mirror of
https://github.com/Foundry376/Mailspring.git
synced 2025-01-01 13:14:16 +08:00
152 lines
5.3 KiB
JavaScript
152 lines
5.3 KiB
JavaScript
/* eslint global-require: 0 */
|
|
const path = require('path');
|
|
const fs = require('fs-plus');
|
|
|
|
// Codesigning is a Mac-only process that requires a valid Apple
|
|
// certificate, the private key, and access to the Mac keychain.
|
|
//
|
|
// We can only codesign from keys in the keychain. At the end of the day
|
|
// we need the certificate and private key to exist in the keychain
|
|
//
|
|
// In the case of Travis, we need to setup a temp keychain from encrypted
|
|
// files in the repository. We'll decrypt and import our certificates,
|
|
// put them in a temporary keychain, and use that.
|
|
//
|
|
// If you want to verify the app was signed you can run the commands:
|
|
//
|
|
// spctl -a -t exec -vv /path/to/N1.app
|
|
//
|
|
// Which should return "satisfies its Designated Requirement"
|
|
//
|
|
// And:
|
|
//
|
|
// codesign -dvvv /path/to/N1.app
|
|
//
|
|
// Which should return "accepted"
|
|
module.exports = grunt => {
|
|
let getCertData;
|
|
const { spawnP } = grunt.config('taskHelpers');
|
|
const tmpKeychain = 'n1-build.keychain';
|
|
|
|
const unlockKeychain = (keychain, keychainPass) => {
|
|
const args = ['unlock-keychain', '-p', keychainPass, keychain];
|
|
return spawnP({ cmd: 'security', args });
|
|
};
|
|
|
|
const cleanupKeychain = () => {
|
|
if (fs.existsSync(path.join(process.env.HOME, 'Library', 'Keychains', tmpKeychain))) {
|
|
return spawnP({ cmd: 'security', args: ['delete-keychain', tmpKeychain] });
|
|
}
|
|
return Promise.resolve();
|
|
};
|
|
|
|
const buildMacKeychain = () => {
|
|
const crypto = require('crypto');
|
|
const tmpPass = crypto.randomBytes(32).toString('hex');
|
|
const { appleCert, nylasCert, nylasPrivateKey, keyPass } = getCertData();
|
|
const codesignBin = path.join('/', 'usr', 'bin', 'codesign');
|
|
|
|
// Create a custom, temporary keychain
|
|
return (
|
|
cleanupKeychain()
|
|
.then(() =>
|
|
spawnP({ cmd: 'security', args: ['create-keychain', '-p', tmpPass, tmpKeychain] })
|
|
)
|
|
// Due to a bug in OSX, you must list-keychain with -s in order for it
|
|
// to actually add it to the list of keychains. See http://stackoverflow.com/questions/20391911/os-x-keychain-not-visible-to-keychain-access-app-in-mavericks
|
|
.then(() => spawnP({ cmd: 'security', args: ['list-keychains', '-s', tmpKeychain] }))
|
|
// Make the custom keychain default, so xcodebuild will use it for signing
|
|
.then(() => spawnP({ cmd: 'security', args: ['default-keychain', '-s', tmpKeychain] }))
|
|
// Unlock the keychain
|
|
.then(() => unlockKeychain(tmpKeychain, tmpPass))
|
|
// Set keychain timeout to 1 hour for long builds
|
|
.then(() =>
|
|
spawnP({
|
|
cmd: 'security',
|
|
args: ['set-keychain-settings', '-t', '3600', '-l', tmpKeychain],
|
|
})
|
|
)
|
|
// Add certificates to keychain and allow codesign to access them
|
|
.then(() =>
|
|
spawnP({
|
|
cmd: 'security',
|
|
args: ['import', appleCert, '-k', tmpKeychain, '-T', codesignBin],
|
|
})
|
|
)
|
|
.then(() =>
|
|
spawnP({
|
|
cmd: 'security',
|
|
args: ['import', nylasCert, '-k', tmpKeychain, '-T', codesignBin],
|
|
})
|
|
)
|
|
// Load the password for the private key from environment variables
|
|
.then(() =>
|
|
spawnP({
|
|
cmd: 'security',
|
|
args: ['import', nylasPrivateKey, '-k', tmpKeychain, '-P', keyPass, '-T', codesignBin],
|
|
})
|
|
)
|
|
// mark that the codesign utility should be allowed to access the keychain without
|
|
// prompting for access. (Needed for Mac OS Sierra and above)
|
|
// https://stackoverflow.com/questions/39868578/security-codesign-in-sierra-keychain-ignores-access-control-settings-and-ui-p
|
|
.then(() =>
|
|
spawnP({
|
|
cmd: 'security',
|
|
args: [
|
|
'set-key-partition-list',
|
|
'-S',
|
|
'apple-tool:,apple:,codesign:',
|
|
'-k',
|
|
tmpPass,
|
|
tmpKeychain,
|
|
],
|
|
})
|
|
)
|
|
);
|
|
};
|
|
|
|
getCertData = () => {
|
|
const certs = path.resolve(path.join(grunt.config('buildDir'), 'resources', 'certs', 'mac'));
|
|
const appleCert = path.join(certs, 'AppleWWDRCA.cer');
|
|
const nylasCert = path.join(certs, 'mac-codesigning.cer');
|
|
const nylasPrivateKey = path.join(certs, 'mac-codesigning.p12');
|
|
|
|
const keyPass = process.env.APPLE_CODESIGN_KEY_PASSWORD;
|
|
|
|
if (!keyPass) {
|
|
throw new Error('APPLE_CODESIGN_KEY_PASSWORD must be set');
|
|
}
|
|
if (!fs.existsSync(appleCert)) {
|
|
throw new Error(`${appleCert} doesn't exist`);
|
|
}
|
|
if (!fs.existsSync(nylasCert)) {
|
|
throw new Error(`${nylasCert} doesn't exist`);
|
|
}
|
|
if (!fs.existsSync(nylasPrivateKey)) {
|
|
throw new Error(`${nylasPrivateKey} doesn't exist`);
|
|
}
|
|
|
|
return { appleCert, nylasCert, nylasPrivateKey, keyPass };
|
|
};
|
|
|
|
const shouldRun = () => {
|
|
if (process.platform !== 'darwin') {
|
|
grunt.log.writeln(`Skipping keychain setup since ${process.platform} is not darwin`);
|
|
return false;
|
|
}
|
|
return !!process.env.SIGN_BUILD;
|
|
};
|
|
|
|
grunt.registerTask(
|
|
'setup-mac-keychain',
|
|
'Setup Mac Keychain to sign the app',
|
|
function setupMacKeychain() {
|
|
const done = this.async();
|
|
if (!shouldRun()) return done();
|
|
|
|
return buildMacKeychain()
|
|
.then(done)
|
|
.catch(grunt.fail.fatal);
|
|
}
|
|
);
|
|
};
|