mirror of
https://github.com/Foundry376/Mailspring.git
synced 2025-02-24 08:04:11 +08:00
118 lines
4.7 KiB
JavaScript
118 lines
4.7 KiB
JavaScript
/* eslint global-require: 0 */
|
|
const path = require('path');
|
|
const fs = require('fs-plus');
|
|
|
|
// Codesigning is a Mac-only process that requires a valid Apple
|
|
// certificate, the private key, and access to the Mac keychain.
|
|
//
|
|
// We can only codesign from keys in the keychain. At the end of the day
|
|
// we need the certificate and private key to exist in the keychain
|
|
//
|
|
// In the case of Travis, we need to setup a temp keychain from encrypted
|
|
// files in the repository. We'll decrypt and import our certificates,
|
|
// put them in a temporary keychain, and use that.
|
|
//
|
|
// If you want to verify the app was signed you can run the commands:
|
|
//
|
|
// spctl -a -t exec -vv /path/to/N1.app
|
|
//
|
|
// Which should return "satisfies its Designated Requirement"
|
|
//
|
|
// And:
|
|
//
|
|
// codesign -dvvv /path/to/N1.app
|
|
//
|
|
// Which should return "accepted"
|
|
module.exports = (grunt) => {
|
|
let getCertData;
|
|
const {spawnP} = grunt.config('taskHelpers')
|
|
const tmpKeychain = "n1-build.keychain";
|
|
|
|
const unlockKeychain = (keychain, keychainPass) => {
|
|
const args = ['unlock-keychain', '-p', keychainPass, keychain];
|
|
return spawnP({cmd: "security", args});
|
|
};
|
|
|
|
const cleanupKeychain = () => {
|
|
if (fs.existsSync(path.join(process.env.HOME, "Library", "Keychains", tmpKeychain))) {
|
|
return spawnP({cmd: "security", args: ["delete-keychain", tmpKeychain]});
|
|
}
|
|
return Promise.resolve()
|
|
};
|
|
|
|
const buildMacKeychain = () => {
|
|
const crypto = require('crypto');
|
|
const tmpPass = crypto.randomBytes(32).toString('hex');
|
|
const {appleCert, nylasCert, nylasPrivateKey, keyPass} = getCertData();
|
|
const codesignBin = path.join("/", "usr", "bin", "codesign");
|
|
|
|
// Create a custom, temporary keychain
|
|
return cleanupKeychain()
|
|
.then(() => spawnP({cmd: "security", args: ["create-keychain", '-p', tmpPass, tmpKeychain]}))
|
|
|
|
// Due to a bug in OSX, you must list-keychain with -s in order for it
|
|
// to actually add it to the list of keychains. See http://stackoverflow.com/questions/20391911/os-x-keychain-not-visible-to-keychain-access-app-in-mavericks
|
|
.then(() => spawnP({cmd: "security", args: ["list-keychains", "-s", tmpKeychain]}))
|
|
|
|
// Make the custom keychain default, so xcodebuild will use it for signing
|
|
.then(() => spawnP({cmd: "security", args: ["default-keychain", "-s", tmpKeychain]}))
|
|
|
|
// Unlock the keychain
|
|
.then(() => unlockKeychain(tmpKeychain, tmpPass))
|
|
|
|
// Set keychain timeout to 1 hour for long builds
|
|
.then(() => spawnP({cmd: "security", args: ["set-keychain-settings", "-t", "3600", "-l", tmpKeychain]}))
|
|
|
|
// Add certificates to keychain and allow codesign to access them
|
|
.then(() => spawnP({cmd: "security", args: ["import", appleCert, "-k", tmpKeychain, "-T", codesignBin]}))
|
|
|
|
.then(() => spawnP({cmd: "security", args: ["import", nylasCert, "-k", tmpKeychain, "-T", codesignBin]}))
|
|
|
|
// Load the password for the private key from environment variables
|
|
.then(() => spawnP({cmd: "security", args: ["import", nylasPrivateKey, "-k", tmpKeychain, "-P", keyPass, "-T", codesignBin]}))
|
|
|
|
// mark that the codesign utility should be allowed to access the keychain without
|
|
// prompting for access. (Needed for Mac OS Sierra and above)
|
|
// https://stackoverflow.com/questions/39868578/security-codesign-in-sierra-keychain-ignores-access-control-settings-and-ui-p
|
|
.then(() => spawnP({cmd: "security", args: ["set-key-partition-list", "-S", "apple-tool:,apple:,codesign:", "-k", tmpPass, tmpKeychain]}))
|
|
};
|
|
|
|
getCertData = () => {
|
|
const certs = path.resolve(path.join(grunt.config('buildDir'), 'resources', 'certs', 'mac'));
|
|
const appleCert = path.join(certs, 'AppleWWDRCA.cer');
|
|
const nylasCert = path.join(certs, 'mac-merani.cer');
|
|
const nylasPrivateKey = path.join(certs, 'mac-merani.p12');
|
|
|
|
const keyPass = process.env.APPLE_CODESIGN_KEY_PASSWORD;
|
|
|
|
if (!keyPass) {
|
|
throw new Error("APPLE_CODESIGN_KEY_PASSWORD must be set");
|
|
}
|
|
if (!fs.existsSync(appleCert)) {
|
|
throw new Error(`${appleCert} doesn't exist`);
|
|
}
|
|
if (!fs.existsSync(nylasCert)) {
|
|
throw new Error(`${nylasCert} doesn't exist`);
|
|
}
|
|
if (!fs.existsSync(nylasPrivateKey)) {
|
|
throw new Error(`${nylasPrivateKey} doesn't exist`);
|
|
}
|
|
|
|
return {appleCert, nylasCert, nylasPrivateKey, keyPass};
|
|
};
|
|
|
|
const shouldRun = () => {
|
|
if (process.platform !== 'darwin') {
|
|
grunt.log.writeln(`Skipping keychain setup since ${process.platform} is not darwin`);
|
|
return false
|
|
}
|
|
return !!process.env.SIGN_BUILD
|
|
}
|
|
|
|
grunt.registerTask('setup-mac-keychain', 'Setup Mac Keychain to sign the app', function setupMacKeychain() {
|
|
const done = this.async();
|
|
if (!shouldRun()) return done();
|
|
|
|
return buildMacKeychain().then(done).catch(grunt.fail.fatal);
|
|
});
|
|
}
|