fix: Use fully-defined path /usr/bin/___ to macOS signing utilities (…

…#7998)
electron-userland · Jan 23, 2024 · 61dfe7f · 61dfe7f
1 parent adf97dc
commit 61dfe7f
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 10 deletions.
diff --git a/.changeset/thirty-bobcats-beg.md b/.changeset/thirty-bobcats-beg.md
@@ -0,0 +1,5 @@
+---
+"app-builder-lib": patch
+---
+
+Use full path to macOS signing utilities
diff --git a/packages/app-builder-lib/src/codeSign/macCodeSign.ts b/packages/app-builder-lib/src/codeSign/macCodeSign.ts
@@ -87,7 +87,7 @@ export async function reportError(
   }
 
   if (qualifier != null || isAutoDiscoveryCodeSignIdentity()) {
-    logFields.allIdentities = (await exec("security", args))
+    logFields.allIdentities = (await exec("/usr/bin/security", args))
       .trim()
       .split("\n")
       .filter(it => !(it.includes("Policy: X.509 Basic") || it.includes("Matching identities")))
@@ -116,7 +116,7 @@ const bundledCertKeychainAdded = new Lazy<void>(async () => {
   ])
   const list = results[0]
   if (!list.includes(keychainPath)) {
-    await exec("security", ["list-keychains", "-d", "user", "-s", keychainPath].concat(list))
+    await exec("/usr/bin/security", ["list-keychains", "-d", "user", "-s", keychainPath].concat(list))
   }
 })
 
@@ -126,7 +126,7 @@ function getCacheDirectory(): string {
 }
 
 function listUserKeychains(): Promise<Array<string>> {
-  return exec("security", ["list-keychains", "-d", "user"]).then(it =>
+  return exec("/usr/bin/security", ["list-keychains", "-d", "user"]).then(it =>
     it
       .split("\n")
       .map(it => {
@@ -147,7 +147,7 @@ export interface CreateKeychainOptions {
 }
 
 export function removeKeychain(keychainFile: string, printWarn = true): Promise<any> {
-  return exec("security", ["delete-keychain", keychainFile]).catch((e: any) => {
+  return exec("/usr/bin/security", ["delete-keychain", keychainFile]).catch((e: any) => {
     if (printWarn) {
       log.warn({ file: keychainFile, error: e.stack || e }, "cannot delete keychain")
     }
@@ -193,19 +193,19 @@ export async function createKeychain({ tmpDir, cscLink, cscKeyPassword, cscILink
   await Promise.all([
     // we do not clear downloaded files - will be removed on tmpDir cleanup automatically. not a security issue since in any case data is available as env variables and protected by password.
     BluebirdPromise.map(certLinks, (link, i) => importCertificate(link, tmpDir, currentDir).then(it => (certPaths[i] = it))),
-    BluebirdPromise.mapSeries(securityCommands, it => exec("security", it)),
+    BluebirdPromise.mapSeries(securityCommands, it => exec("/usr/bin/security", it)),
   ])
   return await importCerts(keychainFile, certPaths, [cscKeyPassword, cscIKeyPassword].filter(it => it != null) as Array<string>)
 }
 
 async function importCerts(keychainFile: string, paths: Array<string>, keyPasswords: Array<string>): Promise<CodeSigningInfo> {
   for (let i = 0; i < paths.length; i++) {
     const password = keyPasswords[i]
-    await exec("security", ["import", paths[i], "-k", keychainFile, "-T", "/usr/bin/codesign", "-T", "/usr/bin/productbuild", "-P", password])
+    await exec("/usr/bin/security", ["import", paths[i], "-k", keychainFile, "-T", "/usr/bin/codesign", "-T", "/usr/bin/productbuild", "-P", password])
 
     // https://stackoverflow.com/questions/39868578/security-codesign-in-sierra-keychain-ignores-access-control-settings-and-ui-p
     // https://github.com/electron-userland/electron-packager/issues/701#issuecomment-322315996
-    await exec("security", ["set-key-partition-list", "-S", "apple-tool:,apple:", "-s", "-k", password, keychainFile])
+    await exec("/usr/bin/security", ["set-key-partition-list", "-S", "apple-tool:,apple:", "-s", "-k", password, keychainFile])
   }
 
   return {
@@ -219,7 +219,7 @@ export function sign(path: string, name: string, keychain: string): Promise<any>
   if (keychain != null) {
     args.push("--keychain", keychain)
   }
-  return exec("codesign", args)
+  return exec("/usr/bin/codesign", args)
 }
 
 export let findIdentityRawResult: Promise<Array<string>> | null = null
@@ -237,7 +237,7 @@ async function getValidIdentities(keychain?: string | null): Promise<Array<strin
     // https://github.com/electron-userland/electron-builder/issues/481
     // https://github.com/electron-userland/electron-builder/issues/535
     result = Promise.all<Array<string>>([
-      exec("security", addKeychain(["find-identity", "-v"])).then(it =>
+      exec("/usr/bin/security", addKeychain(["find-identity", "-v"])).then(it =>
         it
           .trim()
           .split("\n")
@@ -250,7 +250,7 @@ async function getValidIdentities(keychain?: string | null): Promise<Array<strin
             return false
           })
       ),
-      exec("security", addKeychain(["find-identity", "-v", "-p", "codesigning"])).then(it => it.trim().split("\n")),
+      exec("/usr/bin/security", addKeychain(["find-identity", "-v", "-p", "codesigning"])).then(it => it.trim().split("\n")),
     ]).then(it => {
       const array = it[0]
         .concat(it[1])