npm - electron-cli - Versions diffs - 0.3.0-alpha.16 → 0.3.0-alpha.17 - Mend

electron-cli 0.3.0-alpha.16 → 0.3.0-alpha.17

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/Cargo.toml CHANGED Viewed

@@ -1,6 +1,6 @@
 [package]
 name = "electron-cli"
-version = "0.3.0-alpha.16"
+version = "0.3.0-alpha.17"
 edition = "2021"
 description = "Experimental Rust CLI for Electron project diagnostics and workflow automation"
 license = "MIT"
@@ -8,6 +8,7 @@ repository = "https://github.com/Ikana/electron-cli"
 [dependencies]
 anyhow = "1.0"
+apple-codesign = { version = "0.29", default-features = false }
 apple-dmg = "0.5"
 cab = "0.6"
 camino = { version = "1.1", features = ["serde1"] }

package/README.md CHANGED Viewed

@@ -35,15 +35,15 @@ The Rust-native flow currently owns:
 - `init --template minimal`: writes a local Electron starter without Electron Forge.
 - `start`: launches the installed Electron runtime directly.
-- `package`: copies the installed Electron runtime, app files, installed production dependency closure, app metadata, macOS icon, and extra resources into a local app bundle for the current platform and architecture; it reads package metadata from `package.json`, JSON-shaped Forge config, and static Forge config files.
+- `package`: copies the installed Electron runtime, app files, installed production dependency closure, app metadata, macOS icon, and extra resources into a local app bundle for the current platform and architecture; it reads package metadata from `package.json`, JSON-shaped Forge config, and static Forge config files, and can apply experimental Rust-native ad-hoc macOS bundle signatures.
 - `make`: runs `package` and writes distributables under `out/make/<target>/<platform>/<arch>/`; it reads JSON-shaped `config.forge.makers` / `electronCli.makers` arrays and static Forge config files when `--target` is omitted, and `--target` still forces one maker. ZIP works on all platforms, `--target dmg` writes a basic macOS disk image, `--target deb` / `--target rpm` write Linux packages, and `--target msi` writes a basic Windows Installer package.
 - `publish`: runs `make` and publishes distributables to a local directory with a manifest or to GitHub Releases; it reads JSON-shaped `config.forge.publishers` / `electronCli.publishers` arrays and static Forge config files when `--publisher` is omitted, and `--publisher` still forces one publisher.
 The GitHub publisher creates or reuses a release, uploads selected make artifacts, and can replace an existing asset with `--force`. It reads `GITHUB_TOKEN` or `GH_TOKEN` and can infer `OWNER/REPO` from package metadata, Forge GitHub publisher config, or `package.json` `repository`. You can also pass `--github-repo`.
-The package command recognizes macOS `packagerConfig.osxSign` and `packagerConfig.osxNotarize` options and reports the signing/notarization plan without serializing credential values. Actual Rust-native signing and notarization execution is not implemented yet.
+The package command recognizes macOS `packagerConfig.osxSign` and `packagerConfig.osxNotarize` options and reports the signing/notarization plan without serializing credential values. When `osxSign` is enabled on macOS and no certificate identity is configured, or the identity is `"-"`, `package` writes an experimental Rust-native ad-hoc signature for the generated `.app` bundle. Developer ID certificate/keychain signing and notarization execution are not implemented yet.
-The DMG maker is currently a pure-Rust FAT32 image with the app bundle and an Applications entry. The MSI maker writes a compressed embedded CAB, Windows Installer database tables, and a Start Menu shortcut when the packaged executable is present. HFS+/APFS DMG layout customization, installer UI customization, Windows/Linux icon embedding, signing execution, and notarization execution are still TODO.
+The DMG maker is currently a pure-Rust FAT32 image with the app bundle and an Applications entry. The MSI maker writes a compressed embedded CAB, Windows Installer database tables, and a Start Menu shortcut when the packaged executable is present. HFS+/APFS DMG layout customization, installer UI customization, Windows/Linux icon embedding, Developer ID signing execution, and notarization execution are still TODO.
