npm - electron-cli - Versions diffs - 0.3.0-alpha.18 → 0.3.0-alpha.19 - Mend

electron-cli 0.3.0-alpha.18 → 0.3.0-alpha.19

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/Cargo.lock CHANGED Viewed

@@ -953,7 +953,7 @@ checksum = "91622ff5e7162018101f2fea40d6ebf4a78bbe5a49736a2020649edf9693679e"
 [[package]]
 name = "electron-cli"
-version = "0.3.0-alpha.18"
+version = "0.3.0-alpha.19"
 dependencies = [
  "anyhow",
  "apple-codesign",

package/Cargo.toml CHANGED Viewed

@@ -1,6 +1,6 @@
 [package]
 name = "electron-cli"
-version = "0.3.0-alpha.18"
+version = "0.3.0-alpha.19"
 edition = "2021"
 description = "Experimental Rust CLI for Electron project diagnostics and workflow automation"
 license = "MIT"

package/README.md CHANGED Viewed

@@ -41,9 +41,9 @@ The Rust-native flow currently owns:
 The GitHub publisher creates or reuses a release, uploads selected make artifacts, and can replace an existing asset with `--force`. It reads `GITHUB_TOKEN` or `GH_TOKEN` and can infer `OWNER/REPO` from package metadata, Forge GitHub publisher config, or `package.json` `repository`. You can also pass `--github-repo`.
-The package command recognizes macOS `packagerConfig.osxSign` and `packagerConfig.osxNotarize` options and reports the signing/notarization plan without serializing credential values. When `osxSign` is enabled on macOS and no certificate identity is configured, or the identity is `"-"`, `package` writes an experimental Rust-native ad-hoc signature for the generated `.app` bundle. When `osxSign.p12File` points at a `.p12`/PFX certificate export, `package` can sign the bundle with that certificate. macOS keychain identity lookup and notarization execution are not implemented yet.
+The package command recognizes macOS `packagerConfig.osxSign` and `packagerConfig.osxNotarize` options and reports the signing/notarization plan without serializing credential values. When `osxSign` is enabled on macOS and no certificate identity is configured, or the identity is `"-"`, `package` writes an experimental Rust-native ad-hoc signature for the generated `.app` bundle. When `osxSign.p12File` points at a `.p12`/PFX certificate export, `package` can sign the bundle with that certificate and can request a CMS timestamp token for notarization-compatible signatures. macOS keychain identity lookup and notarization submission/stapling are not implemented yet.
-The DMG maker is currently a pure-Rust FAT32 image with the app bundle and an Applications entry. The MSI maker writes a compressed embedded CAB, Windows Installer database tables, and a Start Menu shortcut when the packaged executable is present. HFS+/APFS DMG layout customization, installer UI customization, Windows/Linux icon embedding, macOS keychain signing, timestamping, and notarization execution are still TODO.
+The DMG maker is currently a pure-Rust FAT32 image with the app bundle and an Applications entry. The MSI maker writes a compressed embedded CAB, Windows Installer database tables, and a Start Menu shortcut when the packaged executable is present. HFS+/APFS DMG layout customization, installer UI customization, Windows/Linux icon embedding, macOS keychain signing, and notarization execution are still TODO.
 Package metadata can be configured in `package.json`:
@@ -59,6 +59,7 @@ Package metadata can be configured in `package.json`:
       "osxSign": {
         "p12File": "certs/developer-id.p12",
         "p12PasswordEnv": "ELECTRON_CLI_P12_PASSWORD",
+        "timestamp": true,
         "entitlements": "assets/entitlements.plist",
         "hardenedRuntime": true
       },
@@ -98,7 +99,7 @@ Package metadata can be configured in `package.json`:
 }
 ```
-Use `p12PasswordEnv`, `p12PasswordFile`, or `p12Password` for the `.p12` password; password values are not serialized in package reports. Set `identity` to a Developer ID certificate name when you want the plan to reflect Forge-style keychain release signing, but this project will report it as not executable until Rust-native keychain lookup exists. Use `identity: "-"` or omit `identity` for the current ad-hoc signing path.
+Use `p12PasswordEnv`, `p12PasswordFile`, or `p12Password` for the `.p12` password; password values are not serialized in package reports. Set `osxSign.timestamp` to a timestamp server URL, `true` for Apple's default `http://timestamp.apple.com/ts01`, or `"none"` / `false` to disable timestamping. When `osxNotarize` is enabled with p12 signing, `electron-cli` automatically enables notarization-compatible signing and uses Apple's timestamp server unless timestamping is disabled explicitly. Set `identity` to a Developer ID certificate name when you want the plan to reflect Forge-style keychain release signing, but this project will report it as not executable until Rust-native keychain lookup exists. Use `identity: "-"` or omit `identity` for the current ad-hoc signing path.
