Merge 'dbkr/windows_signing' into v1.5.0

electron_app/riot.im/env.sh

@@ -0,0 +1 @@
+export OSSLSIGNCODE_SIGNARGS='-pkcs11module /Library/Frameworks/eToken.framework/Versions/Current/libeToken.dylib -pkcs11engine /usr/local/lib/engines/engine_pkcs11.so -certs electron_app/riot.im/New_Vector_Ltd.pem -key 0a3271cbc1ec0fd8afb37f6bbe0cd65ba08d3b4d -t http://timestamp.comodoca.com -h sha256 -verbose'

package.json

@@ -111,6 +111,7 @@
     "electron-builder": "^21.2.0",
     "electron-builder-squirrel-windows": "^21.2.0",
     "electron-devtools-installer": "^2.2.4",
+    "electron-notarize": "^0.1.1",
     "eslint": "^5.8.0",
     "eslint-config-google": "^0.7.1",
     "eslint-plugin-babel": "^4.1.2",
@@ -145,6 +146,7 @@
     "postcss-simple-vars": "^4.1.0",
     "postcss-strip-inline-comments": "^0.1.5",
     "rimraf": "^2.4.3",
+    "shell-escape": "^0.2.0",
     "source-map-loader": "^0.2.4",
     "webpack": "^4.23.1",
     "webpack-cli": "^3.1.2",
@@ -188,6 +190,7 @@
       "buildResources": "electron_app/build",
       "output": "electron_app/dist",
       "app": "electron_app"
-    }
+    },
+    "afterSign": "scripts/electron_afterSign.js"
   }
 }

scripts/electron-package.sh

@@ -1,26 +1,30 @@
 #!/bin/bash
 
-set -e
-
 usage() {
-    echo "Usage: $0 -v <version> -c <config file> [-n]"
+    echo "Usage: $0 -v <version> -d <config directory> [-n]"
     echo
     echo "version: commit-ish to check out and build"
-    echo "config file: a path to a json config file to"
-    echo "ship with the build. In addition, update_base_url:"
-    echo "from this file is used to set up auto-update."
+    echo "config directory: a path to a directory containing"
+    echo "config.json, a json config file to ship with the build"
+    echo "and env.sh, a file to source environment variables"
+    echo "from."
     echo "-n: build with no config file."
     echo
-    echo "Values may also be passed as environment variables"
+    echo "The update_base_url value from config.json is used to set up auto-update."
+    echo
+    echo "Environment variables:"
+    echo "   OSSLSIGNCODE_SIGNARGS: Arguments to pass to osslsigncode when signing"
+    echo "   NOTARIZE_APPLE_ID: Apple ID to use for notarisation. The password for"
+    echo "   this account must be set in NOTARIZE_CREDS in the keychain."
 }
 
-conffile=
+confdir=
 version=
 skipcfg=0
-while getopts "c:v:n" opt; do
+while getopts "d:v:n" opt; do
     case $opt in
-        c)
-            conffile=$OPTARG
+        d)
+            confdir=$OPTARG
             ;;
         v)
             version=$OPTARG
@@ -42,6 +46,8 @@ if [ -z "$version" ]; then
     exit
 fi
 
+conffile="$confdir/config.json"
+
 if [ -z "$conffile" ] && [ "$skipcfg" = 0 ]; then
     echo "No config file given. Use -c to supply a config file or"
     echo "-n to build with no config file (and no auto update)."
@@ -67,6 +73,31 @@ if [ ! -f package.json ]; then
     exit
 fi
 
+[ -f "$confdir/env.sh" ] && . "$confdir/env.sh"
+
+if [ -z "$NOTARIZE_APPLE_ID" ]; then
+    echo "NOTARIZE_APPLE_ID is not set"
+    exit
+fi
+
+osslsigncode -h 2> /dev/null
+if [ $? -ne 255 ]; then # osslsigncode exits with 255 after printing usage...
+    echo "osslsigncode not found"
+    exit
+fi
+
+# Test that altool can get its credentials for notarising the mac app
+xcrun altool -u "$NOTARIZE_APPLE_ID" -p '@keychain:NOTARIZE_CREDS' --list-apps || exit
+
+# Get the token password: we'll need it later, but get it now so we fail early if it's not there
+token_password=`security find-generic-password -s riot_signing_token -w`
+if [ $? -ne 0 ]; then
+    echo "riot_signing_token not found in keychain"
+    exit
+fi
+
+set -e
+
 echo "Building $version using Update base URL $update_base_url"
 
