fix app codesigning and notarization (#672)

* fix: app notarization automated and code signing instructions added * next version is set to 2.6.3 * fix: PR feedbacks fixed, improved readme and notarize.js Co-authored-by: Baha <[email protected]>
NemProject · Mar 25, 2022 · 631def2 · 631def2
1 parent 622298b
commit 631def2
Show file tree

Hide file tree

Showing 5 changed files with 72 additions and 7 deletions.
diff --git a/README.md b/README.md
@@ -54,9 +54,45 @@ If the circle next to `Node` is red, click on it and select another node from th
 
 <pre>gulp build-app</pre>
 
-6) Build NEM Wallet Electron apps (only Electron verision support Ledger wallets), default build for MacOS, Windows and Linux
+6) For local use, build NEM Wallet Electron apps (only Electron verision support Ledger wallets), default build for MacOS, Windows and Linux
 
-<pre>npm run release</pre>
+<pre>
+# create the release folder where the artifacts will be created
+mkdir -p release
+
+# to skip code signing
+export CSC_IDENTITY_AUTO_DISCOVERY=false
+
+npm run release
+</pre>
+
+7) Release for distribution: (Code signing for Apple builds - requires `Developer ID Certificate`)
+
+    7.1 On a MacOS machine, download the zip file containing the app signing certificates (ask team)
+
+    7.2 Extract the certificates and double click each one of them to add to the keychain (ask the team for private key password)
+
+    7.3 Starting with MacOS 10.14.5, all signed applications by new `Developer ID Certificate` will need to be notarized. This is an automated step in the process. You'll need to enable notarization by setting the following env vars.
+
+    <pre>
+    export DESKTOP_APP_NOTARIZE=true
+    export DESKTOP_APP_APPLE_ID=VALID_APPLE_DEV_ID
+    export DESKTOP_APP_APPLE_PASSWORD=VALID_APPLE_DEV_PASSWORD
+    </pre>
+
+    7.4 Enable auto discovery for code signing process to pick up the certificates from the keychain
+
+    <pre>export CSC_IDENTITY_AUTO_DISCOVERY=true</pre>
+
+    7.5 Run release
+    <pre>npm run release</pre>
+
+    7.6 Validate if the app is signed with a `Developer ID Certificate` and notarized
+
+    <pre>spctl -a -t exec -v ./release/mac/Nem\ Wallet.app
+    # Output(Success): ./release/mac/Nem Wallet.app: accepted source=Notarized Developer ID
+    # Output(Failure): ./release/mac/Nem Wallet.app: rejected source=Unnotarized Developer ID
+    </pre>
 
 ### Known issues ###
 

diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "NEM-Wallet",
-  "version": "2.6.2",
+  "version": "2.6.3",
   "description": "Cross-platform lite wallet for NEM",
   "author": "https://github.com/QuantumMechanics <[email protected]>",
   "license": "MIT",
@@ -93,7 +93,7 @@
   "build": {
     "appId": "com.nemgrouplimited.nemwallet",
     "extends": null,
-    "copyright": "Copyright © 2019-2021 NEM",
+    "copyright": "Copyright © 2019-2022 NEM",
     "productName": "Nem Wallet",
     "artifactName": "${name}-${os}-${arch}-${version}.${ext}",
     "icon": "./build/images/NanoWallet.icns",
@@ -107,7 +107,8 @@
       "buildResources": "assets",
       "output": "release"
     },
-    "npmRebuild": false
+    "npmRebuild": false,
+    "afterSign": "scripts/notarize.js"
   },
   "mac": {
     "category": "public.app-category.finance",

diff --git a/scripts/notarize.js b/scripts/notarize.js
@@ -0,0 +1,28 @@
+const { notarize } = require('electron-notarize');
+const appBundleId = require('../package.json').build.appId;
+
+// You will need to notarize the application if the "Developer ID Certificate" is new
+exports.default = async (context) => {
+  const { electronPlatformName, appOutDir } = context;  
+  if (electronPlatformName !== 'darwin') {
+    console.log('Skipping notarization because this is not a macOS build.');
+    return;
+  } else if (process.env.DESKTOP_APP_NOTARIZE !== 'true') {
+    console.log('Skipping notarization because DESKTOP_APP_NOTARIZE env is not set.');
+    return;
+  } else if (process.env.DESKTOP_APP_APPLE_ID === undefined || process.env.DESKTOP_APP_APPLE_PASSWORD === undefined) {
+    console.log('Skipping notarization because DESKTOP_APP_APPLE_ID or DESKTOP_APP_APPLE_PASSWORD env is not set.');
+    return;
+  }
+  const appName = context.packager.appInfo.productFilename;
+  const appPath = `${appOutDir}/${appName}.app`;
+
+  console.log(`Notarizing ${appName} with bundleId[${appBundleId}] at ${appPath} ... (This might take several minutes)`);
+
+  return await notarize({
+    appBundleId: appBundleId,
+    appPath: appPath,
+    appleId: process.env.DESKTOP_APP_APPLE_ID,
+    appleIdPassword: process.env.DESKTOP_APP_APPLE_PASSWORD,
+  });
+};
diff --git a/src/app/config/app.constants.js b/src/app/config/app.constants.js
@@ -2,7 +2,7 @@ const AppConstants = {
     //Application name
     appName: 'NEM Wallet',
 
-    version: '2.6.2',
+    version: '2.6.3',
 
     //Network
     defaultNetwork: 104,