electron-osx-sign

electron-osx-sign

Code-signing for packaged Electron OS X apps.

About

electron-osx-sign minimizes the extra work needed to eventually prepare your apps for shipping, providing the most basic tools and assets. Note that the bare necessities here are sufficient for enabling app sandbox, yet other configurations for like network access require additional work.

It is worth noting as well that starting from Electron v1.1.1, a new mechanism was introduced to satisfy IPC communications (see electron#5601); wishing to have full support of various Electron versions, please utilize opts.version, which brings less hassle with making default settings among releases.

We are trying to keep updated to the Electron specifications; please file us an issue if having any suggestions or experiencing difficulties code signing your products.

Please visit our Wiki hosted here on GitHub for walk-throughs and notes from past projects shipped with electron-packager and electron-osx-sign.

NB: The signing procedure implemented in this package is based on what described in Mac App Store Submission Guide.

An OPEN Open Source Project

Individuals making significant and valuable contributions are given commit-access to the project to contribute as they see fit. This project is more like an open wiki than a standard guarded open source project.

Collaborators

Thanks to seanchas116, jasonhinkle, and develar for improving the usability of this project implementation.

Installation

# For use in npm scripts
npm install --save electron-osx-sign

# For use from CLI
npm install -g electron-osx-sign

Note: electron-osx-sign is a dependency of electron-packager as of 6.0.0 for signing apps on OS X. However, feel free to install this package globally for more customization beyond specifying identity and entitlements.

Usage

electron-osx-sign

From the Command Line

electron-osx-sign <app> [additional-binaries...] [--options...]

Example:

electron-osx-sign path/to/my.app

The script above being sufficient, it is, however, recommended to make use of opts.version while signing for example:

electron-osx-sign path/to/my.app --version=1.2.0

For details on the optional flags, run electron-osx-sign --help or see electron-osx-sign-usage.txt.

From the API

var sign = require('electron-osx-sign')
sign(opts[, function done (err) {}])

Example:

var sign = require('electron-osx-sign')
sign({
  app: 'path/to/my.app'
}, function done (err) {
  if (err) {
    // Handle the error
    return;
  }
  // Application signed
})

From release v0.4.0-beta, Bluebird promises are introduced for better async method calls; the following is also available for use.

var signAsync = require('electron-osx-sign').signAsync
signAsync(opts)
  [.then(function () {})
  [.catch(function (err) {})]]

Example:

var signAsync = require('electron-osx-sign').signAsync
signAsync({
  app: 'path/to/my.app'
})
  .then(function () {
    // Application signed
  })
  .catch(function (err) {
    // Handle the error
  })

opts - Options

Required

app - String

Path to the application package. Needs file extension .app.

Optional

binaries - Array

Path to additional binaries that will be signed along with built-ins of Electron. Default to null.

entitlements - String

Path to entitlements file for signing the app. See default.mas.entitlements or default.darwin.entitlements for default.

entitlements-inherit - String

Path to child entitlements which inherit the security settings for signing frameworks and bundles of a distribution. This option only applies when signing with entitlements provided, or for a mas platform version. See default.mas.inherit.entitlements or default.darwin.inherit.entitlements for default.

identity - String

Name of certificate to use when signing. Default to retrieve from keychain (see below) or system default keychain.

Signing platform mas will look for 3rd Party Mac Developer Application: * (*), and platform darwin will look for Developer ID Application: * (*) by default.

keychain - String

The keychain name. Default to system default keychain.

ignore - String

Regex or function that signals ignoring a file before signing. Default to undefined.

platform - String

Build platform of Electron. Allowed values: darwin, mas. Default to auto detect by presence of Squirrel.framework within the application bundle.

pre-auto-entitlements - Boolean

Flag to enable automation of com.apple.security.application-groups in entitlements file and update Info.plist with ElectronTeamID. Allowed values: true, false. Default to true.

version - String

Build version of Electron. Values may be like: 1.1.1, 1.2.0. Default to latest Electron version.

It is recommended to utilize this option for best support of specific Electron versions. This may trigger pre/post operations for signing: For example, automation of setting com.apple.security.application-groups in entitlements file and of updating Info.plist with ElectronTeamID is enabled for all versions starting from 1.1.1; set pre-auto-entitlements option to false to disable this feature.

cb - Callback

err - Error

electron-osx-flat

From the Command Line

electron-osx-flat <app> [--options...]

Example:

electron-osx-flat path/to/my.app

For details on the optional flags, run electron-osx-flat --help or see electron-osx-flat-usage.txt.

