Mailspring/app/build/tasks/setup-mac-keychain-task.js

/* eslint global-require: 0 */
const path = require('path');
const fs = require('fs-plus');

// Codesigning is a Mac-only process that requires a valid Apple
// certificate, the private key, and access to the Mac keychain.
//
// We can only codesign from keys in the keychain. At the end of the day
// we need the certificate and private key to exist in the keychain
//
// In the case of Travis, we need to setup a temp keychain from encrypted
// files in the repository. We'll decrypt and import our certificates,
// put them in a temporary keychain, and use that.
//
// If you want to verify the app was signed you can run the commands:
//
//     spctl -a -t exec -vv /path/to/N1.app
//
// Which should return "satisfies its Designated Requirement"
//
// And:
//
//     codesign -dvvv /path/to/N1.app
//
// Which should return "accepted"
module.exports = grunt => {
  let getCertData;
  const { spawnP } = grunt.config('taskHelpers');
  const tmpKeychain = 'n1-build.keychain';

  const unlockKeychain = (keychain, keychainPass) => {
    const args = ['unlock-keychain', '-p', keychainPass, keychain];
    return spawnP({ cmd: 'security', args });
  };

  const cleanupKeychain = () => {
    if (fs.existsSync(path.join(process.env.HOME, 'Library', 'Keychains', tmpKeychain))) {
      return spawnP({ cmd: 'security', args: ['delete-keychain', tmpKeychain] });
    }
    return Promise.resolve();
  };

  const buildMacKeychain = () => {
    const crypto = require('crypto');
    const tmpPass = crypto.randomBytes(32).toString('hex');
    const { appleCert, nylasCert, nylasPrivateKey, keyPass } = getCertData();
    const codesignBin = path.join('/', 'usr', 'bin', 'codesign');

    // Create a custom, temporary keychain
    return (
      cleanupKeychain()
        .then(() =>
          spawnP({ cmd: 'security', args: ['create-keychain', '-p', tmpPass, tmpKeychain] })
        )
        // Due to a bug in OSX, you must list-keychain with -s in order for it
        // to actually add it to the list of keychains. See http://stackoverflow.com/questions/20391911/os-x-keychain-not-visible-to-keychain-access-app-in-mavericks
        .then(() => spawnP({ cmd: 'security', args: ['list-keychains', '-s', tmpKeychain] }))
        // Make the custom keychain default, so xcodebuild will use it for signing
        .then(() => spawnP({ cmd: 'security', args: ['default-keychain', '-s', tmpKeychain] }))
        // Unlock the keychain
        .then(() => unlockKeychain(tmpKeychain, tmpPass))
        // Set keychain timeout to 1 hour for long builds
        .then(() =>
          spawnP({
            cmd: 'security',
            args: ['set-keychain-settings', '-t', '3600', '-l', tmpKeychain],
          })
        )
        // Add certificates to keychain and allow codesign to access them
        .then(() =>
          spawnP({
            cmd: 'security',
            args: ['import', appleCert, '-k', tmpKeychain, '-T', codesignBin],
          })
        )
        .then(() =>
          spawnP({
            cmd: 'security',
            args: ['import', nylasCert, '-k', tmpKeychain, '-T', codesignBin],
          })
        )
        // Load the password for the private key from environment variables
        .then(() =>
          spawnP({
            cmd: 'security',
            args: ['import', nylasPrivateKey, '-k', tmpKeychain, '-P', keyPass, '-T', codesignBin],
          })
        )
        // mark that the codesign utility should be allowed to access the keychain without
        // prompting for access. (Needed for Mac OS Sierra and above)
        // https://stackoverflow.com/questions/39868578/security-codesign-in-sierra-keychain-ignores-access-control-settings-and-ui-p
        .then(() =>
          spawnP({
            cmd: 'security',
            args: [
              'set-key-partition-list',
              '-S',
              'apple-tool:,apple:,codesign:',
              '-k',
              tmpPass,
              tmpKeychain,
            ],
          })
        )
    );
  };

