Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
84 changes: 76 additions & 8 deletions .github/workflows/desktop-release.yml
Original file line number Diff line number Diff line change
Expand Up @@ -46,6 +46,11 @@ on:
required: true
default: false
type: boolean
allow_unsigned_test_release:
description: "Allow unsigned macOS/Windows artifacts only for prerelease testing."
required: true
default: false
type: boolean
clobber:
description: "Replace same-named assets when uploading to an existing release."
required: true
Expand Down Expand Up @@ -281,11 +286,18 @@ jobs:
- name: Configure optional signing secrets
shell: bash
env:
IS_DRY_RUN: ${{ inputs.dry_run }}
APPLE_APP_SPECIFIC_PASSWORD_SECRET: ${{ secrets.APPLE_APP_SPECIFIC_PASSWORD }}
APPLE_ID_SECRET: ${{ secrets.APPLE_ID }}
APPLE_TEAM_ID_SECRET: ${{ secrets.APPLE_TEAM_ID }}
ALLOW_UNSIGNED_TEST_RELEASE: ${{ inputs.allow_unsigned_test_release }}
IS_PRERELEASE: ${{ inputs.prerelease }}
MAC_CSC_KEY_PASSWORD_SECRET: ${{ secrets.MAC_CSC_KEY_PASSWORD }}
MAC_CSC_LINK_SECRET: ${{ secrets.MAC_CSC_LINK }}
CSC_KEY_PASSWORD_SECRET: ${{ secrets.CSC_KEY_PASSWORD }}
CSC_LINK_SECRET: ${{ secrets.CSC_LINK }}
WIN_CSC_KEY_PASSWORD_SECRET: ${{ secrets.WIN_CSC_KEY_PASSWORD }}
WIN_CSC_LINK_SECRET: ${{ secrets.WIN_CSC_LINK }}
SENTRY_ELECTRON_INGEST_URL_SECRET: ${{ secrets.SENTRY_ELECTRON_INGEST_URL }}
run: |
set -euo pipefail
Expand All @@ -305,15 +317,71 @@ jobs:
} >> "$GITHUB_ENV"
}

if [ -n "$CSC_LINK_SECRET" ]; then
append_env "CSC_LINK" "$CSC_LINK_SECRET"
append_env "CSC_KEY_PASSWORD" "$CSC_KEY_PASSWORD_SECRET"
append_env "APPLE_ID" "$APPLE_ID_SECRET"
append_env "APPLE_APP_SPECIFIC_PASSWORD" "$APPLE_APP_SPECIFIC_PASSWORD_SECRET"
append_env "APPLE_TEAM_ID" "$APPLE_TEAM_ID_SECRET"
echo "CSC_IDENTITY_AUTO_DISCOVERY=true" >> "$GITHUB_ENV"
mac_csc_link="${MAC_CSC_LINK_SECRET:-$CSC_LINK_SECRET}"
mac_csc_key_password="${MAC_CSC_KEY_PASSWORD_SECRET:-$CSC_KEY_PASSWORD_SECRET}"

allow_unsigned_artifacts() {
if [ "$IS_DRY_RUN" = "true" ]; then
return 0
fi

if [ "$ALLOW_UNSIGNED_TEST_RELEASE" = "true" ] && [ "$IS_PRERELEASE" = "true" ]; then
return 0
fi

return 1
}

if [ "$RUNNER_OS" = "macOS" ]; then
if [ -n "$mac_csc_link" ]; then
if [ -z "$mac_csc_key_password" ]; then
echo "::error::MAC_CSC_LINK/CSC_LINK is configured, but MAC_CSC_KEY_PASSWORD/CSC_KEY_PASSWORD is missing."
exit 1
fi

append_env "CSC_LINK" "$mac_csc_link"
append_env "CSC_KEY_PASSWORD" "$mac_csc_key_password"
append_env "APPLE_ID" "$APPLE_ID_SECRET"
append_env "APPLE_APP_SPECIFIC_PASSWORD" "$APPLE_APP_SPECIFIC_PASSWORD_SECRET"
append_env "APPLE_TEAM_ID" "$APPLE_TEAM_ID_SECRET"
echo "CSC_IDENTITY_AUTO_DISCOVERY=true" >> "$GITHUB_ENV"
else
if ! allow_unsigned_artifacts; then
echo "::error::Published macOS desktop releases require MAC_CSC_LINK/CSC_LINK and MAC_CSC_KEY_PASSWORD/CSC_KEY_PASSWORD so auto-update signature validation can pass."
exit 1
fi

if [ "$IS_DRY_RUN" = "false" ]; then
echo "::warning::Publishing an unsigned macOS prerelease for manual testing. Auto-update validation is not supported for this artifact."
fi

echo "CSC_IDENTITY_AUTO_DISCOVERY=false" >> "$GITHUB_ENV"
fi
elif [ "$RUNNER_OS" = "Windows" ]; then
if [ -n "$WIN_CSC_LINK_SECRET" ]; then
if [ -z "$WIN_CSC_KEY_PASSWORD_SECRET" ]; then
echo "::error::WIN_CSC_LINK is configured, but WIN_CSC_KEY_PASSWORD is missing."
exit 1
fi

