2022-08-28 18:13:21 +00:00
|
|
|
// Copyright 2016-2019 Cargo-Bundle developers <https://github.com/burtonageo/cargo-bundle>
|
2024-03-01 11:29:01 +00:00
|
|
|
// Copyright 2019-2024 Tauri Programme within The Commons Conservancy
|
2021-10-22 13:04:42 +00:00
|
|
|
// SPDX-License-Identifier: Apache-2.0
|
|
|
|
|
// SPDX-License-Identifier: MIT
|
|
|
|
|
|
2023-08-16 02:10:02 +00:00
|
|
|
use std::{
|
|
|
|
|
env::{var, var_os},
|
|
|
|
|
ffi::OsString,
|
2025-10-07 12:27:30 +00:00
|
|
|
path::PathBuf,
|
2023-08-16 02:10:02 +00:00
|
|
|
};
|
2022-05-07 13:19:54 +00:00
|
|
|
|
2025-10-07 12:27:30 +00:00
|
|
|
use crate::{error::NotarizeAuthError, Entitlements, Settings};
|
2022-05-05 21:29:40 +00:00
|
|
|
|
2023-09-15 15:09:10 +00:00
|
|
|
pub struct SignTarget {
|
|
|
|
|
pub path: PathBuf,
|
|
|
|
|
pub is_an_executable: bool,
|
|
|
|
|
}
|
|
|
|
|
|
2024-08-16 23:30:49 +00:00
|
|
|
pub fn keychain(identity: Option<&str>) -> crate::Result<Option<tauri_macos_sign::Keychain>> {
|
|
|
|
|
if let (Some(certificate_encoded), Some(certificate_password)) = (
|
2023-08-16 02:10:02 +00:00
|
|
|
var_os("APPLE_CERTIFICATE"),
|
|
|
|
|
var_os("APPLE_CERTIFICATE_PASSWORD"),
|
2021-04-30 14:39:50 +00:00
|
|
|
) {
|
2024-08-16 23:30:49 +00:00
|
|
|
// import user certificate - useful for for CI build
|
|
|
|
|
let keychain =
|
2025-10-02 09:58:26 +00:00
|
|
|
tauri_macos_sign::Keychain::with_certificate(&certificate_encoded, &certificate_password)
|
|
|
|
|
.map_err(Box::new)?;
|
2024-08-16 23:30:49 +00:00
|
|
|
if let Some(identity) = identity {
|
|
|
|
|
let certificate_identity = keychain.signing_identity();
|
|
|
|
|
if !certificate_identity.contains(identity) {
|
2025-10-02 09:58:26 +00:00
|
|
|
return Err(crate::Error::GenericError(format!(
|
|
|
|
|
"certificate from APPLE_CERTIFICATE \"{certificate_identity}\" environment variable does not match provided identity \"{identity}\""
|
|
|
|
|
)));
|
2024-08-16 23:30:49 +00:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
Ok(Some(keychain))
|
|
|
|
|
} else if let Some(identity) = identity {
|
|
|
|
|
Ok(Some(tauri_macos_sign::Keychain::with_signing_identity(
|
|
|
|
|
identity,
|
|
|
|
|
)))
|
2022-05-05 21:29:40 +00:00
|
|
|
} else {
|
2024-08-16 23:30:49 +00:00
|
|
|
Ok(None)
|
|
|
|
|
}
|
|
|
|
|
}
|
2022-05-05 21:29:40 +00:00
|
|
|
|
2024-08-16 23:30:49 +00:00
|
|
|
pub fn sign(
|
|
|
|
|
keychain: &tauri_macos_sign::Keychain,
|
|
|
|
|
targets: Vec<SignTarget>,
|
|
|
|
|
settings: &Settings,
|
|
|
|
|
) -> crate::Result<()> {
|
|
|
|
|
log::info!(action = "Signing"; "with identity \"{}\"", keychain.signing_identity());
|