  getCertData = () => {
    const certs = path.resolve(path.join(grunt.config('buildDir'), 'resources', 'certs', 'mac'));
    const appleCert = path.join(certs, 'AppleWWDRCA.cer');
    const nylasCert = path.join(certs, 'mac-codesigning.cer');
    const nylasPrivateKey = path.join(certs, 'mac-codesigning.p12');

    const keyPass = process.env.APPLE_CODESIGN_KEY_PASSWORD;

    if (!keyPass) {
      throw new Error('APPLE_CODESIGN_KEY_PASSWORD must be set');
    }
    if (!fs.existsSync(appleCert)) {
      throw new Error(`${appleCert} doesn't exist`);
    }
    if (!fs.existsSync(nylasCert)) {
      throw new Error(`${nylasCert} doesn't exist`);
    }
    if (!fs.existsSync(nylasPrivateKey)) {
      throw new Error(`${nylasPrivateKey} doesn't exist`);
    }

    return { appleCert, nylasCert, nylasPrivateKey, keyPass };
  };

  const shouldRun = () => {
    if (process.platform !== 'darwin') {
      grunt.log.writeln(`Skipping keychain setup since ${process.platform} is not darwin`);
      return false;
    }
    return !!process.env.SIGN_BUILD;
  };

  grunt.registerTask(
    'setup-mac-keychain',
    'Setup Mac Keychain to sign the app',
    function setupMacKeychain() {
      const done = this.async();
      if (!shouldRun()) return done();

      return buildMacKeychain()
        .then(done)
        .catch(grunt.fail.fatal);
    }
  );
};
fix(build): add setup travis keychain task 2016-11-22 03:53:29 +08:00			`/* eslint global-require: 0 */`
			`const path = require('path');`
			`const fs = require('fs-plus');`

			`// Codesigning is a Mac-only process that requires a valid Apple`
			`// certificate, the private key, and access to the Mac keychain.`
			`//`
			`// We can only codesign from keys in the keychain. At the end of the day`
			`// we need the certificate and private key to exist in the keychain`
			`//`
			`// In the case of Travis, we need to setup a temp keychain from encrypted`
Encrypt and commit Mac build secrets 2017-08-11 12:24:12 +08:00			`// files in the repository. We'll decrypt and import our certificates,`
fix(build): add setup travis keychain task 2016-11-22 03:53:29 +08:00			`// put them in a temporary keychain, and use that.`
			`//`
			`// If you want to verify the app was signed you can run the commands:`
			`//`
			`// spctl -a -t exec -vv /path/to/N1.app`
			`//`
			`// Which should return "satisfies its Designated Requirement"`
			`//`
			`// And:`
			`//`
Encrypt and commit Mac build secrets 2017-08-11 12:24:12 +08:00			`// codesign -dvvv /path/to/N1.app`
fix(build): add setup travis keychain task 2016-11-22 03:53:29 +08:00			`//`
			`// Which should return "accepted"`
Adopt ✨ prettier ✨, upgrade ESLint 2017-09-27 02:33:08 +08:00			`module.exports = grunt => {`
fix(build): add setup travis keychain task 2016-11-22 03:53:29 +08:00			`let getCertData;`
Adopt ✨ prettier ✨, upgrade ESLint 2017-09-27 02:33:08 +08:00			`const { spawnP } = grunt.config('taskHelpers');`
			`const tmpKeychain = 'n1-build.keychain';`
fix(build): add setup travis keychain task 2016-11-22 03:53:29 +08:00
			`const unlockKeychain = (keychain, keychainPass) => {`
			`const args = ['unlock-keychain', '-p', keychainPass, keychain];`
Adopt ✨ prettier ✨, upgrade ESLint 2017-09-27 02:33:08 +08:00			`return spawnP({ cmd: 'security', args });`
fix(build): add setup travis keychain task 2016-11-22 03:53:29 +08:00			`};`

