From ff70339aadaac760281c85ea53be8b86420847a9 Mon Sep 17 00:00:00 2001 From: David Baker Date: Wed, 9 Oct 2019 16:29:24 +0100 Subject: [PATCH 01/13] Working branch for notarisation --- package.json | 3 ++- scripts/electron_afterSign.js | 25 +++++++++++++++++++++++++ 2 files changed, 27 insertions(+), 1 deletion(-) create mode 100644 scripts/electron_afterSign.js diff --git a/package.json b/package.json index bd05b090df..cd4f4cd282 100644 --- a/package.json +++ b/package.json @@ -188,6 +188,7 @@ "buildResources": "electron_app/build", "output": "electron_app/dist", "app": "electron_app" - } + }, + "afterSign": "scripts/electron_afterSign.js" } } diff --git a/scripts/electron_afterSign.js b/scripts/electron_afterSign.js new file mode 100644 index 0000000000..bb554219af --- /dev/null +++ b/scripts/electron_afterSign.js @@ -0,0 +1,25 @@ +const { notarize } = require('electron-notarize'); + +exports.default = async function(context) { + const { electronPlatformName, appOutDir } = context; + if (electronPlatformName !== 'darwin') { + return; + } + + // We get the password from keychain. The keychain stores + // user IDs too, but apparently altool can't get the user ID + // from the keychain, so we need to get it from the environment. + const userId = process.env.NOTARIZE_APPLE_ID; + if (userId === undefined) { + throw new Exception("User ID not found. Set NOTARIZE_APPLE_ID."); + } + + const appName = context.packager.appInfo.productFilename; + + return await notarize({ + appBundleId: 'im.riot.app', + appPath: `${appOutDir}/${appName}.app`, + appleId: userId, + appleIdPassword: '@keychain:NOTARIZE_CREDS, + }); +}; From bad97db3025ce910c2e9dde8c99f48ade6ca6771 Mon Sep 17 00:00:00 2001 From: David Baker Date: Wed, 9 Oct 2019 16:40:31 +0100 Subject: [PATCH 02/13] remove random spaces --- scripts/electron_afterSign.js | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
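Review bot: `throw new Exception("User ID not found. Set NOTARIZE_APPLE_ID.")` in the new scripts/electron_afterSign.js names a constructor that JavaScript does not define, so a missing NOTARIZE_APPLE_ID ends the hook with a ReferenceError about `Exception` instead of the intended message. The build still stops before notarisation, but the operator is pointed at the wrong problem; `throw new Error("User ID not found. Set NOTARIZE_APPLE_ID.");` reports the message as written. The same line is carried into the darwin branch of the rewritten hook in PATCH 09/13.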
diff --git a/scripts/electron_afterSign.js b/scripts/electron_afterSign.js index bb554219af..78211d41bd 100644 --- a/scripts/electron_afterSign.js +++ b/scripts/electron_afterSign.js @@ -1,7 +1,7 @@ const { notarize } = require('electron-notarize'); exports.default = async function(context) { - const { electronPlatformName, appOutDir } = context; + const { electronPlatformName, appOutDir } = context; if (electronPlatformName !== 'darwin') { return; } @@ -13,9 +13,9 @@ exports.default = async function(context) { if (userId === undefined) { throw new Exception("User ID not found. Set NOTARIZE_APPLE_ID."); } - + const appName = context.packager.appInfo.productFilename; - + return await notarize({ appBundleId: 'im.riot.app', appPath: `${appOutDir}/${appName}.app`, From 7faba49f669bb5e3dc7a00d82c30518f6a39b62c Mon Sep 17 00:00:00 2001 From: David Baker Date: Thu, 10 Oct 2019 11:53:49 +0100 Subject: [PATCH 03/13] fix quotes --- scripts/electron_afterSign.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/electron_afterSign.js b/scripts/electron_afterSign.js index 78211d41bd..20bb867ddf 100644 --- a/scripts/electron_afterSign.js +++ b/scripts/electron_afterSign.js @@ -20,6 +20,6 @@ exports.default = async function(context) { appBundleId: 'im.riot.app', appPath: `${appOutDir}/${appName}.app`, appleId: userId, - appleIdPassword: '@keychain:NOTARIZE_CREDS, + appleIdPassword: '@keychain:NOTARIZE_CREDS', }); }; From 29f186bc18b6b6b26f9ff4c01df8e3b56f51be74 Mon Sep 17 00:00:00 2001 From: David Baker Date: Thu, 10 Oct 2019 11:57:39 +0100 Subject: [PATCH 04/13] add electron-notarize --- package.json | 1 + yarn.lock | 10 +++++++++- 2 files changed, 10 insertions(+), 1 deletion(-) diff --git a/package.json b/package.json index cd4f4cd282..0836f624d2 100644 --- a/package.json +++ b/package.json 
@@ -111,6 +111,7 @@ "electron-builder": "^21.2.0", "electron-builder-squirrel-windows": "^21.2.0", "electron-devtools-installer": "^2.2.4", + "electron-notarize": "^0.1.1", "eslint": "^5.8.0", "eslint-config-google": "^0.7.1", "eslint-plugin-babel": "^4.1.2", diff --git a/yarn.lock b/yarn.lock index b1eb8246f8..c3cb2a7a77 100644 --- a/yarn.lock +++ b/yarn.lock @@ -3134,6 +3134,14 @@ electron-devtools-installer@^2.2.4: rimraf "^2.5.2" semver "^5.3.0" +electron-notarize@^0.1.1: + version "0.1.1" + resolved "https://registry.yarnpkg.com/electron-notarize/-/electron-notarize-0.1.1.tgz#c3563d70c5e7b3315f44e8495b30050a8c408b91" + integrity sha512-TpKfJcz4LXl5jiGvZTs5fbEx+wUFXV5u8voeG5WCHWfY/cdgdD8lDZIZRqLVOtR3VO+drgJ9aiSHIO9TYn/fKg== + dependencies: + debug "^4.1.1" + fs-extra "^8.0.1" + electron-publish@21.2.0: version "21.2.0" resolved "https://registry.yarnpkg.com/electron-publish/-/electron-publish-21.2.0.tgz#cc225cb46aa62e74b899f2f7299b396c9802387d" @@ -4083,7 +4091,7 @@ fs-extra@^0.30.0: path-is-absolute "^1.0.0" rimraf "^2.2.8" -fs-extra@^8.1.0: +fs-extra@^8.0.1, fs-extra@^8.1.0: version "8.1.0" resolved "https://registry.yarnpkg.com/fs-extra/-/fs-extra-8.1.0.tgz#49d43c45a88cd9677668cb7be1b46efdb8d2e1c0" integrity sha512-yhlQgA6mnOJUKOsRUFsgJdQCvkKhcz8tlZG5HBQfReYZy46OwLcY+Zia0mtdHsOo9y/hP+CxMN0TU9QxoOtG4g== From a7d1d9880be3c37db137b9986f76e04b2424eb94 Mon Sep 17 00:00:00 2001 From: David Baker Date: Thu, 10 Oct 2019 14:56:35 +0100 Subject: [PATCH 05/13] Use my fork of electron-notarize if only to test it --- package.json | 2 +- yarn.lock | 5 ++--- 2 files changed, 3 insertions(+), 4 deletions(-) diff --git a/package.json b/package.json index 0836f624d2..8b0b7ad92d 100644 --- a/package.json +++ b/package.json 
@@ -111,7 +111,7 @@ "electron-builder": "^21.2.0", "electron-builder-squirrel-windows": "^21.2.0", "electron-devtools-installer": "^2.2.4", - "electron-notarize": "^0.1.1", + "electron-notarize": "dbkr/electron-notarize", "eslint": "^5.8.0", "eslint-config-google": "^0.7.1", "eslint-plugin-babel": "^4.1.2", diff --git a/yarn.lock b/yarn.lock index c3cb2a7a77..1e4b0f1aff 100644 --- a/yarn.lock +++ b/yarn.lock @@ -3134,10 +3134,9 @@ electron-devtools-installer@^2.2.4: rimraf "^2.5.2" semver "^5.3.0" -electron-notarize@^0.1.1: +electron-notarize@dbkr/electron-notarize: version "0.1.1" - resolved "https://registry.yarnpkg.com/electron-notarize/-/electron-notarize-0.1.1.tgz#c3563d70c5e7b3315f44e8495b30050a8c408b91" - integrity sha512-TpKfJcz4LXl5jiGvZTs5fbEx+wUFXV5u8voeG5WCHWfY/cdgdD8lDZIZRqLVOtR3VO+drgJ9aiSHIO9TYn/fKg== + resolved "https://codeload.github.com/dbkr/electron-notarize/tar.gz/1041444cf330a52e89077bae68745bfe47c8d2db" dependencies: debug "^4.1.1" fs-extra "^8.0.1" From 2bab328f8d85d9babe6bbff7c9cf8ead6c6e7400 Mon Sep 17 00:00:00 2001 From: David Baker Date: Thu, 10 Oct 2019 15:32:17 +0100 Subject: [PATCH 06/13] Check everything's in place for the notarising dance ...before we start the build process. --- scripts/electron-package.sh | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/scripts/electron-package.sh b/scripts/electron-package.sh index 63c2fd72d7..9b796b9546 100755 --- a/scripts/electron-package.sh +++ b/scripts/electron-package.sh @@ -67,6 +67,14 @@ if [ ! -f package.json ]; then exit fi +if [ -z "$NOTARIZE_APPLE_ID" ]; then + echo "NOTARIZE_APPLE_ID is not set" + exit +fi + +# Test that altool can get its credentials for notarising the mac app +xcrun altool -u "$NOTARIZE_APPLE_ID" -p '@keychain:NOTARIZE_CREDS' --list-apps || exit + echo "Building $version using Update base URL $update_base_url" projdir=`pwd` From 0259eb64197e3332c78e4c979e2356df29a16e4f Mon Sep 17 00:00:00 2001 
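Review bot: The `"electron-notarize": "dbkr/electron-notarize"` specifier in package.json names no commit, so any install that re-resolves it takes whatever the fork's default branch holds at that moment, and the matching yarn.lock entry loses its `integrity` line. This package runs inside the signing step and is handed the Apple ID, so it is worth pinning even for a test. `"electron-notarize": "dbkr/electron-notarize#1041444cf330a52e89077bae68745bfe47c8d2db"` matches the commit the lockfile resolved to.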
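Review bot: The bare `exit` after `echo "NOTARIZE_APPLE_ID is not set"` returns the status of the preceding `echo`, which is 0, so a wrapper or CI job sees this aborted run as a success. Use `exit 1` there; the `xcrun altool … || exit` line is fine because it propagates altool's non-zero status. The same pattern appears in the checks PATCH 09/13 adds (`osslsigncode not found`, `riot_signing_token not found in keychain`), and the context lines suggest the script's existing checks use it too.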
From: David Baker Date: Thu, 10 Oct 2019 18:34:26 +0100 Subject: [PATCH 07/13] Go back to upstream electron-notarize It doesn't work as a github dependency because the typescript doesn't get built. --- package.json | 2 +- yarn.lock | 5 +++-- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/package.json b/package.json index 8b0b7ad92d..0836f624d2 100644 --- a/package.json +++ b/package.json @@ -111,7 +111,7 @@ "electron-builder": "^21.2.0", "electron-builder-squirrel-windows": "^21.2.0", "electron-devtools-installer": "^2.2.4", - "electron-notarize": "dbkr/electron-notarize", + "electron-notarize": "^0.1.1", "eslint": "^5.8.0", "eslint-config-google": "^0.7.1", "eslint-plugin-babel": "^4.1.2", diff --git a/yarn.lock b/yarn.lock index 1e4b0f1aff..c3cb2a7a77 100644 --- a/yarn.lock +++ b/yarn.lock @@ -3134,9 +3134,10 @@ electron-devtools-installer@^2.2.4: rimraf "^2.5.2" semver "^5.3.0" -electron-notarize@dbkr/electron-notarize: +electron-notarize@^0.1.1: version "0.1.1" - resolved "https://codeload.github.com/dbkr/electron-notarize/tar.gz/1041444cf330a52e89077bae68745bfe47c8d2db" + resolved "https://registry.yarnpkg.com/electron-notarize/-/electron-notarize-0.1.1.tgz#c3563d70c5e7b3315f44e8495b30050a8c408b91" + integrity sha512-TpKfJcz4LXl5jiGvZTs5fbEx+wUFXV5u8voeG5WCHWfY/cdgdD8lDZIZRqLVOtR3VO+drgJ9aiSHIO9TYn/fKg== dependencies: debug "^4.1.1" fs-extra "^8.0.1" From 071223120b39f026aadd502ceb284191345a1638 Mon Sep 17 00:00:00 2001 From: David Baker Date: Fri, 11 Oct 2019 10:45:42 +0100 Subject: [PATCH 08/13] Warn that this might be a while --- scripts/electron_afterSign.js | 1 + 1 file changed, 1 insertion(+) diff --git a/scripts/electron_afterSign.js b/scripts/electron_afterSign.js index 20bb867ddf..0d42c55246 100644 --- a/scripts/electron_afterSign.js +++ b/scripts/electron_afterSign.js 
@@ -16,6 +16,7 @@ exports.default = async function(context) { const appName = context.packager.appInfo.productFilename; + console.log("Notarising macOS app. This may be some time."); return await notarize({ appBundleId: 'im.riot.app', appPath: `${appOutDir}/${appName}.app`, From 5a7efcd7381024380639261465c63169391a572b Mon Sep 17 00:00:00 2001 From: David Baker Date: Fri, 11 Oct 2019 12:01:50 +0100 Subject: [PATCH 09/13] Sign the main executable on windows and automate the signing of the installers --- electron_app/riot.im/env.sh | 1 + package.json | 1 + scripts/electron-package.sh | 62 +++++++++++++++++------- scripts/electron_afterSign.js | 91 +++++++++++++++++++++++++++-------- yarn.lock | 5 ++ 5 files changed, 123 insertions(+), 37 deletions(-) create mode 100644 electron_app/riot.im/env.sh diff --git a/electron_app/riot.im/env.sh b/electron_app/riot.im/env.sh new file mode 100644 index 0000000000..92b65fe26e --- /dev/null +++ b/electron_app/riot.im/env.sh @@ -0,0 +1 @@ +export OSSLSIGNCODE_SIGNARGS='-pkcs11module /Library/Frameworks/eToken.framework/Versions/Current/libeToken.dylib -pkcs11engine /usr/local/lib/engines/engine_pkcs11.so -certs "electron_app/riot.im/New Vector Ltd.pem" -key 0a3271cbc1ec0fd8afb37f6bbe0cd65ba08d3b4d -t "http://timestamp.comodoca.com" -h sha256 -verbose' diff --git a/package.json b/package.json index 0836f624d2..ee03637769 100644 --- a/package.json +++ b/package.json @@ -146,6 +146,7 @@ "postcss-simple-vars": "^4.1.0", "postcss-strip-inline-comments": "^0.1.5", "rimraf": "^2.4.3", + "shell-escape": "^0.2.0", "source-map-loader": "^0.2.4", "webpack": "^4.23.1", "webpack-cli": "^3.1.2", diff --git a/scripts/electron-package.sh b/scripts/electron-package.sh index 9b796b9546..5698dc7c6f 100755 --- a/scripts/electron-package.sh +++ b/scripts/electron-package.sh 
@@ -1,26 +1,30 @@ #!/bin/bash -set -e - usage() { - echo "Usage: $0 -v -c [-n]" + echo "Usage: $0 -v -d [-n]" echo echo "version: commit-ish to check out and build" - echo "config file: a path to a json config file to" - echo "ship with the build. In addition, update_base_url:" - echo "from this file is used to set up auto-update." + echo "config directory: a path to a directory containing" + echo "config.json, a json config file to ship with the build" + echo "and env.sh, a file to source environment variables" + echo "from." echo "-n: build with no config file." echo - echo "Values may also be passed as environment variables" + echo "The update_base_url value from config.json is used to set up auto-update." + echo + echo "Environment variables:" + echo " OSSLSIGNCODE_SIGNARGS: Arguments to pass to osslsigncode when signing" + echo " NOTARIZE_APPLE_ID: Apple ID to use for notarisation. The password for" + echo " this account must be set in NOTARIZE_CREDS in the keychain." } -conffile= +confdir= version= skipcfg=0 -while getopts "c:v:n" opt; do +while getopts "d:v:n" opt; do case $opt in - c) - conffile=$OPTARG + d) + confdir=$OPTARG ;; v) version=$OPTARG @@ -42,6 +46,8 @@ if [ -z "$version" ]; then exit fi +conffile="$confdir/config.json" + if [ -z "$conffile" ] && [ "$skipcfg" = 0 ]; then echo "No config file given. Use -c to supply a config file or" echo "-n to build with no config file (and no auto update)." 
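Review bot: After `conffile="$confdir/config.json"` the following test `[ -z "$conffile" ]` can never be true, so running without `-d` and without `-n` no longer reaches the "No config file given" message. With an empty `$confdir` the path becomes `/config.json`, and the `[ -f "$confdir/env.sh" ] && . "$confdir/env.sh"` line added further down in this patch would source `/env.sh` if one exists. Test the option itself, `if [ -z "$confdir" ] && [ "$skipcfg" = 0 ]; then`, and change the message's `-c` to `-d`. The `if` block continues outside the hunk.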
@@ -67,14 +73,31 @@ if [ ! -f package.json ]; then exit fi +[ -f "$confdir/env.sh" ] && . "$confdir/env.sh" + if [ -z "$NOTARIZE_APPLE_ID" ]; then echo "NOTARIZE_APPLE_ID is not set" exit fi +osslsigncode -h 2> /dev/null +if [ $? -ne 255 ]; then # osslsigncode exits with 255 after printing usgae... + echo "osslsigncode not found" + exit +fi + # Test that altool can get its credentials for notarising the mac app xcrun altool -u "$NOTARIZE_APPLE_ID" -p '@keychain:NOTARIZE_CREDS' --list-apps || exit +# Get the token password: we'll need it later, but get it now so we fail early if it's not there +token_password=`security find-generic-password -s riot_signing_token -w` +if [ $? -ne 0 ]; then + echo "riot_signing_token not found in keychain" + exit +fi + +set -e + echo "Building $version using Update base URL $update_base_url" projdir=`pwd` @@ -115,14 +138,12 @@ mkdir -p "$projdir/electron_app/dist/unsigned/" mkdir -p "$pubdir/install/macos" cp $distdir/*.dmg "$pubdir/install/macos/" -# Windows installers go to the dist dir because they need signing +# Windows installers need signing, this comes later mkdir -p "$pubdir/install/win32/ia32/" mkdir -p "$projdir/electron_app/dist/unsigned/ia32/" -cp $distdir/squirrel-windows-ia32/*.exe "$projdir/electron_app/dist/unsigned/ia32/" mkdir -p "$pubdir/install/win32/x64/" mkdir -p "$projdir/electron_app/dist/unsigned/x64/" -cp $distdir/squirrel-windows/*.exe "$projdir/electron_app/dist/unsigned/x64/" # Packages for auto-update mkdir -p "$pubdir/update/macos" 
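Review bot: The `osslsigncode -h 2> /dev/null` probe followed by `if [ $? -ne 255 ]` ties tool detection to one specific exit status of the help screen, so a build of osslsigncode that returns anything else is reported as "not found", and the help text still goes to stdout. `command -v osslsigncode > /dev/null || { echo "osslsigncode not found"; exit 1; }` checks for the binary directly. Whether 255 holds for every osslsigncode release cannot be confirmed from this patch.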
@@ -144,9 +165,16 @@ cp $distdir/squirrel-windows/RELEASES "$pubdir/update/win32/x64/" # longer appears to work). cp $distdir/*_amd64.deb "$projdir/electron_app/dist/" +# Now we sign the windows installer executables (as opposed to the main binary which +# is signed in the electron afteSign hook) +echo "Signing Windows installers..." + +osslsigncode sign $OSSLSIGNCODE_SIGNARGS -pass "$token_password" -in "$distdir/squirrel-windows-ia32/*.exe" -out "$projdir/electron_app/dist/unsigned/ia32/" +osslsigncode sign $OSSLSIGNCODE_SIGNARGS -pass "$token_password" -in "$distdir/squirrel-windows/*.exe" -out "$projdir/electron_app/dist/unsigned/x64/" + +echo "Installers signed" + rm -rf "$builddir" -echo "Unsigned Windows installers have been placed in electron_app/dist/unsigned/ - sign them," -echo "or just copy them to "$pubdir/install/win32/\/"" -echo "Once you've done this, $pubdir can be hosted on your web server." +echo "$pubdir can now be hosted on your web server." echo "deb archives are in electron_app/dist/ - these should be added into your debian repository" diff --git a/scripts/electron_afterSign.js b/scripts/electron_afterSign.js index 0d42c55246..0149d7c4bf 100644 --- a/scripts/electron_afterSign.js +++ b/scripts/electron_afterSign.js 
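Review bot: `-pass "$token_password"` in the two `osslsigncode sign` lines puts the token passphrase in the process argument list, where it is typically readable by other local users through `ps` while signing runs. If the installed osslsigncode supports `-readpass FILE`, pass a mode-600 temporary file and delete it afterwards, or let the PKCS#11 module prompt for the PIN. The same exposure applies to the `'-pass', tokenPassphrase` arguments built in scripts/electron_afterSign.js in this patch and to the rewritten signing lines in PATCH 13/13.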
@@ -1,26 +1,77 @@ const { notarize } = require('electron-notarize'); +const { exec, execFile } = require('child_process'); +const fs = require('fs'); +const shellescape = require('shell-escape'); exports.default = async function(context) { const { electronPlatformName, appOutDir } = context; - if (electronPlatformName !== 'darwin') { - return; + + if (electronPlatformName === 'darwin') { + const appName = context.packager.appInfo.productFilename; + // We get the password from keychain. The keychain stores + // user IDs too, but apparently altool can't get the user ID + // from the keychain, so we need to get it from the environment. + const userId = process.env.NOTARIZE_APPLE_ID; + if (userId === undefined) { + throw new Exception("User ID not found. Set NOTARIZE_APPLE_ID."); + } + + console.log("Notarising macOS app. This may be some time."); + return await notarize({ + appBundleId: 'im.riot.app', + appPath: `${appOutDir}/${appName}.app`, + appleId: userId, + appleIdPassword: '@keychain:NOTARIZE_CREDS', + }); + } else if (electronPlatformName === 'win32') { + // This signs the actual Riot executable + const appName = context.packager.appInfo.productFilename; + + // get the token passphrase from the keychain + const tokenPassphrase = await new Promise((resolve, reject) => { + execFile( + 'security', + ['find-generic-password', '-s', 'riot_signing_token', '-w'], + {}, + (err, stdout) => { + if (err) { + reject(err); + } else { + resolve(stdout.trim()); + } + }, + ); + }); + + return new Promise((resolve, reject) => { + let cmdLine = 'osslsigncode sign '; + if (process.env.OSSLSIGNCODE_SIGNARGS) { + cmdLine += process.env.OSSLSIGNCODE_SIGNARGS + ''; + } + const tmpFile = 'tmp_' + Math.random().toString(36).substring(2, 15) + '.exe'; + cmdLine += shellescape([ + '-pass', tokenPassphrase, + '-in', `${appOutDir}/${appName}.exe`, + '-out', `${appOutDir}/${tmpFile}`, + ]); + console.log(cmdLine); + + const signproc = exec(cmdLine, {}, (error, stdout) => { + 
console.log(stdout); + }); + signproc.on('exit', (code) => { + if (code !== 0) { + reject("osslsigncode failed with code " + code); + return; + } + fs.rename(`${appOutDir}/${tmpFile}`, `${appOutDir}/${appName}.exe`, (err) => { + if (err) { + reject(err); + } else { + resolve(); + } + }); + }); + }); } - - // We get the password from keychain. The keychain stores - // user IDs too, but apparently altool can't get the user ID - // from the keychain, so we need to get it from the environment. - const userId = process.env.NOTARIZE_APPLE_ID; - if (userId === undefined) { - throw new Exception("User ID not found. Set NOTARIZE_APPLE_ID."); - } - - const appName = context.packager.appInfo.productFilename; - - console.log("Notarising macOS app. This may be some time."); - return await notarize({ - appBundleId: 'im.riot.app', - appPath: `${appOutDir}/${appName}.app`, - appleId: userId, - appleIdPassword: '@keychain:NOTARIZE_CREDS', - }); }; diff --git a/yarn.lock b/yarn.lock index c3cb2a7a77..b7b0abd4f8 100644 --- a/yarn.lock +++ b/yarn.lock @@ -8239,6 +8239,11 @@ shebang-regex@^1.0.0: resolved "https://registry.yarnpkg.com/shebang-regex/-/shebang-regex-1.0.0.tgz#da42f49740c0b42db2ca9728571cb190c98efea3" integrity sha1-2kL0l0DAtC2yypcoVxyxkMmO/qM= +shell-escape@^0.2.0: + version "0.2.0" + resolved "https://registry.yarnpkg.com/shell-escape/-/shell-escape-0.2.0.tgz#68fd025eb0490b4f567a027f0bf22480b5f84133" + integrity sha1-aP0CXrBJC09WegJ/C/IkgLX4QTM= + shell-quote@^1.6.1: version "1.7.2" resolved "https://registry.yarnpkg.com/shell-quote/-/shell-quote-1.7.2.tgz#67a7d02c76c9da24f99d20808fcaded0e0e04be2" From 1ff06c4be44d868147b51ddb91f847d2f38f1f83 Mon Sep 17 00:00:00 2001 From: David Baker Date: Fri, 11 Oct 2019 12:21:28 +0100 Subject: [PATCH 10/13] Missing space also don't print the signing command line as it has the token password --- scripts/electron_afterSign.js | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) 
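Review bot: In the win32 branch the `exec` callback `(error, stdout) => { console.log(stdout); }` drops stderr, so a failed signing run reports only "osslsigncode failed with code N" with none of the tool's own diagnostics, and the `tmp_….exe` output is left behind in `appOutDir`. Take the third argument and log it, `(error, stdout, stderr) => { console.log(stdout); console.error(stderr); }`, and reject with an Error object, `reject(new Error("osslsigncode failed with code " + code));`. Keep `error` itself out of the log: Node's `exec` error message contains the full command line, which here includes the `-pass` value.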
diff --git a/scripts/electron_afterSign.js b/scripts/electron_afterSign.js index 0149d7c4bf..8966ca7f99 100644 --- a/scripts/electron_afterSign.js +++ b/scripts/electron_afterSign.js @@ -46,7 +46,7 @@ exports.default = async function(context) { return new Promise((resolve, reject) => { let cmdLine = 'osslsigncode sign '; if (process.env.OSSLSIGNCODE_SIGNARGS) { - cmdLine += process.env.OSSLSIGNCODE_SIGNARGS + ''; + cmdLine += process.env.OSSLSIGNCODE_SIGNARGS + ' '; } const tmpFile = 'tmp_' + Math.random().toString(36).substring(2, 15) + '.exe'; cmdLine += shellescape([ @@ -54,7 +54,6 @@ exports.default = async function(context) { '-in', `${appOutDir}/${appName}.exe`, '-out', `${appOutDir}/${tmpFile}`, ]); - console.log(cmdLine); const signproc = exec(cmdLine, {}, (error, stdout) => { console.log(stdout); From d6884d5b0ffe1516eeaa635dd24f28936c240711 Mon Sep 17 00:00:00 2001 From: David Baker Date: Fri, 11 Oct 2019 16:08:04 +0100 Subject: [PATCH 11/13] Make window signing work Almost certainly won't work for cert names with spaces in them --- electron_app/riot.im/{New Vector Ltd.pem => New_Vector_Ltd.pem} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename electron_app/riot.im/{New Vector Ltd.pem => New_Vector_Ltd.pem} (100%) diff --git a/electron_app/riot.im/New Vector Ltd.pem b/electron_app/riot.im/New_Vector_Ltd.pem similarity index 100% rename from electron_app/riot.im/New Vector Ltd.pem rename to electron_app/riot.im/New_Vector_Ltd.pem From 3545b2751d39a4847b5d568dc829a227d1f68aa1 Mon Sep 17 00:00:00 2001 From: David Baker Date: Fri, 18 Oct 2019 10:08:43 +0100 Subject: [PATCH 12/13] typo Co-Authored-By: Travis Ralston --- scripts/electron-package.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/electron-package.sh b/scripts/electron-package.sh index 5698dc7c6f..a7aa56d071 100755 --- a/scripts/electron-package.sh +++ b/scripts/electron-package.sh 
@@ -81,7 +81,7 @@ if [ -z "$NOTARIZE_APPLE_ID" ]; then fi osslsigncode -h 2> /dev/null -if [ $? -ne 255 ]; then # osslsigncode exits with 255 after printing usgae... +if [ $? -ne 255 ]; then # osslsigncode exits with 255 after printing usage... echo "osslsigncode not found" exit fi From 94e721acf22bed87b1bc8ae815b440fb5d896de7 Mon Sep 17 00:00:00 2001 From: David Baker Date: Fri, 18 Oct 2019 10:09:55 +0100 Subject: [PATCH 13/13] Update cert name & do bash globbing correctly --- electron_app/riot.im/env.sh | 2 +- scripts/electron-package.sh | 9 +++++++-- 2 files changed, 8 insertions(+), 3 deletions(-) diff --git a/electron_app/riot.im/env.sh b/electron_app/riot.im/env.sh index 92b65fe26e..79cb6e4e83 100644 --- a/electron_app/riot.im/env.sh +++ b/electron_app/riot.im/env.sh @@ -1 +1 @@ -export OSSLSIGNCODE_SIGNARGS='-pkcs11module /Library/Frameworks/eToken.framework/Versions/Current/libeToken.dylib -pkcs11engine /usr/local/lib/engines/engine_pkcs11.so -certs "electron_app/riot.im/New Vector Ltd.pem" -key 0a3271cbc1ec0fd8afb37f6bbe0cd65ba08d3b4d -t "http://timestamp.comodoca.com" -h sha256 -verbose' +export OSSLSIGNCODE_SIGNARGS='-pkcs11module /Library/Frameworks/eToken.framework/Versions/Current/libeToken.dylib -pkcs11engine /usr/local/lib/engines/engine_pkcs11.so -certs electron_app/riot.im/New_Vector_Ltd.pem -key 0a3271cbc1ec0fd8afb37f6bbe0cd65ba08d3b4d -t http://timestamp.comodoca.com -h sha256 -verbose' diff --git a/scripts/electron-package.sh b/scripts/electron-package.sh index a7aa56d071..7a8a5ca7b7 100755 --- a/scripts/electron-package.sh +++ b/scripts/electron-package.sh 
@@ -169,8 +169,13 @@ cp $distdir/*_amd64.deb "$projdir/electron_app/dist/" # is signed in the electron afteSign hook) echo "Signing Windows installers..." -osslsigncode sign $OSSLSIGNCODE_SIGNARGS -pass "$token_password" -in "$distdir/squirrel-windows-ia32/*.exe" -out "$projdir/electron_app/dist/unsigned/ia32/" -osslsigncode sign $OSSLSIGNCODE_SIGNARGS -pass "$token_password" -in "$distdir/squirrel-windows/*.exe" -out "$projdir/electron_app/dist/unsigned/x64/" +exe32=( "$distdir"/squirrel-windows-ia32/*.exe ) +basename32=`basename "$exe32"` +osslsigncode sign $OSSLSIGNCODE_SIGNARGS -pass "$token_password" -in "$exe32" -out "$projdir/electron_app/pub/install/win32/ia32/$basename32" + +exe64=( "$distdir"/squirrel-windows/*.exe ) +basename64=`basename "$exe64"` +osslsigncode sign $OSSLSIGNCODE_SIGNARGS -pass "$token_password" -in "$exe64" -out "$projdir/electron_app/pub/install/win32/x64/$basename64" echo "Installers signed"
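Review bot: `exe32=( "$distdir"/squirrel-windows-ia32/*.exe )` followed by `"$exe32"` signs only the first match, and with no match the unexpanded pattern is handed to osslsigncode as a file name. A count check before each signing call makes both cases explicit: `[ ${#exe32[@]} -eq 1 ] || { echo "expected exactly one ia32 installer"; exit 1; }`, and likewise for `exe64`. The `-out` paths are now written under `$projdir/electron_app/pub/…` while the target directories were created with `$pubdir` earlier in the script; if the two can differ, `-out "$pubdir/install/win32/ia32/$basename32"` keeps them in step.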