2023-09-15 15:09:10 +00:00
|
|
|
|
|
|
|
|
for target in targets {
|
2025-10-07 12:27:30 +00:00
|
|
|
let (entitlements_path, _temp_file) = match settings.macos().entitlements.as_ref() {
|
|
|
|
|
Some(Entitlements::Path(path)) => (Some(path.to_owned()), None),
|
|
|
|
|
Some(Entitlements::Plist(plist)) => {
|
|
|
|
|
let mut temp_file = tempfile::NamedTempFile::new()?;
|
|
|
|
|
plist::to_writer_xml(temp_file.as_file_mut(), &plist)?;
|
|
|
|
|
(Some(temp_file.path().to_path_buf()), Some(temp_file))
|
|
|
|
|
}
|
|
|
|
|
None => (None, None),
|
2025-01-23 11:14:33 +00:00
|
|
|
};
|
2025-10-07 12:27:30 +00:00
|
|
|
|
2025-10-02 09:58:26 +00:00
|
|
|
keychain
|
|
|
|
|
.sign(
|
|
|
|
|
&target.path,
|
2025-10-07 12:27:30 +00:00
|
|
|
entitlements_path.as_deref(),
|
2025-10-02 09:58:26 +00:00
|
|
|
target.is_an_executable && settings.macos().hardened_runtime,
|
|
|
|
|
)
|
|
|
|
|
.map_err(Box::new)?;
|
2023-09-15 15:09:10 +00:00
|
|
|
}
|
2022-05-05 21:29:40 +00:00
|
|
|
|
2024-08-16 23:30:49 +00:00
|
|
|
Ok(())
|
2023-08-16 02:10:02 +00:00
|
|
|
}
|
|
|
|
|
|
2021-04-30 14:39:50 +00:00
|
|
|
pub fn notarize(
|
2024-07-12 14:08:55 +00:00
|
|
|
keychain: &tauri_macos_sign::Keychain,
|
2021-04-30 14:39:50 +00:00
|
|
|
app_bundle_path: PathBuf,
|
2024-07-12 14:08:55 +00:00
|
|
|
credentials: &tauri_macos_sign::AppleNotarizationCredentials,
|
2021-04-30 14:39:50 +00:00
|
|
|
) -> crate::Result<()> {
|
2025-10-02 09:58:26 +00:00
|
|
|
tauri_macos_sign::notarize(keychain, &app_bundle_path, credentials)
|
|
|
|
|
.map_err(Box::new)
|
|
|
|
|
.map_err(Into::into)
|
2021-04-30 14:39:50 +00:00
|
|
|
}
|
|
|
|
|
|
2025-08-11 17:29:41 +00:00
|
|
|
pub fn notarize_without_stapling(
|
|
|
|
|
keychain: &tauri_macos_sign::Keychain,
|
|
|
|
|
app_bundle_path: PathBuf,
|
|
|
|
|
credentials: &tauri_macos_sign::AppleNotarizationCredentials,
|
|
|
|
|
) -> crate::Result<()> {
|
|
|
|
|
tauri_macos_sign::notarize_without_stapling(keychain, &app_bundle_path, credentials)
|
2025-10-02 09:58:26 +00:00
|
|
|
.map_err(Box::new)
|
2025-08-11 17:29:41 +00:00
|
|
|
.map_err(Into::into)
|
|
|
|
|
}
|
|
|
|
|
|
2024-07-12 14:08:55 +00:00
|
|
|
pub fn notarize_auth() -> Result<tauri_macos_sign::AppleNotarizationCredentials, NotarizeAuthError>
|
|
|
|
|
{
|
2023-09-15 11:30:27 +00:00
|
|
|
match (
|
|
|
|
|
var_os("APPLE_ID"),
|
|
|
|
|
var_os("APPLE_PASSWORD"),
|
|
|
|
|
var_os("APPLE_TEAM_ID"),
|
|
|
|
|
) {
|
2024-07-12 14:08:55 +00:00
|
|
|
(Some(apple_id), Some(password), Some(team_id)) => {
|
|
|
|
|
Ok(tauri_macos_sign::AppleNotarizationCredentials::AppleId {
|
|
|
|
|
apple_id,
|
|
|
|
|
password,
|
|
|
|
|