 Package metadata can be configured in `package.json`:
@@ -57,7 +57,7 @@ Package metadata can be configured in `package.json`:
       "icon": "assets/icon",
       "extraResource": "assets/config.json",
       "osxSign": {
-        "identity": "Developer ID Application: Example, Inc. (TEAMID1234)",
+        "identity": "-",
         "entitlements": "assets/entitlements.plist",
         "hardenedRuntime": true
       },
@@ -97,6 +97,8 @@ Package metadata can be configured in `package.json`:
 }
 ```
+Set `identity` to a Developer ID certificate name when you want the plan to reflect Forge-style release signing, but this project will report it as not executable until Rust-native certificate/keychain signing exists. Use `identity: "-"` or omit `identity` for the current ad-hoc signing path.
 The package command also reads JSON-shaped `config.forge.packagerConfig` and `electronPackagerConfig` entries for the same fields. The make command maps JSON-shaped Forge maker names to the Rust-native targets it supports: zip, dmg, deb, rpm, and wix/msi. The publish command maps JSON-shaped publisher names to local and GitHub.
 Static `forge.config.js`, `forge.config.cjs`, `forge.config.mjs`, and `forge.config.ts` files are parsed in Rust when they export an object literal directly or via a local `const`/`let`/`var` identifier. Dynamic JavaScript config that calls functions, reads environment state, or computes the config at runtime is not evaluated.

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "electron-cli",
-  "version": "0.3.0-alpha.16",
+  "version": "0.3.0-alpha.17",
   "description": "Experimental Rust CLI for Electron project diagnostics and workflow automation",
   "license": "MIT",
   "repository": {

package/src/commands/package.rs CHANGED Viewed

@@ -5,6 +5,7 @@ use std::{
 };
 use anyhow::{bail, Context, Result};
+use apple_codesign::{BundleSigner, CodeSignatureFlags, SettingsScope, SigningSettings};
 use camino::Utf8PathBuf;
 use plist::{Dictionary as PlistDictionary, Value as PlistValue};
 use serde::Serialize;
@@ -71,6 +72,8 @@ struct MacosSigningPlan {
 struct MacosSignPlan {
     configured: bool,
     enabled: bool,
+    will_execute: bool,
+    method: Option<String>,
     identity: Option<String>,
     entitlements: Vec<Utf8PathBuf>,
     entitlements_inherit: Option<Utf8PathBuf>,
@@ -363,10 +366,111 @@ pub(crate) fn execute_package(report: &PackageReport, force: bool) -> Result<()>
         &app_dir,
         &report.project,
     )?;
+    execute_macos_signing(report)?;
     Ok(())
 }
+fn execute_macos_signing(report: &PackageReport) -> Result<()> {
+    if report.platform != "darwin" || !report.signing.macos.sign.will_execute {
+        return Ok(());
+    }
+    let bundle_dir = Path::new(report.bundle_dir.as_str());
+    let bundle_parent = bundle_dir
+        .parent()
+        .context("macOS bundle output has no parent directory")?;
+    let bundle_name = bundle_dir
+        .file_name()
+        .context("macOS bundle output has no bundle directory name")?;
+    let unique_suffix = std::time::SystemTime::now()
+        .duration_since(std::time::UNIX_EPOCH)
+        .context("system clock is before the Unix epoch")?
