Make mac build and signing work

- Rewrite instructions so that GitHub Actions isn't required to make a
  signed build.
- Switch notarization tool to more modern (supposedly faster) version
- Replace buggy download scripts with one that extracts things for you
Jason Rhinelander 2022-06-14 16:24:36 -03:00
parent 2e1f0f6faa
commit da6e62e5ca
6 changed files with 75 additions and 106 deletions


@ -1,42 +1,43 @@
# Building # Building
Building oxen electron wallet binaries is done using github actions. Windows and linux binaries will build right out of the box but there are some extra steps needed for Mac OS Set up the supported versions of npm/node/etc.:
## Mac OS nvm use
The build script for Mac OS requires you to have a valid `Developer ID Application` certificate. Without this the build script cannot sign and notarize the mac binary which is needed for Catalina 10.15 and above. ## Linux, Windows
If you would like to disable this then comment out `"afterSign": "build/notarize.js",` in package.json.
You will also need an [App-specific password](https://support.apple.com/en-al/HT204397) for the apple account you wish to notarize with npm run build
### Setup ## MacOS
Once you have your `Developer ID Application` you need to export it into a `.p12` file. Keep a note of the password used to encrypt this file as it will be needed later. If you don't care about signing (i.e. you are not going to distribute) then you should be able to
simply `npm run build`.
We need to Base64 encode this file, so run the following command: When you want to distribute the app, however, you need to do a bunch of crap to satisfy Apple's
arbitrary security theatre Rube Goldberg machine that purports to keep users safe but in reality is
designed to further Apple lock-in control of the Apple ecosystem.
``` 1. You have to pay Apple money (every year) to get a developer account.
base64 -i certificate.p12 -o encoded.txt 2. You need a `Developer ID Application` certificate, created and signed from the Apple, and loaded
``` into your system keychain. `security find-identity -v` should show it.
3. You need to create an [App-specific password](https://support.apple.com/en-al/HT204397) for the
Apple developer account under which you are notarizing.
4. In the project root, create a `.env` file with contents:
#### On GitHub: SIGNING_APPLE_ID=your-developer-id@example.com
SIGNING_APP_PASSWORD=app-specific-password
1. Navigate to the main page of the repository. This password can be plaintext if absolutely needed (e.g. in a CI job) but should be a [keychain
2. Under your repository name, click **Settings**. reference](https://github.com/electron/electron-notarize#safety-when-using-appleidpassword) such
3. In the left sidebar, click **Secrets**. as `@keychain:some-token` for better security where feasible.
4. Add the following secrets:
1. Certificate - If you have multiple ids and need to use a particular signing team ID you can add:
- Name: `MAC_CERTIFICATE`
- Value: The encoded Base64 certificate SIGNING_TEAM_ID=TEAMIDXYZ1
2. Certificate password
- Name: `MAC_CERTIFICATE_PASSWORD` 5. If building from a remote connection (e.g. ssh'd into a mac) then unlock the keychain for that
- Value: The password that was set when the certificate was exported. session by running `security unlock`.
3. Apple ID
- Name: `SIGNING_APPLE_ID` With all of that set up, your `npm run build` should produce a signed and notarized installer.
- Value: The apple id (email) to use for signing Hopefully. Maybe. Sometimes Apple's servers are broken and you might have to try again. But don't
4. Apple Password worry, Apple's incompetence around signing makes everything more secure because... reasons.
- Name: `SIGNING_APP_PASSWORD`
- Value: The app-specific password that was generated for the apple id
5. Team ID (Optional)
- Name: `SIGNING_TEAM_ID`
- Value: The apple team id if you're sigining the application for a team
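Review bot: step 5 tells the reader to run `security unlock`, but the documented subcommand of macOS `security(1)` is `security unlock-keychain`; please verify the command on a Mac before merging, since a reader following this over ssh will hit it first. Step 4 puts `SIGNING_APP_PASSWORD` into a `.env` file in the project root; the README should say that `.env` must be in `.gitignore` and excluded from what electron-builder packages, and that the `@keychain:some-token` form is the default recommendation rather than the fallback. The "(Optional)" wording for `SIGNING_TEAM_ID` is inherited from the old altool-based flow; with notarytool (see the `build/notarize.js` change in this commit) the team ID is required, so the README should list it as a required `.env` entry rather than an optional one.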


@ -36,11 +36,11 @@ exports.default = async function notarizing(context) {
} }
const options = { const options = {
appBundleId: "com.oxen.electron-wallet", tool: "notarytool",
appPath: `${appOutDir}/${appName}.app`, appPath: `${appOutDir}/${appName}.app`,
appleId: SIGNING_APPLE_ID, appleId: SIGNING_APPLE_ID,
appleIdPassword: SIGNING_APP_PASSWORD appleIdPassword: SIGNING_APP_PASSWORD
}; };
if (!isEmpty(SIGNING_TEAM_ID)) options.ascProvider = SIGNING_TEAM_ID; if (!isEmpty(SIGNING_TEAM_ID)) options.teamId = SIGNING_TEAM_ID;
return notarize(options); return notarize(options);
}; };
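Review bot: with `tool: "notarytool"`, `@electron/notarize` requires `teamId` alongside `appleId` and `appleIdPassword`, so keeping `teamId` behind `if (!isEmpty(SIGNING_TEAM_ID))` leaves the option unset whenever `SIGNING_TEAM_ID` is empty and notarization fails with a missing-credential error rather than a clear message. Either set `teamId: SIGNING_TEAM_ID` unconditionally and fail early with an explanatory error when it is empty (as the script presumably already does for the Apple ID and password above), or keep the conditional but make the README state that the team ID is mandatory for notarytool.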


@ -1,32 +0,0 @@
#!/bin/bash
set -e
if [ -z "$OS" ]; then
echo "OS must be set"
exit 1
fi
if [ -z "$RENAME" ]; then
RENAME="latest"
fi
if [ "$OS" == "Linux" ]; then
ASSET_URL="https://oxen.rocks/oxen-io/oxen-core/oxen-dev-linux-LATEST.tar.xz"
elif [ "$OS" == "Windows" ]; then
ASSET_URL="https://oxen.rocks/oxen-io/oxen-core/oxen-dev-win-LATEST.zip"
elif [ "$OS" == "macOS" ]; then
ASSET_URL="https://oxen.rocks/oxen-io/oxen-core/oxen-dev-macos-LATEST.tar.xz"
else
echo "OS must be Linux, Windows or macOS"
exit 1
fi
echo "About to download the binaries"
curl -sL --fail \
-H "Accept: application/octet-stream" \
-o "${RENAME}" \
"$ASSET_URL"
echo "Oxen binaries downloaded"


@ -1,40 +0,0 @@
#!/bin/bash
# Source from: https://github.com/houqp/download-release-assets-action
set -e
if [ -z "$OS" ]; then
echo "OS must be set"
exit 1
fi
if [ -z "$RENAME" ]; then
RENAME="latest"
fi
REPO="oxen-io/oxen-core"
RELEASE="latest"
if [ "$OS" == "Linux" ]; then
FILE_NAME_REGEX="linux"
elif [ "$OS" == "Windows" ]; then
FILE_NAME_REGEX="win"
elif [ "$OS" == "macOS" ]; then
FILE_NAME_REGEX="macos"
else
echo "OS must be Linux, Windows or macOS"
exit 1
fi
ASSET_URL=$(curl -sL --fail \
-H "Accept: application/vnd.github.v3+json" \
-H "Authorization: Bearer ${GITHUB_TOKEN}" \
"https://api.github.com/repos/${REPO}/releases/${RELEASE}" \
| jq -r ".assets | .[] | select(.name | test(\"${FILE_NAME_REGEX}\")) | .url")
curl -sL --fail \
-H "Accept: application/octet-stream" \
-H "Authorization: Bearer ${GITHUB_TOKEN}" \
-o "${RENAME}" \
"$ASSET_URL"


@ -158,7 +158,7 @@ module.exports = function() {
appId: "com.oxen.electron-wallet", appId: "com.oxen.electron-wallet",
productName: "Oxen Electron Wallet", productName: "Oxen Electron Wallet",
copyright: "Copyright © 2018-2021 Oxen, 2018 Ryo Currency Project", copyright: "Copyright © 2018-2022 Oxen, 2018 Ryo Currency Project",
afterSign: "build/notarize.js", afterSign: "build/notarize.js",
artifactName: "oxen-electron-wallet-${version}-${os}.${ext}", artifactName: "oxen-electron-wallet-${version}-${os}.${ext}",
publish: "github", publish: "github",

tools/download-oxen-files.sh Executable file

@ -0,0 +1,40 @@
#!/bin/bash
if [ "$#" -ne 1 ] || [[ "$1" != http* ]]; then
cat <<EOF >&2
Usage: $0 URL -- download and extract an oxen-core build (typically from https://oxen.rocks)
Some common URLs:
https://oxen.rocks/oxen-io/oxen-core/oxen-stable-linux-LATEST.tar.xz
https://oxen.rocks/oxen-io/oxen-core/oxen-stable-win-LATEST.tar.xz
https://oxen.rocks/oxen-io/oxen-core/oxen-stable-macos-LATEST.tar.xz
https://oxen.rocks/oxen-io/oxen-core/oxen-dev-linux-LATEST.tar.xz
https://oxen.rocks/oxen-io/oxen-core/oxen-dev-win-LATEST.tar.xz
https://oxen.rocks/oxen-io/oxen-core/oxen-dev-macos-LATEST.tar.xz
EOF
exit 1
fi
if ! [ -f tools/download-oxen-files.sh ] || ! [ -d bin ]; then
echo "This script needs to be invoked from the oxen-electron-gui-wallet top-level project directory" >&2
exit 1
fi
tar=tar
if [[ "$($tar --version)" == bsdtar* ]]; then
tar=gtar
if ! command -v $tar; then
echo "GNU tar is required, but your tar is \`bsdtar' and \`gtar' doesn't work." >&2
echo "This is probably a mac; please install gnutar (e.g. via macports or homebrew)" >&2
exit 1
fi
fi
rm -f bin/oxen*
curl -sS "$1" | $tar --strip-components=1 -C bin -xJv --no-anchored oxend oxen-wallet-rpc
echo "Checking downloaded versions:"
echo -n "oxend: "; ./bin/oxend --version
echo -n "oxen-wallet-rpc: "; ./bin/oxen-wallet-rpc --version
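Review bot: the download line `curl -sS "$1" | $tar --strip-components=1 -C bin -xJv ...` drops the `--fail` flag that both deleted scripts used and the script has no `set -e` / `set -o pipefail`, so an HTTP error page from the host is piped into tar, `rm -f bin/oxen*` has already wiped the previous binaries, and the script carries on to run `./bin/oxend --version` against whatever is left. Suggest `set -eo pipefail` at the top and `curl -sSfL "$1"` so a failed fetch aborts before the extraction step. The binaries are also executed immediately after download with no integrity check; if the host publishes a checksum or signature for these archives, verifying it before `tar` runs would be worth adding, and if it does not, the usage text should at least say the download is unverified. Minor: the usage text lists `oxen-stable-win-LATEST.tar.xz` whereas the deleted script fetched `oxen-dev-win-LATEST.zip`; please confirm the `.tar.xz` Windows artifact exists, since the `-xJ` extraction here cannot handle a zip.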