 projdir=`pwd`
@@ -107,14 +138,12 @@ mkdir -p "$projdir/electron_app/dist/unsigned/"
 mkdir -p "$pubdir/install/macos"
 cp $distdir/*.dmg "$pubdir/install/macos/"
 
-# Windows installers go to the dist dir because they need signing
+# Windows installers need signing, this comes later
 mkdir -p "$pubdir/install/win32/ia32/"
 mkdir -p "$projdir/electron_app/dist/unsigned/ia32/"
-cp $distdir/squirrel-windows-ia32/*.exe "$projdir/electron_app/dist/unsigned/ia32/"
 
 mkdir -p "$pubdir/install/win32/x64/"
 mkdir -p "$projdir/electron_app/dist/unsigned/x64/"
-cp $distdir/squirrel-windows/*.exe "$projdir/electron_app/dist/unsigned/x64/"
 
 # Packages for auto-update
 mkdir -p "$pubdir/update/macos"
@@ -136,9 +165,21 @@ cp $distdir/squirrel-windows/RELEASES "$pubdir/update/win32/x64/"
 # longer appears to work).
 cp $distdir/*_amd64.deb "$projdir/electron_app/dist/"
 
+# Now we sign the windows installer executables (as opposed to the main binary which
+# is signed in the electron afteSign hook)
+echo "Signing Windows installers..."
+
+exe32=( "$distdir"/squirrel-windows-ia32/*.exe )
+basename32=`basename "$exe32"`
+osslsigncode sign $OSSLSIGNCODE_SIGNARGS -pass "$token_password" -in "$exe32" -out "$projdir/electron_app/pub/install/win32/ia32/$basename32"
+
+exe64=( "$distdir"/squirrel-windows/*.exe )
+basename64=`basename "$exe64"`
+osslsigncode sign $OSSLSIGNCODE_SIGNARGS -pass "$token_password" -in "$exe64" -out "$projdir/electron_app/pub/install/win32/x64/$basename64"
+
+echo "Installers signed"
+
 rm -rf "$builddir"
 
-echo "Unsigned Windows installers have been placed in electron_app/dist/unsigned/ - sign them,"
-echo "or just copy them to "$pubdir/install/win32/\<arch\>/""
-echo "Once you've done this, $pubdir can be hosted on your web server."
+echo "$pubdir can now be hosted on your web server."
 echo "deb archives are in electron_app/dist/ - these should be added into your debian repository"