 The package command also reads JSON-shaped `config.forge.packagerConfig` and `electronPackagerConfig` entries for the same fields. The make command maps JSON-shaped Forge maker names to the Rust-native targets it supports: zip, dmg, deb, rpm, and wix/msi. The publish command maps JSON-shaped publisher names to local and GitHub.

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "electron-cli",
-  "version": "0.3.0-alpha.18",
+  "version": "0.3.0-alpha.19",
   "description": "Experimental Rust CLI for Electron project diagnostics and workflow automation",
   "license": "MIT",
   "repository": {

package/src/commands/package.rs CHANGED Viewed

@@ -16,6 +16,8 @@ use serde_json::Value as JsonValue;
 use crate::{cli::PackageArgs, output, project::ProjectSnapshot};
+const APPLE_TIMESTAMP_URL: &str = "http://timestamp.apple.com/ts01";
 #[derive(Clone, Debug, Serialize)]
 pub(crate) struct PackageReport {
     project: ProjectSnapshot,
@@ -84,6 +86,8 @@ struct MacosSignPlan {
     p12_password_file: Option<Utf8PathBuf>,
     #[serde(skip)]
     p12_password: RedactedSecret,
+    timestamp_url: Option<String>,
+    for_notarization: bool,
     entitlements: Vec<Utf8PathBuf>,
     entitlements_inherit: Option<Utf8PathBuf>,
     hardened_runtime: Option<bool>,
@@ -163,12 +167,20 @@ struct MacosSignConfig {
     p12_password: Option<String>,
     p12_password_env: Option<String>,
     p12_password_file: Option<String>,
+    timestamp: Option<MacosTimestampConfig>,
     entitlements: Vec<String>,
     entitlements_inherit: Option<String>,
     hardened_runtime: Option<bool>,
     gatekeeper_assess: Option<bool>,
 }
+#[derive(Clone, Debug)]
+enum MacosTimestampConfig {
+    Default,
+    Disabled,
+    Url(String),
+}
 #[derive(Clone, Debug, Default)]
 struct MacosNotarizeConfig {
     configured: bool,
@@ -457,6 +469,9 @@ fn execute_macos_signing(report: &PackageReport) -> Result<()> {
             settings.set_signing_key(signing_key.as_key_info_signer(), certificate);
             settings.chain_apple_certificates();
             settings.set_team_id_from_signing_certificate();
+            settings
+                .ensure_for_notarization_settings()
+                .context("macOS signing settings are not compatible with notarization")?;
             signer
                 .write_signed_bundle(&signed_bundle_dir, &settings)
                 .with_context(|| {
@@ -502,6 +517,13 @@ fn macos_signing_settings<'key>(report: &PackageReport) -> Result<SigningSetting
     let sign = &report.signing.macos.sign;
     let mut settings = SigningSettings::default();
     settings.set_binary_identifier(SettingsScope::Main, &report.metadata.bundle_identifier);
+    settings.set_for_notarization(sign.for_notarization);
+    if let Some(timestamp_url) = &sign.timestamp_url {
+        settings
+            .set_time_stamp_url(timestamp_url)
+            .with_context(|| format!("Invalid macOS signing timestamp URL: {timestamp_url}"))?;
+    }
     if sign.hardened_runtime.unwrap_or(false) {
         settings.add_code_signature_flags(SettingsScope::Main, CodeSignatureFlags::RUNTIME);
@@ -601,6 +623,12 @@ fn print_report(report: &PackageReport, json: bool) -> Result<()> {
         if let Some(source) = &report.signing.macos.sign.p12_password_source {
             println!("  p12 password: {source}");
         }
+        if let Some(timestamp_url) = &report.signing.macos.sign.timestamp_url {
+            println!("  timestamp server: {timestamp_url}");
+        }
+        if report.signing.macos.sign.for_notarization {
+            println!("  signing mode: notarization-compatible");
+        }
         if let Some(method) = &report.signing.macos.sign.method {
             println!("  signing method: {method}");
         }
@@ -762,6 +790,12 @@ fn parse_macos_sign_config(value: Option<&JsonValue>) -> MacosSignConfig {
                     .or_else(|| object.get("pfxPasswordFile"))
                     .and_then(JsonValue::as_str)
                     .map(ToOwned::to_owned),
+                timestamp: parse_macos_timestamp_config(
+                    object
+                        .get("timestamp")
+                        .or_else(|| object.get("timestampUrl"))
+                        .or_else(|| object.get("timestampURL")),
+                ),
                 entitlements,
                 entitlements_inherit: object
                     .get("entitlementsInherit")
