⚡ 🎉 auto detect if you can sign builds

Rather than having to set an environment variable to say you don’t have
the cert, let the build tooling figure it out for you and log more
useful messages along the way.

If you have the certificate, you’ll now see:
![](https://cldup.com/--k6ry1Av7-2000x2000.png)

And if you don’t, you’ll no longer see a really confusing stack trace
but instead:
![](https://cldup.com/v5gx_zbkUo-3000x3000.png)

Author: imlucas

package.json

@@ -93,6 +93,7 @@
     "bootstrap": "https://github.com/twbs/bootstrap/archive/v3.3.5.tar.gz",
     "browserify": "^10.2.4",
     "bugsnag-js": "^2.4.8",
+    "chalk": "^1.1.1",
     "d3": "^3.5.5",
     "del": "^1.2.0",
     "domready": "^1.0.8",
@@ -102,6 +103,7 @@
     "eslint": "^0.24.1",
     "eslint-config-mongodb-js": "^0.1.4",
     "event-stream": "^3.3.1",
+    "figures": "^1.4.0",
     "font-awesome": "https://github.com/FortAwesome/Font-Awesome/archive/v4.3.0.tar.gz",
     "glob": "^5.0.14",
     "gulp": "^3.9.0",

tasks/darwin.js

@@ -1,19 +1,21 @@
 var path = require('path');
 var pkg = require(path.resolve(__dirname, '../package.json'));
 var fs = require('fs');
-var cp = require('child_process');
+var run = require('./run');
+var format = require('util').format;
+var chalk = require('chalk');
+var figures = require('figures');
 var series = require('run-series');
 var _ = require('lodash');
+var packager = require('electron-packager');
+var createDMG = require('electron-installer-dmg');
 
 var debug = require('debug')('scout:tasks:darwin');
 
 var NAME = pkg.product_name;
 var PACKAGE = path.join('dist', NAME + '-darwin-x64');
 var APP_PATH = path.join(PACKAGE, NAME + '.app');
 
-var packager = require('electron-packager');
-var createDMG = require('electron-installer-dmg');
-
 module.exports.ELECTRON = path.join(APP_PATH, 'Contents', 'MacOS', 'Electron');
 module.exports.RESOURCES = path.join(APP_PATH, 'Contents', 'Resources');
 
@@ -29,7 +31,6 @@ var PACKAGER_CONFIG = {
   prune: true,
   'app-bundle-id': 'com.mongodb.compass',
   'app-version': pkg.version,
-  sign: '90E39AA7832E95369F0FC6DAF823A04DFBD9CF7A',
   protocols: [
     {
       name: 'MongoDB Prototcol',
@@ -38,11 +39,6 @@ var PACKAGER_CONFIG = {
   ]
 };
 
-// Adjust config via environment variables
-if (process.env.SCOUT_INSTALLER_UNSIGNED !== undefined) {
-  PACKAGER_CONFIG.sign = null;
-}
-
 // @todo (imlucas): Standardize `electron-installer-dmg`
 // options w/ `electron-installer-squirrel-windows`.
 var INSTALLER_CONFIG = {
@@ -69,39 +65,127 @@ var INSTALLER_CONFIG = {
   ]
 };
 
-module.exports.build = function(done) {
-  fs.exists(APP_PATH, function(exists) {
-    if (exists) {
-      debug('.app already exists.  skipping packager run.');
-      return done();
+var CODESIGN_IDENTITY_COMMON_NAME = 'Developer ID Application: Matt Kangas (ZD3CL9MT3L)';
+var CODESIGN_IDENTITY_SHA1 = '90E39AA7832E95369F0FC6DAF823A04DFBD9CF7A';
+
+/**
+ * Checks if the current environment can actually sign builds.
+ * If signing can be done, `electron-packager`'s config will
+ * be updated to sign artifacts.  If not, gracefully degrade
+ *
+ * @param {Function} fn - Callback.
+ */
+function addCodesignIdentityIfAvailable(fn) {
+  run('certtool', ['y'], function(err, output) {
+    if (err) {
+      debug('Failed to list certificates.  Build will not be signed.');
+      fn();
+      return;
     }
-    debug('running packager to create electron binaries...');
-    packager(PACKAGER_CONFIG, done);
+    if (output.indexOf(CODESIGN_IDENTITY_COMMON_NAME) === -1) {
+      debug('Signing identity `%s` not detected.  Build will not be signed.',
+        CODESIGN_IDENTITY_COMMON_NAME);
+      fn();
+      return;
+    }
+
+    PACKAGER_CONFIG.sign = CODESIGN_IDENTITY_SHA1;
+    debug('The signing identity `%s` is available!  '
+      + 'This build will be signed!', CODESIGN_IDENTITY_COMMON_NAME);
+
+    console.log(chalk.green.bold(figures.tick),
+      format(' This build will be signed using the `%s` signing identity',
+        CODESIGN_IDENTITY_COMMON_NAME));
+    fn();
   });
-};
+}
+
+module.exports.build = function(done) {
+  addCodesignIdentityIfAvailable(function(err) {
+    if (err) return done(err);
 
-var verify = function(done) {
-  var cmd = 'codesign --verify "' + APP_PATH + '"';
-  debug('Verifying `%s` has been signed...', APP_PATH);
-  cp.exec(cmd, done);
+    fs.exists(APP_PATH, function(exists) {
+      if (exists && process.env.NODE_ENV !== 'production') {
+        debug('.app already exists.  skipping packager run.');
+        return done();
+      }
+      debug('running electron-packager...');
+      packager(PACKAGER_CONFIG, done);
+    });
+  });
 };
 
