grunt-nw-builder
Add the ability to sign the mac application
Would be great if the app gets signed on build, as in https://github.com/rogerwang/node-webkit/issues/616
https://developer.apple.com/library/mac/documentation/Security/Conceptual/CodeSigningGuide/Introduction/Introduction.html
It seems as though this lies outside the scope of node-webkit, however some detailed instructions wouldn't go amiss.
@tommoor There are so many annoying tasks besides actually building the app, such as creating icons, creating shortcuts for executables and so on. So I feel like grunt-node-webkit-builder is the opportunity to make the process more streamlined. So huge :+1: to this feature.
Hi
Is there anything I can do to help with this? Trying to get it working but not having much luck.
You can have a look at the process. AFAIK it's adding stuff to your plist and calling the codesign command on the CLI.
My problem is more that it looks like it's all working. But when I give the file to a colleague it still doesn't allow them to open it.
Would I need to have compiled the app locally to sign it?
Tim, if you "download" the file from a local server through your web browser it should give an accurate representation of what your friend sees (i.e. you should be unable to open the file also). If it helps my codesign bash file looks something like:
```bash
app="$1"
identity="20452F2A91DEF2D09660484DBA05F3FF15953422"
echo "### signing frameworks"
codesign --force --verify --verbose --sign "$identity" "$app/Contents/Frameworks/node-webkit Framework.framework/node-webkit Framework"
codesign --force --verify --verbose --sign "$identity" "$app/Contents/Frameworks/node-webkit Helper EH.app/"
codesign --force --verify --verbose --sign "$identity" "$app/Contents/Frameworks/node-webkit Helper NP.app/"
codesign --force --verify --verbose --sign "$identity" "$app/Contents/Frameworks/node-webkit Helper.app/"
codesign --force --verify --verbose --sign "$identity" "$app/Contents/Frameworks/terminal-notifier.app/"
echo "### signing libraries"
codesign --force --verify --verbose --sign "$identity" "$app/Contents/Libraries/libclang_rt.asan_osx_dynamic.dylib"
echo "### signing app"
codesign --force --verify --verbose --sign "$identity" "$app"
echo "### verifying signature"
codesign -vvv -d "$app"
```
@tommoor thanks for sharing this. It should be easy to add the identity to the grunt config and call the codesign command via node
How are you generating your cert?
Certificate is downloaded from Mac developer portal and added to the Keychain, is that what you mean?
Yes ok then not sure what I'm doing wrong using the following
```bash
# Run the following to get a list of certs
# security find-identity
app="$1"
identity="437144FA008DF70A56DFFA925E21CD470B801297"
echo "### signing frameworks"
codesign --force --verify --verbose --sign "$identity" "$app/Contents/Frameworks/crash_inspector"
codesign --force --verify --verbose --sign "$identity" "$app/Contents/Frameworks/node-webkit Framework.framework/node-webkit Framework.tmp"
codesign --force --verify --verbose --sign "$identity" "$app/Contents/Frameworks/node-webkit Framework.framework/node-webkit Framework.TOC"
codesign --force --verify --verbose --sign "$identity" "$app/Contents/Frameworks/node-webkit Framework.framework/"
codesign --force --verify --verbose --sign "$identity" "$app/Contents/Frameworks/node-webkit Helper EH.app/"
codesign --force --verify --verbose --sign "$identity" "$app/Contents/Frameworks/node-webkit Helper NP.app/"
codesign --force --verify --verbose --sign "$identity" "$app/Contents/Frameworks/node-webkit Helper.app/"
echo "### signing app"
codesign --force --verify --verbose --sign "$identity" "$app"
echo "### verifying signature"
codesign -vvv -d "$app"
```
Using the production key from the developer portal (also tried with Developer key) 437144FA008DF70A56DFFA925E21CD470B801297 "3rd Party Mac Developer Application: Afrihost (Pty) Ltd (DULGG2WW9X)"
Though anyone else who gets the app gets an error
```
codesign -vvv -d "$app"
Executable=/afrihostNetworkTester/webkitprod/releases/ant-1.0.0/mac/ant-1.0.0.app/Contents/MacOS/node-webkit
Identifier=com.afrihost.ant
Format=bundle with Mach-O thin (i386)
CodeDirectory v=20100 size=185 flags=0x0(none) hashes=3+3 location=embedded
Hash type=sha1 size=20
CDHash=be851f8020c289abf855126a8837083a42a8e729
Signature size=4361
Authority=3rd Party Mac Developer Application: Afrihost (Pty) Ltd (DULGG2WW9X)
Authority=Apple Worldwide Developer Relations Certification Authority
Authority=Apple Root CA
Signed Time=13 Dec 2013 17:34:20
Info.plist entries=17
Sealed Resources version=2 rules=12 files=159
Internal requirements count=1 size=200
```
Only thing I can think of that I had similar problems with was trying to use a Mac Appstore key not through the store - there are separate keys for distributing outside the store
Found my problem. Turned out I could not generate the correct cert. (Developer ID).
Once I managed to generate one the script above worked.
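The problem resolved above came down to the certificate class, which shows up in the first `Authority=` line of the `codesign -d` report. As an added example (not code from this thread or from grunt-nw-builder), the script below classifies that line; the function names and the second sample, with its placeholder name and team ID, are assumptions made for illustration.

```sh
#!/bin/sh
# Classify the signing certificate named in `codesign -dvvv` output.
# On macOS, codesign writes this report to stderr:
#   codesign -dvvv "$app" 2>&1 | classify_identity

# Leaf certificate = first Authority= line; the CA chain follows it.
leaf_authority() {
    awk '/^Authority=/ { print substr($0, 11); exit }'
}

classify_identity() {
    leaf="$(leaf_authority)"
    case "$leaf" in
        "Developer ID Application:"*)            echo "developer-id" ;;
        "3rd Party Mac Developer Application:"*) echo "mac-app-store" ;;
        "Mac Developer:"*)                       echo "development" ;;
        "")                                      echo "no-authority" ;;
        *)                                       echo "unknown" ;;
    esac
}

# Authority lines as posted in the thread above.
THREAD_OUTPUT='Identifier=com.afrihost.ant
Authority=3rd Party Mac Developer Application: Afrihost (Pty) Ltd (DULGG2WW9X)
Authority=Apple Worldwide Developer Relations Certification Authority
Authority=Apple Root CA'

# Constructed sample: placeholder name and team ID, not from the thread.
CONSTRUCTED_DEVID='Identifier=com.example.app
Authority=Developer ID Application: Example Corp (TEAMID0000)
Authority=Developer ID Certification Authority
Authority=Apple Root CA'

check_for_direct_distribution() {
    # Exit status 0 only when the leaf certificate is a Developer ID one.
    kind="$(classify_identity)"
    echo "leaf certificate class: $kind"
    [ "$kind" = "developer-id" ]
}

printf '%s\n' "$THREAD_OUTPUT" | check_for_direct_distribution \
    || echo "not signed for distribution outside the Mac App Store"
printf '%s\n' "$CONSTRUCTED_DEVID" | check_for_direct_distribution
```

Running this check as the last step of a signing script catches a Mac App Store certificate before the build is handed to anyone else.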
There are so many annoying tasks besides actually building the app, such as creating icons, creating shortcuts for executables and so on. So I feel like grunt-node-webkit-builder is the opportunity to make the process more streamlined. So huge 👍 to this feature.
👋 New maintainer here. I basically agree with this except I think this should be integrated into the nw-builder (signing for Mac, Windows, Linux that is) and used by the grunt plugin.