@solcreek/dew 0.5.0 → 0.5.1

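--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
  {
  "name": "@solcreek/dew",
- "version": "0.5.0",
+ "version": "0.5.1",
  "description": "Ultra-lightweight VM + deploy tool. One Go binary for local dev and production.",
  "license": "MIT",
  "repository": {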
@@ -69,13 +69,34 @@ function printInvocationHint() {
69
69
  }
70
70
  printInvocationHint();
71
71
 
72
- // macOS: codesign with virtualization entitlement
72
+ // macOS: check whether the downloaded binary already has a Developer ID
73
+ // signature. Release binaries (≥v0.5.0) are notarized + Developer-ID-signed
74
+ // in CI, so we MUST NOT re-sign them — `codesign --force -s -` would strip
75
+ // the Developer ID and replace it with an ad-hoc signature, which macOS
76
+ // rejects for the virtualization entitlement.
77
+ //
78
+ // We only fall back to ad-hoc signing if the binary lacks any usable
79
+ // signature (e.g. a custom build from source, or a hypothetical fork).
73
80
  if (os.platform() === "darwin" && existsSync(binary) && !binary.endsWith(".exe")) {
74
- const entitlements = path.join(__dirname, "entitlements.plist");
75
- if (!existsSync(entitlements)) {
76
- writeFileSync(
77
- entitlements,
78
- `<?xml version="1.0" encoding="UTF-8"?>
81
+ let hasDeveloperID = false;
82
+ try {
83
+ const info = execSync(`codesign -dv "${binary}" 2>&1`, { encoding: "utf8" });
84
+ hasDeveloperID = /Developer ID Application/.test(info) && !/Signature=adhoc/.test(info);
85
+ } catch (_) {
86
+ // not signed at all
87
+ }
88
+
89
+ if (hasDeveloperID) {
90
+ console.log("dew: Developer ID signature detected — leaving binary untouched");
91
+ } else {
92
+ console.log("dew: binary is unsigned, falling back to ad-hoc signing");
93
+ console.log("dew: NOTE — ad-hoc signing means VM commands won't work.");
94
+ console.log("dew: download a release binary from https://github.com/solcreek/dew/releases/latest for full functionality.");
95
+ const entitlements = path.join(__dirname, "entitlements.plist");
96
+ if (!existsSync(entitlements)) {
97
+ writeFileSync(
98
+ entitlements,
99
+ `<?xml version="1.0" encoding="UTF-8"?>
79
100
  <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
80
101
  <plist version="1.0">
81
102
  <dict>
@@ -83,21 +104,15 @@ if (os.platform() === "darwin" && existsSync(binary) && !binary.endsWith(".exe")
83
104
  <true/>
84
105
  </dict>
85
106
  </plist>`
86
- );
87
- }
88
-
89
- try {
90
- execSync(
91
- `codesign --entitlements "${entitlements}" --force -s - "${binary}"`,
92
- { stdio: "pipe" }
93
- );
94
- console.log("dew: signed with virtualization entitlement");
95
- } catch (e) {
96
- console.log("");
97
- console.log("dew: ⚠️ codesign failed — VM commands (dew up, dew app run) will not work");
98
- console.log("dew: this happens in sandboxed environments (some IDE terminals, CI)");
99
- console.log("dew: try running in a regular Terminal/iTerm, or:");
100
- console.log(`dew: codesign --entitlements "${entitlements}" --force -s - "${binary}"`);
101
- console.log("");
107
+ );
108
+ }
109
+ try {
110
+ execSync(
111
+ `codesign --entitlements "${entitlements}" --force -s - "${binary}"`,
112
+ { stdio: "pipe" }
113
+ );
114
+ } catch (e) {
115
+ console.log("dew: ⚠️ ad-hoc codesign also failed (sandboxed terminal?)");
116
+ }
102
117
  }
103
118
  }
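Review bot: The Developer ID check on new lines 83–84 reads `codesign -dv` output, which only displays the signature and does not verify it, and the regex accepts any `Developer ID Application` string rather than this project's team, so a modified binary or one signed under a different developer account would be logged as trusted and left in place. As far as I know the `Authority=` lines are printed only from `-dvv` upward, so with `-dv` the match may never succeed and release binaries would still be ad-hoc re-signed; this is worth confirming against a release build. The command is also built as a shell string, so `$(...)` or backticks in the install path would be expanded inside the double quotes, and the same applies to the ad-hoc `codesign` call in the second hunk. I would verify first with `codesign --verify --strict`, pass arguments as an array via `spawnSync` (which needs importing from `child_process`), and pin the team identifier; the team ID below is a placeholder.

```javascript
let hasDeveloperID = false;
// Argument arrays: no shell is involved, so the install path is never parsed as shell syntax.
const verify = spawnSync("codesign", ["--verify", "--strict", binary]);
if (verify.status === 0) {
  // Signature is intact; now inspect who signed it (codesign prints this on stderr).
  const shown = spawnSync("codesign", ["-dvv", binary], { encoding: "utf8" });
  const info = shown.stderr || "";
  hasDeveloperID =
    /^Authority=Developer ID Application: /m.test(info) &&
    info.includes("TeamIdentifier=<EXPECTED_TEAM_ID>") &&
    !/Signature=adhoc/.test(info);
}
// … unchanged: if (hasDeveloperID) { … } else { ad-hoc signing fallback } …
```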