-module.exports.installer = function(done) {
-  debug('creating installer...');
+/**
+ * If the app is supposed to be signed, verify that
+ * the signing was actually completed correctly.
+ * If signing is not available, print helpful details
+ * on working with unsigned builds.
+ *
+ * @param {Function} done - Callback which receives `(err)`.
+ */
+function verify(done) {
+  if (!PACKAGER_CONFIG.sign) {
+    console.error(chalk.yellow.bold(figures.warning),
+      ' User confusion ahead!');
 
-  var tasks = [];
-  if (PACKAGER_CONFIG.sign) {
-    tasks.push(verify);
+    console.error(chalk.gray(
+      '  The default preferences for OSX Gatekeeper will not',
+      'allow users to run unsigned applications.'));
+
+    console.error(chalk.gray(
+      '  However, we\'re going to continue building',
+      'the app and an installer because you\'re most likely'));
+
+    console.error(chalk.gray(
+      '  a developer trying to test',
+      'the app\'s installation process.'));
+
+    console.error(chalk.gray(
+      '  For more information on OSX Gatekeeper and how to change your',
+      'system preferences to run unsigned applications,'));
+    console.error(chalk.gray('  please see',
+      'https://support.apple.com/en-us/HT202491'));
+    debug('Build is not signed.  Skipping codesign verification.');
+    process.nextTick(done);
+    return;
   }
 
-  tasks.push(_.partial(createDMG, INSTALLER_CONFIG));
+  debug('Verifying `%s` has been signed correctly...', APP_PATH);
+  run('codesign', ['--verify', APP_PATH], function(err) {
+    if (err) {
+      err = new Error('App is not correctly signed');
+      done(err);
+      return;
+    }
+    debug('Verified that the app has been signed correctly!');
+    done();
+  });
+}
+
+/**
+ * Package the application as a single `.DMG` file which
+ * is the OSX equivalent of a `Setup.exe` installer.
+ *
+ * @param {Function} done - Callback which receives `(err)`.
+ */
+module.exports.installer = function(done) {
+  debug('creating installer...');
+
+  var tasks = [
+    verify,
+    _.partial(createDMG, INSTALLER_CONFIG)
+  ];
 
   series(tasks, function(err) {
     if (err) {
-      console.error(err.stack);
+      console.error(chalk.red.bold(figures.cross),
+        'Failed to create DMG installer:', err.message);
+      console.error(chalk.gray(err.stack));
       return done(err);
     }
-    console.log('Installer created!');
+    console.log(chalk.green.bold(figures.tick),
+      ' DMG installer written to',
+      path.join(INSTALLER_CONFIG.out, INSTALLER_CONFIG.name + '.dmg'));
     done();
   });
 };

tasks/run.js

@@ -0,0 +1,108 @@
+var fs = require('fs');
+var format = require('util').format;
+var spawn = require('child_process').spawn;
+var which = require('which');
+var debug = require('debug')('scout:tasks:run');
+
+/**
+ * Use me when you want to run an external command instead
+ * of using `child_process` directly because I'll handle
+ * lots of platform edge cases for you and provide
+ * nice debugging output when things go wrong!
+ *
+ * @example
+ *  var run = require('./tasks/run');
+ *  var args = ['--verify', require('./tasks/darwin').APP_PATH];
+ *  run('codesign', args, function(err){
+ *    if(err){
+ *      console.error('codesign verification failed!');
+ *      process.exit(1);
+ *    }
+ *    console.log('codesign verification succeeded!');
+ *  });
+ *
+ * @param {String} cmd - The bin name of your command, e.g. `grep`.
+ * @param {Array} [args] - Arguments to pass to the command [Default `[]`].
+ * @param {Object} [opts] - Options to pass to `child_process.spawn` [Default `{}`].
+ * @param {Function} fn - Callback which recieves `(err, output)`.
+ */
+function run(cmd, args, opts, fn) {
+  if (typeof opts === 'function') {
+    fn = opts;
+    opts = {};
+  }
+
+  if (typeof args === 'function') {
+    fn = args;
+    args = [];
+    opts = {};
+  }
+
+  getBinPath(cmd, function(err, bin) {
+    if (err) return fn(err);
+
+    debug('running %j', {
+      cmd: cmd,
+      args: args,
+      opts: opts
+    });
+    var output = [];
+
+    var proc = spawn(bin, args, opts);
+    proc.stdout.on('data', function(buf) {
+      debug('  %s> %s', cmd, buf.toString('utf-8'));
+      output.push(buf);
+    });
+    proc.stderr.on('data', function(buf) {
+      debug('  %s> %s', cmd, buf.toString('utf-8'));
+      output.push(buf);
+    });
+
+    proc.on('exit', function(code) {
+      if (code !== 0) {
+        debug('command failed! %j', {
+          cmd: cmd,
+          bin: bin,
+          args: args,
+          opts: opts,
+          code: code
+        });
+        fn(new Error('Command failed!  '
+          + 'Please try again with debugging enabled.'));
+        return;
+      }
+      debug('completed! %j', {
+        cmd: cmd,
+        bin: bin,
+        args: args,
+        opts: opts,
+        code: code
+      });
+
+      fn(null, Buffer.concat(output).toString('utf-8'));
+    });
+  });
+}
+
+/**
+ * Gets the absolute path for a `cmd`.
+ * @param {String} cmd - e.g. `codesign`.
+ * @param {Function} fn - Callback which receives `(err, binPath)`.
+ * @return {void}
+ */
+function getBinPath(cmd, fn) {
+  which(cmd, function(err, bin) {
+    if (err) return fn(err);
+
+    fs.exists(bin, function(exists) {
+      if (!exists) {
+        return fn(new Error(format(
+          'Expected file for `%s` does not exist at `%s`',
+          cmd, bin)));
+      }
+      fn(null, bin);
+    });
+  });
+}
+
+module.exports = run;