Parallelize signing

Author: SuperDisk

package.json

@@ -34,6 +34,7 @@
     "fs-extra": "^10.0.0",
     "isbinaryfile": "^4.0.8",
     "minimist": "^1.2.6",
+    "p-limit": "^6.2.0",
     "plist": "^3.0.5"
   },
   "devDependencies": {

src/sign.ts

@@ -3,6 +3,9 @@ import * as os from 'os';
 import * as path from 'path';
 import * as plist from 'plist';
 import compareVersion from 'compare-version';
+import pLimit from 'p-limit';
+
+const limit = pLimit(20);
 
 import {
   debugLog,
@@ -199,103 +202,128 @@ async function signApplication (opts: ValidatedSignOptions, identity: Identity)
     return bDepth - aDepth;
   });
 
-  for (const filePath of [...children, opts.app]) {
-    if (shouldIgnoreFilePath(filePath)) {
-      debugLog('Skipped... ' + filePath);
-      continue;
-    }
+  let filesByLength: any[] = [];
+  for (let s of [...children, opts.app]) {
+    let len = s.split(path.sep).length;
 
-    const perFileOptions = await mergeOptionsForFile(
-      opts.optionsForFile ? opts.optionsForFile(filePath) : null,
-      defaultOptionsForFile(filePath, opts.platform)
-    );
+    if (filesByLength[len] === undefined)
+      filesByLength[len] = [];
 
