[PM-33578] Mac OS arm builds #1077
…rate from keytar. Update .gitignore for Rust artifacts, adjust package.json for new build scripts, and modify workflows for native module compilation. Enhance state versioning to support migration of credentials from keytar to desktop_core.
…Script configurations and package dependencies. Refactor native binding logic and enhance error handling. Remove legacy keytar references and adjust package-lock.json for new native module structure.
…removing unnecessary semicolons. Update build scripts in package.json to exclude JavaScript during native module compilation.
…ule directly in the renderer process, removing the need for the credential storage listener. Update TypeScript definitions and enhance error handling in password management functions. Adjust Cargo dependencies and versions for improved compatibility.
… into ac/pm-12436-replace-node-keytar-sonnet-attempt
…tory-connector into ac/pm-12436-replace-node-keytar-sonnet-attempt
… desktop_core for consistency in error messaging.
… to ensure clean state management.
| // Shim: proper-lockfile expects require('signal-exit') to return the onExit function | ||
| // directly (signal-exit v3 behavior). signal-exit v4 uses named exports only. | ||
| // This shim re-exports the function as the module default. |
Can you help me understand this? Presumably proper-lockfile depends on signal-exit v3, not v4; why are we using v4 with a shim instead of v3?
I asked Claude and it said that webpack flattens dependencies, but that would be pretty drastic behavior so I'm not sure about that answer - but happy to be wrong if this is what you've verified. If that is the case - is there any way to override this and package both?
It would be better to use the correct dependency version, as we don't know what other breaking changes there may be.
afaik it's purely a transitive dependency b/c proper-lockfile ships their own v3 bundled into their app, so we can't control it. Other deps bundle v4 so we can't blanket change over to v3. But I think the better alternative is aliasing directly to the version in proper-lockfile's node_modules maybe. I'll see if I can get it working without this "shim" as I was already not a fan of this.
| // ships its own nested v3. Point webpack directly at that copy. | ||
| "signal-exit": path.resolve( | ||
| __dirname, | ||
| "node_modules/proper-lockfile/node_modules/signal-exit/index.js", |
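Review bot: the `signal-exit` alias here points at a hard-coded path under `node_modules/proper-lockfile/node_modules/`, which exists only while npm keeps that copy nested; a lockfile change that hoists or dedupes it turns this entry into a build-time resolution failure. An alias keyed on the bare package name also applies to every `signal-exit` import in the bundle, not only the one made by proper-lockfile, so code written against the v4 named exports would receive the v3 module. Suggest scoping the redirect to requests that originate from proper-lockfile, and failing the build with a clear message when the nested file is missing.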
@eliykat I think this ends up being a global alias (including for deps that expect v4) but the build passes in CI and the app seems fine. I didn't think this would work but apparently it does, but I'm not sure why. I'll follow up if I figure it out.
edit: this breaks login functionality (b/c that's where we use inquirer, which uses v4 I believe)
| execFileSync("codesign", ["--sign", "-", "--force", outputBinary], { | ||
| stdio: "inherit", | ||
| }); | ||
| } |
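Review bot: `--sign -` in this `codesign` call produces an ad-hoc signature, which carries no signing identity, so it cannot stand in for a Developer ID signature on a release artifact; a comment should state that this path is for local or CI packaging and where release builds get re-signed. The call also signs only `outputBinary`, so any other Mach-O file placed beside it needs its own signing step. Because `--force` replaces an existing signature without notice, consider following the call with a `codesign --verify` on the same path.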
Do the native modules need to be code signed? The bwdc binary gets signed (line 76), but the native .node modules that get copied to the output directory (lines 64-69) don't appear to be signed.
On macOS, unsigned binaries can potentially trigger Gatekeeper warnings, something like "cannot be opened because the developer cannot be verified" etc.
Some of this was going to be handled in #1051, but I've decided to roll it into this PR because they fit nicely together.
The native module did indeed need to be signed; the latest changes should have that set now. The build artifacts in https://github.com/bitwarden/directory-connector/actions/runs/24476942691/job/71531511465?pr=1078 show this working.
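A post-build check for the gap raised in the signing thread above, as an added example that is not part of the PR or the project's code: it walks a packaged output directory, picks out Mach-O files by their magic bytes (which catches `*.node` addons as well as the main binary), and reports any that fail signature verification. The function names are assumptions; the default verifier shells out to `codesign --verify --strict` and only works on macOS, so the verifier is injectable.

```javascript
// Added example, not code from the PR; function names are assumptions.
const fs = require("node:fs");
const path = require("node:path");
const { execFileSync } = require("node:child_process");

// First four bytes of a Mach-O file as stored on disk: thin 32-bit,
// thin 64-bit, and fat (universal) images.
const MACHO_MAGICS = new Set(["cefaedfe", "cffaedfe", "cafebabe"]);

function isMachO(file) {
  const fd = fs.openSync(file, "r");
  try {
    const head = Buffer.alloc(4);
    const n = fs.readSync(fd, head, 0, 4, 0);
    return n === 4 && MACHO_MAGICS.has(head.toString("hex"));
  } finally {
    fs.closeSync(fd);
  }
}

// Default verifier (macOS only): codesign exits non-zero when the
// signature is missing or invalid, which execFileSync turns into a throw.
function codesignVerify(file) {
  try {
    execFileSync("codesign", ["--verify", "--strict", file], { stdio: "ignore" });
    return true;
  } catch {
    return false;
  }
}

// Return the relative paths of Mach-O files under outDir that fail verify().
function findUnsigned(outDir, verify = codesignVerify) {
  const failed = [];
  const walk = (dir) => {
    for (const entry of fs.readdirSync(dir, { withFileTypes: true })) {
      const full = path.join(dir, entry.name);
      if (entry.isDirectory()) walk(full);
      else if (entry.isFile() && isMachO(full) && !verify(full)) {
        failed.push(path.relative(outDir, full));
      }
    }
  };
  walk(outDir);
  return failed.sort();
}
```

Run as a CI step after packaging, a non-empty result from `findUnsigned` is a reason to fail the job before artifacts are uploaded.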

🎟️ Tracking
https://bitwarden.atlassian.net/browse/PM-33578
📔 Objective
Summary
This PR adds native macOS ARM64 (Apple Silicon) support for both the CLI and GUI builds. It also replaces pkg with Node.js SEA (Single Executable Applications).

Key Changes

macOS ARM64 Support
- macos-arm64-cli and macos-arm64-gui CI jobs running on macos-15 (Apple Silicon runners)
- pack:cli:mac:arm64, dist:cli:mac:arm64, dist:mac:arm64, and pack:mac:arm64 npm scripts
- electron-builder.json to use ${arch} in artifact names so x64 and ARM64 artifacts are distinguishable (e.g. Bitwarden-Connector-X.Y.Z-arm64.dmg)
- resources/entitlements.mac.plist required for Apple Silicon code signing

CLI Packaging: pkg → Node.js SEA
- pkg with a custom scripts/pack-sea.mjs script using Node.js SEA (Single Executable Applications)
- node-sea-base/) as SEA base to avoid issues with Homebrew/nvm-installed binaries
- bwdc (launcher script), node, bwdc.js, and *.node native addon
- dist-cli/<platform>/*) to include all bundle files

📸 Screenshots