MacOS Notarization

dpwatrous · gingi · commit 3e857d61ccde · 2023-06-12T21:44:32.000-04:00
Notarizes the MacOS build of the desktop app for distribution on MacOS 10.15 and later. Fixes #2182
diff --git a/.vsts/darwin/distribution.yml b/.vsts/darwin/distribution.yml
@@ -14,6 +14,23 @@ steps:
     displayName: Build packages
 
   - script: |
+      set -e
+      dir=$(Agent.TempDirectory)
+      keychain=$dir/buildagent.keychain
+      security create-keychain -p pwd $keychain
+      security default-keychain -s $keychain
+      security unlock-keychain -p pwd $keychain
+      echo "$(apple-developer-certificate)" | base64 -D > $dir/cert.p12
+      security import $dir/cert.p12 -k $keychain -P "$(apple-developer-certificate-key)" -T /usr/bin/codesign
+      security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k pwd $keychain
+
+      echo "##vso[task.setvariable variable=CSC_LINK]$dir/cert.p12
+      echo "##vso[task.setvariable variable=CSC_KEY_PASSWORD]$(apple-developer-certificate-key)
+    displayName: Prepare Apple Developer certificate
+
+  - script: |
+      set -e
+      . "$(Agent.WorkFolder)/.venv/batchexplorer/bin/activate"
       npm run build-python
       npm run package darwin-app
       cd ./release/mac
@@ -25,24 +42,27 @@ steps:
     workingDirectory: desktop
     displayName: Build .app
 
-  - template: ./sign.yml
   - script: |
       set -e
       . "$(Agent.WorkFolder)/.venv/batchexplorer/bin/activate"
       unzip ./release/BatchExplorer*.zip -d ./release/mac
       ls ./release/mac
       rm -f ./release/mac/*.pkg
-      # rm -rf ./release/*.zip
-      mv ./release/*.zip ./release/code-sign-results.zip
       npm run package darwin-dmg
       rm -rf ./release/mac/*
     workingDirectory: desktop
     displayName: Build dmg
 
+  - template: ./sign.yml
+
+  - template: ./notarize.yml
+
   - script: npm run package darwin-manifest
     workingDirectory: desktop
     displayName: Create manifest
+
   - template: ../common/generate-sbom.yml
+
   - template: ../common/publish-artifacts.yml
     parameters:
       folder: darwin
diff --git a/.vsts/darwin/entitlements.plist b/.vsts/darwin/entitlements.plist
@@ -0,0 +1,12 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+	<key>com.apple.security.cs.allow-jit</key>
+	<true/>
+	<key>com.apple.security.cs.allow-unsigned-executable-memory</key>
+	<true/>
+	<key>com.apple.security.cs.disable-library-validation</key>
+	<true/>
+</dict>
+</plist>
diff --git a/.vsts/darwin/notarize.yml b/.vsts/darwin/notarize.yml
@@ -0,0 +1,21 @@
+steps:
+  - task: EsrpCodeSigning@2
+    inputs:
+      ConnectedServiceName: 'ESRP CodeSign'
+      FolderPath: ./desktop/release
+      Pattern: 'BatchExplorer-mac.zip,*.dmg'
+      signConfigType: inlineSignParams
+      inlineOperation: |
+        [
+          {
+            "KeyCode" : "CP-401337-Apple",
+            "OperationCode" : "MacAppNotarize",
+            "Parameters" : {
+              "BundleId": "com.microsoft.azure.BatchExplorer"
+            },
+            "ToolName" : "sign",
+            "ToolVersion" : "1.0"
+          }
+        ]
+      SessionTimeout: 120
+    displayName: Notarization
diff --git a/.vsts/darwin/sign.yml b/.vsts/darwin/sign.yml
@@ -1,22 +1,18 @@
 steps:
-  - task: UseDotNet@2
-    displayName: 'Use .NET Core sdk'
-    inputs:
-      packageType: sdk
-      version: 2.1.x
-
-  - task: SFP.build-tasks.custom-build-task-1.EsrpCodeSigning@1
+  - task: EsrpCodeSigning@2
     inputs:
       ConnectedServiceName: 'ESRP CodeSign'
       FolderPath: ./desktop/release
-      Pattern: 'BatchExplorer-mac.zip'
+      Pattern: 'BatchExplorer-mac.zip,*.dmg'
       signConfigType: inlineSignParams
       inlineOperation: |
         [
           {
             "keyCode": "CP-401337-Apple",
-            "operationSetCode": "MacAppDeveloperSign",
-            "parameters": [ ],
+            "operationCode": "MacAppDeveloperSign",
+            "parameters": {
+              "Hardening": "--options=runtime"
+            },
             "toolName": "sign",
             "toolVersion": "1.0"
           }
diff --git a/.vsts/distribution.yml b/.vsts/distribution.yml
@@ -39,6 +39,7 @@ stages:
           vmImage: macOS-11
           demands: xcode
         variables:
+          - group: BatchExplorer-Signing
           - name: EOCompliance-Mac
             value: true
         steps:
diff --git a/desktop/electron-builder.yml b/desktop/electron-builder.yml
@@ -1,8 +1,10 @@
 productName: "BatchExplorer"
-appId: "microsoft.azure.batch-explorer"
+appId: "com.microsoft.azure.BatchExplorer"
 
-# Package electron code into a asar archive. Set to false to debug issues.
+# Package electron code into a asar archive, except for .node binaries
+# (see https://github.com/electron-userland/electron-builder/issues/4656)
 asar: true
+asarUnpack: "**/*.node"
 
 files:
   - "build/"
@@ -31,6 +33,16 @@ protocols:
 # Mac OS configuration
 mac:
   icon: "src/app/assets/images/icon.icns"
+  target:
+    - "dmg"
+    - "zip"
+  hardenedRuntime: true
+  gatekeeperAssess: false
+  entitlements: "../.vsts/darwin/entitlements.plist"
+  entitlementsInherit: "../.vsts/darwin/entitlements.plist"
+  extendInfo:
+    # Required for hardening via ESRP
+    - CSFlags: 65536
 
 # Config for OSX dmg
 dmg:
