fix(mac): use hash instead of identity name to sign

Close #1629

Author: develar

packages/electron-builder/src/codeSign.ts

@@ -185,7 +185,7 @@ async function getValidIdentities(keychain?: string | null): Promise<Array<strin
   return result
 }
 
-async function _findIdentity(type: CertType, qualifier?: string | null, keychain?: string | null): Promise<string | null> {
+async function _findIdentity(type: CertType, qualifier?: string | null, keychain?: string | null): Promise<Identity | null> {
   // https://github.com/electron-userland/electron-builder/issues/484
   //noinspection SpellCheckingInspection
   const lines = await getValidIdentities(keychain)
@@ -196,7 +196,7 @@ async function _findIdentity(type: CertType, qualifier?: string | null, keychain
     }
 
     if (line.includes(namePrefix)) {
-      return line.substring(line.indexOf('"') + 1, line.lastIndexOf('"'))
+      return parseIdentity(line)
     }
   }
 
@@ -218,13 +218,29 @@ async function _findIdentity(type: CertType, qualifier?: string | null, keychain
         }
       }
 
-      return line.substring(line.indexOf('"') + 1, line.lastIndexOf('"'))
+      return parseIdentity(line)
     }
   }
   return null
 }
 
-export function findIdentity(certType: CertType, qualifier?: string | null, keychain?: string | null): Promise<string | null> {
+export declare class Identity {
+  readonly name: string
+  readonly hash: string
+
+  constructor(name: string, hash: string)
+}
+
+const _Identity = require("electron-osx-sign/util-identities").Identity
+
+function parseIdentity(line: string): Identity {
+  const firstQuoteIndex = line.indexOf('"')
+  const name = line.substring(firstQuoteIndex + 1, line.lastIndexOf('"'))
+  const hash = line.substring(0, firstQuoteIndex - 1)
+  return new _Identity(name, hash)
+}
+
+export function findIdentity(certType: CertType, qualifier?: string | null, keychain?: string | null): Promise<Identity | null> {
   let identity = qualifier || process.env.CSC_NAME
   if (isEmptyOrSpaces(identity)) {
     if (keychain == null && !isCi && process.env.CSC_IDENTITY_AUTO_DISCOVERY === "false") {

packages/electron-builder/src/macPackager.ts

@@ -6,7 +6,7 @@ import { signAsync, SignOptions } from "electron-osx-sign"
 import { ensureDir } from "fs-extra-p"
 import * as path from "path"
 import { AppInfo } from "./appInfo"
-import { appleCertificatePrefixes, CodeSigningInfo, createKeychain, findIdentity } from "./codeSign"
+import { appleCertificatePrefixes, CodeSigningInfo, createKeychain, findIdentity, Identity } from "./codeSign"
 import { Arch, DIR_TARGET, Platform, Target } from "./core"
 import { MacOptions, MasBuildOptions } from "./options/macOptions"
 import { BuildInfo } from "./packagerApi"
@@ -158,19 +158,19 @@ export default class MacPackager extends PlatformPackager<MacOptions> {
     const explicitType = masOptions == null ? macOptions.type : masOptions.type
     const type = explicitType || "distribution"
     const isDevelopment = type === "development"
-    let name = await findIdentity(isDevelopment ? "Mac Developer" : (isMas ? "3rd Party Mac Developer Application" : "Developer ID Application"), isMas ? masQualifier : qualifier, keychainName)
-    if (name == null) {
+    let identity = await findIdentity(isDevelopment ? "Mac Developer" : (isMas ? "3rd Party Mac Developer Application" : "Developer ID Application"), isMas ? masQualifier : qualifier, keychainName)
+    if (identity == null) {
       if (!isMas && !isDevelopment && explicitType !== "distribution") {
-        name = await findIdentity("Mac Developer", qualifier, keychainName)
-        if (name != null) {
+        identity = await findIdentity("Mac Developer", qualifier, keychainName)
+        if (identity != null) {
           warn("Mac Developer is used to sign app — it is only for development and testing, not for production")
         }
         else if (qualifier != null) {
           throw new Error(`Identity name "${qualifier}" is specified, but no valid identity with this name in the keychain`)
         }
       }
 