append_env "WIN_CSC_LINK" "$WIN_CSC_LINK_SECRET"
append_env "WIN_CSC_KEY_PASSWORD" "$WIN_CSC_KEY_PASSWORD_SECRET"
else
if ! allow_unsigned_artifacts; then
echo "::error::Published Windows desktop releases require WIN_CSC_LINK and WIN_CSC_KEY_PASSWORD."
exit 1
fi

if [ "$IS_DRY_RUN" = "false" ]; then
echo "::warning::Publishing an unsigned Windows prerelease for manual testing. Windows may show Unknown Publisher / SmartScreen warnings."
else
echo "Windows signing certificate is not configured; Windows dry-run artifacts will be unsigned."
fi
fi
else
echo "CSC_IDENTITY_AUTO_DISCOVERY=false" >> "$GITHUB_ENV"
if [ "$RUNNER_OS" != "Linux" ] && [ -n "$CSC_LINK_SECRET" ]; then
echo "::warning::CSC_LINK is configured but not used on $RUNNER_OS."
fi
fi

append_env "SENTRY_ELECTRON_INGEST_URL" "$SENTRY_ELECTRON_INGEST_URL_SECRET"
Expand Down
44 changes: 44 additions & 0 deletions apps/electron/src/main/__tests__/auto-update-signature.test.ts
Original file line number Diff line number Diff line change
@@ -0,0 +1,44 @@
import { describe, expect, it } from 'bun:test'

import {
getMacAppBundlePath,
parseMacCodeSignatureStatus,
} from '../auto-update-signature'

describe('auto-update-signature', () => {
it('maps an executable path back to the macOS app bundle', () => {
expect(getMacAppBundlePath('/Applications/OpenWork.app/Contents/MacOS/OpenWork'))
.toBe('/Applications/OpenWork.app')
})

it('rejects ad-hoc signatures because they pin updates to a cdhash', () => {
const status = parseMacCodeSignatureStatus('/Applications/OpenWork.app', 0, [
'Signature=adhoc',
'TeamIdentifier=not set',
].join('\n'))

expect(status.trustedForAutoUpdate).toBe(false)
expect(status.reason).toBe('adhoc-signature')
})

it('rejects unsigned apps', () => {
const status = parseMacCodeSignatureStatus(
'/Applications/OpenWork.app',
1,
'/Applications/OpenWork.app: code object is not signed at all',
)

expect(status.trustedForAutoUpdate).toBe(false)
expect(status.reason).toBe('codesign-failed')
})

it('accepts signed apps with a TeamIdentifier', () => {
const status = parseMacCodeSignatureStatus('/Applications/OpenWork.app', 0, [
'Authority=Developer ID Application: Example Inc (ABCDE12345)',
'TeamIdentifier=ABCDE12345',
].join('\n'))

expect(status.trustedForAutoUpdate).toBe(true)
expect(status.teamIdentifier).toBe('ABCDE12345')
})
})
75 changes: 75 additions & 0 deletions apps/electron/src/main/auto-update-signature.ts
Original file line number Diff line number Diff line change
@@ -0,0 +1,75 @@
import { spawnSync } from 'child_process'
import * as path from 'path'

export interface MacCodeSignatureStatus {
trustedForAutoUpdate: boolean
appBundlePath: string
reason?: 'codesign-failed' | 'adhoc-signature' | 'missing-team-identifier'
signature?: string
teamIdentifier?: string
diagnostic?: string
}

function parseCodesignField(output: string, field: string): string | undefined {
const match = output.match(new RegExp(`^${field}=(.*)$`, 'm'))
return match?.[1]?.trim()
}

export function getMacAppBundlePath(executablePath: string): string {
return path.dirname(path.dirname(path.dirname(executablePath)))
}

export function parseMacCodeSignatureStatus(
appBundlePath: string,
exitStatus: number | null,
output: string,
): MacCodeSignatureStatus {
if (exitStatus !== 0) {
return {
trustedForAutoUpdate: false,
appBundlePath,
reason: 'codesign-failed',
diagnostic: output.trim(),
}
}

const signature = parseCodesignField(output, 'Signature')
const teamIdentifier = parseCodesignField(output, 'TeamIdentifier')

if (signature === 'adhoc') {
return {
trustedForAutoUpdate: false,
appBundlePath,
reason: 'adhoc-signature',
signature,
teamIdentifier,
}
}

if (!teamIdentifier || teamIdentifier === 'not set') {
return {
trustedForAutoUpdate: false,
appBundlePath,
reason: 'missing-team-identifier',
signature,
teamIdentifier,
}
}

return {
trustedForAutoUpdate: true,
appBundlePath,
signature,
teamIdentifier,
}
}

export function getCurrentMacCodeSignatureStatus(executablePath: string): MacCodeSignatureStatus {
const appBundlePath = getMacAppBundlePath(executablePath)
const result = spawnSync('/usr/bin/codesign', ['-d', '-vvv', appBundlePath], {
encoding: 'utf8',
})
const output = `${result.stdout ?? ''}${result.stderr ?? ''}`

return parseMacCodeSignatureStatus(appBundlePath, result.status, output)
}
Loading