TP40012582-CH31-SW6) to make sure you have a "Mac Developer" certificate.  If you'd like to export the certificate (for automated building, for instance) [you can](https://developer.apple.com/library/content/documentation/IDEs/Conceptual/AppDistributionGuide/MaintainingCertificates/MaintainingCertificates.html#//apple_ref/doc/uid/TP40012582-CH31-SW7).  You would then follow [these instructions](https://www.electron.build/code-signing).
+    Install Xcode (from the App Store), then follow [these instructions](https://developer.apple.com/library/content/documentation/IDEs/Conceptual/AppDistributionGuide/MaintainingCertificates/MaintainingCertificates.html#//apple_ref/doc/uid/TP40012582-CH31-SW6) to make sure you have a "Developer ID Application" certificate.  If you'd like to export the certificate (for automated building, for instance) [you can](https://developer.apple.com/library/content/documentation/IDEs/Conceptual/AppDistributionGuide/MaintainingCertificates/MaintainingCertificates.html#//apple_ref/doc/uid/TP40012582-CH31-SW7).  You would then follow [these instructions](https://www.electron.build/code-signing).
+   
+    This example application is set up to perform code-signing and notarization on Mac OS provided that a `Developer ID
+    Application` certificate is installed in the default keychain.  The following environment variables are important for the signing process:
+    - `CSC_IDENTITY_AUTO_DISCOVERY` - controls whether `electron-builder` tries to sign the application; default is `true`, set to `false` to skip signing
+    - `APPLEID` - the Apple ID to use for notarization (required for signing).
+    - `APPLEIDPASS` - the password to use with the specified Apple ID for notarization (required for signing).  Apple recommends setting up an app-specific password to safeguard the Apple ID password (see [Apple Support](https://support.apple.com/en-us/HT204397)) for more information.
 
 2. Adjust `package.json` if needed.
 
@@ -49,7 +55,7 @@ If you can't use GitHub, you can use other providers:
 
 5. Publish for your platform with:
 
-        build -p always
+        electron-builder -p always
 
    or
 
@@ -63,12 +69,16 @@ If you can't use GitHub, you can use other providers:
         },
         ...
 
-6. Release the release on GitHub by going to <https://github.com/YOUR_GIT_HUB_USERNAME/electron-updater-example/releases>, editing the release and clicking "Publish release."
+   NOTE: The Mac OS signing/notarization process must be run on Mac OS.  This application is set up to build Linux installers using the `electronuserland/builder` Docker image.  Run:
+   
+        npm run publish-linux-docker
 
-7. Download and install the app from <https://github.com/YOUR_GIT_HUB_USERNAME/electron-updater-example/releases>.
+7. Release the release on GitHub by going to <https://github.com/YOUR_GIT_HUB_USERNAME/electron-updater-example/releases>, editing the release and clicking "Publish release."
 
-8. Update the version in `package.json`, commit and push to GitHub.
+8. Download and install the app from <https://github.com/YOUR_GIT_HUB_USERNAME/electron-updater-example/releases>.
 
-9. Do steps 5 and 6 again.
+9. Update the version in `package.json`, commit and push to GitHub.
 