+        .as_nanos();
+    let signing_parent = bundle_parent.join(format!(
+        ".electron-cli-signing-{}-{unique_suffix}",
+        std::process::id()
+    ));
+    let signed_bundle_dir = signing_parent.join(bundle_name);
+    if signing_parent.exists() {
+        fs::remove_dir_all(&signing_parent)
+            .with_context(|| format!("Could not remove {}", signing_parent.display()))?;
+    }
+    let signing_result = (|| -> Result<()> {
+        let mut signer = BundleSigner::new_from_path(bundle_dir).with_context(|| {
+            format!(
+                "Could not prepare macOS bundle signing for {}",
+                bundle_dir.display()
+            )
+        })?;
+        signer
+            .collect_nested_bundles()
+            .context("Could not discover nested macOS bundles for signing")?;
+        let settings = macos_signing_settings(report)?;
+        signer
+            .write_signed_bundle(&signed_bundle_dir, &settings)
+            .with_context(|| {
+                format!(
+                    "Could not write signed macOS bundle to {}",
+                    signed_bundle_dir.display()
+                )
+            })?;
+        Ok(())
+    })();
+    if let Err(error) = signing_result {
+        let _ = fs::remove_dir_all(&signing_parent);
+        return Err(error);
+    }
+    fs::remove_dir_all(bundle_dir)
+        .with_context(|| format!("Could not remove {}", bundle_dir.display()))?;
+    fs::rename(&signed_bundle_dir, bundle_dir).with_context(|| {
+        format!(
+            "Could not move signed macOS bundle from {} to {}",
+            signed_bundle_dir.display(),
+            bundle_dir.display()
+        )
+    })?;
+    let _ = fs::remove_dir_all(&signing_parent);
+    Ok(())
+}
+fn macos_signing_settings(report: &PackageReport) -> Result<SigningSettings<'static>> {
+    let sign = &report.signing.macos.sign;
+    let mut settings = SigningSettings::default();
+    settings.set_binary_identifier(SettingsScope::Main, &report.metadata.bundle_identifier);
+    if sign.hardened_runtime.unwrap_or(false) {
+        settings.add_code_signature_flags(SettingsScope::Main, CodeSignatureFlags::RUNTIME);
+    }
+    if let Some(entitlements) = sign.entitlements.first() {
+        let entitlements_path = Path::new(entitlements.as_str());
+        let entitlements_xml = fs::read_to_string(entitlements_path).with_context(|| {
+            format!(
+                "Could not read macOS entitlements file {}",
+                entitlements_path.display()
+            )
+        })?;
+        settings
+            .set_entitlements_xml(SettingsScope::Main, entitlements_xml)
+            .with_context(|| {
+                format!(
+                    "Could not parse macOS entitlements file {}",
+                    entitlements_path.display()
+                )
+            })?;
+    }
+    Ok(settings)
+}
 fn print_report(report: &PackageReport, json: bool) -> Result<()> {
     if json {
         return output::json(report);
@@ -403,6 +507,17 @@ fn print_report(report: &PackageReport, json: bool) -> Result<()> {
         if let Some(identity) = &report.signing.macos.sign.identity {
             println!("  identity: {identity}");
         }
+        if let Some(method) = &report.signing.macos.sign.method {
+            println!("  signing method: {method}");
+        }
+        println!(
+            "  signing execution: {}",
+            if report.signing.macos.sign.will_execute {
+                "enabled"
+            } else {
+                "not available"
+            }
+        );
         println!(
             "  macOS notarization: {}",
             if report.signing.macos.notarize.enabled {
@@ -720,20 +835,59 @@ fn macos_sign_plan(
         .filter(|path| !path.trim().is_empty())
         .map(|path| utf8_path(resolve_project_path(root, path)))
         .transpose()?;
+    if let Some(path) = &entitlements_inherit {
+        if !Path::new(path.as_str()).exists() {
+            warnings.push(format!(
+                "Configured macOS inherited entitlements file does not exist: {}.",
+                path
+            ));
+        }
+    }
+    let identity = config.identity.as_deref().map(str::trim);
+    let ad_hoc_identity = matches!(identity, None | Some("-"));
+    let will_execute = config.enabled && platform == "darwin" && ad_hoc_identity;
+    let method = if config.enabled && platform == "darwin" {
+        if ad_hoc_identity {
+            Some("ad-hoc".to_string())
+        } else {
+            Some("certificate-identity".to_string())
+        }
+    } else {
+        None
+    };
     if config.configured && platform != "darwin" {
         warnings.push(format!(
             "macOS signing is configured but ignored for target platform {platform}."
