desktop: get code signing/notarizing working

Author: patosullivan

.github/workflows/electron-build.yml

@@ -128,32 +128,23 @@ jobs:
         shell: bash
         run: echo "VERSION=${GITHUB_REF#refs/tags/desktop-v}" >> $GITHUB_OUTPUT
 
-      # Code signing is disabled for now
-      # - name: Import Code-Signing Certificates (macOS)
-      #   if: matrix.os == 'macos-latest'
-      #   uses: apple-actions/import-codesign-certs@v2
-      #   with:
-      #     p12-file-base64: ${{ secrets.APPLE_CERTIFICATE_BASE64 }}
-      #     p12-password: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}
-      #     keychain-password: ${{ github.run_id }}
+      - name: Import Code-Signing Certificates (macOS)
+        if: matrix.os == 'macos-latest'
+        uses: apple-actions/import-codesign-certs@v2
+        with:
+          p12-file-base64: ${{ secrets.APPLE_CERTIFICATE_BASE64 }}
+          p12-password: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}
+          keychain-password: ${{ github.run_id }}
 
-      # Install electron-notarize package - re-enable when we have a Developer ID Application certificate
-      # we'll also need to add the `afterSign` hook to electron-builder config in package.json
-      # - name: Install @electron/notarize
-      #   if: matrix.os == 'macos-latest'
-      #   working-directory: apps/tlon-desktop
-      #   run: pnpm add @electron/notarize -D
-      
-      # Run platform-specific electron-builder with code signing & notarization disabled
+      # Run platform-specific electron-builder with code signing & notarization 
       - name: Build Platform Package
         working-directory: apps/tlon-desktop
         env:
-          # Explicitly disable code signing and notarization
-          CSC_IDENTITY_AUTO_DISCOVERY: "false"
-          CSC_IDENTITY: ""
-          NOTARIZE: "false"
-          ELECTRON_BUILDER_SIGN: "false"
-          USE_HARD_LINKS: "false"
+          CSC_LINK: ${{ matrix.os == 'macos-latest' && secrets.APPLE_CERTIFICATE_BASE64 || '' }}
+          CSC_KEY_PASSWORD: ${{ matrix.os == 'macos-latest' && secrets.APPLE_CERTIFICATE_PASSWORD || '' }}
+          APPLE_ID: ${{ matrix.os == 'macos-latest' && secrets.APPLE_ID || '' }}
+          APPLE_APP_SPECIFIC_PASSWORD: ${{ matrix.os == 'macos-latest' && secrets.APPLE_ID_PASSWORD || '' }}
+          APPLE_TEAM_ID: ${{ matrix.os == 'macos-latest' && secrets.APPLE_TEAM_ID || '' }}
         run: npx electron-builder ${{ matrix.build_flag }}
 
       # Prepare artifacts with proper names

apps/tlon-desktop/package.json

@@ -33,6 +33,7 @@
     "electron-store": "^10.0.1"
   },
   "devDependencies": {
+    "@electron/notarize": "2.5.0",
     "concurrently": "^9.1.2",
     "electron": "34.3.0",
     "electron-builder": "^26.0.10",
@@ -62,10 +63,10 @@
     "mac": {
       "category": "public.app-category.social-networking",
       "darkModeSupport": true,
-      "hardenedRuntime": false,
+      "hardenedRuntime": true,
       "gatekeeperAssess": false,
-      "entitlements": null,
-      "entitlementsInherit": null,
+      "entitlements": "resources/entitlements.mac.plist",
+      "entitlementsInherit": "resources/entitlements.mac.plist",
       "icon": "resources/icons/mac/icon.icns",
       "target": [
         {
@@ -90,6 +91,7 @@
     "linux": {
       "icon": "resources/icons/png",
       "target": "AppImage"
-    }
+    },
+    "afterSign": ".notarize.js"
   }
 }