Research
Security News
Quasar RAT Disguised as an npm Package for Detecting Vulnerabilities in Ethereum Smart Contracts
Socket researchers uncover a malicious npm package posing as a tool for detecting vulnerabilities in Etherium smart contracts.
electron-notarize
Advanced tools
Notarize your Electron apps seamlessly
# npm
npm i electron-notarize --save-dev
# yarn
yarn add electron-notarize --dev
From apple's docs, the definition of a "notarized app"
A notarized app is a macOS app that was uploaded to Apple for processing before it was distributed. When you export a notarized app from Xcode, it code signs the app with a Developer ID certificate and staples a ticket from Apple to the app. The ticket confirms that you previously uploaded the app to Apple.
On macOS 10.14 and later, the user can launch notarized apps when Gatekeeper is enabled. When the user first launches a notarized app, Gatekeeper looks for the app’s ticket online. If the user is offline, Gatekeeper looks for the ticket that was stapled to the app.
Basically Apple are going to make this a hard requirement soon, may as well get on the train early.
notarize(opts): Promise<void>
options
Object
appBundleId
String - The app bundle identifier your Electron app is using. E.g. com.github.electron
appPath
String - The absolute path to your .app
fileappleId
String - The username of your apple developer accountappleIdPassword
String - The password for your apple developer accountascProvider
String (optional) - Your Team ID in App Store Connect. This is necessary if you are part of multiple teamsFor notarization, you need the following things:
appleIdPassword
const password = `@keychain:"Application Loader: ${appleId}"`;
Another option is that you can add a new keychain item using either the Keychain Access app or from the command line using the security
utility:
security add-generic-password -a "AC_USERNAME" -w <app_specific_password> -s "AC_PASSWORD"
where AC_USERNAME
should be replaced with your Apple ID, and then in your code you can use:
const password = `@keychain:AC_PASSWORD`;
import { notarize } from 'electron-notarize';
async function packageTask () {
// Package your app here, and code side with hardened runtime
await notarize({
appBundleId,
appPath,
appleId,
appleIdPassword,
ascProvider, // This parameter is optional
});
}
FAQs
Notarize your Electron app
The npm package electron-notarize receives a total of 47,953 weekly downloads. As such, electron-notarize popularity was classified as popular.
We found that electron-notarize demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 5 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
Socket researchers uncover a malicious npm package posing as a tool for detecting vulnerabilities in Etherium smart contracts.
Security News
Research
A supply chain attack on Rspack's npm packages injected cryptomining malware, potentially impacting thousands of developers.
Research
Security News
Socket researchers discovered a malware campaign on npm delivering the Skuld infostealer via typosquatted packages, exposing sensitive data.