			`const cleanupKeychain = () => {`
Adopt ✨ prettier ✨, upgrade ESLint 2017-09-27 02:33:08 +08:00			`if (fs.existsSync(path.join(process.env.HOME, 'Library', 'Keychains', tmpKeychain))) {`
			`return spawnP({ cmd: 'security', args: ['delete-keychain', tmpKeychain] });`
fix(build): add setup travis keychain task 2016-11-22 03:53:29 +08:00			`}`
Adopt ✨ prettier ✨, upgrade ESLint 2017-09-27 02:33:08 +08:00			`return Promise.resolve();`
fix(build): add setup travis keychain task 2016-11-22 03:53:29 +08:00			`};`

[client-app] run windows build separately Summary: build-client, aka packaging, aka bundling is now separate from uploading. This is both to compartmentalize our tasks a bit more and so we can add a non-grunt windows task inbetween packaging and uploading. No more heavily-overloaded PUBLISH_BUILD flag. Added SIGN_BUILD flag instead. No more TRAVIS and TRAVIS_PULL_REQUEST flag. Test Plan: Manual Reviewers: halla, juan, spang Reviewed By: juan, spang Differential Revision: https://phab.nylas.com/D4208 2017-03-14 06:48:45 +08:00			`const buildMacKeychain = () => {`
fix(build): add setup travis keychain task 2016-11-22 03:53:29 +08:00			`const crypto = require('crypto');`
			`const tmpPass = crypto.randomBytes(32).toString('hex');`
Adopt ✨ prettier ✨, upgrade ESLint 2017-09-27 02:33:08 +08:00			`const { appleCert, nylasCert, nylasPrivateKey, keyPass } = getCertData();`
			`const codesignBin = path.join('/', 'usr', 'bin', 'codesign');`
fix(build): add setup travis keychain task 2016-11-22 03:53:29 +08:00
			`// Create a custom, temporary keychain`
Adopt ✨ prettier ✨, upgrade ESLint 2017-09-27 02:33:08 +08:00			`return (`
			`cleanupKeychain()`
			`.then(() =>`
			`spawnP({ cmd: 'security', args: ['create-keychain', '-p', tmpPass, tmpKeychain] })`
			`)`
			`// Due to a bug in OSX, you must list-keychain with -s in order for it`
			`// to actually add it to the list of keychains. See http://stackoverflow.com/questions/20391911/os-x-keychain-not-visible-to-keychain-access-app-in-mavericks`
			`.then(() => spawnP({ cmd: 'security', args: ['list-keychains', '-s', tmpKeychain] }))`
			`// Make the custom keychain default, so xcodebuild will use it for signing`
			`.then(() => spawnP({ cmd: 'security', args: ['default-keychain', '-s', tmpKeychain] }))`
			`// Unlock the keychain`
			`.then(() => unlockKeychain(tmpKeychain, tmpPass))`
			`// Set keychain timeout to 1 hour for long builds`
			`.then(() =>`
			`spawnP({`
			`cmd: 'security',`
			`args: ['set-keychain-settings', '-t', '3600', '-l', tmpKeychain],`
			`})`
			`)`
			`// Add certificates to keychain and allow codesign to access them`
			`.then(() =>`
			`spawnP({`
			`cmd: 'security',`
			`args: ['import', appleCert, '-k', tmpKeychain, '-T', codesignBin],`
			`})`
			`)`
			`.then(() =>`
			`spawnP({`
			`cmd: 'security',`
			`args: ['import', nylasCert, '-k', tmpKeychain, '-T', codesignBin],`
			`})`
			`)`
			`// Load the password for the private key from environment variables`
			`.then(() =>`
			`spawnP({`
			`cmd: 'security',`
			`args: ['import', nylasPrivateKey, '-k', tmpKeychain, '-P', keyPass, '-T', codesignBin],`
			`})`
			`)`
			`// mark that the codesign utility should be allowed to access the keychain without`
			`// prompting for access. (Needed for Mac OS Sierra and above)`
			`// https://stackoverflow.com/questions/39868578/security-codesign-in-sierra-keychain-ignores-access-control-settings-and-ui-p`
			`.then(() =>`
			`spawnP({`
			`cmd: 'security',`
			`args: [`
			`'set-key-partition-list',`
			`'-S',`
			`'apple-tool:,apple:,codesign:',`
			`'-k',`
			`tmpPass,`
			`tmpKeychain,`
			`],`
			`})`
			`)`
			`);`
fix(build): add setup travis keychain task 2016-11-22 03:53:29 +08:00			`};`

