diff --git a/build/darwin/sign.js b/build/darwin/sign.js
index 6bf6eb23e2b..fb55b8aa03d 100644
--- a/build/darwin/sign.js
+++ b/build/darwin/sign.js
@@ -9,14 +9,32 @@ var __importDefault = (this && this.__importDefault) || function (mod) { Object.defineProperty(exports, "__esModule", { value: true }); const fs_1 = __importDefault(require("fs")); const path_1 = __importDefault(require("path")); -const electron_osx_sign_1 = __importDefault(require("electron-osx-sign")); +const osx_sign_1 = require("@electron/osx-sign"); const cross_spawn_promise_1 = require("@malept/cross-spawn-promise"); const root = path_1.default.dirname(path_1.default.dirname(__dirname)); +const baseDir = path_1.default.dirname(__dirname); +const product = JSON.parse(fs_1.default.readFileSync(path_1.default.join(root, 'product.json'), 'utf8')); +const helperAppBaseName = product.nameShort; +const gpuHelperAppName = helperAppBaseName + ' Helper (GPU).app'; +const rendererHelperAppName = helperAppBaseName + ' Helper (Renderer).app'; +const pluginHelperAppName = helperAppBaseName + ' Helper (Plugin).app'; function getElectronVersion() { const npmrc = fs_1.default.readFileSync(path_1.default.join(root, '.npmrc'), 'utf8'); const target = /^target="(.*)"$/m.exec(npmrc)[1]; return target; } +function getEntitlementsForFile(filePath) { + if (filePath.includes(gpuHelperAppName)) { + return path_1.default.join(baseDir, 'azure-pipelines', 'darwin', 'helper-gpu-entitlements.plist'); + } + else if (filePath.includes(rendererHelperAppName)) { + return path_1.default.join(baseDir, 'azure-pipelines', 'darwin', 'helper-renderer-entitlements.plist'); + } + else if (filePath.includes(pluginHelperAppName)) { + return path_1.default.join(baseDir, 'azure-pipelines', 'darwin', 'helper-plugin-entitlements.plist'); + } + return path_1.default.join(baseDir, 'azure-pipelines', 'darwin', 'app-entitlements.plist'); +} async function main(buildDir) { const tempDir = process.env['AGENT_TEMPDIRECTORY']; const arch = process.env['VSCODE_ARCH']; 
@@ -27,55 +45,21 @@ async function main(buildDir) { if (!tempDir) { throw new Error('$AGENT_TEMPDIRECTORY not set'); } - const product = JSON.parse(fs_1.default.readFileSync(path_1.default.join(root, 'product.json'), 'utf8')); - const baseDir = path_1.default.dirname(__dirname); const appRoot = path_1.default.join(buildDir, `VSCode-darwin-${arch}`); const appName = product.nameLong + '.app'; - const appFrameworkPath = path_1.default.join(appRoot, appName, 'Contents', 'Frameworks'); - const helperAppBaseName = product.nameShort; - const gpuHelperAppName = helperAppBaseName + ' Helper (GPU).app'; - const rendererHelperAppName = helperAppBaseName + ' Helper (Renderer).app'; - const pluginHelperAppName = helperAppBaseName + ' Helper (Plugin).app'; const infoPlistPath = path_1.default.resolve(appRoot, appName, 'Contents', 'Info.plist'); - const defaultOpts = { + const appOpts = { app: path_1.default.join(appRoot, appName), platform: 'darwin', - entitlements: path_1.default.join(baseDir, 'azure-pipelines', 'darwin', 'app-entitlements.plist'), - 'entitlements-inherit': path_1.default.join(baseDir, 'azure-pipelines', 'darwin', 'app-entitlements.plist'), - hardenedRuntime: true, - 'pre-auto-entitlements': false, - 'pre-embed-provisioning-profile': false, + optionsForFile: (filePath) => ({ + entitlements: getEntitlementsForFile(filePath), + hardenedRuntime: true, + }), + preAutoEntitlements: false, + preEmbedProvisioningProfile: false, keychain: path_1.default.join(tempDir, 'buildagent.keychain'), version: getElectronVersion(), identity, - 'gatekeeper-assess': false - }; - const appOpts = { - ...defaultOpts, - // TODO(deepak1556): Incorrectly declared type in electron-osx-sign - ignore: (filePath) => { - return filePath.includes(gpuHelperAppName) || - filePath.includes(rendererHelperAppName) || - filePath.includes(pluginHelperAppName); - } - }; - const gpuHelperOpts = { - ...defaultOpts, - app: path_1.default.join(appFrameworkPath, gpuHelperAppName), - entitlements: 
path_1.default.join(baseDir, 'azure-pipelines', 'darwin', 'helper-gpu-entitlements.plist'), - 'entitlements-inherit': path_1.default.join(baseDir, 'azure-pipelines', 'darwin', 'helper-gpu-entitlements.plist'), - }; - const rendererHelperOpts = { - ...defaultOpts, - app: path_1.default.join(appFrameworkPath, rendererHelperAppName), - entitlements: path_1.default.join(baseDir, 'azure-pipelines', 'darwin', 'helper-renderer-entitlements.plist'), - 'entitlements-inherit': path_1.default.join(baseDir, 'azure-pipelines', 'darwin', 'helper-renderer-entitlements.plist'), - }; - const pluginHelperOpts = { - ...defaultOpts, - app: path_1.default.join(appFrameworkPath, pluginHelperAppName), - entitlements: path_1.default.join(baseDir, 'azure-pipelines', 'darwin', 'helper-plugin-entitlements.plist'), - 'entitlements-inherit': path_1.default.join(baseDir, 'azure-pipelines', 'darwin', 'helper-plugin-entitlements.plist'), }; // Only overwrite plist entries for x64 and arm64 builds, // universal will get its copy from the x64 build. @@ -102,10 +86,7 @@ async function main(buildDir) { `${infoPlistPath}` ]); } - await electron_osx_sign_1.default.signAsync(gpuHelperOpts); - await electron_osx_sign_1.default.signAsync(rendererHelperOpts); - await electron_osx_sign_1.default.signAsync(pluginHelperOpts); - await electron_osx_sign_1.default.signAsync(appOpts); + await (0, osx_sign_1.sign)(appOpts); } if (require.main === module) { main(process.argv[2]).catch(async (err) => { diff --git a/build/darwin/sign.ts b/build/darwin/sign.ts index 9f23660b289..83f18c6a5a7 100644 --- a/build/darwin/sign.ts +++ b/build/darwin/sign.ts 
@@ -5,10 +5,16 @@ import fs from 'fs'; import path from 'path'; -import codesign from 'electron-osx-sign'; +import { sign, SignOptions } from '@electron/osx-sign'; import { spawn } from '@malept/cross-spawn-promise'; const root = path.dirname(path.dirname(__dirname)); +const baseDir = path.dirname(__dirname); +const product = JSON.parse(fs.readFileSync(path.join(root, 'product.json'), 'utf8')); +const helperAppBaseName = product.nameShort; +const gpuHelperAppName = helperAppBaseName + ' Helper (GPU).app'; +const rendererHelperAppName = helperAppBaseName + ' Helper (Renderer).app'; +const pluginHelperAppName = helperAppBaseName + ' Helper (Plugin).app'; function getElectronVersion(): string { const npmrc = fs.readFileSync(path.join(root, '.npmrc'), 'utf8'); @@ -16,6 +22,17 @@ function getElectronVersion(): string { return target; } +function getEntitlementsForFile(filePath: string): string { + if (filePath.includes(gpuHelperAppName)) { + return path.join(baseDir, 'azure-pipelines', 'darwin', 'helper-gpu-entitlements.plist'); + } else if (filePath.includes(rendererHelperAppName)) { + return path.join(baseDir, 'azure-pipelines', 'darwin', 'helper-renderer-entitlements.plist'); + } else if (filePath.includes(pluginHelperAppName)) { + return path.join(baseDir, 'azure-pipelines', 'darwin', 'helper-plugin-entitlements.plist'); + } + return path.join(baseDir, 'azure-pipelines', 'darwin', 'app-entitlements.plist'); +} + async function main(buildDir?: string): Promise { const tempDir = process.env['AGENT_TEMPDIRECTORY']; const arch = process.env['VSCODE_ARCH']; 
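Review bot: `helperAppBaseName` is taken from `product.nameShort` without any check, so a missing or empty field yields names such as `undefined Helper (GPU).app` that never match a path; every helper would then be signed with whatever `getEntitlementsForFile` returns by default instead of its own plist, and nothing would report it. Because these constants now run at module load, a guard directly after the `product` line would make that case fail closed: `if (typeof product.nameShort !== 'string' || product.nameShort.length === 0) { throw new Error('product.json: nameShort is missing'); }`. The same applies to the compiled `build/darwin/sign.js`.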
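Review bot: `getEntitlementsForFile` decides which entitlements each signed file receives, yet it carries no comment, and its final `return` hands `app-entitlements.plist` to every path that does not contain one of the three helper bundle names. A doc comment should state that fallback and the substring matching explicitly, e.g. `/** Maps a path inside the bundle to its entitlements plist; anything outside the GPU/Renderer/Plugin helper bundles gets the main app's plist. */`. Matching on a path segment, `filePath.split(path.sep).includes(gpuHelperAppName)`, would keep a directory whose name merely contains a helper name from selecting a helper plist. Whether the app plist is broader than the helper plists is not visible here, so it is worth confirming that this fallback is the intended one for nested frameworks and libraries.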
@@ -29,60 +46,22 @@ async function main(buildDir?: string): Promise { throw new Error('$AGENT_TEMPDIRECTORY not set'); } - const product = JSON.parse(fs.readFileSync(path.join(root, 'product.json'), 'utf8')); - const baseDir = path.dirname(__dirname); const appRoot = path.join(buildDir, `VSCode-darwin-${arch}`); const appName = product.nameLong + '.app'; - const appFrameworkPath = path.join(appRoot, appName, 'Contents', 'Frameworks'); - const helperAppBaseName = product.nameShort; - const gpuHelperAppName = helperAppBaseName + ' Helper (GPU).app'; - const rendererHelperAppName = helperAppBaseName + ' Helper (Renderer).app'; - const pluginHelperAppName = helperAppBaseName + ' Helper (Plugin).app'; const infoPlistPath = path.resolve(appRoot, appName, 'Contents', 'Info.plist'); - const defaultOpts: codesign.SignOptions = { + const appOpts: SignOptions = { app: path.join(appRoot, appName), platform: 'darwin', - entitlements: path.join(baseDir, 'azure-pipelines', 'darwin', 'app-entitlements.plist'), - 'entitlements-inherit': path.join(baseDir, 'azure-pipelines', 'darwin', 'app-entitlements.plist'), - hardenedRuntime: true, - 'pre-auto-entitlements': false, - 'pre-embed-provisioning-profile': false, + optionsForFile: (filePath) => ({ + entitlements: getEntitlementsForFile(filePath), + hardenedRuntime: true, + }), + preAutoEntitlements: false, + preEmbedProvisioningProfile: false, keychain: path.join(tempDir, 'buildagent.keychain'), version: getElectronVersion(), identity, - 'gatekeeper-assess': false - }; - - const appOpts = { - ...defaultOpts, - // TODO(deepak1556): Incorrectly declared type in electron-osx-sign - ignore: (filePath: string) => { - return filePath.includes(gpuHelperAppName) || - filePath.includes(rendererHelperAppName) || - filePath.includes(pluginHelperAppName); - } - }; - - const gpuHelperOpts: codesign.SignOptions = { - ...defaultOpts, - app: path.join(appFrameworkPath, gpuHelperAppName), - entitlements: path.join(baseDir, 'azure-pipelines', 'darwin', 
'helper-gpu-entitlements.plist'), - 'entitlements-inherit': path.join(baseDir, 'azure-pipelines', 'darwin', 'helper-gpu-entitlements.plist'), - }; - - const rendererHelperOpts: codesign.SignOptions = { - ...defaultOpts, - app: path.join(appFrameworkPath, rendererHelperAppName), - entitlements: path.join(baseDir, 'azure-pipelines', 'darwin', 'helper-renderer-entitlements.plist'), - 'entitlements-inherit': path.join(baseDir, 'azure-pipelines', 'darwin', 'helper-renderer-entitlements.plist'), - }; - - const pluginHelperOpts: codesign.SignOptions = { - ...defaultOpts, - app: path.join(appFrameworkPath, pluginHelperAppName), - entitlements: path.join(baseDir, 'azure-pipelines', 'darwin', 'helper-plugin-entitlements.plist'), - 'entitlements-inherit': path.join(baseDir, 'azure-pipelines', 'darwin', 'helper-plugin-entitlements.plist'), }; // Only overwrite plist entries for x64 and arm64 builds, @@ -111,10 +90,7 @@ async function main(buildDir?: string): Promise { ]); } - await codesign.signAsync(gpuHelperOpts); - await codesign.signAsync(rendererHelperOpts); - await codesign.signAsync(pluginHelperOpts); - await codesign.signAsync(appOpts as any); + await sign(appOpts); } if (require.main === module) { diff --git a/build/package-lock.json b/build/package-lock.json index 8a01fc58fcb..c4f99c2fefc 100644 --- a/build/package-lock.json +++ b/build/package-lock.json @@ -15,6 +15,7 @@ "@azure/msal-node": "^2.16.1", "@azure/storage-blob": "^12.25.0", "@electron/get": "^2.0.0", + "@electron/osx-sign": "^2.0.0", "@types/ansi-colors": "^3.2.0", "@types/byline": "^4.2.32", "@types/debounce": "^1.0.0", @@ -47,7 +48,6 @@ "ansi-colors": "^3.2.3", "byline": "^5.0.0", "debug": "^4.3.2", - "electron-osx-sign": "^0.4.16", "esbuild": "0.25.5", "extract-zip": "^2.0.1", "gulp-merge-json": "^2.1.1", 
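Review bot: The single `await sign(appOpts)` is not followed by any check that the three helper bundles ended up with their own entitlements; that used to follow from three explicit signing calls and now depends on `optionsForFile` being invoked with paths that contain the helper names. A short verification step after the call would catch a silent fallback to the app plist before the build is published: run `codesign -d --entitlements - <helper bundle path>` through the already imported `spawn` for each helper and compare the result with the expected plist. `appFrameworkPath` is removed in the preceding hunk, so the helper paths would have to be rebuilt for that check. `main` begins and ends outside this hunk, and the pipeline may already verify this elsewhere.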
@@ -488,6 +488,54 @@ "global-agent": "^3.0.0" } }, + "node_modules/@electron/osx-sign": { + "version": "2.0.0", + "resolved": "https://registry.npmjs.org/@electron/osx-sign/-/osx-sign-2.0.0.tgz", + "integrity": "sha512-jZSzWH21QYbdTy2QxMMtRFlMafyuBRH5EnpC1LJU3uaQV05oo7ldtBRcSI/Eznhw9kFWjjCf2RvC+Nxc1/kQyA==", + "dev": true, + "license": "BSD-2-Clause", + "dependencies": { + "@types/graceful-fs": "^4.1.9", + "debug": "^4.3.4", + "graceful-fs": "^4.2.11", + "isbinaryfile": "^4.0.8", + "plist": "^3.0.5", + "semver": "^7.7.1" + }, + "bin": { + "electron-osx-flat": "bin/electron-osx-flat.mjs", + "electron-osx-sign": "bin/electron-osx-sign.mjs" + }, + "engines": { + "node": ">=22.12.0" + } + }, + "node_modules/@electron/osx-sign/node_modules/isbinaryfile": { + "version": "4.0.10", + "resolved": "https://registry.npmjs.org/isbinaryfile/-/isbinaryfile-4.0.10.tgz", + "integrity": "sha512-iHrqe5shvBUcFbmZq9zOQHBoeOhZJu6RQGrDpBgenUm/Am+F3JM2MgQj+rK3Z601fzrL5gLZWtAPH2OBaSVcyw==", + "dev": true, + "license": "MIT", + "engines": { + "node": ">= 8.0.0" + }, + "funding": { + "url": "https://github.com/sponsors/gjtorikian/" + } + }, + "node_modules/@electron/osx-sign/node_modules/semver": { + "version": "7.7.2", + "resolved": "https://registry.npmjs.org/semver/-/semver-7.7.2.tgz", + "integrity": "sha512-RF0Fw+rO5AMf9MAyaRXI4AV0Ulj5lMHqVxxdSgiVbixSCXoEmmX/jk0CuJw4+3SqroYO9VoUh+HcuJivvtJemA==", + "dev": true, + "license": "ISC", + "bin": { + "semver": "bin/semver.js" + }, + "engines": { + "node": ">=10" + } + }, "node_modules/@esbuild/aix-ppc64": { "version": "0.25.5", "resolved": "https://registry.npmjs.org/@esbuild/aix-ppc64/-/aix-ppc64-0.25.5.tgz", 
@@ -1049,6 +1097,16 @@ "@types/node": "*" } }, + "node_modules/@types/graceful-fs": { + "version": "4.1.9", + "resolved": "https://registry.npmjs.org/@types/graceful-fs/-/graceful-fs-4.1.9.tgz", + "integrity": "sha512-olP3sd1qOEe5dXTSaFvQG+02VdRXcdytWLAZsAq1PecU8uqQAhkrnbli7DagjtXKW/Bl7YJbUsa8MPcuc8LHEQ==", + "dev": true, + "license": "MIT", + "dependencies": { + "@types/node": "*" + } + }, "node_modules/@types/gulp": { "version": "4.0.17", "resolved": "https://registry.npmjs.org/@types/gulp/-/gulp-4.0.17.tgz", @@ -1588,12 +1646,6 @@ "readable-stream": "^3.4.0" } }, - "node_modules/bluebird": { - "version": "3.7.2", - "resolved": "https://registry.npmjs.org/bluebird/-/bluebird-3.7.2.tgz", - "integrity": "sha512-XpNj6GDQzdfW+r2Wnn7xiSAd7TM3jzkxGXBGTtWKuSXv1xUV+azxAm8jdWZN06QTQk+2N2XB9jRDkvbmQmcRtg==", - "dev": true - }, "node_modules/boolbase": { "version": "1.0.0", "resolved": "https://registry.npmjs.org/boolbase/-/boolbase-1.0.0.tgz", @@ -1655,22 +1707,6 @@ "ieee754": "^1.1.13" } }, - "node_modules/buffer-alloc": { - "version": "1.2.0", - "resolved": "https://registry.npmjs.org/buffer-alloc/-/buffer-alloc-1.2.0.tgz", - "integrity": "sha512-CFsHQgjtW1UChdXgbyJGtnm+O/uLQeZdtbDo8mfUgYXCHSM1wgrVxXm6bSyrUuErEb+4sYVGCzASBRot7zyrow==", - "dev": true, - "dependencies": { - "buffer-alloc-unsafe": "^1.1.0", - "buffer-fill": "^1.0.0" - } - }, - "node_modules/buffer-alloc-unsafe": { - "version": "1.1.0", - "resolved": "https://registry.npmjs.org/buffer-alloc-unsafe/-/buffer-alloc-unsafe-1.1.0.tgz", - "integrity": "sha512-TEM2iMIEQdJ2yjPJoSIsldnleVaAk1oW3DBVUykyOLsEsFmEc9kn+SFFPz+gl54KQNxlDnAwCXosOS9Okx2xAg==", - "dev": true - }, "node_modules/buffer-crc32": { "version": "0.2.13", "resolved": "https://registry.npmjs.org/buffer-crc32/-/buffer-crc32-0.2.13.tgz", 
@@ -1686,12 +1722,6 @@ "integrity": "sha1-+OcRMvf/5uAaXJaXpMbz5I1cyBk= sha512-zRpUiDwd/xk6ADqPMATG8vc9VPrkck7T07OIx0gnjmJAnHnTVXNQG3vfvWNuiZIkwu9KrKdA1iJKfsfTVxE6NA==", "dev": true }, - "node_modules/buffer-fill": { - "version": "1.0.0", - "resolved": "https://registry.npmjs.org/buffer-fill/-/buffer-fill-1.0.0.tgz", - "integrity": "sha1-+PeLdniYiO858gXNY39o5wISKyw= sha512-T7zexNBwiiaCOGDg9xNX9PBmjrubblRkENuptryuI64URkXDFum9il/JGL8Lm8wYfAXpredVXXZz7eMHilimiQ==", - "dev": true - }, "node_modules/byline": { "version": "5.0.0", "resolved": "https://registry.npmjs.org/byline/-/byline-5.0.0.tgz", @@ -1910,15 +1940,6 @@ "color-support": "bin.js" } }, - "node_modules/compare-version": { - "version": "0.1.2", - "resolved": "https://registry.npmjs.org/compare-version/-/compare-version-0.1.2.tgz", - "integrity": "sha1-AWLsLZNR9d3VmpICy6k1NmpyUIA= sha512-pJDh5/4wrEnXX/VWRZvruAGHkzKdr46z11OlTPN+VrATlWWhSKewNCJ1futCO5C7eJB3nPMFZA1LeYtcFboZ2A==", - "dev": true, - "engines": { - "node": ">=0.10.0" - } - }, "node_modules/concat-map": { "version": "0.0.1", "resolved": "https://registry.npmjs.org/concat-map/-/concat-map-0.0.1.tgz", 
@@ -2179,43 +2200,6 @@ "safe-buffer": "^5.0.1" } }, - "node_modules/electron-osx-sign": { - "version": "0.4.16", - "resolved": "https://registry.npmjs.org/electron-osx-sign/-/electron-osx-sign-0.4.16.tgz", - "integrity": "sha512-ziMWfc3NmQlwnWLW6EaZq8nH2BWVng/atX5GWsGwhexJYpdW6hsg//MkAfRTRx1kR3Veiqkeiog1ibkbA4x0rg==", - "deprecated": "Please use @electron/osx-sign moving forward. Be aware the API is slightly different", - "dev": true, - "dependencies": { - "bluebird": "^3.5.0", - "compare-version": "^0.1.2", - "debug": "^2.6.8", - "isbinaryfile": "^3.0.2", - "minimist": "^1.2.0", - "plist": "^3.0.1" - }, - "bin": { - "electron-osx-flat": "bin/electron-osx-flat.js", - "electron-osx-sign": "bin/electron-osx-sign.js" - }, - "engines": { - "node": ">=4.0.0" - } - }, - "node_modules/electron-osx-sign/node_modules/debug": { - "version": "2.6.9", - "resolved": "https://registry.npmjs.org/debug/-/debug-2.6.9.tgz", - "integrity": "sha512-bC7ElrdJaJnPbAP+1EotYvqZsb3ecl5wi6Bfi6BJTUcNowp6cvspg0jXznRTKDjm/E7AdgFBVeAPVMNcKGsHMA==", - "dev": true, - "dependencies": { - "ms": "2.0.0" - } - }, - "node_modules/electron-osx-sign/node_modules/ms": { - "version": "2.0.0", - "resolved": "https://registry.npmjs.org/ms/-/ms-2.0.0.tgz", - "integrity": "sha1-VgiurfwAvmwpAd9fmGF4jeDVl8g= sha512-Tpp60P6IUJDTuOq/5Z8cdskzJujfwqfOTkrwIwj7IRISpnkJnT6SyJ4PCPnGMoFjC9ddhal5KVIYtAt97ix05A==", - "dev": true - }, "node_modules/end-of-stream": { "version": "1.4.4", "resolved": "https://registry.npmjs.org/end-of-stream/-/end-of-stream-1.4.4.tgz", 
@@ -2685,10 +2669,11 @@ } }, "node_modules/graceful-fs": { - "version": "4.2.8", - "resolved": "https://registry.npmjs.org/graceful-fs/-/graceful-fs-4.2.8.tgz", - "integrity": "sha512-qkIilPUYcNhJpd33n0GBXTB1MMPp14TxEsEs0pTrsSVucApsYzW5V+Q8Qxhik6KU3evy+qkAAowTByymK0avdg==", - "devOptional": true + "version": "4.2.11", + "resolved": "https://registry.npmjs.org/graceful-fs/-/graceful-fs-4.2.11.tgz", + "integrity": "sha512-RbJ5/jmFcNNCcDV5o9eTnBLJ/HszWV0P73bc+Ff4nS/rJj+YaS6IGyiOL0VoBYX+l1Wrl3k63h/KrH+nhJ0XvQ==", + "devOptional": true, + "license": "ISC" }, "node_modules/gulp-merge-json": { "version": "2.1.1", @@ -3022,18 +3007,6 @@ "integrity": "sha1-u5NdSFgsuhaMBoNJV6VKPgcSTxE= sha512-VLghIWNM6ELQzo7zwmcg0NmTVyWKYjvIeM83yjp0wRDTmUnrM678fQbcKBo6n2CJEF0szoG//ytg+TKla89ALQ==", "devOptional": true }, - "node_modules/isbinaryfile": { - "version": "3.0.3", - "resolved": "https://registry.npmjs.org/isbinaryfile/-/isbinaryfile-3.0.3.tgz", - "integrity": "sha512-8cJBL5tTd2OS0dM4jz07wQd5g0dCCqIhUxPIGtZfa5L6hWlvV5MHTITy/DBAsF+Oe2LS1X3krBUhNwaGUWpWxw==", - "dev": true, - "dependencies": { - "buffer-alloc": "^1.2.0" - }, - "engines": { - "node": ">=0.6.0" - } - }, "node_modules/isexe": { "version": "2.0.0", "resolved": "https://registry.npmjs.org/isexe/-/isexe-2.0.0.tgz", @@ -3341,7 +3314,8 @@ "version": "1.2.6", "resolved": "https://registry.npmjs.org/minimist/-/minimist-1.2.6.tgz", "integrity": "sha512-Jsjnk4bw3YJqYzbdyBiNsPWHPfO++UGG749Cxs6peCu5Xg4nrena6OVxOYxrQTqww0Jmwt+Ref8rggumkTLz9Q==", - "dev": true + "dev": true, + "optional": true }, "node_modules/mkdirp-classic": { "version": "0.5.3", diff --git a/build/package.json b/build/package.json index 4096a1fdb30..987beb0baf0 100644 --- a/build/package.json +++ b/build/package.json @@ -9,6 +9,7 @@ "@azure/msal-node": "^2.16.1", "@azure/storage-blob": "^12.25.0", "@electron/get": "^2.0.0", + "@electron/osx-sign": "^2.0.0", "@types/ansi-colors": "^3.2.0", "@types/byline": "^4.2.32", "@types/debounce": "^1.0.0", 
@@ -41,7 +42,6 @@ "ansi-colors": "^3.2.3", "byline": "^5.0.0", "debug": "^4.3.2", - "electron-osx-sign": "^0.4.16", "esbuild": "0.25.5", "extract-zip": "^2.0.1", "gulp-merge-json": "^2.1.1",