  • Language
    TypeScript
  • License
    BSD 2-Clause "Sim...

Codesign Electron macOS apps

@electron/osx-sign

About

@electron/osx-sign minimizes the extra work needed to eventually prepare your apps for shipping, providing the most basic tools and assets. Note that the bare necessities here are sufficient for enabling app sandbox, yet other configurations for network access etc. require additional work.

NB: Since @electron/osx-sign injects the entry com.apple.security.application-groups into the entitlements file as part of the pre-signing process, this would reportedly limit app transfer on iTunes Connect (see #150). However, opting out of entitlements automation (opts['preAutoEntitlements'] === false) may result in worse graphics performance.

The signing procedure implemented in this package is based on what is described in the Code Signing Guide.

Installation

# For use in npm scripts
npm install --save @electron/osx-sign
# yarn
yarn add @electron/osx-sign
# For use from CLI
npm install -g @electron/osx-sign
# Yarn
yarn global add @electron/osx-sign

Note: @electron/osx-sign is a dependency of electron-packager as of 6.0.0 for signing apps on macOS. However, feel free to install this package globally for more customization beyond specifying identity and entitlements.

Usage

Code Signing

From the API

const { signAsync } = require('@electron/osx-sign')
signAsync({
  app: 'path/to/my.app'
})
  .then(function () {
    // Application signed
  })
  .catch(function (err) {
    // Handle the error
  })
opts - Options

Required

app - String

Path to the application package. Needs file extension .app.

Optional

binaries - Array

Paths to additional binaries that will be signed along with the built-in binaries of Electron. Defaults to undefined.

optionsForFile - Function

Function that receives the path to a file and can return the entitlements to use for that file to override the default behavior. The object this function returns can include any of the following optional keys.

| Option | Description | Usage Example |
| --- | --- | --- |
| entitlements | String specifying the path to an entitlements.plist file. Will default to built-in entitlements files. Can also be an array of entitlement keys that osx-sign will write to an entitlements file for you. | 'path/to/entitlements' |
| hardenedRuntime | Boolean flag to enable the Hardened Runtime when signing the app. Enabled by default. | false |
| requirements | String specifying the requirements that you recommend to be used to evaluate the code signature. | 'anchor apple or anchor = "/var/db/yourcorporateanchor.cert"' |
| signatureFlags | List of code signature flags. Accepts an array of strings or a comma-separated string. | ['kSecCodeSignatureRestrict'] |
| timestamp | String specifying the URL of the timestamp authority server. Defaults to the server provided by Apple. Please note that this default server may not support signatures not furnished by Apple. Disable the timestamp service with none. | 'https://different.timeserver' |

Note: Only available via the JS API
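An added example (not code from the @electron/osx-sign project) of an optionsForFile policy built from the return keys in the table above, wrapped in a guard that rejects per-file options which turn off the Hardened Runtime, turn off timestamping, or request an entitlement outside an allow-list. The allow-list, the top-level versus nested split and the helper names makeOptionsForFile, guarded and signApp are assumptions of this example, as is the function being called with the app path itself for the top-level bundle.

```javascript
const path = require('path')

// Entitlement keys are Apple's; which file gets which is this example's policy.
const SANDBOX = 'com.apple.security.app-sandbox'
const INHERIT = 'com.apple.security.inherit'
const NET_CLIENT = 'com.apple.security.network.client'
const ALLOWED = new Set([SANDBOX, INHERIT, NET_CLIENT])

// Only the top-level bundle gets network access; every nested helper,
// framework or binary just inherits the parent's sandbox.
function makeOptionsForFile (appPath) {
  const root = path.resolve(appPath)
  return function optionsForFile (filePath) {
    const isTopLevel = path.resolve(filePath) === root
    return { entitlements: isTopLevel ? [SANDBOX, NET_CLIENT] : [SANDBOX, INHERIT] }
  }
}

// Wraps any optionsForFile and fails the build when it would weaken signing:
// Hardened Runtime off, timestamping off, or an entitlement outside ALLOWED.
function guarded (optionsForFile) {
  return function (filePath) {
    const o = optionsForFile(filePath) || {}
    if (o.hardenedRuntime === false) {
      throw new Error(`hardened runtime disabled for ${filePath}`)
    }
    if (o.timestamp === 'none') {
      throw new Error(`timestamp disabled for ${filePath}`)
    }
    if (Array.isArray(o.entitlements)) {
      const extra = o.entitlements.filter((k) => !ALLOWED.has(k))
      if (extra.length > 0) {
        throw new Error(`unexpected entitlements for ${filePath}: ${extra.join(', ')}`)
      }
    }
    return o
  }
}

// Not called here: needs macOS, a signing identity and the package installed.
function signApp (appPath) {
  const { signAsync } = require('@electron/osx-sign')
  return signAsync({
    app: appPath,
    optionsForFile: guarded(makeOptionsForFile(appPath))
  })
}
```

Because the guard throws before anything is signed, a change that loosens the per-file policy stops the build step instead of shipping.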

identity - String

Name of the certificate to use when signing. By default, it is selected with respect to provisioning-profile and platform from the specified keychain, or from the system default keychain.

Signing platform mas will look for 3rd Party Mac Developer Application: * (*), and platform darwin will look for Developer ID Application: * (*) by default.

identityValidation - Boolean

Flag to enable/disable validation for the signing identity. If enabled, the identity provided will be validated in the keychain specified. Default to true.

keychain - String

The keychain name. Default to system default keychain.

ignore - RegExp|Function|Array.<(RegExp|Function)>

Regex, function, or an array of regexes and functions that signal which files to skip when signing. Elements of other types are treated as RegExp. Defaults to undefined.

platform - String

Build platform of Electron. Allowed values: darwin, mas. Default to auto detect by presence of Squirrel.framework within the application bundle.

preAutoEntitlements - Boolean

Flag to enable/disable automation of com.apple.security.application-groups in entitlements file and update Info.plist with ElectronTeamID. Default to true.

preEmbedProvisioningProfile - Boolean

Flag to enable/disable embedding of provisioning profile in the current working directory. Default to true.

provisioningProfile - String

Path to provisioning profile.

strictVerify - Boolean|String|Array.<String>

Flag to enable/disable --strict flag when verifying the signed application bundle. If provided as a string, each component should be separated with comma (,). If provided as an array, each item should be a string corresponding to a component. Default to true.

type - String

Specify whether to sign app for development or for distribution. Allowed values: development, distribution. Default to distribution.

version - String

Build version of Electron. Values may be like: 1.1.1, 1.2.0. Default to latest Electron version.

It is recommended to utilize this option for best support of specific Electron versions. This may trigger pre/post operations for signing: For example, automation of setting com.apple.security.application-groups in entitlements file and of updating Info.plist with ElectronTeamID is enabled for all versions starting from 1.1.1; set preAutoEntitlements option to false to disable this feature.

From the Command Line

electron-osx-sign app [embedded-binary ...] [options ...]
Examples

Since electron-osx-sign adds the entry com.apple.developer.team-identifier to a temporary copy of the specified entitlements file (with the default option --pre-auto-entitlements) distribution builds can no longer be run directly. To run the app codesigned for distribution locally after codesigning, you may manually add ElectronTeamID in your Info.plist and com.apple.security.application-groups in the entitlements file, and provide the flag --no-pre-auto-entitlements for electron-osx-sign to avoid this extra bit. Note that "certain features are only allowed across apps whose team-identifier value match" (Technical Note TN2415).

The examples below assume that --pre-auto-entitlements is enabled.

  • To sign a distribution version by default:

    electron-osx-sign path/to/my.app

    For distribution in the Mac App Store: Have the provisioning profile for distribution placed in the current working directory and the signing identity installed in the default keychain. The app is not expected to run after codesigning since there is no provisioned device, and it is intended only for submission to iTunes Connect.

    For distribution outside the Mac App Store: Have the signing identity for distribution installed in the default keychain and optionally place the provisioning profile in the current working directory. By default App Sandbox is not enabled. The app should run on all devices.

  • To sign development version:

    electron-osx-sign path/to/my.app --type=development

    For testing Mac App Store builds: Have the provisioning profile for development placed in the current working directory and the signing identity installed in the default keychain. The app will only run on provisioned devices.

    For testing apps for distribution outside the Mac App Store: Have the signing identity for development installed in the default keychain and optionally the provisioning profile placed in the current working directory. The app will only run on provisioned devices. However, you may prefer to just sign a distribution version, because the app is expected to launch properly after being codesigned.

  • It is recommended to place the provisioning profile(s) under the working directory for electron-osx-sign to pick up automatically; however, to specify provisioning profile to be embedded explicitly:

    electron-osx-sign path/to/my.app --provisioning-profile=path/to/my.provisionprofile
  • To specify custom entitlements files you have to use the JS API.

  • It is recommended to make use of --version while signing legacy versions of Electron:

    electron-osx-sign path/to/my.app --version=0.34.0

Run electron-osx-sign --help or see electron-osx-sign-usage.txt for CLI-specific options.

electron-osx-flat

From the API

const { flatAsync } = require('@electron/osx-sign')
flatAsync({
  app: 'path/to/my.app'
})
  .then(function () {
    // Application flattened
  })
  .catch(function (err) {
    // Handle the error
  })
opts - Options

Required

app - String

Path to the application bundle. Needs file extension .app.

Optional

identity - String

Name of the certificate to use when signing. By default, it is selected with respect to platform from the specified keychain, or from the system default keychain.

Flattening platform mas will look for 3rd Party Mac Developer Installer: * (*), and platform darwin will look for Developer ID Installer: * (*) by default.

identityValidation - Boolean

Flag to enable/disable validation for signing identity. If enabled, the identity provided will be validated in the keychain specified. Default to true.

install - String

Path to install the bundle. Default to /Applications.

keychain - String

The keychain name. Default to system default keychain.

platform - String

Build platform of Electron. Allowed values: darwin, mas. Default to auto detect by presence of Squirrel.framework within the application bundle.

pkg - String

Path to output the flattened package. Needs file extension .pkg.

scripts - String

Path to a directory containing pre and/or post install scripts.

From the Command Line

electron-osx-flat app [options ...]

Example:

electron-osx-flat path/to/my.app

Run electron-osx-flat --help or see electron-osx-flat-usage.txt for CLI-specific options.

Debug

As of release v0.3.1, external module debug is used to display logs and messages; remember to export DEBUG=electron-osx-sign* when necessary.

Test

The project is configured to run automated tests on CircleCI.

If you wish to manually test the module, first comment out opts.identity in test/basic.js to enable auto discovery. Then run the command npm test from the dev directory.

When this command is run for the first time, @electron/get will download the macOS Electron releases defined in test/config.json and save them to ~/.electron/, which might take up less than 1GB of disk space.

A successful test run should look something like:

$ npm test

> [email protected] pretest electron-osx-sign
> rimraf test/work

> [email protected] test electron-osx-sign
> standard && tape test

Calling @electron/get before running tests...
Running tests...
TAP version 13
# setup
# defaults-test:v7.0.0-beta.3-darwin-x64
ok 1 app signed
# defaults-test:v7.0.0-beta.3-mas-x64
ok 2 app signed
# defaults-test:v6.0.3-darwin-x64
ok 3 app signed
# defaults-test:v6.0.3-mas-x64
ok 4 app signed
# defaults-test:v5.0.10-darwin-x64
ok 5 app signed
# defaults-test:v5.0.10-mas-x64
ok 6 app signed
# defaults-test:v4.2.9-darwin-x64
ok 7 app signed
# defaults-test:v4.2.9-mas-x64
ok 8 app signed
# defaults-test:v3.1.2-darwin-x64
ok 9 app signed
# defaults-test:v3.1.2-mas-x64
ok 10 app signed
# teardown

1..10
# tests 10
# pass  10

# ok