team_id,
|
|
|
|
|
})
|
|
|
|
|
}
|
2023-10-06 17:33:49 +00:00
|
|
|
(Some(_apple_id), Some(_password), None) => Err(NotarizeAuthError::MissingTeamId),
|
2021-04-30 14:39:50 +00:00
|
|
|
_ => {
|
2025-10-02 09:58:26 +00:00
|
|
|
match (
|
|
|
|
|
var_os("APPLE_API_KEY"),
|
|
|
|
|
var_os("APPLE_API_ISSUER"),
|
|
|
|
|
var("APPLE_API_KEY_PATH"),
|
|
|
|
|
) {
|
2024-07-12 14:08:55 +00:00
|
|
|
(Some(key_id), Some(issuer), Ok(key_path)) => {
|
2025-10-02 09:58:26 +00:00
|
|
|
Ok(tauri_macos_sign::AppleNotarizationCredentials::ApiKey {
|
|
|
|
|
key_id,
|
|
|
|
|
key: tauri_macos_sign::ApiKey::Path(key_path.into()),
|
|
|
|
|
issuer,
|
|
|
|
|
})
|
|
|
|
|
}
|
2024-07-12 14:08:55 +00:00
|
|
|
(Some(key_id), Some(issuer), Err(_)) => {
|
2023-09-15 11:30:27 +00:00
|
|
|
let mut api_key_file_name = OsString::from("AuthKey_");
|
2024-07-12 14:08:55 +00:00
|
|
|
api_key_file_name.push(&key_id);
|
2023-09-15 11:30:27 +00:00
|
|
|
api_key_file_name.push(".p8");
|
2023-09-07 13:01:12 +00:00
|
|
|
let mut key_path = None;
|
|
|
|
|
|
|
|
|
|
let mut search_paths = vec!["./private_keys".into()];
|
2024-06-04 03:03:25 +00:00
|
|
|
if let Some(home_dir) = dirs::home_dir() {
|
2023-09-07 13:01:12 +00:00
|
|
|
search_paths.push(home_dir.join("private_keys"));
|
|
|
|
|
search_paths.push(home_dir.join(".private_keys"));
|
|
|
|
|
search_paths.push(home_dir.join(".appstoreconnect").join("private_keys"));
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
for folder in search_paths {
|
|
|
|
|
if let Some(path) = find_api_key(folder, &api_key_file_name) {
|
|
|
|
|
key_path = Some(path);
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if let Some(key_path) = key_path {
|
2025-10-02 09:58:26 +00:00
|
|
|
Ok(tauri_macos_sign::AppleNotarizationCredentials::ApiKey {
|
|
|
|
|
key_id,
|
|
|
|
|
key: tauri_macos_sign::ApiKey::Path(key_path),
|
|
|
|
|
issuer,
|
|
|
|
|
})
|
2023-09-07 13:01:12 +00:00
|
|
|
} else {
|
2025-10-02 09:58:26 +00:00
|
|
|
Err(NotarizeAuthError::MissingApiKey {
|
|
|
|
|
file_name: api_key_file_name.to_string_lossy().into_owned(),
|
|
|
|
|
})
|
2023-09-07 13:01:12 +00:00
|
|
|
}
|
|
|
|
|
}
|
2025-10-02 09:58:26 +00:00
|
|
|
_ => Err(NotarizeAuthError::MissingCredentials),
|
2021-04-30 14:39:50 +00:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
2023-09-07 13:01:12 +00:00
|
|
|
|
2023-09-15 11:30:27 +00:00
|
|
|
fn find_api_key(folder: PathBuf, file_name: &OsString) -> Option<PathBuf> {
|
2023-09-07 13:01:12 +00:00
|
|
|
let path = folder.join(file_name);
|
|
|
|
|
if path.exists() {
|
|
|
|
|
Some(path)
|
|
|
|
|
} else {
|
|
|
|
|
None
|
|
|
|
|
}
|
|
|
|
|
}
|
