Skip to content

Commit

Permalink
fix: Use fully-defined path /usr/bin/___ to macOS signing utilities (
Browse files Browse the repository at this point in the history
  • Loading branch information
dbrnz authored Jan 23, 2024
1 parent adf97dc commit 61dfe7f
Show file tree
Hide file tree
Showing 2 changed files with 15 additions and 10 deletions.
5 changes: 5 additions & 0 deletions .changeset/thirty-bobcats-beg.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,5 @@
---
"app-builder-lib": patch
---

Use full path to macOS signing utilities
20 changes: 10 additions & 10 deletions packages/app-builder-lib/src/codeSign/macCodeSign.ts
Original file line number Diff line number Diff line change
Expand Up @@ -87,7 +87,7 @@ export async function reportError(
}

if (qualifier != null || isAutoDiscoveryCodeSignIdentity()) {
logFields.allIdentities = (await exec("security", args))
logFields.allIdentities = (await exec("/usr/bin/security", args))
.trim()
.split("\n")
.filter(it => !(it.includes("Policy: X.509 Basic") || it.includes("Matching identities")))
Expand Down Expand Up @@ -116,7 +116,7 @@ const bundledCertKeychainAdded = new Lazy<void>(async () => {
])
const list = results[0]
if (!list.includes(keychainPath)) {
await exec("security", ["list-keychains", "-d", "user", "-s", keychainPath].concat(list))
await exec("/usr/bin/security", ["list-keychains", "-d", "user", "-s", keychainPath].concat(list))
}
})

Expand All @@ -126,7 +126,7 @@ function getCacheDirectory(): string {
}

function listUserKeychains(): Promise<Array<string>> {
return exec("security", ["list-keychains", "-d", "user"]).then(it =>
return exec("/usr/bin/security", ["list-keychains", "-d", "user"]).then(it =>
it
.split("\n")
.map(it => {
Expand All @@ -147,7 +147,7 @@ export interface CreateKeychainOptions {
}

export function removeKeychain(keychainFile: string, printWarn = true): Promise<any> {
return exec("security", ["delete-keychain", keychainFile]).catch((e: any) => {
return exec("/usr/bin/security", ["delete-keychain", keychainFile]).catch((e: any) => {
if (printWarn) {
log.warn({ file: keychainFile, error: e.stack || e }, "cannot delete keychain")
}
Expand Down Expand Up @@ -193,19 +193,19 @@ export async function createKeychain({ tmpDir, cscLink, cscKeyPassword, cscILink
await Promise.all([
// we do not clear downloaded files - will be removed on tmpDir cleanup automatically. not a security issue since in any case data is available as env variables and protected by password.
BluebirdPromise.map(certLinks, (link, i) => importCertificate(link, tmpDir, currentDir).then(it => (certPaths[i] = it))),
BluebirdPromise.mapSeries(securityCommands, it => exec("security", it)),
BluebirdPromise.mapSeries(securityCommands, it => exec("/usr/bin/security", it)),
])
return await importCerts(keychainFile, certPaths, [cscKeyPassword, cscIKeyPassword].filter(it => it != null) as Array<string>)
}

async function importCerts(keychainFile: string, paths: Array<string>, keyPasswords: Array<string>): Promise<CodeSigningInfo> {
for (let i = 0; i < paths.length; i++) {
const password = keyPasswords[i]
await exec("security", ["import", paths[i], "-k", keychainFile, "-T", "/usr/bin/codesign", "-T", "/usr/bin/productbuild", "-P", password])
await exec("/usr/bin/security", ["import", paths[i], "-k", keychainFile, "-T", "/usr/bin/codesign", "-T", "/usr/bin/productbuild", "-P", password])

// https://stackoverflow.com/questions/39868578/security-codesign-in-sierra-keychain-ignores-access-control-settings-and-ui-p
// https://github.com/electron-userland/electron-packager/issues/701#issuecomment-322315996
await exec("security", ["set-key-partition-list", "-S", "apple-tool:,apple:", "-s", "-k", password, keychainFile])
await exec("/usr/bin/security", ["set-key-partition-list", "-S", "apple-tool:,apple:", "-s", "-k", password, keychainFile])
}

return {
Expand All @@ -219,7 +219,7 @@ export function sign(path: string, name: string, keychain: string): Promise<any>
if (keychain != null) {
args.push("--keychain", keychain)
}
return exec("codesign", args)
return exec("/usr/bin/codesign", args)
}

export let findIdentityRawResult: Promise<Array<string>> | null = null
Expand All @@ -237,7 +237,7 @@ async function getValidIdentities(keychain?: string | null): Promise<Array<strin
// https://github.com/electron-userland/electron-builder/issues/481
// https://github.com/electron-userland/electron-builder/issues/535
result = Promise.all<Array<string>>([
exec("security", addKeychain(["find-identity", "-v"])).then(it =>
exec("/usr/bin/security", addKeychain(["find-identity", "-v"])).then(it =>
it
.trim()
.split("\n")
Expand All @@ -250,7 +250,7 @@ async function getValidIdentities(keychain?: string | null): Promise<Array<strin
return false
})
),
exec("security", addKeychain(["find-identity", "-v", "-p", "codesigning"])).then(it => it.trim().split("\n")),
exec("/usr/bin/security", addKeychain(["find-identity", "-v", "-p", "codesigning"])).then(it => it.trim().split("\n")),
]).then(it => {
const array = it[0]
.concat(it[1])
Expand Down

0 comments on commit 61dfe7f

Please sign in to comment.