fix(codeSign): signing with 'Mac Developer' failed #1103
Conversation
Removed codes of throwing exceptions inside `findIdentity()`, and let the `sign()` in `macPackager.ts` itself handle the returned value of `findIdentity()` (which should be string|null) and then try to sign with certType==='Mac Developer' before exporting unsigned application;
| @@ -10,7 +10,7 @@ import { homedir } from "os" | |||
| import { statOrNull } from "electron-builder-util/out/fs" | |||
| import isCi from "is-ci" | |||
|
|
|||
| export const appleCertificatePrefixes = ["Developer ID Application:", "Developer ID Installer:", "3rd Party Mac Developer Application:", "3rd Party Mac Developer Installer:"] | |||
| export const appleCertificatePrefixes = ["Developer ID Application:", "Developer ID Installer:", "3rd Party Mac Developer Application:", "3rd Party Mac Developer Installer:", "Mac Developer:"] | |||
There was a problem hiding this comment.
Not necessary and can lead to major issues.
| throw new Error(`Identity name "${identity}" is specified, but no valid identity with this name in the keychain`) | ||
| } | ||
| return result | ||
| return await _findIdentity(certType, identity, keychain) |
There was a problem hiding this comment.
If check removed here, it should be added to macPackager.ts
There was a problem hiding this comment.
let name = await findIdentity(isMas ? "3rd Party Mac Developer Application" : "Developer ID Application", isMas ? masQualifier : this.platformSpecificBuildOptions.identity, keychainName)
if (name == null) {
if (!isMas) {
name = await findIdentity("Mac Developer", this.platformSpecificBuildOptions.identity, keychainName)
if (name != null) {
warn("Mac Developer is used to sign app — it is only for development and testing, not for production")
}
}
if (name == null) {
const message = process.env.CSC_IDENTITY_AUTO_DISCOVERY === "false" ?
`App is not signed: env CSC_IDENTITY_AUTO_DISCOVERY is set to false` :
`App is not signed: cannot find valid ${isMas ? '"3rd Party Mac Developer Application" identity' : `"Developer ID Application" identity or custom non-Apple code signing certificate`}, see https://github.com/electron-userland/electron-builder/wiki/Code-Signing`
if (isMas || this.platformSpecificBuildOptions.forceCodeSigning) {
throw new Error(message)
}
else {
warn(message)
return
}
}
}
As for the current logic in macPackager.ts, when provided with an identity string, it first try to get it as a "3rd Party Mac Developer Installer"/"Developer ID Installer"; If returns null, it will do an additional identity query for Darwin as 'Mac Developer'; If returns null again, it will decide to either throw an error or display a warning message depending on the build options(isMas || this.platformSpecificBuildOptions.forceCodeSigning);
So here in findIdentity() I don't see why it should throw an error when failed to get identity. It can just return string|null denoting whether it find the requested identity or not, and let macPackager.ts do the result checking part. findIdentity() should not throw error before every options are tried in macPackager.ts.
There was a problem hiding this comment.
if this.platformSpecificBuildOptions.identity is specified explicitly, we must throw error. Currently, we will throw error in the macPackager only for mas. If check removed from findIdentity, here, in the macPackager, we must add corresponding check.
|
@ericzhangjx Thank you for investigation. |
Removed codes of throwing exceptions inside
findIdentity(), and let thesign()inmacPackager.tsitself handle the returned value offindIdentity()(which should be string|null) and then try to sign with certType==='Mac Developer' before exporting unsigned application;