Merge pull request #303 from jagerman/mac-build-fixes
Mac packaging updates
commit
f19e28f930
63
BUILDING.md
|
@ -1,42 +1,43 @@
|
|||
# Building
|
||||
|
||||
Building oxen electron wallet binaries is done using github actions. Windows and linux binaries will build right out of the box but there are some extra steps needed for Mac OS
|
||||
Set up the supported versions of npm/node/etc.:
|
||||
|
||||
## Mac OS
|
||||
nvm use
|
||||
|
||||
The build script for Mac OS requires you to have a valid `Developer ID Application` certificate. Without this the build script cannot sign and notarize the mac binary which is needed for Catalina 10.15 and above.
|
||||
If you would like to disable this then comment out `"afterSign": "build/notarize.js",` in package.json.
|
||||
## Linux, Windows
|
||||
|
||||
You will also need an [App-specific password](https://support.apple.com/en-al/HT204397) for the apple account you wish to notarize with
|
||||
npm run build
|
||||
|
||||
### Setup
|
||||
## MacOS
|
||||
|
||||
Once you have your `Developer ID Application` you need to export it into a `.p12` file. Keep a note of the password used to encrypt this file as it will be needed later.
|
||||
If you don't care about signing (i.e. you are not going to distribute) then you should be able to
|
||||
simply `npm run build`.
|
||||
|
||||
We need to Base64 encode this file, so run the following command:
|
||||
When you want to distribute the app, however, you need to do a bunch of crap to satisfy Apple's
|
||||
arbitrary security theatre Rube Goldberg machine that purports to keep users safe but in reality is
|
||||
designed to further Apple lock-in control of the Apple ecosystem.
|
||||
|
||||
```
|
||||
base64 -i certificate.p12 -o encoded.txt
|
||||
```
|
||||
1. You have to pay Apple money (every year) to get a developer account.
|
||||
2. You need a `Developer ID Application` certificate, created and signed from the Apple, and loaded
|
||||
into your system keychain. `security find-identity -v` should show it.
|
||||
3. You need to create an [App-specific password](https://support.apple.com/en-al/HT204397) for the
|
||||
Apple developer account under which you are notarizing.
|
||||
4. In the project root, create a `.env` file with contents:
|
||||
|
||||
#### On GitHub:
|
||||
SIGNING_APPLE_ID=your-developer-id@example.com
|
||||
SIGNING_APP_PASSWORD=app-specific-password
|
||||
|
||||
1. Navigate to the main page of the repository.
|
||||
2. Under your repository name, click **Settings**.
|
||||
3. In the left sidebar, click **Secrets**.
|
||||
4. Add the following secrets:
|
||||
1. Certificate
|
||||
- Name: `MAC_CERTIFICATE`
|
||||
- Value: The encoded Base64 certificate
|
||||
2. Certificate password
|
||||
- Name: `MAC_CERTIFICATE_PASSWORD`
|
||||
- Value: The password that was set when the certificate was exported.
|
||||
3. Apple ID
|
||||
- Name: `SIGNING_APPLE_ID`
|
||||
- Value: The apple id (email) to use for signing
|
||||
4. Apple Password
|
||||
- Name: `SIGNING_APP_PASSWORD`
|
||||
- Value: The app-specific password that was generated for the apple id
|
||||
5. Team ID (Optional)
|
||||
- Name: `SIGNING_TEAM_ID`
|
||||
- Value: The apple team id if you're sigining the application for a team
|
||||
This password can be plaintext if absolutely needed (e.g. in a CI job) but should be a [keychain
|
||||
reference](https://github.com/electron/electron-notarize#safety-when-using-appleidpassword) such
|
||||
as `@keychain:some-token` for better security where feasible.
|
||||
|
||||
- If you have multiple ids and need to use a particular signing team ID you can add:
|
||||
|
||||
SIGNING_TEAM_ID=TEAMIDXYZ1
|
||||
|
||||
5. If building from a remote connection (e.g. ssh'd into a mac) then unlock the keychain for that
|
||||
session by running `security unlock`.
|
||||
|
||||
With all of that set up, your `npm run build` should produce a signed and notarized installer.
|
||||
Hopefully. Maybe. Sometimes Apple's servers are broken and you might have to try again. But don't
|
||||
worry, Apple's incompetence around signing makes everything more secure because... reasons.
|
||||
|
|
|
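Review bot: step 4 of the new macOS list tells the reader to put `SIGNING_APP_PASSWORD` in a `.env` file in the project root, but nothing here says that file must stay out of version control and off shared build hosts. Add that sentence next to the `@keychain:some-token` recommendation, and consider making the keychain form the example value instead of `app-specific-password`. In step 5, spell the command out as `security unlock-keychain`, which is the subcommand name the tool documents. The rewrite also appears to drop the `MAC_CERTIFICATE` / `MAC_CERTIFICATE_PASSWORD` secrets walkthrough, so say where CI signing is documented now, if anywhere.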
@ -36,11 +36,11 @@ exports.default = async function notarizing(context) {
|
|||
}
|
||||
|
||||
const options = {
|
||||
appBundleId: "com.oxen.electron-wallet",
|
||||
tool: "notarytool",
|
||||
appPath: `${appOutDir}/${appName}.app`,
|
||||
appleId: SIGNING_APPLE_ID,
|
||||
appleIdPassword: SIGNING_APP_PASSWORD
|
||||
};
|
||||
if (!isEmpty(SIGNING_TEAM_ID)) options.ascProvider = SIGNING_TEAM_ID;
|
||||
if (!isEmpty(SIGNING_TEAM_ID)) options.teamId = SIGNING_TEAM_ID;
|
||||
return notarize(options);
|
||||
};
|
||||
|
|
|
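Review bot: `tool: "notarytool"` and `options.teamId` only take effect if the installed notarize package knows those keys, and this function would not notice if they were ignored, because `options` is a plain object handed straight to `notarize(options)`. The package.json hunk in this same commit leaves `"electron-notarize": "^0.1.1"` on an unchanged context line, so confirm the resolved version supports both keys before merging. If it does not, the `options.ascProvider` line dropped here takes team selection with it and nothing in the build output will say so.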
@ -1,32 +0,0 @@
|
|||
#!/bin/bash
|
||||
|
||||
set -e
|
||||
|
||||
if [ -z "$OS" ]; then
|
||||
echo "OS must be set"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
if [ -z "$RENAME" ]; then
|
||||
RENAME="latest"
|
||||
fi
|
||||
|
||||
if [ "$OS" == "Linux" ]; then
|
||||
ASSET_URL="https://oxen.rocks/oxen-io/oxen-core/oxen-dev-linux-LATEST.tar.xz"
|
||||
elif [ "$OS" == "Windows" ]; then
|
||||
ASSET_URL="https://oxen.rocks/oxen-io/oxen-core/oxen-dev-win-LATEST.zip"
|
||||
elif [ "$OS" == "macOS" ]; then
|
||||
ASSET_URL="https://oxen.rocks/oxen-io/oxen-core/oxen-dev-macos-LATEST.tar.xz"
|
||||
else
|
||||
echo "OS must be Linux, Windows or macOS"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
echo "About to download the binaries"
|
||||
|
||||
curl -sL --fail \
|
||||
-H "Accept: application/octet-stream" \
|
||||
-o "${RENAME}" \
|
||||
"$ASSET_URL"
|
||||
|
||||
echo "Oxen binaries downloaded"
|
|
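Review bot: the Windows branch deleted here fetched `oxen-dev-win-LATEST.zip`, while the replacement script added later in this commit lists Windows URLs ending in `.tar.xz` and extracts only with `tar -xJ`. Confirm the Windows build is actually published as `.tar.xz`; if it is still a `.zip`, this deletion removes the only working Windows download path and the usage text in the new script points at URLs that will not resolve.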
@ -1,40 +0,0 @@
|
|||
#!/bin/bash
|
||||
# Source from: https://github.com/houqp/download-release-assets-action
|
||||
|
||||
set -e
|
||||
|
||||
if [ -z "$OS" ]; then
|
||||
echo "OS must be set"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
if [ -z "$RENAME" ]; then
|
||||
RENAME="latest"
|
||||
fi
|
||||
|
||||
REPO="oxen-io/oxen-core"
|
||||
RELEASE="latest"
|
||||
|
||||
if [ "$OS" == "Linux" ]; then
|
||||
FILE_NAME_REGEX="linux"
|
||||
elif [ "$OS" == "Windows" ]; then
|
||||
FILE_NAME_REGEX="win"
|
||||
elif [ "$OS" == "macOS" ]; then
|
||||
FILE_NAME_REGEX="macos"
|
||||
else
|
||||
echo "OS must be Linux, Windows or macOS"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
|
||||
ASSET_URL=$(curl -sL --fail \
|
||||
-H "Accept: application/vnd.github.v3+json" \
|
||||
-H "Authorization: Bearer ${GITHUB_TOKEN}" \
|
||||
"https://api.github.com/repos/${REPO}/releases/${RELEASE}" \
|
||||
| jq -r ".assets | .[] | select(.name | test(\"${FILE_NAME_REGEX}\")) | .url")
|
||||
|
||||
curl -sL --fail \
|
||||
-H "Accept: application/octet-stream" \
|
||||
-H "Authorization: Bearer ${GITHUB_TOKEN}" \
|
||||
-o "${RENAME}" \
|
||||
"$ASSET_URL"
|
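Review bot: both deleted scripts took `OS` and `RENAME` from the environment (and this one `GITHUB_TOKEN`), whereas the replacement takes a single URL argument and extracts into `bin/`, yet no caller is updated in the hunks shown. List the workflow or packaging steps that invoked these scripts and update them in this commit, and drop `GITHUB_TOKEN` from any step that only passed it for this download, since the new path does not authenticate.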
File diff suppressed because it is too large
|
@ -48,7 +48,7 @@
|
|||
"devtron": "^1.4.0",
|
||||
"dotenv": "^8.1.0",
|
||||
"electron": "^4.1.1",
|
||||
"electron-builder": "^22.4.1",
|
||||
"electron-builder": "^23.0.3",
|
||||
"electron-debug": "^2.1.0",
|
||||
"electron-devtools-installer": "^2.2.4",
|
||||
"electron-notarize": "^0.1.1",
|
||||
|
|
|
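Review bot: `electron-builder` moves a major version to `^23.0.3` while `"electron-notarize": "^0.1.1"` stays untouched on the context line, and a caret range on a 0.1.x version admits only 0.1.x releases. The notarize.js change to `tool: "notarytool"` therefore depends on whatever version is actually resolved. One file's diff is suppressed on this page as too large; if that is the lockfile, state the resolved `electron-notarize` version in the PR description, or bump the range in this hunk so the dependency and the options that rely on it change together.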
@ -158,7 +158,7 @@ module.exports = function() {
|
|||
|
||||
appId: "com.oxen.electron-wallet",
|
||||
productName: "Oxen Electron Wallet",
|
||||
copyright: "Copyright © 2018-2021 Oxen, 2018 Ryo Currency Project",
|
||||
copyright: "Copyright © 2018-2022 Oxen, 2018 Ryo Currency Project",
|
||||
afterSign: "build/notarize.js",
|
||||
artifactName: "oxen-electron-wallet-${version}-${os}.${ext}",
|
||||
publish: "github",
|
||||
|
|
|
@ -0,0 +1,40 @@
|
|||
#!/bin/bash
|
||||
|
||||
if [ "$#" -ne 1 ] || [[ "$1" != http* ]]; then
|
||||
cat <<EOF >&2
|
||||
Usage: $0 URL -- download and extract an oxen-core build (typically from https://oxen.rocks)
|
||||
|
||||
Some common URLs:
|
||||
https://oxen.rocks/oxen-io/oxen-core/oxen-stable-linux-LATEST.tar.xz
|
||||
https://oxen.rocks/oxen-io/oxen-core/oxen-stable-win-LATEST.tar.xz
|
||||
https://oxen.rocks/oxen-io/oxen-core/oxen-stable-macos-LATEST.tar.xz
|
||||
|
||||
https://oxen.rocks/oxen-io/oxen-core/oxen-dev-linux-LATEST.tar.xz
|
||||
https://oxen.rocks/oxen-io/oxen-core/oxen-dev-win-LATEST.tar.xz
|
||||
https://oxen.rocks/oxen-io/oxen-core/oxen-dev-macos-LATEST.tar.xz
|
||||
EOF
|
||||
exit 1
|
||||
fi
|
||||
|
||||
if ! [ -f tools/download-oxen-files.sh ] || ! [ -d bin ]; then
|
||||
echo "This script needs to be invoked from the oxen-electron-gui-wallet top-level project directory" >&2
|
||||
exit 1
|
||||
fi
|
||||
|
||||
tar=tar
|
||||
if [[ "$($tar --version)" == bsdtar* ]]; then
|
||||
tar=gtar
|
||||
if ! command -v $tar; then
|
||||
echo "GNU tar is required, but your tar is \`bsdtar' and \`gtar' doesn't work." >&2
|
||||
echo "This is probably a mac; please install gnutar (e.g. via macports or homebrew)" >&2
|
||||
exit 1
|
||||
fi
|
||||
fi
|
||||
|
||||
rm -f bin/oxen*
|
||||
|
||||
curl -sS "$1" | $tar --strip-components=1 -C bin -xJv --no-anchored oxend oxen-wallet-rpc
|
||||
|
||||
echo "Checking downloaded versions:"
|
||||
echo -n "oxend: "; ./bin/oxend --version
|
||||
echo -n "oxen-wallet-rpc: "; ./bin/oxen-wallet-rpc --version
|
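Review bot: the download line `curl -sS "$1" | $tar ... -xJv` runs without `--fail`, `-L` or `set -o pipefail`, right after `rm -f bin/oxen*`, so an HTTP error or redirect body is piped into tar with the old binaries already gone, and the script carries on to execute `./bin/oxend --version`. The argument check `"$1" != http*` also accepts plain `http://` URLs, and the extracted binaries are run with no checksum or signature verification. Suggest `set -euo pipefail`, requiring `https://*`, `curl -fsSL` to a temporary file, verifying a published hash before extracting, and only then replacing `bin/oxen*`. Minor: `command -v $tar` prints the resolved path on success; redirect it to `/dev/null`.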