-      if (name == null) {
+      if (identity == null) {
         const message = process.env.CSC_IDENTITY_AUTO_DISCOVERY === "false" ?
           `App is not signed: env CSC_IDENTITY_AUTO_DISCOVERY is set to false` :
           `App is not signed: cannot find valid ${isMas ? '"3rd Party Mac Developer Application" identity' : `"Developer ID Application" identity or custom non-Apple code signing certificate`}, see https://github.com/electron-userland/electron-builder/wiki/Code-Signing`
@@ -186,15 +186,15 @@ export default class MacPackager extends PlatformPackager<MacOptions> {
 
     const signOptions: any = {
       "identity-validation": false,
-      identity: name!,
+      identity: identity!,
       type: type,
       platform: isMas ? "mas" : "darwin",
       version: this.info.electronVersion,
       app: appPath,
       keychain: keychainName || undefined,
       binaries:  (isMas && masOptions != null ? masOptions.binaries : macOptions.binaries) || undefined,
       requirements: isMas || macOptions.requirements == null ? undefined : await this.getResource(macOptions.requirements),
-      "gatekeeper-assess": appleCertificatePrefixes.find(it => name!.startsWith(it)) != null
+      "gatekeeper-assess": appleCertificatePrefixes.find(it => identity!.name.startsWith(it)) != null
     }
 
     const resourceList = await this.resourceList
@@ -226,7 +226,7 @@ export default class MacPackager extends PlatformPackager<MacOptions> {
       signOptions["entitlements-inherit"] = customSignOptions.entitlementsInherit
     }
 
-    await task(`Signing app (identity: ${name})`, this.doSign(signOptions))
+    await task(`Signing app (identity: ${identity.hash} ${identity.name})`, this.doSign(signOptions))
 
     if (masOptions != null) {
       const certType = "3rd Party Mac Developer Installer"
@@ -247,7 +247,7 @@ export default class MacPackager extends PlatformPackager<MacOptions> {
   }
 
   //noinspection JSMethodCanBeStatic
-  protected async doFlat(appPath: string, outFile: string, identity: string, keychain: string | n): Promise<any> {
+  protected async doFlat(appPath: string, outFile: string, identity: Identity, keychain: string | n): Promise<any> {
     // productbuild doesn't created directory for out file
     await ensureDir(path.dirname(outFile))
 

packages/electron-builder/src/targets/pkg.ts

@@ -3,7 +3,7 @@ import { exec, use } from "electron-builder-util"
 import { statOrNull } from "electron-builder-util/out/fs"
 import { unlink } from "fs-extra-p"
 import * as path from "path"
-import { findIdentity } from "../codeSign"
+import { findIdentity, Identity } from "../codeSign"
 import { Arch, Target } from "../core"
 import MacPackager from "../macPackager"
 import { PkgOptions } from "../options/macOptions"
@@ -79,10 +79,10 @@ export class PkgTarget extends Target {
   }
 }
 
-export function prepareProductBuildArgs(identity: string | n, keychain: string | n) {
-  const args = []
+export function prepareProductBuildArgs(identity: Identity | null, keychain: string | null | undefined): Array<string> {
+  const args: Array<string> = []
   if (identity != null) {
-    args.push("--sign", identity)
+    args.push("--sign", identity.hash)
     if (keychain != null) {
       args.push("--keychain", keychain)
     }

test/src/helpers/CheckingPackager.ts

@@ -1,5 +1,6 @@
 import { Arch, BuildInfo, MacOptions, Target } from "electron-builder"
 import SquirrelWindowsTarget from "electron-builder-squirrel-windows"
+import { Identity } from "electron-builder/out/codeSign"
 import OsXPackager from "electron-builder/out/macPackager"
 import { DmgTarget } from "electron-builder/out/targets/dmg"
 import { SignOptions } from "electron-builder/out/windowsCodeSign"
@@ -65,7 +66,7 @@ export class CheckingMacPackager extends OsXPackager {
   }
 
   //noinspection JSUnusedGlobalSymbols,JSUnusedLocalSymbols
-  async doFlat(appPath: string, outFile: string, identity: string, keychain?: string | null): Promise<any> {
+  async doFlat(appPath: string, outFile: string, identity: Identity, keychain?: string | null): Promise<any> {
     // skip
   }
 

yarn.lock

@@ -547,10 +547,6 @@ binary@^0.3.0:
     buffers "~0.1.1"
     chainsaw "~0.1.0"
 
-bit-buffer@^0.1.0:
-  version "0.1.0"
-  resolved "https://registry.yarnpkg.com/bit-buffer/-/bit-buffer-0.1.0.tgz#8164c15dbd218eea74e0843da70efa555a4402c4"
-
 bl@^1.0.0:
   version "1.2.1"
   resolved "https://registry.yarnpkg.com/bl/-/bl-1.2.1.tgz#cac328f7bee45730d404b692203fcb590e172d5e"