Notarize macOS app

.github/workflows/release.yml

@@ -28,9 +28,20 @@ jobs:
           # Log in to Snap Store
           snapcraft_token: ${{ secrets.snapcraft_token }}
 
+      - name: Prepare for app notarization (macOS)
+        if: startsWith(matrix.os, 'macos')
+        # Import Apple API key for app notarization on macOS
+        run: |
+          mkdir -p ~/private_keys/
+          echo '${{ secrets.apple_api_key }}' > ~/private_keys/AuthKey_${{ secrets.apple_api_key_id }}.p8
+
       - name: Build/release Electron app
         uses: samuelmeuli/action-electron-builder@v1
         with:
+          # macOS notarization API key
+          apple_api_key_id: ${{ secrets.apple_api_key_id }}
+          apple_api_key_issuer: ${{ secrets.apple_api_key_issuer }}
+
           # GitHub token, automatically provided to the action
           # (No need to define this secret in the repo settings)
           github_token: ${{ secrets.github_token }}

build/entitlements.mac.plist

@@ -0,0 +1,10 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+	<key>com.apple.security.cs.allow-jit</key>
+	<true/>
+	<key>com.apple.security.cs.allow-unsigned-executable-memory</key>
+	<true/>
+</dict>
+</plist>

package.json

@@ -96,7 +96,7 @@
 		"css-loader": "^3.0.0",
 		"electron": "^6.0.12",
 		"electron-builder": "^22.1.0",
-		"env-cmd": "^10.0.1",
+		"electron-notarize": "^0.2.0",
 		"eslint": "6.5.1",
 		"eslint-config-airbnb": "18.0.1",
 		"eslint-config-prettier": "^6.4.0",
@@ -215,6 +215,10 @@
 	},
 	"build": {
 		"appId": "com.samuelmeuli.minidiary",
+		"files": [
+			"!**/*",
+			"./bundle/**/*"
+		],
 		"extraResources": [
 			{
 				"from": "./bundle/licenses-main.txt",
@@ -225,11 +229,8 @@
 				"to": "./licenses-renderer.txt"
 			}
 		],
-		"files": [
-			"!**/*",
-			"./bundle/**/*"
-		],
 		"afterPack": "./scripts/after-pack.js",
+		"afterSign": "./scripts/notarize.js",
 		"mac": {
 			"category": "public.app-category.lifestyle",
 			"darkModeSupport": true,
@@ -258,7 +259,11 @@
 				"pt_PT",
 				"tr",
 				"zh"
-			]
+			],
+			"entitlements": "./build/entitlements.mac.plist",
+			"entitlementsInherit": "./build/entitlements.mac.plist",
+			"hardenedRuntime": true,
+			"gatekeeperAssess": false
 		},
 		"linux": {
 			"category": "Utility"

scripts/notarize.js

@@ -0,0 +1,17 @@
+/* eslint-disable */
+
+const { notarize } = require("electron-notarize");
+const pkg = require("../package.json");
+
+exports.default = async context => {
+	const { appOutDir, electronPlatformName } = context;
+
+	if (electronPlatformName === "darwin") {
+		return notarize({
+			appBundleId: pkg.build.appId,
+			appPath: `${appOutDir}/${pkg.productName}.app`,
+			appleApiKey: process.env.INPUT_APPLE_API_KEY_ID,
+			appleApiIssuer: process.env.INPUT_APPLE_API_KEY_ISSUER,
+		});
+	}
+};

yarn.lock

@@ -2860,11 +2860,6 @@ commander@^2.11.0, commander@^2.20.0, commander@~2.20.3:
   resolved "https://registry.yarnpkg.com/commander/-/commander-2.20.3.tgz#fd485e84c03eb4881c20722ba48035e8531aeb33"
   integrity sha512-GpVkmM8vF2vQUkj2LvZmD35JxeJOLCwJ9cUkugyk2nuhbv3+mJvpLYYt+0+USMxE+oj+ey/lJEnhZw75x/OMcQ==
 
-commander@^3.0.0:
-  version "3.0.2"
-  resolved "https://registry.yarnpkg.com/commander/-/commander-3.0.2.tgz#6837c3fb677ad9933d1cfba42dd14d5117d6b39e"
-  integrity sha512-Gar0ASD4BDyKC4hl4DwHqDrmvjoxWKZigVnAbn5H1owvm4CxCPdb0HQDehwNYMJpla5+M2tPmPARzhtYuwpHow==
-
 commander@~2.19.0:
   version "2.19.0"
   resolved "https://registry.yarnpkg.com/commander/-/commander-2.19.0.tgz#f6198aa84e5b83c46054b94ddedbfed5ee9ff12a"
@@ -3664,6 +3659,14 @@ electron-md-to-pdf@^2.0.0:
     "@types/showdown" "^1.9.3"
     showdown "^1.9.0"
 
+electron-notarize@^0.2.0:
+  version "0.2.0"
+  resolved "https://registry.yarnpkg.com/electron-notarize/-/electron-notarize-0.2.0.tgz#676c71688ee84149bab27b22426d0a9452e7e262"
+  integrity sha512-u3KdEMOEcGMF9yCML8ej4ZF+O29VmGYIjrs/DoOi23neTWOMiIc5YCeFs4vxq3JG496omcw7Y5pimPm0sH9A7g==
+  dependencies:
+    debug "^4.1.1"
+    fs-extra "^8.1.0"
+
 [email protected]:
   version "21.2.0"
   resolved "https://registry.yarnpkg.com/electron-publish/-/electron-publish-21.2.0.tgz#cc225cb46aa62e74b899f2f7299b396c9802387d"
@@ -3824,14 +3827,6 @@ entities@^2.0.0:
   resolved "https://registry.yarnpkg.com/entities/-/entities-2.0.0.tgz#68d6084cab1b079767540d80e56a39b423e4abf4"
   integrity sha512-D9f7V0JSRwIxlRI2mjMqufDrRDnx8p+eEOz7aUM9SuvF8gsBzra0/6tbjl1m8eQHrZlYj6PxqE00hZ1SAIKPLw==
 
-env-cmd@^10.0.1:
-  version "10.0.1"
-  resolved "https://registry.yarnpkg.com/env-cmd/-/env-cmd-10.0.1.tgz#bcaedad78a0172c62113890dd4efec36d2ba0775"
-  integrity sha512-vaV0BRwj+6+fd8NmcvSoRhrTxQl07fS3jxIdPYe7d+NlJj4hV/FSMmWcKau/qpbe5jeFdDI757//ToJW70ad2Q==
-  dependencies:
-    commander "^3.0.0"
-    cross-spawn "^6.0.0"
-
 env-paths@^1.0.0:
   version "1.0.0"
   resolved "https://registry.yarnpkg.com/env-paths/-/env-paths-1.0.0.tgz#4168133b42bb05c38a35b1ae4397c8298ab369e0"