         ));
-    } else if config.enabled {
+    } else if config.enabled && !will_execute {
         warnings.push(
-            "macOS signing is configured, but Rust-native signing is not implemented yet; package output will be unsigned.".to_string(),
+            "macOS signing identity is configured, but Rust-native certificate/keychain signing is not implemented yet; package output will be unsigned. Use identity '-' or omit identity for experimental ad-hoc signing.".to_string(),
         );
+    } else if will_execute {
+        if config.entitlements.len() > 1 {
+            warnings.push(
+                "Rust-native ad-hoc signing applies the first macOS entitlements file only; inherited/login-helper entitlement scoping is not implemented yet.".to_string(),
+            );
+        }
+        if config.entitlements_inherit.is_some() {
+            warnings.push(
+                "packagerConfig.osxSign.entitlementsInherit is recognized but not applied to nested bundles by Rust-native ad-hoc signing yet.".to_string(),
+            );
+        }
+        if config.gatekeeper_assess.is_some() {
+            warnings.push(
+                "packagerConfig.osxSign.gatekeeperAssess is recognized but Gatekeeper assessment is not implemented yet.".to_string(),
+            );
+        }
     }
     Ok(MacosSignPlan {
         configured: config.configured,
         enabled: config.enabled,
+        will_execute,
+        method,
         identity: config.identity.clone(),
         entitlements,
         entitlements_inherit,
@@ -769,6 +923,23 @@ fn macos_notarize_plan(
             "macOS notarization requires packagerConfig.osxSign to be enabled first.".to_string(),
         );
     }
+    if config.enabled
+        && platform == "darwin"
+        && package_config.packager.osx_sign.enabled
+        && matches!(
+            package_config
+                .packager
+                .osx_sign
+                .identity
+                .as_deref()
+                .map(str::trim),
+            None | Some("-")
+        )
+    {
+        warnings.push(
+            "macOS notarization requires a Developer ID signature; Rust-native ad-hoc signing is not notarizable.".to_string(),
+        );
+    }
     if config.enabled && auth_method.is_none() {
         warnings.push(
             "macOS notarization config is missing a complete notarytool authentication set: appleId/appleIdPassword/teamId, appleApiKey/appleApiKeyId/appleApiIssuer, or keychainProfile.".to_string(),
@@ -1134,6 +1305,7 @@ fn apply_macos_metadata(report: &PackageReport) -> Result<()> {
         "CFBundleIdentifier",
         &report.metadata.bundle_identifier,
     );
+    set_plist_string(&mut dictionary, "CFBundlePackageType", "APPL");
     if let Some(version) = &report.metadata.app_version {
         set_plist_string(&mut dictionary, "CFBundleShortVersionString", version);
@@ -1816,6 +1988,11 @@ mod tests {
         assert!(report.signing.macos.sign.configured);
         assert!(report.signing.macos.sign.enabled);
+        assert!(!report.signing.macos.sign.will_execute);
+        assert_eq!(
+            report.signing.macos.sign.method.as_deref(),
+            Some("certificate-identity")
+        );
         assert_eq!(
             report.signing.macos.sign.identity.as_deref(),
             Some("Developer ID Application: Example, Inc. (TEAMID1234)")
@@ -1831,7 +2008,7 @@ mod tests {
         assert!(report
             .warnings
             .iter()
-            .any(|warning| warning.contains("Rust-native signing is not implemented")));
+            .any(|warning| warning.contains("Rust-native certificate/keychain signing")));
         assert!(report
             .warnings
             .iter()
@@ -1845,6 +2022,54 @@ mod tests {
         let _ = fs::remove_dir_all(root);
     }
+    #[test]
+    fn plans_macos_ad_hoc_signing_execution() {
+        let root = unique_temp_dir("macos-ad-hoc-signing-plan");
+        write_package_json(&root);
+        fs::write(
+            root.join("forge.config.js"),
+            r#"
+            module.exports = {
+              packagerConfig: {
+                osxSign: {
+                  identity: '-',
+                  hardenedRuntime: true,
+                },
+              },
+            };
+            "#,
+        )
+        .expect("forge config should be written");
+        write_app_file(&root);
+        write_fake_electron_dist(&root);
+        let args = PackageArgs {
+            cwd: root.clone(),
+            out_dir: PathBuf::from("out"),
