Platform: Mac App Store support

[sethlu]

• MAS platform support
• Entitlements (optional) are supported to sign apps, not just with a certificate
• Made it easier to sign for MAS distribution, may fallback to default entitlements file

[malept]

This map should be sorted alphabetically.

[malept]

Please update the rest of the "darwin platform only" references to be "darwin/mas platforms only".

[malept]

This would solve #163 (or at least part of it). I'm going to wait on @maxogden's opinion on this before merging, as he had some concerns in the linked issue.

If someone with a Mac could test this, it would be appreciated.

[max-mapper]

Here's my opinion:

• Looks pretty solid + straightforward, however:
• I think there needs to be some mention somewhere in the readme that mas means "Mac App Store" just to help user friendliness
• The fact that we're adding a bunch of code signing specific code with no tests makes me really nervous. I would really prefer it at this point if all the codesigning stuff got moved into a separate standalone module that we could depend on. This kind of patch is a big red flag to me

[malept]

I think there needs to be some mention somewhere in the readme that mas means "Mac App Store" just to help user friendliness

👍 - also, linking to the Electron docs would be helpful.

The fact that we're adding a bunch of code signing specific code with no tests makes me really nervous.

Yeah, me too. The problem I have is that I don't know what a reasonable way to programatically test this looks like.

I would really prefer it at this point if all the codesigning stuff got moved into a separate standalone module that we could depend on. This kind of patch is a big red flag to me

👍

[max-mapper]

The problem I have is that I don't know what a reasonable way to programatically test this looks like.

Agreed, it's a hard one. I think in place of proper tests the next best thing would be to put all the signing code into a new module, e.g. electron-sign, and then at least it can have a dedicated issue tracker, version number, external API, and maintainers.

Is anyone up for writing + maintaining a electron-sign module?

[sethlu]

Putting the codesign into a separated module for building and testing could be a nice track, as testing online proves hard for signing with certificates, needing manual help after all. I'll see if I could start a module integrating the OS X codesign command later.
Here's a list of things I guess might be confusing for those packing the mac apps:

• The certificates for packing an app for distributing outside/in the Mac App Store are different.
• Distributing outside the Mac App Store doesn't necessarily need the entitlements, as they are for sandboxing as the main purpose (to my perspective).
• From my reading online, I found code signing each file in the project is recommended(?) by Apple as Xcode does so, with --deep ignored.
• For distribution within the Mac App Store, an installer package should be required for uploading the app to iTunesConnect for reviewing (so I may put up a electron-sign with installer)

[sethlu]

Here's what I've got from today: https://github.com/sethlu/electron-sign
Tbh, only those with the dev program could have the code tested.

[max-mapper]

@sethlu Wow!! Amazing work. That looks really good so far. I looked at the code and didn't see any obvious problems. It's great that you have a test suite and standard hooked up too :)

When you are ready, do you want to make a PR to electron-packager that update this PR to integrate with electron-sign? I can also add you to the electron-packager collaborators so you can help maintain the integration in the future.

[cjb]

(Maybe electron-mac-sign or something, since Windows Electron apps also require signing?)

[max-mapper]

@cjb is there any existing code for that? if if's not too hairy maybe it could live in electron-sign too?

[sethlu]

@maxogden @cjb I've renamed the project to electron-osx-sign and it should avoid some issues with understanding from simply reading the command, as it is OS X only now. Seems that there is as well some sorts of code signing with Windows, but I wouldn't get into that too much now for Electron as distribution to OS X's a bit more complex in following the steps, and it's quite needing.
An updated repo: https://github.com/sethlu/electron-osx-sign
I'll see how I could have my electron-packager fork updated with code-sign and make several tests before doing anything further.

[max-mapper]

@sethlu excellent, sounds good, thanks!

[malept]

Regarding signing packages on Windows: #32

[sethlu]

I'm not quite sure about the code signing for the Windows platform as I do most of my work on my Mac.
I haven't replaced the testing procedures for codesign around test/mac.js:181, not sure if to remove it as the code signing's been moved to a separate module.

[malept]

Please keep the dependency list alphabetized.

[max-mapper]

protip, if you use npm install --save some-dependency then npm will automatically add it to the dependencies in package.json and alphabetize it for you :)

[sethlu]

@maxogden Wow, thanks! I'll have it a try the next time I need to have the package description sorted.
On the travis build, I'm thinking about pulling the timeout longer for testing as it frequently does.

[sethlu]

Oops, sorry I accidentally closed this.

[sethlu]

@malept Just separated the commits to make each change clearer. Mind having another check?

[malept]

Once the app-copyright docs are updated, I'm going to merge this. (Unless one of the other contributors raises concerns soon - @kfranqueiro's concern about whether adding this feature constitutes a major or minor version bump will be addressed in #266. Hopefully I didn't miss anything.)

[sethlu]

@malept The readme.md has been updated with app-copyright.
I'm not sure but there's really quite a lot of working in changing the plist properties from my commits.

[malept]

"copyright", not "copyrights string". I'll fix this post-merge. (I'm doing #265 anyway.)

[malept]

Excellent, I'm going to merge this later today.

I'm not sure but there's really quite a lot of working in changing the plist properties from my commits.

Yes, @maxogden had a similar observation in a different PR: #253 (comment)

[sethlu]

@malept cool! After this I could join their discussions on plists, just to minimize the amount of code based on file modifications.

[malept]

Oops, forgot to merge this last night. I will do so now.

Thanks @sethlu for all the work you've done on this pull request!

[jasonhinkle]

Fantastic work guys!

[positlabs]

@sethlu @malept, if you're ever in Oakland, CA, I owe you a beer!