-    // preAutoEntitlements should only be applied to the top level app bundle.
-    // Applying it other files will cause the app to crash and be rejected by Apple.
-    if (!filePath.includes('.app/')) {
-      if (opts.preAutoEntitlements === false) {
-        debugWarn('Pre-sign operation disabled for entitlements automation.');
-      } else {
-        debugLog(
-          'Pre-sign operation enabled for entitlements automation with versions >= `1.1.1`:',
-          '\n',
-          '* Disable by setting `pre-auto-entitlements` to `false`.'
-        );
-        if (!opts.version || compareVersion(opts.version, '1.1.1') >= 0) {
-          // Enable Mac App Store sandboxing without using temporary-exception, introduced in Electron v1.1.1. Relates to electron#5601
-          const newEntitlements = await preAutoEntitlements(opts, perFileOptions, {
-            identity,
-            provisioningProfile: opts.provisioningProfile
-              ? await getProvisioningProfile(opts.provisioningProfile, opts.keychain)
-              : undefined
+    filesByLength[len].push(s);
+  }
+  filesByLength.reverse();
+
+  const signingPromises = filesByLength.map((files) => {
+    return {
+      files: files,
+      run: async () => await Promise.all(
+        files.map((filePath: string) => {
+          return limit(async () => {
+            if (shouldIgnoreFilePath(filePath)) {
+              debugLog('Skipped... ' + filePath);
+              return;
+            }
+
+            const perFileOptions = await mergeOptionsForFile(
+              opts.optionsForFile ? opts.optionsForFile(filePath) : null,
+              defaultOptionsForFile(filePath, opts.platform)
+            );
+
+            // preAutoEntitlements should only be applied to the top level app bundle.
+            // Applying it other files will cause the app to crash and be rejected by Apple.
+            if (!filePath.includes('.app/')) {
+              if (opts.preAutoEntitlements === false) {
+                debugWarn('Pre-sign operation disabled for entitlements automation.');
+              } else {
+                debugLog(
+                  'Pre-sign operation enabled for entitlements automation with versions >= `1.1.1`:',
+                  '\n',
+                  '* Disable by setting `pre-auto-entitlements` to `false`.'
+                );
+                if (!opts.version || compareVersion(opts.version, '1.1.1') >= 0) {
+                  // Enable Mac App Store sandboxing without using temporary-exception, introduced in Electron v1.1.1. Relates to electron#5601
+                  const newEntitlements = await preAutoEntitlements(opts, perFileOptions, {
+                    identity,
+                    provisioningProfile: opts.provisioningProfile
+                      ? await getProvisioningProfile(opts.provisioningProfile, opts.keychain)
+                      : undefined
+                  });
+
+                  // preAutoEntitlements may provide us new entitlements, if so we update our options
+                  // and ensure that entitlements-loginhelper has a correct default value
+                  if (newEntitlements) {
+                    perFileOptions.entitlements = newEntitlements;
+                  }
+                }
+              }
+            }
+
+            debugLog('Signing in parallel... ' + filePath);
+
+            const perFileArgs = [...args];
+
+            if (perFileOptions.requirements) {
+              if (perFileOptions.requirements.charAt(0) === '=') {
+                perFileArgs.push(`-r${perFileOptions.requirements}`);
+              } else {
+                perFileArgs.push('--requirements', perFileOptions.requirements);
+              }
+            }
+            if (perFileOptions.timestamp) {
+              perFileArgs.push('--timestamp=' + perFileOptions.timestamp);
+            } else {
+              perFileArgs.push('--timestamp');
+            }
+
+            let optionsArguments: string[] = [];
+
+            if (perFileOptions.signatureFlags) {
+              if (Array.isArray(perFileOptions.signatureFlags)) {
+                optionsArguments.push(...perFileOptions.signatureFlags);
+              } else {
+                const flags = perFileOptions.signatureFlags.split(',').map(function (flag) {
+                  return flag.trim();
+                });
+                optionsArguments.push(...flags);
+              }
+            }
+
+            if (perFileOptions.hardenedRuntime || optionsArguments.includes('runtime')) {
+              // Hardened runtime since darwin 17.7.0 --> macOS 10.13.6
+              if (compareVersion(osRelease, '17.7.0') >= 0) {
+                optionsArguments.push('runtime');
+              } else {
+                // Remove runtime if passed in with --signature-flags
+                debugLog(
+                  'Not enabling hardened runtime, current macOS version too low, requires 10.13.6 and higher'
+                );
+                optionsArguments = optionsArguments.filter((arg) => {
+                  return arg !== 'runtime';
+                });
+              }
+            }
+
+            if (optionsArguments.length) {
+              perFileArgs.push('--options', [...new Set(optionsArguments)].join(','));
+            }
+
+            if (perFileOptions.additionalArguments) {
+              perFileArgs.push(...perFileOptions.additionalArguments);
+            }
+
+            await execFileAsync(
+              'codesign',
+              perFileArgs.concat('--entitlements', perFileOptions.entitlements, filePath)
+            );
           });
-
-          // preAutoEntitlements may provide us new entitlements, if so we update our options
-          // and ensure that entitlements-loginhelper has a correct default value
-          if (newEntitlements) {
-            perFileOptions.entitlements = newEntitlements;
-          }
-        }
-      }
-    }
-
-    debugLog('Signing... ' + filePath);
-
-    const perFileArgs = [...args];
-
-    if (perFileOptions.requirements) {
-      if (perFileOptions.requirements.charAt(0) === '=') {
-        perFileArgs.push(`-r${perFileOptions.requirements}`);
-      } else {
-        perFileArgs.push('--requirements', perFileOptions.requirements);
-      }
-    }
-    if (perFileOptions.timestamp) {
-      perFileArgs.push('--timestamp=' + perFileOptions.timestamp);
-    } else {
-      perFileArgs.push('--timestamp');
-    }
-
-    let optionsArguments: string[] = [];
-
-    if (perFileOptions.signatureFlags) {
-      if (Array.isArray(perFileOptions.signatureFlags)) {
-        optionsArguments.push(...perFileOptions.signatureFlags);
-      } else {
-        const flags = perFileOptions.signatureFlags.split(',').map(function (flag) {
-          return flag.trim();
-        });
-        optionsArguments.push(...flags);
-      }
-    }
-
-    if (perFileOptions.hardenedRuntime || optionsArguments.includes('runtime')) {
-      // Hardened runtime since darwin 17.7.0 --> macOS 10.13.6
-      if (compareVersion(osRelease, '17.7.0') >= 0) {
-        optionsArguments.push('runtime');
-      } else {
-        // Remove runtime if passed in with --signature-flags
-        debugLog(
-          'Not enabling hardened runtime, current macOS version too low, requires 10.13.6 and higher'
-        );
-        optionsArguments = optionsArguments.filter((arg) => {
-          return arg !== 'runtime';
-        });
-      }
-    }
-
-    if (optionsArguments.length) {
-      perFileArgs.push('--options', [...new Set(optionsArguments)].join(','));
-    }
-
-    if (perFileOptions.additionalArguments) {
-      perFileArgs.push(...perFileOptions.additionalArguments);
+        })
+      )
     }
+  });
 
-    await execFileAsync(
-      'codesign',
-      perFileArgs.concat('--entitlements', perFileOptions.entitlements, filePath)
-    );
+  for (const idx in signingPromises) {
+    let { run } = signingPromises[idx];
+    await run();
   }
 
   // Verify code sign

src/util.ts

@@ -142,7 +142,7 @@ export async function walkAsync (dirPath: string): Promise<string[]> {
       children.map(async (child) => {
         const filePath = path.resolve(dirPath, child);
 
-        const stat = await fs.stat(filePath);
+        const stat = await fs.lstat(filePath);
         if (stat.isFile()) {
           switch (path.extname(filePath)) {
             case '.cstemp': // Temporary file generated from past codesign