@@ -779,6 +813,22 @@ fn parse_macos_sign_config(value: Option<&JsonValue>) -> MacosSignConfig {
     }
 }
+fn parse_macos_timestamp_config(value: Option<&JsonValue>) -> Option<MacosTimestampConfig> {
+    match value {
+        Some(JsonValue::String(value)) => {
+            let value = value.trim();
+            if value.is_empty() || value.eq_ignore_ascii_case("none") {
+                Some(MacosTimestampConfig::Disabled)
+            } else {
+                Some(MacosTimestampConfig::Url(value.to_string()))
+            }
+        }
+        Some(JsonValue::Bool(true)) => Some(MacosTimestampConfig::Default),
+        Some(JsonValue::Bool(false)) => Some(MacosTimestampConfig::Disabled),
+        _ => None,
+    }
+}
 fn parse_macos_notarize_config(value: Option<&JsonValue>) -> MacosNotarizeConfig {
     match value {
         None => MacosNotarizeConfig::default(),
@@ -907,7 +957,13 @@ fn package_signing(
     platform: &str,
 ) -> Result<(PackageSigningPlan, Vec<String>)> {
     let mut warnings = Vec::new();
-    let sign = macos_sign_plan(root, &config.packager.osx_sign, platform, &mut warnings)?;
+    let sign = macos_sign_plan(
+        root,
+        &config.packager.osx_sign,
+        &config.packager.osx_notarize,
+        platform,
+        &mut warnings,
+    )?;
     let notarize = macos_notarize_plan(root, config, platform, &mut warnings);
     Ok((
@@ -921,6 +977,7 @@ fn package_signing(
 fn macos_sign_plan(
     root: &Path,
     config: &MacosSignConfig,
+    notarize_config: &MacosNotarizeConfig,
     platform: &str,
     warnings: &mut Vec<String>,
 ) -> Result<MacosSignPlan> {
@@ -1008,6 +1065,9 @@ fn macos_sign_plan(
     let ad_hoc_identity = matches!(identity, None | Some("-"));
     let p12_identity = p12_file.is_some();
     let will_execute = config.enabled && platform == "darwin" && (ad_hoc_identity || p12_identity);
+    let timestamp_url = macos_timestamp_url(config, p12_identity, notarize_config.enabled);
+    let for_notarization =
+        will_execute && p12_identity && notarize_config.enabled && timestamp_url.is_some();
     let method = if config.enabled && platform == "darwin" {
         if p12_identity {
             Some("certificate-p12".to_string())
@@ -1049,6 +1109,16 @@ fn macos_sign_plan(
                 "packagerConfig.osxSign.gatekeeperAssess is recognized but Gatekeeper assessment is not implemented yet.".to_string(),
             );
         }
+        if config.timestamp.is_some() && !p12_identity {
+            warnings.push(
+                "packagerConfig.osxSign.timestamp is recognized but ignored without p12File certificate signing.".to_string(),
+            );
+        }
+        if notarize_config.enabled && p12_identity && timestamp_url.is_none() {
+            warnings.push(
+                "macOS notarization requires a secure timestamp; packagerConfig.osxSign.timestamp disabled timestamping.".to_string(),
+            );
+        }
     }
     Ok(MacosSignPlan {
@@ -1062,6 +1132,8 @@ fn macos_sign_plan(
         p12_password_env: config.p12_password_env.clone(),
         p12_password_file,
         p12_password: RedactedSecret::new(config.p12_password.clone()),
+        timestamp_url,
+        for_notarization,
         entitlements,
         entitlements_inherit,
         hardened_runtime: config.hardened_runtime,
@@ -1069,6 +1141,24 @@ fn macos_sign_plan(
     })
 }
+fn macos_timestamp_url(
+    config: &MacosSignConfig,
+    p12_identity: bool,
+    notarize_enabled: bool,
+) -> Option<String> {
+    if !p12_identity {
+        return None;
+    }
+    match &config.timestamp {
+        Some(MacosTimestampConfig::Default) => Some(APPLE_TIMESTAMP_URL.to_string()),
+        Some(MacosTimestampConfig::Disabled) => None,
+        Some(MacosTimestampConfig::Url(url)) => Some(url.clone()),
+        None if notarize_enabled => Some(APPLE_TIMESTAMP_URL.to_string()),
+        None => None,
+    }
+}
 fn macos_notarize_plan(
     root: &Path,
     package_config: &PackageJsonConfig,
@@ -2259,6 +2349,7 @@ mod tests {
                   identity: 'Developer ID Application: Example, Inc. (TEAMID1234)',
                   p12File: 'developer-id.p12',
                   p12Password: 'p12-secret',
+                  timestamp: 'http://timestamp.example.test/tsa',
                   hardenedRuntime: true,
                 },
               },
@@ -2293,6 +2384,11 @@ mod tests {
             report.signing.macos.sign.p12_password_source.as_deref(),
             Some("config")
         );
+        assert_eq!(
+            report.signing.macos.sign.timestamp_url.as_deref(),
+            Some("http://timestamp.example.test/tsa")
+        );