scripts/electron_afterSign.js

@@ -0,0 +1,76 @@
+const { notarize } = require('electron-notarize');
+const { exec, execFile } = require('child_process');
+const fs = require('fs');
+const shellescape = require('shell-escape');
+
+exports.default = async function(context) {
+    const { electronPlatformName, appOutDir } = context;
+
+    if (electronPlatformName === 'darwin') {
+        const appName = context.packager.appInfo.productFilename;
+        // We get the password from keychain. The keychain stores
+        // user IDs too, but apparently altool can't get the user ID
+        // from the keychain, so we need to get it from the environment.
+        const userId = process.env.NOTARIZE_APPLE_ID;
+        if (userId === undefined) {
+            throw new Exception("User ID not found. Set NOTARIZE_APPLE_ID.");
+        }
+
+        console.log("Notarising macOS app. This may be some time.");
+        return await notarize({
+            appBundleId: 'im.riot.app',
+            appPath: `${appOutDir}/${appName}.app`,
+            appleId: userId,
+            appleIdPassword: '@keychain:NOTARIZE_CREDS',
+        });
+    } else if (electronPlatformName === 'win32') {
+        // This signs the actual Riot executable
+        const appName = context.packager.appInfo.productFilename;
+
+        // get the token passphrase from the keychain
+        const tokenPassphrase = await new Promise((resolve, reject) => {
+            execFile(
+                'security',
+                ['find-generic-password', '-s', 'riot_signing_token', '-w'],
+                {},
+                (err, stdout) => {
+                    if (err) {
+                        reject(err);
+                    } else {
+                        resolve(stdout.trim());
+                    }
+                },
+            );
+        });
+
+        return new Promise((resolve, reject) => {
+            let cmdLine = 'osslsigncode sign ';
+            if (process.env.OSSLSIGNCODE_SIGNARGS) {
+                cmdLine += process.env.OSSLSIGNCODE_SIGNARGS + ' ';
+            }
+            const tmpFile = 'tmp_' + Math.random().toString(36).substring(2, 15) + '.exe';
+            cmdLine += shellescape([
+                '-pass', tokenPassphrase,
+                '-in', `${appOutDir}/${appName}.exe`,
+                '-out', `${appOutDir}/${tmpFile}`,
+            ]);
+
+            const signproc = exec(cmdLine, {}, (error, stdout) => {
+                console.log(stdout);
+            });
+            signproc.on('exit', (code) => {
+                if (code !== 0) {
+                    reject("osslsigncode failed with code " + code);
+                    return;
+                }
+                fs.rename(`${appOutDir}/${tmpFile}`, `${appOutDir}/${appName}.exe`, (err) => {
+                    if (err) {
+                        reject(err);
+                    } else {
+                        resolve();
+                    }
+                });
+            });
+        });
+    }
+};

yarn.lock

@@ -3134,6 +3134,14 @@ electron-devtools-installer@^2.2.4:
     rimraf "^2.5.2"
     semver "^5.3.0"
 
+electron-notarize@^0.1.1:
+  version "0.1.1"
+  resolved "https://registry.yarnpkg.com/electron-notarize/-/electron-notarize-0.1.1.tgz#c3563d70c5e7b3315f44e8495b30050a8c408b91"
+  integrity sha512-TpKfJcz4LXl5jiGvZTs5fbEx+wUFXV5u8voeG5WCHWfY/cdgdD8lDZIZRqLVOtR3VO+drgJ9aiSHIO9TYn/fKg==
+  dependencies:
+    debug "^4.1.1"
+    fs-extra "^8.0.1"
+
 electron-publish@21.2.0:
   version "21.2.0"
   resolved "https://registry.yarnpkg.com/electron-publish/-/electron-publish-21.2.0.tgz#cc225cb46aa62e74b899f2f7299b396c9802387d"
@@ -4083,7 +4091,7 @@ fs-extra@^0.30.0:
     path-is-absolute "^1.0.0"
     rimraf "^2.2.8"
 
-fs-extra@^8.1.0:
+fs-extra@^8.0.1, fs-extra@^8.1.0:
   version "8.1.0"
   resolved "https://registry.yarnpkg.com/fs-extra/-/fs-extra-8.1.0.tgz#49d43c45a88cd9677668cb7be1b46efdb8d2e1c0"
   integrity sha512-yhlQgA6mnOJUKOsRUFsgJdQCvkKhcz8tlZG5HBQfReYZy46OwLcY+Zia0mtdHsOo9y/hP+CxMN0TU9QxoOtG4g==
@@ -8233,6 +8241,11 @@ shebang-regex@^1.0.0:
   resolved "https://registry.yarnpkg.com/shebang-regex/-/shebang-regex-1.0.0.tgz#da42f49740c0b42db2ca9728571cb190c98efea3"
   integrity sha1-2kL0l0DAtC2yypcoVxyxkMmO/qM=
 
+shell-escape@^0.2.0:
+  version "0.2.0"
+  resolved "https://registry.yarnpkg.com/shell-escape/-/shell-escape-0.2.0.tgz#68fd025eb0490b4f567a027f0bf22480b5f84133"
+  integrity sha1-aP0CXrBJC09WegJ/C/IkgLX4QTM=
+
 shell-quote@^1.6.1:
   version "1.7.2"
   resolved "https://registry.yarnpkg.com/shell-quote/-/shell-quote-1.7.2.tgz#67a7d02c76c9da24f99d20808fcaded0e0e04be2"