From the API

var flat = require('electron-osx-sign').flat
flat(opts[, function done (err) {}])

Example:

var flat = require('electron-osx-sign').flat
flat({
  app: 'path/to/my.app'
}, function done (err) {
  if (err) {
    // Handle the error
    return;
  }
  // Application flattened
})

From release v0.4.0-beta, Bluebird promises are introduced for better async method calls; the following is also available for use.

var flatAsync = require('electron-osx-sign').flatAsync
flatAsync(opts)
  [.then(function () {})
  [.catch(function (err) {})]]

Example:

var flatAsync = require('electron-osx-sign').flatAsync
flatAsync({
  app: 'path/to/my.app'
})
  .then(function () {
    // Application flattened
  })
  .catch(function (err) {
    // Handle the error
  })

opts - Options

Required

app - String

Path to the application bundle. Needs file extension .app.

Optional

identity - String

Name of certificate to use when flattening. Default to retrieve from keychain(see below) or system default keychain.

Flattening platform mas will look for 3rd Party Mac Developer Installer: * (*), and platform darwin will look for Developer ID Installer: * (*) by default.

install - String

Path to install for the bundle. Default to /Applications.

keychain - String

The keychain name. Default to system default keychain.

platform - String

Build platform of Electron. Allowed values: darwin, mas. Default to auto detect by presence of Squirrel.framework within the application bundle.

pkg - String

Path to the output flattened package. Needs file extension .pkg.

cb - Callback

err - Error

Debug

As of release v0.3.1, external module debug is used to display logs and messages; remember to export DEBUG=electron-osx-sign* when necessary.

Test

As developer certificates are required for codesign in OS X, this module may not be tested via online build services. If you wish to test out this module, enter:

npm test

from the dev directory, and tell us if all tests should pass.

When this command is fun for the first time: electron-download will download all major releases of Electron available for OS X from 0.24.0, and save to ~/.electron/, which might take up less than 1GB of disk space.

A successful testing should look something like:

$ npm test

> electron-osx-sign@0.4.0-beta2 pretest electron-osx-sign
> rimraf test/work

> electron-osx-sign@0.4.0-beta2 test electron-osx-sign
> standard && tape test

Calling electron-download before running tests...
Running tests...
TAP version 13
# setup
# defaults-test:v0.24.0-darwin-x64
ok 1 app signed
ok 2 app flattened
# defaults-test:v0.25.3-darwin-x64
ok 3 app signed
ok 4 app flattened
# defaults-test:v0.26.1-darwin-x64
ok 5 app signed
ok 6 app flattened
# defaults-test:v0.27.3-darwin-x64
ok 7 app signed
ok 8 app flattened
# defaults-test:v0.28.3-darwin-x64
ok 9 app signed
ok 10 app flattened
# defaults-test:v0.29.2-darwin-x64
ok 11 app signed
ok 12 app flattened
# defaults-test:v0.30.8-darwin-x64
ok 13 app signed
ok 14 app flattened
# defaults-test:v0.31.2-darwin-x64
ok 15 app signed
ok 16 app flattened
# defaults-test:v0.32.3-darwin-x64
ok 17 app signed
ok 18 app flattened
# defaults-test:v0.33.9-darwin-x64
ok 19 app signed
ok 20 app flattened
# defaults-test:v0.34.5-darwin-x64
ok 21 app signed
ok 22 app flattened
# defaults-test:v0.34.5-mas-x64
ok 23 app signed
ok 24 app flattened
# defaults-test:v0.35.6-darwin-x64
ok 25 app signed
ok 26 app flattened
# defaults-test:v0.35.6-mas-x64
ok 27 app signed
ok 28 app flattened
# defaults-test:v0.36.12-darwin-x64
ok 29 app signed
ok 30 app flattened
# defaults-test:v0.36.12-mas-x64
ok 31 app signed
ok 32 app flattened
# defaults-test:v0.37.8-darwin-x64
ok 33 app signed
ok 34 app flattened
# defaults-test:v0.37.8-mas-x64
ok 35 app signed
ok 36 app flattened
# defaults-test:v1.0.2-darwin-x64
ok 37 app signed
ok 38 app flattened
# defaults-test:v1.0.2-mas-x64
ok 39 app signed
ok 40 app flattened
# defaults-test:v1.1.3-darwin-x64
ok 41 app signed
ok 42 app flattened
# defaults-test:v1.1.3-mas-x64
ok 43 app signed
ok 44 app flattened
# defaults-test:v1.2.0-darwin-x64
ok 45 app signed
ok 46 app flattened
# defaults-test:v1.2.0-mas-x64
ok 47 app signed
ok 48 app flattened
# teardown

1..48
# tests 48
# pass  48

# ok

Related

• electron-packager - Package your electron app in OS executables (.app, .exe, etc) via JS or CLI.
• electron-builder - Complete solution to build ready for distribution and "auto update" installers of your app for OS X, Windows and Linux.