+        assert!(!report.signing.macos.sign.for_notarization);
         assert!(report.signing.macos.sign.p12_file.is_some());
         assert!(report
             .warnings
@@ -2305,6 +2401,124 @@ mod tests {
         let _ = fs::remove_dir_all(root);
     }
+    #[test]
+    fn plans_macos_p12_signing_for_notarization_with_default_timestamp() {
+        let root = unique_temp_dir("macos-p12-notarization-signing-plan");
+        write_package_json(&root);
+        fs::write(root.join("developer-id.p12"), "not a real p12")
+            .expect("p12 placeholder should be written");
+        fs::write(
+            root.join("forge.config.js"),
+            r#"
+            module.exports = {
+              packagerConfig: {
+                appBundleId: 'com.example.notarized',
+                osxSign: {
+                  p12File: 'developer-id.p12',
+                  p12PasswordEnv: 'P12_PASSWORD',
+                },
+                osxNotarize: {
+                  keychainProfile: 'notary-profile',
+                },
+              },
+            };
+            "#,
+        )
+        .expect("forge config should be written");
+        write_app_file(&root);
+        write_fake_electron_dist(&root);
+        let args = PackageArgs {
+            cwd: root.clone(),
+            out_dir: PathBuf::from("out"),
+            name: None,
+            platform: Some("darwin".to_string()),
+            arch: Some("arm64".to_string()),
+            force: false,
+            dry_run: true,
+            json: true,
+        };
+        let snapshot = crate::project::inspect(&root).expect("project should inspect");
+        let report = build_report(snapshot, &args).expect("report should build");
+        assert!(report.signing.macos.sign.will_execute);
+        assert_eq!(
+            report.signing.macos.sign.timestamp_url.as_deref(),
+            Some(APPLE_TIMESTAMP_URL)
+        );
+        assert!(report.signing.macos.sign.for_notarization);
+        assert_eq!(
+            report.signing.macos.notarize.auth_method.as_deref(),
+            Some("keychain-profile")
+        );
+        assert!(!report
+            .warnings
+            .iter()
+            .any(|warning| warning.contains("ad-hoc signing is not notarizable")));
+        let settings = macos_signing_settings(&report).expect("signing settings should build");
+        assert!(settings.for_notarization());
+        assert_eq!(
+            settings.time_stamp_url().map(|url| url.as_str()),
+            Some(APPLE_TIMESTAMP_URL)
+        );
+        let json = serde_json::to_string(&report).expect("report should serialize");
+        assert!(!json.contains("P12_PASSWORD="));
+        let _ = fs::remove_dir_all(root);
+    }
+    #[test]
+    fn warns_when_macos_notarization_timestamp_is_disabled() {
+        let root = unique_temp_dir("macos-p12-notarization-no-timestamp");
+        write_package_json(&root);
+        fs::write(root.join("developer-id.p12"), "not a real p12")
+            .expect("p12 placeholder should be written");
+        fs::write(
+            root.join("forge.config.js"),
+            r#"
+            module.exports = {
+              packagerConfig: {
+                osxSign: {
+                  p12File: 'developer-id.p12',
+                  timestamp: 'none',
+                },
+                osxNotarize: {
+                  keychainProfile: 'notary-profile',
+                },
+              },
+            };
+            "#,
+        )
+        .expect("forge config should be written");
+        write_app_file(&root);
+        write_fake_electron_dist(&root);
+        let args = PackageArgs {
+            cwd: root.clone(),
+            out_dir: PathBuf::from("out"),
+            name: None,
+            platform: Some("darwin".to_string()),
+            arch: Some("arm64".to_string()),
+            force: false,
+            dry_run: true,
+            json: true,
+        };
+        let snapshot = crate::project::inspect(&root).expect("project should inspect");
+        let report = build_report(snapshot, &args).expect("report should build");
+        assert!(report.signing.macos.sign.will_execute);
+        assert!(report.signing.macos.sign.timestamp_url.is_none());
+        assert!(!report.signing.macos.sign.for_notarization);
+        assert!(report
+            .warnings
+            .iter()
+            .any(|warning| warning.contains("requires a secure timestamp")));
+        let _ = fs::remove_dir_all(root);
+    }
     #[test]
     fn warns_when_macos_notarization_is_configured_without_signing() {
         let root = unique_temp_dir("notarize-without-sign");