feat: add codesign verification and assessment prior to notarizing (#152

) * feat: add spctl and codesign verificatin prior to stapling * fix output * fix output * chore: resolve comments * Update src/check-signature.ts * chore: fix lint * chore: address comments --------- Co-authored-by: Erick Zhao <[email protected]> Co-authored-by: David Sanders <[email protected]>
electron · Nov 14, 2023 · b1b2ca1 · b1b2ca1
1 parent 1c9790f
commit b1b2ca1
Show file tree

Hide file tree

Showing 2 changed files with 47 additions and 0 deletions.
diff --git a/src/check-signature.ts b/src/check-signature.ts
@@ -0,0 +1,44 @@
+import * as path from 'path';
+
+import { spawn } from './spawn';
+import { NotarizeStapleOptions } from './types';
+import debug from 'debug';
+const d = debug('electron-notarize');
+
+const codesignDisplay = async (opts: NotarizeStapleOptions) => {
+  const result = await spawn('codesign', ['-dv', '-vvvv', '--deep', path.basename(opts.appPath)], {
+    cwd: path.dirname(opts.appPath),
+  });
+  return result;
+};
+
+const codesign = async (opts: NotarizeStapleOptions) => {
+  d('attempting to check codesign of app:', opts.appPath);
+  const result = await spawn(
+    'codesign',
+    ['-vvv', '--deep', '--strict', path.basename(opts.appPath)],
+    {
+      cwd: path.dirname(opts.appPath),
+    },
+  );
+
+  return result;
+};
+export async function checkSignatures(opts: NotarizeStapleOptions): Promise<void> {
+  const [codesignResult, codesignInfo] = await Promise.all([codesign(opts), codesignDisplay(opts)]);
+  let error = '';
+
+  if (codesignInfo.code !== 0) {
+    d('codesignInfo failed');
+    error = `Failed to display codesign info on your application with code: ${codesignInfo.code}\n\n${codesignInfo.output}\n`;
+  }
+  if (codesignResult.code !== 0) {
+    d('codesign check failed');
+    error += `Failed to codesign your application with code: ${codesignResult.code}\n\n${codesignResult.output}\n\n${codesignInfo.output}`;
+  }
+
+  if (error) {
+    throw new Error(error);
+  }
+  d('codesign assess succeeded');
+}
diff --git a/src/index.ts b/src/index.ts
@@ -1,6 +1,7 @@
 import debug from 'debug';
 import retry from 'promise-retry';
 
+import { checkSignatures } from './check-signature';
 import { delay } from './helpers';
 import { startLegacyNotarize, waitForLegacyNotarize } from './legacy';
 import { isNotaryToolAvailable, notarizeAndWaitForNotaryTool } from './notarytool';
@@ -14,6 +15,8 @@ export { NotarizeOptions };
 export { validateLegacyAuthorizationArgs as validateAuthorizationArgs } from './validate-args';
 
 export async function notarize({ appPath, ...otherOptions }: NotarizeOptions) {
+  await checkSignatures({ appPath });
+
   if (otherOptions.tool === 'legacy') {
     console.warn(
       'Notarizing using the legacy altool system. The altool system will be disabled on November 1 2023. Please switch to the notarytool system before then.',