			`getCertData = () => {`
[client-app] update Travis Summary: Also see: https://github.com/nylas/nylas-mail-all/commit/3a33b0ad641796251afd19805e4242fe0b280a6c which was hot-pushed to master in order to get Travis building. We now have two travis files: 1. /.travis.yml 2. /packages/client-app/travis.yml The first one is alwas in the private repo and runs `npm install && npm run build-client`. This decrypts our keys and signs, builds, and uploads to S3. The second one is designed to live in our yet-to-be public mirror. It will basically just run `npm install && npm test`. That way the public one should just about ALWAYS pass (YAY!) except of course when you break the tests or something in the installer! Test Plan: Run on new https://travis-ci.com/nylas/nylas-mail-all Reviewers: jerm, spang, juan Reviewed By: spang, juan Differential Revision: https://phab.nylas.com/D3999 2017-02-23 05:19:45 +08:00			`const certs = path.resolve(path.join(grunt.config('buildDir'), 'resources', 'certs', 'mac'));`
fix(build): add setup travis keychain task 2016-11-22 03:53:29 +08:00			`const appleCert = path.join(certs, 'AppleWWDRCA.cer');`
Switch product name to “Mailspring” 2017-09-06 04:37:40 +08:00			`const nylasCert = path.join(certs, 'mac-codesigning.cer');`
			`const nylasPrivateKey = path.join(certs, 'mac-codesigning.p12');`
fix(build): add setup travis keychain task 2016-11-22 03:53:29 +08:00
			`const keyPass = process.env.APPLE_CODESIGN_KEY_PASSWORD;`

			`if (!keyPass) {`
Adopt ✨ prettier ✨, upgrade ESLint 2017-09-27 02:33:08 +08:00			`throw new Error('APPLE_CODESIGN_KEY_PASSWORD must be set');`
fix(build): add setup travis keychain task 2016-11-22 03:53:29 +08:00			`}`
			`if (!fs.existsSync(appleCert)) {`
			throw new Error(`${appleCert} doesn't exist`);
			`}`
			`if (!fs.existsSync(nylasCert)) {`
			throw new Error(`${nylasCert} doesn't exist`);
			`}`
			`if (!fs.existsSync(nylasPrivateKey)) {`
			throw new Error(`${nylasPrivateKey} doesn't exist`);
			`}`

Adopt ✨ prettier ✨, upgrade ESLint 2017-09-27 02:33:08 +08:00			`return { appleCert, nylasCert, nylasPrivateKey, keyPass };`
fix(build): add setup travis keychain task 2016-11-22 03:53:29 +08:00			`};`

			`const shouldRun = () => {`
			`if (process.platform !== 'darwin') {`
			grunt.log.writeln(`Skipping keychain setup since ${process.platform} is not darwin`);
Adopt ✨ prettier ✨, upgrade ESLint 2017-09-27 02:33:08 +08:00			`return false;`
fix(build): add setup travis keychain task 2016-11-22 03:53:29 +08:00			`}`
Adopt ✨ prettier ✨, upgrade ESLint 2017-09-27 02:33:08 +08:00			`return !!process.env.SIGN_BUILD;`
			`};`
fix(build): add setup travis keychain task 2016-11-22 03:53:29 +08:00
Adopt ✨ prettier ✨, upgrade ESLint 2017-09-27 02:33:08 +08:00			`grunt.registerTask(`
			`'setup-mac-keychain',`
			`'Setup Mac Keychain to sign the app',`
			`function setupMacKeychain() {`
			`const done = this.async();`
			`if (!shouldRun()) return done();`
fix(build): add setup travis keychain task 2016-11-22 03:53:29 +08:00
Adopt ✨ prettier ✨, upgrade ESLint 2017-09-27 02:33:08 +08:00			`return buildMacKeychain()`
			`.then(done)`
			`.catch(grunt.fail.fatal);`
			`}`
			`);`
			`};`