Support notarizing Apple's "installer packages" (.pkg files). #60
Comments
💯 yes |
@MarshallOfSound If I correctly understood, currently electron-notarize only can notarize zip files and not installer files like .dmg? 🤔 |
@MarshallOfSound I'd like to work on this PR. Does this design sound OK to you?
That way we can support notarizing all the file types. Alternately we could just add a simple @GiancarlosIO currently electron-notarize only supports .app files. |
Hello When I build the dist with
HOWEVER I've been talking to the electron-builder guys. They say they delegate in Then I found this thread and called my attention Regards 🙏 |
@daniboomerang It's been a while since I've looked at this but IIRC it is possible to notarize a pkg file. Here is a tutorial of how to manually notarize a pkg file using the same tool that this package does (legacy code-path): I couldn't access the errors you linked to but I have seen something on apple's forums re: scripts causing issues with notarization: Re: notarizing pkg files with this package specifically, we should be able to get this package notarizing non-app files with some simple/moderate changes. I think the main culprit is just the assumption that the input file is an app file, such as seen here: |
Hi @alanning I looked at the tutorial you shared. I was researching a lot on my own and came up with a very similar approach but using notary tool instead of altool. Unfortunately the result after following the altool tutorial is
The 3 approaches I have tried have promising results as 1) I always get a correctly signed
2) I manage to submit the file to apple service (APPLE SPECIFIC PASSWORD, CERTIFICATES AND SO ON ARE NOT AN ISSUE)
The 3 approaches end up with the same problem
As explained in the electron builder repository It looks like the pkg file has some stuff in their internal files that are not right for apple... Any ideas...? |
@alanning also I wonder...the solution you provided me is about using apple Electron builder guy just answered me questioning the |
@daniboomerang OK, here's the steps I would recommend:
For what it's worth I used electron-builder for our company, outputting both a DMG and a PKG, then manually notarizing the PKG. Once you have gotten through Step 4 and are working on Step 5... Just a guess but I suspect the issue you are running into is that the contents of the pkg need to be notarized in addition to the pkg itself. Seems like something I read about before but I don't have a source. One reference I found talked about having to specify binaries and "extraResources" as part of the build config so may be something for you to look into: |
PR #95 allows any file extension with notarytool. Similar changes may allow the same support with the legacy tool |
@alanning
Doesn't this mean that the @alanning you said
Could you share with me how do you exactly generate that PKG file? Do you use electron-builder? which options? @alanning I have also pushed my hello world example Do you think you could have a look at my configuration? Or even try to notarize it manually? |
Hello @devsibwarra Do you mean that before electron notarize didn't support pkg files and now it does? Thanks |
@daniboomerang I ran into this issue and the linked PR when searching for a way to notarize my PKG file built by Regarding #60 (comment) and your previous comment with the notarization errors, it feels like the underlying files are not completely code signed before being rolled into the PKG file. I'm not familiar with how electron-builder handles the signing, but it looks to be using
The ElectronJS Community Discord may be a better area for help |
@daniboomerang I'm happy to report that I was able to successfully notarize the example Electron app from your repo above using the manual method outlined here:
The only changes I made were in package.json:
Running Then I followed the steps in the linked tutorial and after signing the apple docs again (because there are always new versions to sign) requesting the notarization worked. So the good news is that the process works as expected with the demo electron app. If you are having trouble with it locally I would suggest first trying on a different machine just to see if that makes a difference. And then if it's still not working try looking into what certificate you are signing with. I used my company's cert so if you are trying with a personal one maybe that is causing issues? |
Thanks so much @alanning !! Just tried again
Certificates should be fine!
I will try in a different environment. But...One question... Thanks a lot @alanning for trying this! |
This is actually a very important question @alanning |
@daniboomerang Looks like the issue is the signing step for you. From your last screenshot it looks like electron-builder is not able to find the proper cert to sign the app with. The app that is bundled up in the PKG file also needs to be signed by electron-builder. Here's what it looked like for me:
Other, not as important stuff:
|
My god. I did it alanning What I was missing was the Developer ID Application certificate Thanks to electron notarize I have now my *.app file signed and notarized Here is my code
However my I'd love if I could include the notarization request for the generated Is that possible? Do you know the best way to do that? @alanning @devsibwarra Thanks guys! |
Hi all,

```js
/* eslint-disable @typescript-eslint/no-var-requires */
require("dotenv").config();
const { spawn } = require("node:child_process");
const os = require("os");

exports.default = async function notarizing(context) {
  const { artifactPaths } = context;
  if (os.platform() !== "darwin") {
    console.log("Not notarizing app because not running on MacOS.");
    return;
  }
  console.log("Notarizing app...");
  const filename = artifactPaths.find((p) => p.endsWith(".pkg"));
  if (!filename) {
    console.log("Could not find pkg artifact. Exit");
    process.exit(1);
  }
  console.log(`Found artifact: ${filename}`);
  // Credentials and paths are passed as separate arguments (no shell), so
  // spaces or quotes in them cannot break or alter the command.
  const auth = [
    "--apple-id", process.env.APPLEID_EMAIL,
    "--password", process.env.APPLEID_PASSWORD,
    "--team-id", process.env.APPLEID_TEAM_ID,
  ];
  const content = await exec("xcrun", ["notarytool", "submit", filename, ...auth, "--wait"]);
  // The submission id is the first UUID printed by notarytool.
  const match = content.match(/[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/);
  if (!match) {
    throw new Error("Could not find a submission id in the notarytool output.");
  }
  const uuid = match[0];
  await exec("xcrun", ["notarytool", "log", uuid, ...auth]);
  await exec("xcrun", ["stapler", "staple", filename]);
  console.log("App notarized successfully.");
};

function exec(cmd, args) {
  return new Promise((resolve, reject) => {
    // Log the command with the password masked so it stays out of build logs.
    const shown = args.map((a) => (a === process.env.APPLEID_PASSWORD ? "********" : a));
    console.log([cmd, ...shown].join(" "));
    const proc = spawn(cmd, args);
    const chunks = [];
    proc.stdout.on("data", (data) => {
      console.log(data.toString());
      chunks.push(data);
    });
    proc.stderr.on("data", (data) => {
      console.error(data.toString());
      chunks.push(data);
    });
    proc.on("error", reject);
    proc.on("close", (code) => {
      console.log(`Process exited with code ${code}.`);
      const output = Buffer.concat(chunks).toString("utf8");
      // A failed step must stop the hook instead of reporting success.
      if (code === 0) resolve(output);
      else reject(new Error(`${cmd} ${args[0]} exited with code ${code}.`));
    });
  });
}
```

Note that this must be called in the "afterAllArtifactBuild": "notarize.js", Hope that helps someone 👍 |
Hm, as I just found out, this introduces two new problems:
tracked in electron-userland/electron-builder#7145 |
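The `afterAllArtifactBuild` script above fetches `notarytool log` but only prints it. The following is an added example, not code from this thread or from electron-notarize: it turns that JSON log into a staple/no-staple decision and a per-file list of problems, which is where unsigned binaries inside a PKG show up. The function names are hypothetical and the sample log (job id, paths, warning text) is constructed.

```javascript
// Added example. SAMPLE_LOG is constructed; jobId and paths are placeholders.
const SAMPLE_LOG = JSON.stringify({
  logFormatVersion: 1,
  jobId: "00000000-0000-0000-0000-000000000000",
  status: "Invalid",
  statusSummary: "Archive contains critical validation errors",
  archiveFilename: "Example.pkg",
  issues: [
    { severity: "error", architecture: "x86_64",
      path: "Example.pkg/Payload/Example.app/Contents/MacOS/Example",
      message: "The binary is not signed with a valid Developer ID certificate." },
    { severity: "error", architecture: "x86_64",
      path: "Example.pkg/Payload/Example.app/Contents/MacOS/Example",
      message: "The signature does not include a secure timestamp." },
    { severity: "warning", architecture: "x86_64",
      path: "Example.pkg/Payload/Example.app/Contents/Resources/helper",
      message: "Constructed warning text." },
  ],
});

// Parse the JSON printed by `xcrun notarytool log <id>` and group issues by file.
function summarizeNotaryLog(jsonText) {
  const log = JSON.parse(jsonText);
  // "issues" is null, not an empty array, when there is nothing to report.
  const issues = Array.isArray(log.issues) ? log.issues : [];
  const byPath = new Map();
  for (const { path, severity, message } of issues) {
    const entry = byPath.get(path) || { errors: [], warnings: [] };
    (severity === "error" ? entry.errors : entry.warnings).push(message);
    byPath.set(path, entry);
  }
  const errorCount = issues.filter((i) => i.severity === "error").length;
  return {
    jobId: log.jobId,
    status: log.status,
    errorCount,
    // Only an accepted submission has a ticket for `stapler staple` to attach.
    okToStaple: log.status === "Accepted" && errorCount === 0,
    byPath,
  };
}

// One line per file, files with errors first: these are what to re-sign before repackaging.
function formatReport(summary) {
  return [...summary.byPath.entries()]
    .sort((a, b) => b[1].errors.length - a[1].errors.length)
    .map(([path, e]) =>
      `${e.errors.length}E/${e.warnings.length}W ${path}: ${[...e.errors, ...e.warnings].join(" | ")}`);
}
```

In a build hook, call `summarizeNotaryLog` on the output of the `notarytool log` step and run `stapler staple` only when `okToStaple` is true.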
It seems using |
PR for support file: #154. |
Closed in #169 |
In a sub-article to Apple's "Notarizing macOS Software Before Distribution" article, called "Customizing the Notarization Workflow", Apple says this:
An "installer package" or a "flat installer package" is a `.pkg` file, it seems (article). Would you accept a PR that lets `electron-notarize` easily handle `.pkg` files?
`electron-builder` is easily configurable to output a signed `.pkg` file (doc), and notarizing it seems to be the natural thing to do. If I download and try to open a `.pkg` that hasn't been notarized, I get this message:
And I get no such message with a `.pkg` that has been notarized (more manually, with these steps, except using Xcode 12 instead of Xcode 10).