feat(sltt-app): sign and notarize macos application (#28)

What issue(s) is this trying to resolve?
* feat(sltt-app): Sign and notarize Mac application #9

How does it all work?
* In order for a Mac application to be successfully installed, the app
installer must be signed (with a certificate) and notarized (uploaded to
Apple to be scanned for viruses, etc.).

What particularly has changed?
* Description of procedure
[HERE](https://docs.google.com/document/d/1Qk-bz-uRPBThCXs2rRfNnr4QIxsC3yNlM_e7eMjGGHs/edit?usp=sharing)
* Signing certificate created
* .env file with notarization credentials created
* package.json "build" object updated with Mac build config

Steps for testing
1. yarn build:mac
2. Copy newly created .dmg file to another mac
3. Launch dmg file, drag application icon to Applications folder, launch
application, smoke test.


ticket: #9
commit-convention: https://www.conventionalcommits.org/en/v1.0.0/

---------

Co-authored-by: Eric Pyle <[email protected]>

Author: Nathan22Miles

.gitignore

@@ -2,3 +2,5 @@ node_modules
 dist
 out
 *.log*
+.env
+.DS_Store

README.md

@@ -152,3 +152,7 @@ vite v4.3.3 building for production...
     [====================] 100% 0.0s | sltt-app-Setup-1.0.6.exe to github
 Done in 55.90s.
 ```
+
+# Building Releases for Mac
+
+Discussion of process [HERE](https://docs.google.com/document/d/1Qk-bz-uRPBThCXs2rRfNnr4QIxsC3yNlM_e7eMjGGHs/edit?usp=sharing)

build/entitlements.mac.plist

@@ -8,5 +8,7 @@
     <true/>
     <key>com.apple.security.cs.allow-dyld-environment-variables</key>
     <true/>
+    <key>com.apple.security.device.camera</key>
+    <true/>
   </dict>
 </plist>

build/notarize.js

@@ -1,36 +1,36 @@
-const { notarize } = require('@electron/notarize')
-
-module.exports = async (context) => {
-  if (process.platform !== 'darwin') return
+console.log('afterSign hook triggered')
 
-  console.log('aftersign hook triggered, start to notarize app.')
+require('dotenv').config()
 
-  if (!process.env.CI) {
-    console.log(`skipping notarizing, not in CI.`)
-    return
-  }
+const { notarize } = require('@electron/notarize')
 
-  if (!('APPLE_ID' in process.env && 'APPLE_ID_PASS' in process.env)) {
-    console.warn('skipping notarizing, APPLE_ID and APPLE_ID_PASS env variables must be set.')
+exports.default = async function notarizing(context) {
+  const { electronPlatformName, appOutDir } = context
+  if (electronPlatformName !== 'darwin') {
     return
   }
 
-  const appId = 'net.sltt-bible.app'
-
-  const { appOutDir } = context
+  console.log('notarizing...')
 
   const appName = context.packager.appInfo.productFilename
 
-  try {
-    await notarize({
-      appBundleId: appId,
-      appPath: `${appOutDir}/${appName}.app`,
-      appleId: process.env.APPLE_ID,
-      appleIdPassword: process.env.APPLEIDPASS
-    })
-  } catch (error) {
-    console.error(error)
+  // Get appleId and appleIdPassword from environment variables.
+  // These values are in the .env file.
+  // appleId: email address you use to login to App Store Connect
+  // appleIdPassword: app-specific password generated by appleid.apple.com
+  const { appleId, appleIdPassword, teamId } = process.env
+
+  if (!appleId || !appleIdPassword || !teamId) {
+    console.error('Missing Apple ID or Apple ID password or Team ID')
+    return
   }
 
-  console.log(`done notarizing ${appId}.`)
+  return await notarize({
+    appBundleId: 'net.sltt-bible.app',
+    appPath: `${appOutDir}/${appName}.app`,
+    appleId,
+    appleIdPassword,
+    tool: 'notarytool',
+    teamId,
+  })
 }

electron-builder.yml

@@ -20,7 +20,11 @@ nsis:
   uninstallDisplayName: ${productName}
   createDesktopShortcut: always
 mac:
+  category: "public.app-category.business"
+  entitlements: build/entitlements.mac.plist
   entitlementsInherit: build/entitlements.mac.plist
+  hardenedRuntime: true
+  gatekeeperAssess: false
   extendInfo:
     - NSCameraUsageDescription: Application requests access to the device's camera.
     - NSMicrophoneUsageDescription: Application requests access to the device's microphone.

package.json

@@ -30,12 +30,26 @@
     "build:win:prerelease": "npm run build && electron-builder --win --config --publish onTagOrDraft --prerelease",
     "build:win:draft": "npm run build && electron-builder --win --config --publish onTagOrDraft",
     "build:win:release": "npm run build && cross-env GH_TOKEN=%SLTT_APP_PAT% electron-builder --win --config --publish always",
+    "build:mac:norelease": "electron-vite build && electron-builder --mac --config --publish never",
     "build:mac": "electron-vite build && electron-builder --mac --config",
+    "build:mac:release": "electron-vite build && electron-builder --mac --config --publish always",
     "build:linux": "electron-vite build && electron-builder --linux --config"
   },
   "build": {
     "appId": "net.sltt-bible.app",
     "productName": "sltt-app",
+    "forceCodeSigning": true,
+    "afterSign": "build/notarize.js",
+    "mac": {
+      "target": [
+        {
+          "target": "dmg",
+          "arch": [
+            "x64"
+          ]
+        }
+      ]
+    },
     "directories": {
       "output": "dist"
     },