+            name: None,
+            platform: Some("darwin".to_string()),
+            arch: Some("arm64".to_string()),
+            force: false,
+            dry_run: true,
+            json: true,
+        };
+        let snapshot = crate::project::inspect(&root).expect("project should inspect");
+        let report = build_report(snapshot, &args).expect("report should build");
+        assert!(report.signing.macos.sign.configured);
+        assert!(report.signing.macos.sign.enabled);
+        assert!(report.signing.macos.sign.will_execute);
+        assert_eq!(report.signing.macos.sign.method.as_deref(), Some("ad-hoc"));
+        assert_eq!(report.signing.macos.sign.identity.as_deref(), Some("-"));
+        assert_eq!(report.signing.macos.sign.hardened_runtime, Some(true));
+        assert!(!report.warnings.iter().any(|warning| {
+            warning.contains("Rust-native certificate/keychain signing")
+                || warning.contains("Rust-native signing is not implemented")
+        }));
+        let _ = fs::remove_dir_all(root);
+    }
     #[test]
     fn warns_when_macos_notarization_is_configured_without_signing() {
         let root = unique_temp_dir("notarize-without-sign");
@@ -1947,6 +2172,10 @@ mod tests {
             plist_string(dictionary, "CFBundleIdentifier"),
             Some("com.example.starter")
         );
+        assert_eq!(
+            plist_string(dictionary, "CFBundlePackageType"),
+            Some("APPL")
+        );
         assert_eq!(
             plist_string(dictionary, "CFBundleShortVersionString"),
             Some("2.3.4")
@@ -1970,6 +2199,59 @@ mod tests {
         let _ = fs::remove_dir_all(root);
     }
+    #[test]
+    fn packages_macos_bundle_with_ad_hoc_signature() {
+        if current_platform() != "darwin" {
+            return;
+        }
+        let root = unique_temp_dir("macos-ad-hoc-signing-execute");
+        fs::write(
+            root.join("package.json"),
+            r#"{"name":"starter-app","version":"0.1.0","main":"src/main.js","devDependencies":{"electron":"30.0.0"},"electronCli":{"packagerConfig":{"appBundleId":"com.example.signed","osxSign":true}}}"#,
+        )
+        .expect("package.json should be written");
+        write_app_file(&root);
+        write_macho_electron_dist(&root);
+        let args = PackageArgs {
+            cwd: root.clone(),
+            out_dir: PathBuf::from("out"),
+            name: None,
+            platform: None,
+            arch: None,
+            force: false,
+            dry_run: false,
+            json: false,
+        };
+        let snapshot = crate::project::inspect(&root).expect("project should inspect");
+        let report = build_report(snapshot, &args).expect("report should build");
+        assert!(report.signing.macos.sign.will_execute);
+        assert_eq!(report.signing.macos.sign.method.as_deref(), Some("ad-hoc"));
+        assert!(report.warnings.is_empty());
+        execute_package(&report, false).expect("package should succeed");
+        let bundle_dir = Path::new(report.bundle_dir.as_str());
+        assert!(bundle_dir
+            .join("Contents/_CodeSignature/CodeResources")
+            .exists());
+        let executable = bundle_dir
+            .join("Contents/MacOS")
+            .join(&report.executable_name);
+        let executable_data = fs::read(executable).expect("signed executable should read");
+        let macho = apple_codesign::MachFile::parse(&executable_data)
+            .expect("signed executable should parse as Mach-O");
+        assert!(macho.iter_macho().all(|binary| binary
+            .code_signature()
+            .expect("code signature should parse")
+            .is_some()));
+        let _ = fs::remove_dir_all(root);
+    }
     #[test]
     fn missing_required_runtime_dependency_fails() {
         let root = unique_temp_dir("runtime-deps");
@@ -2123,6 +2405,16 @@ mod tests {
         }
     }
+    fn write_macho_electron_dist(root: &Path) {
+        let app = root.join("node_modules/electron/dist/Electron.app/Contents/MacOS");
+        fs::create_dir_all(&app).expect("macOS Electron app should be created");
+        fs::copy(
+            std::env::current_exe().expect("current test executable should resolve"),
+            app.join("Electron"),
+        )
+        .expect("Mach-O test executable should be copied");
+    }
     fn unique_temp_dir(label: &str) -> PathBuf {
         let nanos = std::time::SystemTime::now()
             .duration_since(std::time::UNIX_EPOCH)