feat: add support for the mojave hardened runtime #176

Merged
merged 1 commit into from Oct 23, 2018
5 changes: 5 additions & 0 deletions README.md
Expand Up @@ -168,6 +168,11 @@ Flag to enable/disable Gatekeeper assessment after signing the app. Disabling it
Gatekeeper assessment is enabled by default on `darwin` platform.
Default to `true`.

`hardedRuntime` - *Boolean*

Flag to enable the Mojave hardened runtime when signing the app. Disabled by default, requires Xcode >= 10 and
macOS >= 10.13.6.

`identity` - *String*

Name of certificate to use when signing.
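
Review bot: The option name in the added README entry is spelled `hardedRuntime`, but the `sign.js` change reads `opts.hardenedRuntime` (or `opts['hardened-runtime']`), so a caller who copies the documented name gets a signature without the hardened runtime and no error. Rename the entry to `hardenedRuntime` so the docs match the key the code checks.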
4 changes: 4 additions & 0 deletions bin/electron-osx-sign-usage.txt
Expand Up @@ -25,6 +25,10 @@ DESCRIPTION
Flag to enable/disable Gatekeeper assessment after signing the app. Disabling it is useful for signing with self-signed certificates.
Gatekeeper assessment is enabled by default on ``darwin'' platform.

--hardened-runtime
Flag to enable the Mojave hardened runtime when signing the app. Disabled by default, requires Xcode >= 10 and macOS
>= 10.13.6.

--help
Flag to display all commands.
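
Review bot: The `--hardened-runtime` description states the macOS >= 10.13.6 requirement but not what happens below it; per the `sign.js` change in this PR the flag is dropped there and only a debug log line is written. Say in the help text that the flag is ignored on older systems, so CLI users do not assume the resulting signature is hardened.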

3 changes: 2 additions & 1 deletion bin/electron-osx-sign.js
Expand Up @@ -7,7 +7,8 @@ var args = require('minimist')(process.argv.slice(2), {
'help',
'pre-auto-entitlements',
'pre-embed-provisioning-profile',
'gatekeeper-assess'
'gatekeeper-assess',
'hardened-runtime'
],
'default': {
'pre-auto-entitlements': true,
11 changes: 10 additions & 1 deletion sign.js
Expand Up @@ -24,6 +24,8 @@ const ProvisioningProfile = require('./util-provisioning-profiles').Provisioning
const preEmbedProvisioningProfile = require('./util-provisioning-profiles').preEmbedProvisioningProfile
const preAutoEntitlements = require('./util-entitlements').preAutoEntitlements

const osRelease = require('os').release()

/**
* This function returns a promise validating opts.binaries, the additional binaries to be signed along with the discovered enclosed components.
* @function
Expand Down Expand Up @@ -82,7 +84,6 @@ function validateSignOptsAsync (opts) {
function verifySignApplicationAsync (opts) {
// Verify with codesign
var compareVersion = require('compare-version')
var osRelease = require('os').release()
debuglog('Verifying application bundle with codesign...')

var promise = execFileAsync('codesign', [
Expand Down Expand Up @@ -155,6 +156,14 @@ function signApplicationAsync (opts) {
if (opts.timestamp) {
args.push('--timestamp=' + opts.timestamp)
}
if (opts.hardenedRuntime || opts['hardened-runtime']) {
// 17.7.0 === 10.13.6
if (compareVersion(osRelease, '17.7.0') >= 0) {
args.push('--options', 'runtime')
} else {
debuglog('Not enabling hardened runtime, current macOS version too low, requires 10.13.6 and higher')
}
}

var promise
if (opts.entitlements) {
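
Review bot: `compareVersion` is called in the new `if` block inside `signApplicationAsync`, but the only `require('compare-version')` visible in this diff is the `var` local to `verifySignApplicationAsync`, and the patch hoists `osRelease` to module scope without hoisting it as well. Unless `compareVersion` is already defined elsewhere in the file, passing the option throws a ReferenceError; move the require next to `const osRelease`. Separately, the too-old-OS branch only calls `debuglog`, so a caller who asked for the hardened runtime gets an unhardened signature with no visible signal; a warning or a rejected promise would make that failure mode detectable.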