Make mac build and signing work

- Rewrite instructions so that GitHub Actions isn't required to make a
  signed build.
- Switch notarization tool to more modern (supposedly faster) version
- Replace buggy download scripts with one that extracts things for you
This commit is contained in:
Jason Rhinelander 2022-06-14 16:24:36 -03:00
parent 2e1f0f6faa
commit da6e62e5ca
6 changed files with 75 additions and 106 deletions


@ -1,42 +1,43 @@
# Building
Building oxen electron wallet binaries is done using github actions. Windows and linux binaries will build right out of the box but there are some extra steps needed for Mac OS
Set up the supported versions of npm/node/etc.:
## Mac OS
nvm use
The build script for Mac OS requires you to have a valid `Developer ID Application` certificate. Without this the build script cannot sign and notarize the mac binary which is needed for Catalina 10.15 and above.
If you would like to disable this then comment out `"afterSign": "build/notarize.js",` in package.json.
## Linux, Windows
You will also need an [App-specific password](https://support.apple.com/en-al/HT204397) for the apple account you wish to notarize with
npm run build
### Setup
## MacOS
Once you have your `Developer ID Application` you need to export it into a `.p12` file. Keep a note of the password used to encrypt this file as it will be needed later.
If you don't care about signing (i.e. you are not going to distribute) then you should be able to
simply `npm run build`.
We need to Base64 encode this file, so run the following command:
When you want to distribute the app, however, you need to do a bunch of crap to satisfy Apple's
arbitrary security theatre Rube Goldberg machine that purports to keep users safe but in reality is
designed to further Apple lock-in control of the Apple ecosystem.
```
base64 -i certificate.p12 -o encoded.txt
```
1. You have to pay Apple money (every year) to get a developer account.
2. You need a `Developer ID Application` certificate, created and signed from the Apple, and loaded
into your system keychain. `security find-identity -v` should show it.
3. You need to create an [App-specific password](https://support.apple.com/en-al/HT204397) for the
Apple developer account under which you are notarizing.
4. In the project root, create a `.env` file with contents:
#### On GitHub:
SIGNING_APPLE_ID=your-developer-id@example.com
SIGNING_APP_PASSWORD=app-specific-password
1. Navigate to the main page of the repository.
2. Under your repository name, click **Settings**.
3. In the left sidebar, click **Secrets**.
4. Add the following secrets:
1. Certificate
- Name: `MAC_CERTIFICATE`
- Value: The encoded Base64 certificate
2. Certificate password
- Name: `MAC_CERTIFICATE_PASSWORD`
- Value: The password that was set when the certificate was exported.
3. Apple ID
- Name: `SIGNING_APPLE_ID`
- Value: The apple id (email) to use for signing
4. Apple Password
- Name: `SIGNING_APP_PASSWORD`
- Value: The app-specific password that was generated for the apple id
5. Team ID (Optional)
- Name: `SIGNING_TEAM_ID`
- Value: The apple team id if you're sigining the application for a team
This password can be plaintext if absolutely needed (e.g. in a CI job) but should be a [keychain
reference](https://github.com/electron/electron-notarize#safety-when-using-appleidpassword) such
as `@keychain:some-token` for better security where feasible.
- If you have multiple ids and need to use a particular signing team ID you can add:
SIGNING_TEAM_ID=TEAMIDXYZ1
5. If building from a remote connection (e.g. ssh'd into a mac) then unlock the keychain for that
session by running `security unlock`.
With all of that set up, your `npm run build` should produce a signed and notarized installer.
Hopefully. Maybe. Sometimes Apple's servers are broken and you might have to try again. But don't
worry, Apple's incompetence around signing makes everything more secure because... reasons.
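Review bot: `security unlock` in step 5 is not a subcommand of the macOS `security` tool; the command that unlocks the login keychain for an ssh session is `security unlock-keychain` (it prompts for the keychain password, or accepts `-p`), so the step as written fails with an unknown-command error. Two further points on the same hunk: step 4 has the reader write `SIGNING_APP_PASSWORD` into a `.env` file in the project root, and nothing in this diff shows `.env` being excluded from git or from the packaged app, so the instructions should tell the reader to confirm it is listed in `.gitignore`; the `@keychain:some-token` form recommended a few lines later keeps the secret out of the working tree entirely and should be presented as the default, with the plaintext form reserved for CI. Finally, the "security theatre Rube Goldberg machine" and "Apple's incompetence" remarks belong in the commit message rather than in build instructions that other developers will follow; keep the steps and drop the editorial.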


@ -36,11 +36,11 @@ exports.default = async function notarizing(context) {
}
const options = {
appBundleId: "com.oxen.electron-wallet",
tool: "notarytool",
appPath: `${appOutDir}/${appName}.app`,
appleId: SIGNING_APPLE_ID,
appleIdPassword: SIGNING_APP_PASSWORD
};
if (!isEmpty(SIGNING_TEAM_ID)) options.ascProvider = SIGNING_TEAM_ID;
if (!isEmpty(SIGNING_TEAM_ID)) options.teamId = SIGNING_TEAM_ID;
return notarize(options);
};
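Review bot: with `tool: "notarytool"` the team ID is no longer optional, so the guard `if (!isEmpty(SIGNING_TEAM_ID)) options.teamId = SIGNING_TEAM_ID;` leaves a path on which `teamId` is never set; `xcrun notarytool` requires `--team-id` alongside `--apple-id`/`--password`, and the submission then fails at Apple's end rather than at the guard. Either set `teamId` unconditionally from `SIGNING_TEAM_ID` and fail early with a clear message when it is empty, or keep the guard and document the team ID as required for notarytool (the README hunk in this commit still describes `SIGNING_TEAM_ID` as something you add only if you have multiple IDs). `appBundleId` is an altool-era option; check whether the notarytool path in electron-notarize reads it at all and drop it if not.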


@ -1,32 +0,0 @@
#!/bin/bash
set -e
if [ -z "$OS" ]; then
echo "OS must be set"
exit 1
fi
if [ -z "$RENAME" ]; then
RENAME="latest"
fi
if [ "$OS" == "Linux" ]; then
ASSET_URL="https://oxen.rocks/oxen-io/oxen-core/oxen-dev-linux-LATEST.tar.xz"
elif [ "$OS" == "Windows" ]; then
ASSET_URL="https://oxen.rocks/oxen-io/oxen-core/oxen-dev-win-LATEST.zip"
elif [ "$OS" == "macOS" ]; then
ASSET_URL="https://oxen.rocks/oxen-io/oxen-core/oxen-dev-macos-LATEST.tar.xz"
else
echo "OS must be Linux, Windows or macOS"
exit 1
fi
echo "About to download the binaries"
curl -sL --fail \
-H "Accept: application/octet-stream" \
-o "${RENAME}" \
"$ASSET_URL"
echo "Oxen binaries downloaded"


@ -1,40 +0,0 @@
#!/bin/bash
# Source from: https://github.com/houqp/download-release-assets-action
set -e
if [ -z "$OS" ]; then
echo "OS must be set"
exit 1
fi
if [ -z "$RENAME" ]; then
RENAME="latest"
fi
REPO="oxen-io/oxen-core"
RELEASE="latest"
if [ "$OS" == "Linux" ]; then
FILE_NAME_REGEX="linux"
elif [ "$OS" == "Windows" ]; then
FILE_NAME_REGEX="win"
elif [ "$OS" == "macOS" ]; then
FILE_NAME_REGEX="macos"
else
echo "OS must be Linux, Windows or macOS"
exit 1
fi
ASSET_URL=$(curl -sL --fail \
-H "Accept: application/vnd.github.v3+json" \
-H "Authorization: Bearer ${GITHUB_TOKEN}" \
"https://api.github.com/repos/${REPO}/releases/${RELEASE}" \
| jq -r ".assets | .[] | select(.name | test(\"${FILE_NAME_REGEX}\")) | .url")
curl -sL --fail \
-H "Accept: application/octet-stream" \
-H "Authorization: Bearer ${GITHUB_TOKEN}" \
-o "${RENAME}" \
"$ASSET_URL"


@ -158,7 +158,7 @@ module.exports = function() {
appId: "com.oxen.electron-wallet",
productName: "Oxen Electron Wallet",
copyright: "Copyright © 2018-2021 Oxen, 2018 Ryo Currency Project",
copyright: "Copyright © 2018-2022 Oxen, 2018 Ryo Currency Project",
afterSign: "build/notarize.js",
artifactName: "oxen-electron-wallet-${version}-${os}.${ext}",
publish: "github",

tools/download-oxen-files.sh (new executable file, 40 lines added)

@ -0,0 +1,40 @@
#!/bin/bash
if [ "$#" -ne 1 ] || [[ "$1" != http* ]]; then
cat <<EOF >&2
Usage: $0 URL -- download and extract an oxen-core build (typically from https://oxen.rocks)
Some common URLs:
https://oxen.rocks/oxen-io/oxen-core/oxen-stable-linux-LATEST.tar.xz
https://oxen.rocks/oxen-io/oxen-core/oxen-stable-win-LATEST.tar.xz
https://oxen.rocks/oxen-io/oxen-core/oxen-stable-macos-LATEST.tar.xz
https://oxen.rocks/oxen-io/oxen-core/oxen-dev-linux-LATEST.tar.xz
https://oxen.rocks/oxen-io/oxen-core/oxen-dev-win-LATEST.tar.xz
https://oxen.rocks/oxen-io/oxen-core/oxen-dev-macos-LATEST.tar.xz
EOF
exit 1
fi
if ! [ -f tools/download-oxen-files.sh ] || ! [ -d bin ]; then
echo "This script needs to be invoked from the oxen-electron-gui-wallet top-level project directory" >&2
exit 1
fi
tar=tar
if [[ "$($tar --version)" == bsdtar* ]]; then
tar=gtar
if ! command -v $tar; then
echo "GNU tar is required, but your tar is \`bsdtar' and \`gtar' doesn't work." >&2
echo "This is probably a mac; please install gnutar (e.g. via macports or homebrew)" >&2
exit 1
fi
fi
rm -f bin/oxen*
curl -sS "$1" | $tar --strip-components=1 -C bin -xJv --no-anchored oxend oxen-wallet-rpc
echo "Checking downloaded versions:"
echo -n "oxend: "; ./bin/oxend --version
echo -n "oxen-wallet-rpc: "; ./bin/oxen-wallet-rpc --version
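Review bot: the `curl -sS "$1" | $tar ...` pipeline runs without `--fail` (`-f`) on curl, without `set -e`, and without `set -o pipefail`, so an HTTP 404 or a server error page is piped straight into tar and surfaces as a corrupt xz archive, and because `rm -f bin/oxen*` has already run, a failed download leaves `bin/` empty; both scripts this one replaces had `set -e` and `curl --fail`. Suggest `set -eo pipefail` at the top, `curl -sSfL`, and downloading to a temporary file before the `rm`. Second, the usage check accepts any `http*` URL and the script pulls a `-LATEST.tar.xz` artifact whose contents change over time, with no checksum or signature check before `oxend` and `oxen-wallet-rpc` are placed in `bin/`; at minimum reject plain `http://` (`[[ "$1" != https://* ]]`), and consider recording the exact build (or a SHA-256 of the archive) used for a release so a given wallet build can be reproduced. Minor: `command -v $tar` writes the resolved path to stdout; add `>/dev/null`.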