From ff70339aadaac760281c85ea53be8b86420847a9 Mon Sep 17 00:00:00 2001
From: David Baker <dave@matrix.org>
Date: Wed, 9 Oct 2019 16:29:24 +0100
Subject: [PATCH 01/13] Working branch for notarisation

---
 package.json                  |  3 ++-
 scripts/electron_afterSign.js | 25 +++++++++++++++++++++++++
 2 files changed, 27 insertions(+), 1 deletion(-)
 create mode 100644 scripts/electron_afterSign.js

diff --git a/package.json b/package.json
index bd05b090..cd4f4cd2 100644
--- a/package.json
+++ b/package.json
@@ -188,6 +188,7 @@
       "buildResources": "electron_app/build",
       "output": "electron_app/dist",
       "app": "electron_app"
-    }
+    },
+    "afterSign": "scripts/electron_afterSign.js"
   }
 }
diff --git a/scripts/electron_afterSign.js b/scripts/electron_afterSign.js
new file mode 100644
index 00000000..bb554219
--- /dev/null
+++ b/scripts/electron_afterSign.js
@@ -0,0 +1,25 @@
+const { notarize } = require('electron-notarize');
+
+exports.default = async function(context) {
+    const { electronPlatformName, appOutDir } = context;  
+    if (electronPlatformName !== 'darwin') {
+        return;
+    }
+
+    // We get the password from keychain. The keychain stores
+    // user IDs too, but apparently altool can't get the user ID
+    // from the keychain, so we need to get it from the environment.
+    const userId = process.env.NOTARIZE_APPLE_ID;
+    if (userId === undefined) {
+        throw new Exception("User ID not found. Set NOTARIZE_APPLE_ID.");
+    }
+ 
+    const appName = context.packager.appInfo.productFilename;
+ 
+    return await notarize({
+        appBundleId: 'im.riot.app',
+        appPath: `${appOutDir}/${appName}.app`,
+        appleId: userId,
+        appleIdPassword: '@keychain:NOTARIZE_CREDS,
+    });
+};
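Review bot: `throw new Exception(...)` in the NOTARIZE_APPLE_ID check fails with a ReferenceError of its own, because JavaScript has no built-in `Exception`; use `throw new Error("User ID not found. Set NOTARIZE_APPLE_ID.");`. The test `userId === undefined` also lets an empty `NOTARIZE_APPLE_ID` through to `notarize` as the Apple ID, and `if (!userId)` covers both cases. The `appleIdPassword: '@keychain:NOTARIZE_CREDS,` line is missing its closing quote, so the file is a syntax error as committed and the hook cannot load.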

From bad97db3025ce910c2e9dde8c99f48ade6ca6771 Mon Sep 17 00:00:00 2001
From: David Baker <dave@matrix.org>
Date: Wed, 9 Oct 2019 16:40:31 +0100
Subject: [PATCH 02/13] remove random spaces

---
 scripts/electron_afterSign.js | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/scripts/electron_afterSign.js b/scripts/electron_afterSign.js
index bb554219..78211d41 100644
--- a/scripts/electron_afterSign.js
+++ b/scripts/electron_afterSign.js
@@ -1,7 +1,7 @@
 const { notarize } = require('electron-notarize');
 
 exports.default = async function(context) {
-    const { electronPlatformName, appOutDir } = context;  
+    const { electronPlatformName, appOutDir } = context;
     if (electronPlatformName !== 'darwin') {
         return;
     }
@@ -13,9 +13,9 @@ exports.default = async function(context) {
     if (userId === undefined) {
         throw new Exception("User ID not found. Set NOTARIZE_APPLE_ID.");
     }
- 
+
     const appName = context.packager.appInfo.productFilename;
- 
+
     return await notarize({
         appBundleId: 'im.riot.app',
         appPath: `${appOutDir}/${appName}.app`,

From 7faba49f669bb5e3dc7a00d82c30518f6a39b62c Mon Sep 17 00:00:00 2001
From: David Baker <dave@matrix.org>
Date: Thu, 10 Oct 2019 11:53:49 +0100
Subject: [PATCH 03/13] fix quotes

---
 scripts/electron_afterSign.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/scripts/electron_afterSign.js b/scripts/electron_afterSign.js
index 78211d41..20bb867d 100644
--- a/scripts/electron_afterSign.js
+++ b/scripts/electron_afterSign.js
@@ -20,6 +20,6 @@ exports.default = async function(context) {
         appBundleId: 'im.riot.app',
         appPath: `${appOutDir}/${appName}.app`,
         appleId: userId,
-        appleIdPassword: '@keychain:NOTARIZE_CREDS,
+        appleIdPassword: '@keychain:NOTARIZE_CREDS',
     });
 };

From 29f186bc18b6b6b26f9ff4c01df8e3b56f51be74 Mon Sep 17 00:00:00 2001
From: David Baker <dave@matrix.org>
Date: Thu, 10 Oct 2019 11:57:39 +0100
Subject: [PATCH 04/13] add electron-notarize

---
 package.json |  1 +
 yarn.lock    | 10 +++++++++-
 2 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/package.json b/package.json
index cd4f4cd2..0836f624 100644
--- a/package.json
+++ b/package.json
@@ -111,6 +111,7 @@
     "electron-builder": "^21.2.0",
     "electron-builder-squirrel-windows": "^21.2.0",
     "electron-devtools-installer": "^2.2.4",
+    "electron-notarize": "^0.1.1",
     "eslint": "^5.8.0",
     "eslint-config-google": "^0.7.1",
     "eslint-plugin-babel": "^4.1.2",
diff --git a/yarn.lock b/yarn.lock
index b1eb8246..c3cb2a7a 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -3134,6 +3134,14 @@ electron-devtools-installer@^2.2.4:
     rimraf "^2.5.2"
     semver "^5.3.0"
 
+electron-notarize@^0.1.1:
+  version "0.1.1"
+  resolved "https://registry.yarnpkg.com/electron-notarize/-/electron-notarize-0.1.1.tgz#c3563d70c5e7b3315f44e8495b30050a8c408b91"
+  integrity sha512-TpKfJcz4LXl5jiGvZTs5fbEx+wUFXV5u8voeG5WCHWfY/cdgdD8lDZIZRqLVOtR3VO+drgJ9aiSHIO9TYn/fKg==
+  dependencies:
+    debug "^4.1.1"
+    fs-extra "^8.0.1"
+
 electron-publish@21.2.0:
   version "21.2.0"
   resolved "https://registry.yarnpkg.com/electron-publish/-/electron-publish-21.2.0.tgz#cc225cb46aa62e74b899f2f7299b396c9802387d"
@@ -4083,7 +4091,7 @@ fs-extra@^0.30.0:
     path-is-absolute "^1.0.0"
     rimraf "^2.2.8"
 
-fs-extra@^8.1.0:
+fs-extra@^8.0.1, fs-extra@^8.1.0:
   version "8.1.0"
   resolved "https://registry.yarnpkg.com/fs-extra/-/fs-extra-8.1.0.tgz#49d43c45a88cd9677668cb7be1b46efdb8d2e1c0"
   integrity sha512-yhlQgA6mnOJUKOsRUFsgJdQCvkKhcz8tlZG5HBQfReYZy46OwLcY+Zia0mtdHsOo9y/hP+CxMN0TU9QxoOtG4g==

From a7d1d9880be3c37db137b9986f76e04b2424eb94 Mon Sep 17 00:00:00 2001
From: David Baker <dave@matrix.org>
Date: Thu, 10 Oct 2019 14:56:35 +0100
Subject: [PATCH 05/13] Use my fork of electron-notarize

if only to test it
---
 package.json | 2 +-
 yarn.lock    | 5 ++---
 2 files changed, 3 insertions(+), 4 deletions(-)

diff --git a/package.json b/package.json
index 0836f624..8b0b7ad9 100644
--- a/package.json
+++ b/package.json
@@ -111,7 +111,7 @@
     "electron-builder": "^21.2.0",
     "electron-builder-squirrel-windows": "^21.2.0",
     "electron-devtools-installer": "^2.2.4",
-    "electron-notarize": "^0.1.1",
+    "electron-notarize": "dbkr/electron-notarize",
     "eslint": "^5.8.0",
     "eslint-config-google": "^0.7.1",
     "eslint-plugin-babel": "^4.1.2",
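Review bot: `"electron-notarize": "dbkr/electron-notarize"` names a GitHub repository without a commit, so the package that runs inside the signing and notarisation step becomes whatever the default branch holds the next time the lockfile is regenerated. The yarn.lock entry in this same commit resolves to a codeload tarball and drops the `integrity` line, so the download is no longer checked against a recorded digest. If the fork is needed, pin it in package.json as well: `"electron-notarize": "dbkr/electron-notarize#1041444cf330a52e89077bae68745bfe47c8d2db"` (the commit the lockfile resolves to here).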
diff --git a/yarn.lock b/yarn.lock
index c3cb2a7a..1e4b0f1a 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -3134,10 +3134,9 @@ electron-devtools-installer@^2.2.4:
     rimraf "^2.5.2"
     semver "^5.3.0"
 
-electron-notarize@^0.1.1:
+electron-notarize@dbkr/electron-notarize:
   version "0.1.1"
-  resolved "https://registry.yarnpkg.com/electron-notarize/-/electron-notarize-0.1.1.tgz#c3563d70c5e7b3315f44e8495b30050a8c408b91"
-  integrity sha512-TpKfJcz4LXl5jiGvZTs5fbEx+wUFXV5u8voeG5WCHWfY/cdgdD8lDZIZRqLVOtR3VO+drgJ9aiSHIO9TYn/fKg==
+  resolved "https://codeload.github.com/dbkr/electron-notarize/tar.gz/1041444cf330a52e89077bae68745bfe47c8d2db"
   dependencies:
     debug "^4.1.1"
     fs-extra "^8.0.1"

From 2bab328f8d85d9babe6bbff7c9cf8ead6c6e7400 Mon Sep 17 00:00:00 2001
From: David Baker <dave@matrix.org>
Date: Thu, 10 Oct 2019 15:32:17 +0100
Subject: [PATCH 06/13] Check everything's in place for the notarising dance

...before we start the build process.
---
 scripts/electron-package.sh | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/scripts/electron-package.sh b/scripts/electron-package.sh
index 63c2fd72..9b796b95 100755
--- a/scripts/electron-package.sh
+++ b/scripts/electron-package.sh
@@ -67,6 +67,14 @@ if [ ! -f package.json ]; then
     exit
 fi
 
+if [ -z "$NOTARIZE_APPLE_ID" ]; then
+    echo "NOTARIZE_APPLE_ID is not set"
+    exit
+fi
+
+# Test that altool can get its credentials for notarising the mac app
+xcrun altool -u "$NOTARIZE_APPLE_ID" -p '@keychain:NOTARIZE_CREDS' --list-apps || exit
+
 echo "Building $version using Update base URL $update_base_url"
 
 projdir=`pwd`
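Review bot: The bare `exit` after `echo "NOTARIZE_APPLE_ID is not set"` returns the status of the `echo`, which is 0, so a build that aborts here looks successful to whatever invoked the script. Use `echo "NOTARIZE_APPLE_ID is not set" >&2; exit 1`. The `|| exit` on the altool line is fine, since it propagates altool's non-zero status. The package.json check in the context lines uses the same bare `exit`, as do the osslsigncode and riot_signing_token checks added later in this series.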

From 0259eb64197e3332c78e4c979e2356df29a16e4f Mon Sep 17 00:00:00 2001
From: David Baker <dave@matrix.org>
Date: Thu, 10 Oct 2019 18:34:26 +0100
Subject: [PATCH 07/13] Go back to upstream electron-notarize

It doesn't work as a github dependency because the typescript
doesn't get built.
---
 package.json | 2 +-
 yarn.lock    | 5 +++--
 2 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/package.json b/package.json
index 8b0b7ad9..0836f624 100644
--- a/package.json
+++ b/package.json
@@ -111,7 +111,7 @@
     "electron-builder": "^21.2.0",
     "electron-builder-squirrel-windows": "^21.2.0",
     "electron-devtools-installer": "^2.2.4",
-    "electron-notarize": "dbkr/electron-notarize",
+    "electron-notarize": "^0.1.1",
     "eslint": "^5.8.0",
     "eslint-config-google": "^0.7.1",
     "eslint-plugin-babel": "^4.1.2",
diff --git a/yarn.lock b/yarn.lock
index 1e4b0f1a..c3cb2a7a 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -3134,9 +3134,10 @@ electron-devtools-installer@^2.2.4:
     rimraf "^2.5.2"
     semver "^5.3.0"
 
-electron-notarize@dbkr/electron-notarize:
+electron-notarize@^0.1.1:
   version "0.1.1"
-  resolved "https://codeload.github.com/dbkr/electron-notarize/tar.gz/1041444cf330a52e89077bae68745bfe47c8d2db"
+  resolved "https://registry.yarnpkg.com/electron-notarize/-/electron-notarize-0.1.1.tgz#c3563d70c5e7b3315f44e8495b30050a8c408b91"
+  integrity sha512-TpKfJcz4LXl5jiGvZTs5fbEx+wUFXV5u8voeG5WCHWfY/cdgdD8lDZIZRqLVOtR3VO+drgJ9aiSHIO9TYn/fKg==
   dependencies:
     debug "^4.1.1"
     fs-extra "^8.0.1"

From 071223120b39f026aadd502ceb284191345a1638 Mon Sep 17 00:00:00 2001
From: David Baker <dave@matrix.org>
Date: Fri, 11 Oct 2019 10:45:42 +0100
Subject: [PATCH 08/13] Warn that this might be a while

---
 scripts/electron_afterSign.js | 1 +
 1 file changed, 1 insertion(+)

diff --git a/scripts/electron_afterSign.js b/scripts/electron_afterSign.js
index 20bb867d..0d42c552 100644
--- a/scripts/electron_afterSign.js
+++ b/scripts/electron_afterSign.js
@@ -16,6 +16,7 @@ exports.default = async function(context) {
 
     const appName = context.packager.appInfo.productFilename;
 
+    console.log("Notarising macOS app. This may be some time.");
     return await notarize({
         appBundleId: 'im.riot.app',
         appPath: `${appOutDir}/${appName}.app`,

From 5a7efcd7381024380639261465c63169391a572b Mon Sep 17 00:00:00 2001
From: David Baker <dave@matrix.org>
Date: Fri, 11 Oct 2019 12:01:50 +0100
Subject: [PATCH 09/13] Sign the main executable on windows

and automate the signing of the installers
---
 electron_app/riot.im/env.sh   |  1 +
 package.json                  |  1 +
 scripts/electron-package.sh   | 62 +++++++++++++++++-------
 scripts/electron_afterSign.js | 91 +++++++++++++++++++++++++++--------
 yarn.lock                     |  5 ++
 5 files changed, 123 insertions(+), 37 deletions(-)
 create mode 100644 electron_app/riot.im/env.sh

diff --git a/electron_app/riot.im/env.sh b/electron_app/riot.im/env.sh
new file mode 100644
index 00000000..92b65fe2
--- /dev/null
+++ b/electron_app/riot.im/env.sh
@@ -0,0 +1 @@
+export OSSLSIGNCODE_SIGNARGS='-pkcs11module /Library/Frameworks/eToken.framework/Versions/Current/libeToken.dylib -pkcs11engine /usr/local/lib/engines/engine_pkcs11.so -certs "electron_app/riot.im/New Vector Ltd.pem" -key 0a3271cbc1ec0fd8afb37f6bbe0cd65ba08d3b4d -t "http://timestamp.comodoca.com" -h sha256 -verbose'
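Review bot: The double quotes around `"electron_app/riot.im/New Vector Ltd.pem"` and the timestamp URL are interpreted differently by the two consumers of this variable. electron_afterSign.js concatenates it into a string that `exec` hands to a shell, which honours the quotes, while electron-package.sh expands `$OSSLSIGNCODE_SIGNARGS` unquoted, where the quote characters stay literal and the certificate path is split at each space. Keep every value free of spaces and quotes and state that in the file, e.g. `# Word-split by electron-package.sh: no spaces or quotes inside any value`.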
diff --git a/package.json b/package.json
index 0836f624..ee036377 100644
--- a/package.json
+++ b/package.json
@@ -146,6 +146,7 @@
     "postcss-simple-vars": "^4.1.0",
     "postcss-strip-inline-comments": "^0.1.5",
     "rimraf": "^2.4.3",
+    "shell-escape": "^0.2.0",
     "source-map-loader": "^0.2.4",
     "webpack": "^4.23.1",
     "webpack-cli": "^3.1.2",
diff --git a/scripts/electron-package.sh b/scripts/electron-package.sh
index 9b796b95..5698dc7c 100755
--- a/scripts/electron-package.sh
+++ b/scripts/electron-package.sh
@@ -1,26 +1,30 @@
 #!/bin/bash
 
-set -e
-
 usage() {
-    echo "Usage: $0 -v <version> -c <config file> [-n]"
+    echo "Usage: $0 -v <version> -d <config directory> [-n]"
     echo
     echo "version: commit-ish to check out and build"
-    echo "config file: a path to a json config file to"
-    echo "ship with the build. In addition, update_base_url:"
-    echo "from this file is used to set up auto-update."
+    echo "config directory: a path to a directory containing"
+    echo "config.json, a json config file to ship with the build"
+    echo "and env.sh, a file to source environment variables"
+    echo "from."
     echo "-n: build with no config file."
     echo
-    echo "Values may also be passed as environment variables"
+    echo "The update_base_url value from config.json is used to set up auto-update."
+    echo
+    echo "Environment variables:"
+    echo "   OSSLSIGNCODE_SIGNARGS: Arguments to pass to osslsigncode when signing"
+    echo "   NOTARIZE_APPLE_ID: Apple ID to use for notarisation. The password for"
+    echo "   this account must be set in NOTARIZE_CREDS in the keychain."
 }
 
-conffile=
+confdir=
 version=
 skipcfg=0
-while getopts "c:v:n" opt; do
+while getopts "d:v:n" opt; do
     case $opt in
-        c)
-            conffile=$OPTARG
+        d)
+            confdir=$OPTARG
             ;;
         v)
             version=$OPTARG
@@ -42,6 +46,8 @@ if [ -z "$version" ]; then
     exit
 fi
 
+conffile="$confdir/config.json"
+
 if [ -z "$conffile" ] && [ "$skipcfg" = 0 ]; then
     echo "No config file given. Use -c to supply a config file or"
     echo "-n to build with no config file (and no auto update)."
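Review bot: The `[ -z "$conffile" ]` guard can no longer fire, because `conffile="$confdir/config.json"` is never empty; with no `-d` it becomes `/config.json`. Test the directory instead, `if [ -z "$confdir" ] && [ "$skipcfg" = 0 ]; then`, and build `conffile` after that check. With an empty `confdir` the `. "$confdir/env.sh"` added further down would also source `/env.sh` from the filesystem root if one exists. The error text still tells the user to pass `-c`, which this commit renames to `-d`.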
@@ -67,14 +73,31 @@ if [ ! -f package.json ]; then
     exit
 fi
 
+[ -f "$confdir/env.sh" ] && . "$confdir/env.sh"
+
 if [ -z "$NOTARIZE_APPLE_ID" ]; then
     echo "NOTARIZE_APPLE_ID is not set"
     exit
 fi
 
+osslsigncode -h 2> /dev/null
+if [ $? -ne 255 ]; then # osslsigncode exits with 255 after printing usgae...
+    echo "osslsigncode not found"
+    exit
+fi
+
 # Test that altool can get its credentials for notarising the mac app
 xcrun altool -u "$NOTARIZE_APPLE_ID" -p '@keychain:NOTARIZE_CREDS' --list-apps || exit
 
+# Get the token password: we'll need it later, but get it now so we fail early if it's not there
+token_password=`security find-generic-password -s riot_signing_token -w`
+if [ $? -ne 0 ]; then
+    echo "riot_signing_token not found in keychain"
+    exit
+fi
+
+set -e
+
 echo "Building $version using Update base URL $update_base_url"
 
 projdir=`pwd`
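Review bot: The `osslsigncode -h` probe treats every exit status other than 255 as "not found", so a build of osslsigncode that exits differently after printing usage is rejected with a message that blames a missing binary. `command -v osslsigncode > /dev/null || { echo "osslsigncode not found" >&2; exit 1; }` tests for presence directly. `. "$confdir/env.sh"` executes whatever the config directory contains inside the script that goes on to read the signing token password, so a comment above it stating that the directory must be trusted would be worth adding.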
@@ -115,14 +138,12 @@ mkdir -p "$projdir/electron_app/dist/unsigned/"
 mkdir -p "$pubdir/install/macos"
 cp $distdir/*.dmg "$pubdir/install/macos/"
 
-# Windows installers go to the dist dir because they need signing
+# Windows installers need signing, this comes later
 mkdir -p "$pubdir/install/win32/ia32/"
 mkdir -p "$projdir/electron_app/dist/unsigned/ia32/"
-cp $distdir/squirrel-windows-ia32/*.exe "$projdir/electron_app/dist/unsigned/ia32/"
 
 mkdir -p "$pubdir/install/win32/x64/"
 mkdir -p "$projdir/electron_app/dist/unsigned/x64/"
-cp $distdir/squirrel-windows/*.exe "$projdir/electron_app/dist/unsigned/x64/"
 
 # Packages for auto-update
 mkdir -p "$pubdir/update/macos"
@@ -144,9 +165,16 @@ cp $distdir/squirrel-windows/RELEASES "$pubdir/update/win32/x64/"
 # longer appears to work).
 cp $distdir/*_amd64.deb "$projdir/electron_app/dist/"
 
+# Now we sign the windows installer executables (as opposed to the main binary which
+# is signed in the electron afteSign hook)
+echo "Signing Windows installers..."
+
+osslsigncode sign $OSSLSIGNCODE_SIGNARGS -pass "$token_password" -in "$distdir/squirrel-windows-ia32/*.exe" -out "$projdir/electron_app/dist/unsigned/ia32/"
+osslsigncode sign $OSSLSIGNCODE_SIGNARGS -pass "$token_password" -in "$distdir/squirrel-windows/*.exe" -out "$projdir/electron_app/dist/unsigned/x64/"
+
+echo "Installers signed"
+
 rm -rf "$builddir"
 
-echo "Unsigned Windows installers have been placed in electron_app/dist/unsigned/ - sign them,"
-echo "or just copy them to "$pubdir/install/win32/\<arch\>/""
-echo "Once you've done this, $pubdir can be hosted on your web server."
+echo "$pubdir can now be hosted on your web server."
 echo "deb archives are in electron_app/dist/ - these should be added into your debian repository"
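Review bot: `-pass "$token_password"` puts the signing token's password on osslsigncode's command line, where it can be read from the process list by other local users for as long as signing runs. If the installed osslsigncode accepts `-readpass <file>`, hand the password over in a file with owner-only permissions instead. Separately, `"$distdir/squirrel-windows-ia32/*.exe"` is quoted, so the shell does not expand the glob and osslsigncode receives the literal pattern, and `-out` is given a directory rather than a file name. The signed installers are written under `dist/unsigned/`, a name that no longer describes its contents.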
diff --git a/scripts/electron_afterSign.js b/scripts/electron_afterSign.js
index 0d42c552..0149d7c4 100644
--- a/scripts/electron_afterSign.js
+++ b/scripts/electron_afterSign.js
@@ -1,26 +1,77 @@
 const { notarize } = require('electron-notarize');
+const { exec, execFile } = require('child_process');
+const fs = require('fs');
+const shellescape = require('shell-escape');
 
 exports.default = async function(context) {
     const { electronPlatformName, appOutDir } = context;
-    if (electronPlatformName !== 'darwin') {
-        return;
+
+    if (electronPlatformName === 'darwin') {
+        const appName = context.packager.appInfo.productFilename;
+        // We get the password from keychain. The keychain stores
+        // user IDs too, but apparently altool can't get the user ID
+        // from the keychain, so we need to get it from the environment.
+        const userId = process.env.NOTARIZE_APPLE_ID;
+        if (userId === undefined) {
+            throw new Exception("User ID not found. Set NOTARIZE_APPLE_ID.");
+        }
+
+        console.log("Notarising macOS app. This may be some time.");
+        return await notarize({
+            appBundleId: 'im.riot.app',
+            appPath: `${appOutDir}/${appName}.app`,
+            appleId: userId,
+            appleIdPassword: '@keychain:NOTARIZE_CREDS',
+        });
+    } else if (electronPlatformName === 'win32') {
+        // This signs the actual Riot executable
+        const appName = context.packager.appInfo.productFilename;
+
+        // get the token passphrase from the keychain
+        const tokenPassphrase = await new Promise((resolve, reject) => {
+            execFile(
+                'security',
+                ['find-generic-password', '-s', 'riot_signing_token', '-w'],
+                {},
+                (err, stdout) => {
+                    if (err) {
+                        reject(err);
+                    } else {
+                        resolve(stdout.trim());
+                    }
+                },
+            );
+        });
+
+        return new Promise((resolve, reject) => {
+            let cmdLine = 'osslsigncode sign ';
+            if (process.env.OSSLSIGNCODE_SIGNARGS) {
+                cmdLine += process.env.OSSLSIGNCODE_SIGNARGS + '';
+            }
+            const tmpFile = 'tmp_' + Math.random().toString(36).substring(2, 15) + '.exe';
+            cmdLine += shellescape([
+                '-pass', tokenPassphrase,
+                '-in', `${appOutDir}/${appName}.exe`,
+                '-out', `${appOutDir}/${tmpFile}`,
+            ]);
+            console.log(cmdLine);
+
+            const signproc = exec(cmdLine, {}, (error, stdout) => {
+                console.log(stdout);
+            });
+            signproc.on('exit', (code) => {
+                if (code !== 0) {
+                    reject("osslsigncode failed with code " + code);
+                    return;
+                }
+                fs.rename(`${appOutDir}/${tmpFile}`, `${appOutDir}/${appName}.exe`, (err) => {
+                    if (err) {
+                        reject(err);
+                    } else {
+                        resolve();
+                    }
+                });
+            });
+        });
     }
-
-    // We get the password from keychain. The keychain stores
-    // user IDs too, but apparently altool can't get the user ID
-    // from the keychain, so we need to get it from the environment.
-    const userId = process.env.NOTARIZE_APPLE_ID;
-    if (userId === undefined) {
-        throw new Exception("User ID not found. Set NOTARIZE_APPLE_ID.");
-    }
-
-    const appName = context.packager.appInfo.productFilename;
-
-    console.log("Notarising macOS app. This may be some time.");
-    return await notarize({
-        appBundleId: 'im.riot.app',
-        appPath: `${appOutDir}/${appName}.app`,
-        appleId: userId,
-        appleIdPassword: '@keychain:NOTARIZE_CREDS',
-    });
 };
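Review bot: `console.log(cmdLine)` in the win32 branch prints the whole osslsigncode command, including the `-pass` value read from the keychain, into the build output; log the target instead, e.g. `console.log("Signing " + appName + ".exe");`. `process.env.OSSLSIGNCODE_SIGNARGS + ''` appends an empty string, so the last configured argument runs straight into `-pass`. The `exec` callback ignores `error` and never reads stderr, so a failed signing surfaces only as an exit code; take `(error, stdout, stderr)` and print stderr as well. `throw new Exception(...)` in the darwin branch is carried over unchanged and is still a ReferenceError; it should be `throw new Error(...)`.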
diff --git a/yarn.lock b/yarn.lock
index c3cb2a7a..b7b0abd4 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -8239,6 +8239,11 @@ shebang-regex@^1.0.0:
   resolved "https://registry.yarnpkg.com/shebang-regex/-/shebang-regex-1.0.0.tgz#da42f49740c0b42db2ca9728571cb190c98efea3"
   integrity sha1-2kL0l0DAtC2yypcoVxyxkMmO/qM=
 
+shell-escape@^0.2.0:
+  version "0.2.0"
+  resolved "https://registry.yarnpkg.com/shell-escape/-/shell-escape-0.2.0.tgz#68fd025eb0490b4f567a027f0bf22480b5f84133"
+  integrity sha1-aP0CXrBJC09WegJ/C/IkgLX4QTM=
+
 shell-quote@^1.6.1:
   version "1.7.2"
   resolved "https://registry.yarnpkg.com/shell-quote/-/shell-quote-1.7.2.tgz#67a7d02c76c9da24f99d20808fcaded0e0e04be2"

From 1ff06c4be44d868147b51ddb91f847d2f38f1f83 Mon Sep 17 00:00:00 2001
From: David Baker <dave@matrix.org>
Date: Fri, 11 Oct 2019 12:21:28 +0100
Subject: [PATCH 10/13] Missing space

also don't print the signing command line as it has the token password
---
 scripts/electron_afterSign.js | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/scripts/electron_afterSign.js b/scripts/electron_afterSign.js
index 0149d7c4..8966ca7f 100644
--- a/scripts/electron_afterSign.js
+++ b/scripts/electron_afterSign.js
@@ -46,7 +46,7 @@ exports.default = async function(context) {
         return new Promise((resolve, reject) => {
             let cmdLine = 'osslsigncode sign ';
             if (process.env.OSSLSIGNCODE_SIGNARGS) {
-                cmdLine += process.env.OSSLSIGNCODE_SIGNARGS + '';
+                cmdLine += process.env.OSSLSIGNCODE_SIGNARGS + ' ';
             }
             const tmpFile = 'tmp_' + Math.random().toString(36).substring(2, 15) + '.exe';
             cmdLine += shellescape([
@@ -54,7 +54,6 @@ exports.default = async function(context) {
                 '-in', `${appOutDir}/${appName}.exe`,
                 '-out', `${appOutDir}/${tmpFile}`,
             ]);
-            console.log(cmdLine);
 
             const signproc = exec(cmdLine, {}, (error, stdout) => {
                 console.log(stdout);

From d6884d5b0ffe1516eeaa635dd24f28936c240711 Mon Sep 17 00:00:00 2001
From: David Baker <dave@matrix.org>
Date: Fri, 11 Oct 2019 16:08:04 +0100
Subject: [PATCH 11/13] Make window signing work

Almost certainly won't work for cert names with spaces in them
---
 electron_app/riot.im/{New Vector Ltd.pem => New_Vector_Ltd.pem} | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename electron_app/riot.im/{New Vector Ltd.pem => New_Vector_Ltd.pem} (100%)

diff --git a/electron_app/riot.im/New Vector Ltd.pem b/electron_app/riot.im/New_Vector_Ltd.pem
similarity index 100%
rename from electron_app/riot.im/New Vector Ltd.pem
rename to electron_app/riot.im/New_Vector_Ltd.pem

From 3545b2751d39a4847b5d568dc829a227d1f68aa1 Mon Sep 17 00:00:00 2001
From: David Baker <dbkr@users.noreply.github.com>
Date: Fri, 18 Oct 2019 10:08:43 +0100
Subject: [PATCH 12/13] typo

Co-Authored-By: Travis Ralston <travpc@gmail.com>
---
 scripts/electron-package.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/scripts/electron-package.sh b/scripts/electron-package.sh
index 5698dc7c..a7aa56d0 100755
--- a/scripts/electron-package.sh
+++ b/scripts/electron-package.sh
@@ -81,7 +81,7 @@ if [ -z "$NOTARIZE_APPLE_ID" ]; then
 fi
 
 osslsigncode -h 2> /dev/null
-if [ $? -ne 255 ]; then # osslsigncode exits with 255 after printing usgae...
+if [ $? -ne 255 ]; then # osslsigncode exits with 255 after printing usage...
     echo "osslsigncode not found"
     exit
 fi

From 94e721acf22bed87b1bc8ae815b440fb5d896de7 Mon Sep 17 00:00:00 2001
From: David Baker <dave@matrix.org>
Date: Fri, 18 Oct 2019 10:09:55 +0100
Subject: [PATCH 13/13] Update cert name & do bash globbing correctly

---
 electron_app/riot.im/env.sh | 2 +-
 scripts/electron-package.sh | 9 +++++++--
 2 files changed, 8 insertions(+), 3 deletions(-)

diff --git a/electron_app/riot.im/env.sh b/electron_app/riot.im/env.sh
index 92b65fe2..79cb6e4e 100644
--- a/electron_app/riot.im/env.sh
+++ b/electron_app/riot.im/env.sh
@@ -1 +1 @@
-export OSSLSIGNCODE_SIGNARGS='-pkcs11module /Library/Frameworks/eToken.framework/Versions/Current/libeToken.dylib -pkcs11engine /usr/local/lib/engines/engine_pkcs11.so -certs "electron_app/riot.im/New Vector Ltd.pem" -key 0a3271cbc1ec0fd8afb37f6bbe0cd65ba08d3b4d -t "http://timestamp.comodoca.com" -h sha256 -verbose'
+export OSSLSIGNCODE_SIGNARGS='-pkcs11module /Library/Frameworks/eToken.framework/Versions/Current/libeToken.dylib -pkcs11engine /usr/local/lib/engines/engine_pkcs11.so -certs electron_app/riot.im/New_Vector_Ltd.pem -key 0a3271cbc1ec0fd8afb37f6bbe0cd65ba08d3b4d -t http://timestamp.comodoca.com -h sha256 -verbose'
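Review bot: `-certs electron_app/riot.im/New_Vector_Ltd.pem` is a relative path, so it resolves against whichever directory osslsigncode is started from, both in electron-package.sh and in the afterSign hook. The script's directory changes are outside this hunk, so it is not visible here whether both call sites run from the project root. Deriving the path from the location of env.sh, or documenting the required working directory in a comment above the export, would make a wrong-directory failure obvious rather than a certificate-not-found error during signing.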
diff --git a/scripts/electron-package.sh b/scripts/electron-package.sh
index a7aa56d0..7a8a5ca7 100755
--- a/scripts/electron-package.sh
+++ b/scripts/electron-package.sh
@@ -169,8 +169,13 @@ cp $distdir/*_amd64.deb "$projdir/electron_app/dist/"
 # is signed in the electron afteSign hook)
 echo "Signing Windows installers..."
 
-osslsigncode sign $OSSLSIGNCODE_SIGNARGS -pass "$token_password" -in "$distdir/squirrel-windows-ia32/*.exe" -out "$projdir/electron_app/dist/unsigned/ia32/"
-osslsigncode sign $OSSLSIGNCODE_SIGNARGS -pass "$token_password" -in "$distdir/squirrel-windows/*.exe" -out "$projdir/electron_app/dist/unsigned/x64/"
+exe32=( "$distdir"/squirrel-windows-ia32/*.exe )
+basename32=`basename "$exe32"`
+osslsigncode sign $OSSLSIGNCODE_SIGNARGS -pass "$token_password" -in "$exe32" -out "$projdir/electron_app/pub/install/win32/ia32/$basename32"
+
+exe64=( "$distdir"/squirrel-windows/*.exe )
+basename64=`basename "$exe64"`
+osslsigncode sign $OSSLSIGNCODE_SIGNARGS -pass "$token_password" -in "$exe64" -out "$projdir/electron_app/pub/install/win32/x64/$basename64"
 
 echo "Installers signed"
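Review bot: `"$exe32"` and `"$exe64"` expand to the first array element only, so if a glob matches more than one installer the others are left unsigned without any message, and if it matches nothing the literal pattern is passed to osslsigncode. Check before signing, e.g. `[ ${#exe32[@]} -eq 1 ] && [ -f "$exe32" ] || { echo "expected exactly one ia32 installer" >&2; exit 1; }`, and the same for `exe64`. The output paths hard-code `$projdir/electron_app/pub/...` while the rest of the script uses `$pubdir`, which is defined outside this hunk; using `$pubdir` here keeps the two from drifting apart.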