feat: add codesign verification and assessment prior to notarizing

[jonluca]

Prior to stapling, we should run an spctl --assess and codesign check to verify that the stapling will work. This caused major issues for us twice - electron builder would modify some files in the build, and that was causing stapling and notarization to fail. This will verify that the app is signed properly.

One potential change is to only run these if stapling fails - open to suggestions on that.

[erickzhao]

Merged in the main branch to try to kick CI

[dsanders11]

Looks like lint is failing. I also pushed a change to turn an import type into just import - I think the version of prettier on this repo is too old to understand that syntax.

[dsanders11]

@jonluca, I think you need to log out of CircleCI and back in again, then push something to trigger CI (empty commit should do it). This is the CircleCI run associated with your last push. Happens from time to time with CircleCI unfortunately.

⚠️ Could not find a usable config.yml, you may have revoked the CircleCI OAuth app.
Please sign out of CircleCI and log back in with your VCS before triggering a new pipeline.

[jonluca]

done!

[felixrieseberg]

This looks good!

@jonluca Thanks for adding this 🙇

[continuous-auth]

🎉 This PR is included in version 2.2.0 🎉

The release is available on:

• npm package (@latest dist-tag)
• GitHub release

Your semantic-release bot 📦🚀

[DanielMcAssey]

This has broken our .pkg signing, it throws an error, where it was working before (Using a patch to sign pkg's and dmg's)

[jonluca]

@DanielMcAssey what is the error? If spctl or codesign return non-zero exit codes that implies there were issues with the bundle, so I'd be interested if it's a warning or something idiosyncratic

I'll prep a revert in the meantime though

[DanielMcAssey]

So its a non-zero error, error code 1 ***.pkg: code object is not signed at all.

[erickzhao]

@DanielMcAssey is the patch that you have the same as #154?

[DanielMcAssey]

@DanielMcAssey is the patch that you have the same as #154?

See attachment, pretty much, slight variation, it specifically checks for .dmg and .pkg, instead of doing fs.stat.

NOTE: patch below also removes the sig check, temporarily.

@electron+notarize+2.2.0.patch

[dlmartens]

I'm getting the same error for my signed installer ".pkg." (code object is not signed at all)

It looks like codesign cannot verify the signature of an installer package. Without this check, my installer is able to be notarized without a problem. I can verify its signature with pkgutil --check-signature installer.pkg, which returns a non-zero exit code on verification error.

This same installer package can be notarized without issue with "@electron/notarize": "2.1.0".