
Commit

Merge pull request #362 from HASEL-UZH/350-win-code-sign
350 win code sign
casaout authored Jan 24, 2025
2 parents 8af1852 + e714b53 commit c80b73e
Showing 3 changed files with 47 additions and 4 deletions.
48 changes: 45 additions & 3 deletions documentation/RESEARCH.md
Expand Up @@ -22,11 +22,11 @@ To use GitHub Actions to build and create PersonalAnalytics releases, you need t
- `CSC_LINK` (link to Apple Developer Certificate in \*.p12 format)
- `CSC_KEY_PASSWORD` (password for the Apple Developer Certificate)

### Required Changes in `electron-builder.json5`
### Required Changes in `electron-builder.config.cjs`
These changes are required to automatically publish the built artifacts to GitHub releases. You need to replace the `owner` and `repo` with your GitHub username and repository name.
You can find more information on electron-builder here: https://www.electron.build/ and for the `electron-builder.json5` file here: https://www.electron.build/configuration/configuration
You can find more information on electron-builder here: https://www.electron.build/ and for the `electron-builder.config.cjs` file here: https://www.electron.build/configuration/configuration

```json5
```cjfs
{
publish: {
provider: "github",
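Review bot: the new fence tag `cjfs` (replacing ```json5) is not a recognised highlighter name, so the block will render unhighlighted; since `electron-builder.config.cjs` is a CommonJS module, tag the block `js` and wrap the shown object in `module.exports = { ... }` so the snippet matches what the file actually contains, rather than the bare object literal carried over from the old `electron-builder.json5` example.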
Expand Down Expand Up @@ -146,6 +146,48 @@ Note that we're using Electron Builder and Github Actions (see [docu]([url](http
- Manually download and test the release, and if all is good, publish it!
- Releases are found under https://github.com/HASEL-UZH/PersonalAnalytics/releases

#### Code Signing for Windows

For Windows, we are using Azure Trusted Signing (beta) for code signing using Andre's personal account.
Please refer to the [electron-builder documentation](https://www.electron.build/code-signing.html#using-with-azure-trusted-signing-beta)
and [Azure's documentation](https://learn.microsoft.com/en-us/azure/trusted-signing/how-to-signing-integrations)
for more information. Following [this guide](https://melatonin.dev/blog/code-signing-on-windows-with-azure-trusted-signing/), the following
secrets and variables were defined for the GitHub action:

#### Secrets & Variables

| Name | Description |
|---------------------------|------------------------------------------------------------------------------------------------------------------------------------------|
| `AZURE_TENANT_ID` | The Microsoft Entra tenant (directory) ID. |
| `AZURE_CERT_PROFILE_NAME` | The name of the certificate (public trust) profile. |
| `AZURE_CLIENT_ID` | The client (application) ID of an App Registration in the tenant. |
| `AZURE_CLIENT_SECRET` | The client secret that was generated for the App Registration. |
| `AZURE_CODE_SIGNING_NAME` | The name of the trusted signing account (from the main Trusted Signing Account page in Azure). |
| `AZURE_ENDPOINT` | The URL for the selected region, labelled as Account URI (from the main Trusted Signing Account page in Azure). |
| `AZURE_PUBLISHER_NAME` | The publisher name used for code signing for Windows builds. This is the full string in the form of `CN=..., O=..., L=..., S=..., C=CH`. |

Note that using special characters (e.g. `é`) in the publisher name can lead to issues with the code signing process.

The above secrets and variables are used in the action files (e.g., [build.yml](https://github.com/HASEL-UZH/PersonalAnalytics/blob/dev/.github/workflows/buildyml)) and
provided to the electron-builder ([electron-builder.config.cjs](../src/electron/electron-builder.config.js)) via environment variables.

#### Code Signing for macOS

For macOS, the electron-builder's code signing is
disabled ([electron-builder.config.cjs](../src/electron/electron-builder.config.js)) and we are using the `afterSign` hook to
call the [notarize.cjs](../src/electron/scripts/notarize.js) script to sign the application using the `@electron/notarize`
package. The following environment variables are required for the code signing process:

### Secrets

| Name | Description |
|-------------------------------|-----------------------------------------------------------------------------------------------------|
| `APPLE_ID` | The Apple ID used for notarization. |
| `APPLE_ID_PASS` | The password for the Apple ID. |
| `APPLE_TEAM_ID` | The Apple Team ID (https://developer.apple.com/help/account/manage-your-team/locate-your-team-id/). |
| `APPLE_APP_SPECIFIC_PASSWORD` | App-Specific Password (https://appleid.apple.com/account/manage). |
| `CSC_LINK` | base64-encoded data of the Apple Developer Account certificate. |
| `CSC_KEY_PASSWORD` | Password of the Apple Developer Account certificate used to decrypt the certificate. |

### Testing PersonalAnalytics
PersonalAnalytics was tested on `Windows 11` and `macOS 14`. It might work on older versions as well.
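Review bot: the workflow link in the "The above secrets and variables are used in the action files" sentence is broken: `.../.github/workflows/buildyml` is missing the dot before the extension and should read `build.yml`. The relative links also disagree with their link text: `electron-builder.config.cjs` points at `../src/electron/electron-builder.config.js` (twice) and `notarize.cjs` points at `../src/electron/scripts/notarize.js`; given that the file touched in this very commit is `src/electron/electron-builder.config.cjs`, the `.cjs` paths look like the correct targets. On content: the "Secrets & Variables" table does not say which entries are GitHub secrets and which are plain variables; `AZURE_CLIENT_SECRET` at least is a credential and should be marked as a secret so it is masked in action logs, and the same goes for anything else the team treats as sensitive. Stating that Windows signing runs "using Andre's personal account" also documents a single-person dependency for release signing; worth a sentence on whether an organisation-owned Trusted Signing account is the intended end state. The macOS paragraph says electron-builder signing is disabled and the `afterSign` hook calls `notarize.cjs` "to sign the application using `@electron/notarize`"; notarization is a separate step from code signing, so please say where the binary is actually signed before it is submitted to Apple. Finally, the heading levels are uneven (`#### Secrets & Variables` under Windows but `### Secrets` under macOS).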
1 change: 1 addition & 0 deletions src/electron/electron-builder.config.cjs
Expand Up @@ -41,6 +41,7 @@ module.exports = {
},
win: {
target: ["nsis"],
publisherName: `${process.env.AZURE_PUBLISHER_NAME}`,
azureSignOptions: {
publisherName: `${process.env.AZURE_PUBLISHER_NAME}`,
endpoint: `${process.env.AZURE_ENDPOINT}`,
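Review bot: `publisherName` is now set twice from the same environment variable, once as the new top-level `win.publisherName` and once inside `azureSignOptions`; if both are intentional (electron-builder documents `win.publisherName` as the name used to verify a signed update's publisher, while `azureSignOptions.publisherName` is handed to the Trusted Signing step), a one-line comment saying so would save the next reader from deleting one as a duplicate. Separately, the template literal `` `${process.env.AZURE_PUBLISHER_NAME}` `` turns an unset variable into the literal string `"undefined"` rather than failing early, so a build without the secret configured reaches the signing step with a nonsense publisher name; pass `process.env.AZURE_PUBLISHER_NAME` directly or throw when it is missing.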
2 changes: 1 addition & 1 deletion src/electron/package.json
@@ -1,7 +1,7 @@
{
"name": "personal-analytics",
"description": "PersonalAnalytics is a privacy-protecting, open-source self-monitoring software",
"version": "0.0.28",
"version": "0.0.29",
"main": "dist-electron/main/index.js",
"type": "module",
"author": {
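Review bot: the version bump from `0.0.28` to `0.0.29` is bundled into a code-signing change and is not mentioned in the commit message or PR title; either call it out in the PR description or land it as its own commit so the release tag and the signing change can be bisected separately.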
