macOS: bug in the multi-architecture target specification

[sprout2000]

• Electron-Builder Version: 24.6.2

• Node Version: 18.17.0

• Electron Version: 25.3.1
• Electron Type (current, beta, nightly): current

• Target: macOS arm64 and x64

When multiple architectures are specified in target, electron-notarize's notarytool mode is not enabled.
It seems like a bug in builder.

Please see @electron/notarize's issues: #148 and #150.

require("electron-builder").build({
  config: {
    mac: {
      target: [
        {
          target: "default",
          arch: ["x64", "arm64"],
        },
      ],
    },
    afterSign: "notarizer.js",
  },
});

const { notarize } = require("@electron/notarize");

const notarizer = async (context) => {
  const { appOutDir } = context;
  const appName = context.packager.appInfo.productFilename;

  return await notarize({
    tool: "notarytool",
    appPath: ...,
    teamId: ...,
    appleId: ...,
    appleIdPassword: ...,
  });
};

module.exports = notarizer;

[mmaietta]

Can you try the direct notarize integration within electron-builder?
https://www.electron.build/configuration/mac

notarize module:app-builder-lib/out/options/macOptions.NotarizeOptions | Boolean | “undefined” - Options to use for @electron/notarize (ref: https://github.com/electron/notarize). Supports both legacy and notarytool notarization tools. Use false to explicitly disable

Note: You MUST specify APPLE_ID and APPLE_APP_SPECIFIC_PASSWORD via environment variables to activate notarization step

[sprout2000]

Thank you very much for your response.
I am about to try direct notarize integration and have one question.

Aside from NotarizeOptions giving a type error, could you please tell me how to specify the appPath option (mac/x64/App.app, mac/arch64/App.app)?

import dotenv from "dotenv";
import { build } from "electron-builder";

dotenv.config();

build({
  config: {
    productName: "App",
    artifactName: "${productName}-${version}-${platform}-${arch}.${ext}",
    directories: {
      output: "release",
    },
    mac: {
      notarize: {
        // @ts-ignore
        tool: "notarytool",
        teamId: process.env.TEAM_ID,
        appleId: process.env.APPLE_ID,
        appleIdPassword: process.env.APPLE_APP_SPECIFIC_PASSWORD,
      },
    },
  },
});

[mmaietta]

You only need these vars:

electron-builder/packages/app-builder-lib/src/options/macOptions.ts

Lines 218 to 234 in e641ec9

	export interface NotarizeOptions {
	/**
	* The app bundle identifier your Electron app is using. E.g. com.github.electron. Useful if notarization ID differs from app ID (unlikely).
	* Only used by `legacy` notarization tool
	*/
	readonly appBundleId?: string | null
	/**
	* Your Team Short Name. Only used by `legacy` notarization tool
	*/
	readonly ascProvider?: string | null
	/**
	* The team ID you want to notarize under. Only needed if using `notarytool`
	*/
	readonly teamId?: string | null
	}

The apple ID and password just are pulled from the environment automatically (it was deliberate to not allow them be stored in the config for security reasons)

[sprout2000]

I am very sorry for the delay in responding to you.
Finally everything just worked!!!
Thank you so so much.

import dotenv from "dotenv";
import { build } from "electron-builder";

dotenv.config();

build({
  config: {
    productName: "Sample",
    artifactName: "${productName}-${version}-${platform}-${arch}.${ext}",
    mac: {
      appId: "jp.wassabie64.Sample",
      category: "public.app-category.developer-tools",
      target: [
        {
          target: "default",
          arch: ["arm64", "x64"],
        },
      ],
      notarize: {
        appBundleId: "jp.wassabie64.Sample",
        teamId: "**********",
      },
    },
  },
});

[raul-guerrero]

How come this bug is closed if it's still happening? on package.json notarizing using notarytool doesn't work and altool's EOL date. keeps getting closer.
Is there a way to contribiute to fixing this?

[mmaietta]

Wait, so what's the bug? Using the afterSign hook? Or using the direct integration of electron/notarize package via notarize configuration option?

To contribute, it's easy to set up a dev environment
https://github.com/electron-userland/electron-builder/blob/master/CONTRIBUTING.md#to-setup-a-local-dev-environment

[raul-guerrero]

@mmaietta direct integration of electron/notarize package via notarize configuration option doesn't work if setting tool as notarytool, it always ends up using altool, once we reach Nov. 1st. this will be broken entirely, as altool won't be able to upload files to notarize on Apple's servers.

EDIT: When also using the afterSign hook, even if setting the options in the notarize function where tool: "notarytool", also calls altool and get the warning regarding Nov. 1st.

[duereg]

Looking at the notary code, it appears that if you include legacy fields in the configuration (such asappBundleId), it will effectively force you into legacy mode (even if you include valid non-legacy fields in your install).

[duereg]

It looks like these are the only fields you can include that won't trigger legacy mode:

export interface NotaryToolPasswordCredentials {
  appleId: string;
  appleIdPassword: string;
  teamId: string;
}

export interface NotaryToolApiKeyCredentials {
  appleApiKey: string;
  appleApiKeyId: string;
  appleApiIssuer: string;
}

Plus appPath: string.

[duereg]

Ok, I've got a working solution, but it took me reading the source for both this project and @electron\notarize to figure it out.

Set these two environment variables on your build environment, as shown used here:

    APPLE_ID
    APPLE_APP_SPECIFIC_PASSWORD

Then, in your config file, set ONLY the teamId field and nothing else:

"build": {
    ...
    "mac": {
      ...
      "notarize": {
        "teamId": "YOUR_TEAM_ID_HERE"
      }
    }

If you set additional fields (such as appBundleId) the notarize tool will automatically convert you to using the legacy signing tool (even if teamId is present). This is due to the logic in types.ts in the @electron\notary project.

[mmaietta]

Nice work @duereg!
Maybe I can split the notarize configuration object to be 2 separate interfaces, if so, it'll allow you to only set teamId when using the new notary tool. That way we don't end up in this weird state. Thoughts?

Something like #7797