-10. Open the installed version of the app and see that it updates itself.
+10. Do steps 5 and 6 again.
+
+11. Open the installed version of the app and see that it updates itself.
diff --git a/build/entitlements.mac.plist b/build/entitlements.mac.plist
@@ -0,0 +1,16 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+  <dict>
+    <key>com.apple.security.cs.debugger</key>
+    <true/>
+    <key>com.apple.security.cs.allow-jit</key>
+    <true/>
+    <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
+    <true/>
+    <key>com.apple.security.cs.allow-dyld-environment-variables</key>
+    <true/>
+    <key>com.apple.security.cs.disable-library-validation</key>
+    <true/>
+  </dict>
+</plist>
diff --git a/build/linuxInstallers.sh b/build/linuxInstallers.sh
@@ -0,0 +1,22 @@
+#!/usr/bin/env bash
+
+SCRIPT_DIR=$(dirname "$0")
+export WORKSPACE=$(cd "${SCRIPT_DIR}/.."; pwd)
+if [ -z "${GH_TOKEN}" ]; then
+  echo "GH_TOKEN environment variable must be set prior to running this script">&2
+  exit 1
+fi
+
+EXAMPLE_ENV_FILE="${WORKSPACE}/docker.env"
+echo "EXAMPLE_USER=$(id -un)" > "${EXAMPLE_ENV_FILE}"
+# shellcheck disable=SC2129
+echo "EXAMPLE_UID=$(id -u)" >> "${EXAMPLE_ENV_FILE}"
+echo "EXAMPLE_GROUP=$(id -gn)" >> "${EXAMPLE_ENV_FILE}"
+echo "EXAMPLE_GID=$(id -g)" >> "${EXAMPLE_ENV_FILE}"
+echo "GH_TOKEN=${GH_TOKEN}" >> "${EXAMPLE_ENV_FILE}"
+
+if [ -n "${HTTPS_PROXY}" ]; then
+  echo "HTTPS_PROXY=${HTTPS_PROXY}" >> "${EXAMPLE_ENV_FILE}"
+fi
+
+docker run --rm -v "${WORKSPACE}:/project" --env-file "${EXAMPLE_ENV_FILE}" electronuserland/builder /project/build/linuxInstallersInDocker.sh
diff --git a/build/linuxInstallersInDocker.sh b/build/linuxInstallersInDocker.sh
@@ -0,0 +1,37 @@
+#!/usr/bin/env /bin/bash
+if [ -z "${EXAMPLE_USER}" ] || [ -z "${EXAMPLE_UID}" ]; then
+  echo "EXAMPLE_USER and EXAMPLE_UID environment variables must be set" 1>&2
+  exit 1
+fi
+if [ -z "${EXAMPLE_GROUP}" ] || [ -z "${EXAMPLE_GID}" ]; then
+  echo "EXAMPLE_GROUP and EXAMPLE_GID environment variables must be set" 1>&2
+  exit 1
+fi
+
+groupadd --gid "${EXAMPLE_GID}" "${EXAMPLE_GROUP}"
+useradd --gid "${EXAMPLE_GID}" --uid "${EXAMPLE_UID}" --shell /bin/bash --no-create-home "${EXAMPLE_USER}"
+
+# Electron Builder seems to rely on the user's home directory being present...
+mkdir -p "/home/${EXAMPLE_USER}"
+chmod 777 "/home/${EXAMPLE_USER}"
+
+# Electron Builder tries to create /scratch when it needs to build a binary (rather than using prebuilt binaries)
+# so create it prior to running it with the necessary permissions.
+mkdir -p "/scratch"
+chmod 777 "/scratch"
+
+#
+# Build the installers
+#
+cd /project || exit
+NPM_COMMAND="npm run publish"
+if [ "${HTTPS_PROXY}" != "" ]; then
+  NPM_COMMAND="HTTPS_PROXY=${HTTPS_PROXY} $NPM_COMMAND"
+fi
+
+su "${EXAMPLE_USER}" --command "${NPM_COMMAND}"
+
+NPM_EXIT_CODE=$?
+if [ ${NPM_EXIT_CODE} -ne 0 ]; then
+  exit ${NPM_EXIT_CODE}
+fi
diff --git a/build/notarize.js b/build/notarize.js
@@ -0,0 +1,19 @@
+const { notarize } = require('electron-notarize');
+const path = require('path');
+
+exports.default = async function notarizing(context) {
+  const { electronPlatformName, appOutDir } = context;
+  if (electronPlatformName !== 'darwin') {
+    return;
+  }
+
+  const appName = context.packager.appInfo.productFilename;
+  const appPath = path.normalize(path.join(process.cwd(), 'dist', 'mac', `${appName}.app`));
+  console.log('calling notarize with appPath = %s', appPath);
+  return await notarize({
+    appBundleId: 'com.github.iffy.electronupdaterexample',
+    appPath: appPath,
+    appleId: process.env.APPLEID,
+    appleIdPassword: process.env.APPLEIDPASS,
+  });
+};
diff --git a/main.js b/main.js
@@ -1,7 +1,7 @@
 // This is free and unencumbered software released into the public domain.
 // See LICENSE for details
 
-const {app, BrowserWindow, Menu, protocol, ipcMain} = require('electron');
+const {app, BrowserWindow, Menu} = require('electron');
 const log = require('electron-log');
 const {autoUpdater} = require("electron-updater");
 
@@ -59,7 +59,12 @@ function sendStatusToWindow(text) {
   win.webContents.send('message', text);
 }
 function createDefaultWindow() {
-  win = new BrowserWindow();
+  win = new BrowserWindow({
+    webPreferences: {
+      nodeIntegration: true,
+      contextIsolation: false
+    }
+  });
   win.webContents.openDevTools();
   win.on('closed', () => {
     win = null;
diff --git a/package.json b/package.json
@@ -1,28 +1,52 @@
 {
   "name": "electron-updater-example",
-  "version": "0.7.1",
+  "version": "0.7.2",
   "main": "main.js",
   "description": "electron-updater example project",
   "author": "Matt Haggard",
   "scripts": {
-    "publish": "build -p always"
+    "publish": "electron-builder -p always",
+    "publish-linux-docker": "./build/linuxInstallers.sh"
   },
   "devDependencies": {
-    "electron": "^3.0.2",
-    "electron-builder": "^20.28.4"
+    "electron": "^14.0.1",
+    "electron-builder": "^22.11.7"
   },
   "dependencies": {
-    "electron-log": "^1.3.0",
-    "electron-updater": "^4.0.6"
+    "electron-log": "^4.4.1",
+    "electron-updater": "^4.3.9"
   },
   "build": {
     "appId": "com.github.iffy.electronupdaterexample",
+    "productName": "Electron Updater Example",
+    "afterSign": "./build.notarize.js",
+    "directories": {
+      "output": "dist"
+    },
+    "files": [
+      "!.DS_Store"
+    ],
     "mac": {
       "category": "your.app.category.type",
-      "target": [
-        "zip",
-        "dmg"
-      ]
+      "target": "default",
+      "type": "distribution",
+      "hardenedRuntime": true,
+      "gatekeeperAsses": false,
+      "entitlements": "./build/entitlements.mac.plist"
+    },
+    "dmg": {
+      "sign": false
+    },
+    "win": {
+      "target": "nsis"
+    },
+    "nsis": {
+      "oneClick": false,
+      "allowToChangeInstallationDirectory": true
+    },
+    "linux": {
+      "category": "your.app.category.type",
+      "target": "AppImage"
     }
   }
 }
