UNPKG

app-builder-lib/electron-osx-sign/sign.js

Version:

15.6 kBJavaScriptView Raw

1/**
* @module sign
*/
4
5'use strict'
6
7const path = require('path')
8
9const semver = require('semver')
10
11const util = require('./util')
12const debuglog = util.debuglog
13const debugwarn = util.debugwarn
14const getAppContentsPath = util.getAppContentsPath
15const execFileAsync = util.execFileAsync
16const validateOptsAppAsync = util.validateOptsAppAsync
17const validateOptsPlatformAsync = util.validateOptsPlatformAsync
18const walkAsync = util.walkAsync
19const Identity = require('./util-identities').Identity
20const findIdentitiesAsync = require('./util-identities').findIdentitiesAsync
21const ProvisioningProfile = require('./util-provisioning-profiles').ProvisioningProfile
22const preEmbedProvisioningProfile = require('./util-provisioning-profiles').preEmbedProvisioningProfile
23const preAutoEntitlements = require('./util-entitlements').preAutoEntitlements
24
25const osRelease = require('os').release()
26
27/**
* This function returns a promise validating opts.binaries, the additional binaries to be signed along with the discovered enclosed components.
* @function
* @param {Object} opts - Options.
* @returns {Promise} Promise.
*/
33function validateOptsBinariesAsync (opts) {
return new Promise(function (resolve, reject) {
  if (opts.binaries) {
    if (!Array.isArray(opts.binaries)) {
      reject(new Error('Additional binaries should be an Array.'))
      return
    }
    // TODO: Presence check for binary files, reject if any does not exist
  }
  resolve()
})
44}
45
46/**
* This function returns a promise validating all options passed in opts.
* @function
* @param {Object} opts - Options.
* @returns {Promise} Promise.
*/
52function validateSignOptsAsync (opts) {
if (opts.ignore && !(opts.ignore instanceof Array)) {
  opts.ignore = [opts.ignore]
}
56
if (opts['provisioning-profile']) {
  if (typeof opts['provisioning-profile'] !== 'string' && !(opts['provisioning-profile'] instanceof ProvisioningProfile)) return Promise.reject(new Error('Path to provisioning profile should be a string or a ProvisioningProfile object.'))
}
60
if (opts['type']) {
  if (opts['type'] !== 'development' && opts['type'] !== 'distribution') return Promise.reject(new Error('Type must be either `development` or `distribution`.'))
} else {
  opts['type'] = 'distribution'
}
66
return Promise.all([
  validateOptsAppAsync(opts),
  validateOptsPlatformAsync(opts),
  validateOptsBinariesAsync(opts),
])
72}
73
74/**
* This function returns a promise verifying the code sign of application bundle.
* @function
* @param {Object} opts - Options.
* @returns {Promise} Promise resolving output.
*/
80async function verifySignApplicationAsync (opts) {
// Verify with codesign
const semver = require('semver')
debuglog('Verifying application bundle with codesign...')
84
await execFileAsync('codesign', [
  '--verify',
  '--deep'
]
  .concat(
    opts['strict-verify'] !== false &&
    semver.gte(osRelease, '15.0.0') >= 0 // Strict flag since darwin 15.0.0 --> OS X 10.11.0 El Capitan
      ? ['--strict' +
      (opts['strict-verify']
        ? '=' + opts['strict-verify'] // Array should be converted to a comma separated string
        : '')]
      : [],
    ['--verbose=2', opts.app]))
98
// Additionally test Gatekeeper acceptance for darwin platform
if (opts.platform === 'darwin' && opts['gatekeeper-assess'] !== false) {
  debuglog('Verifying Gatekeeper acceptance for darwin platform...')
  await execFileAsync('spctl', [
    '--assess',
    '--type', 'execute',
    '--verbose',
    '--ignore-cache',
    '--no-cache',
    opts.app
  ])
}
111}
112
113/**
* This function returns a promise codesigning only.
* @function
* @param {Object} opts - Options.
* @returns {Promise} Promise.
*/
119function signApplicationAsync (opts) {
return walkAsync(getAppContentsPath(opts))
  .then(async function (childPaths) {
    /**
     * Sort the child paths by how deep they are in the file tree.  Some arcane apple
     * logic expects the deeper files to be signed first otherwise strange errors get
     * thrown our way
     */
    childPaths = childPaths.sort((a, b) => {
      const aDepth = a.split(path.sep).length
      const bDepth = b.split(path.sep).length
      return bDepth - aDepth
    })
132
    function ignoreFilePath (opts, filePath) {
      if (opts.ignore) {
        return opts.ignore.some(function (ignore) {
          if (typeof ignore === 'function') {
            return ignore(filePath)
          }
          return filePath.match(ignore)
        })
      }
      return false
    }
144
    if (opts.binaries) childPaths = childPaths.concat(opts.binaries)
146
    const args = [
      '--sign', opts.identity.hash || opts.identity.name,
      '--force'
    ]
    if (opts.keychain) {
      args.push('--keychain', opts.keychain)
    }
    if (opts.requirements) {
      args.push('--requirements', opts.requirements)
    }
    if (opts.timestamp) {
      args.push('--timestamp=' + opts.timestamp)
    } else {
      args.push('--timestamp')
    }
    if (opts['signature-size']) {
      if (Number.isInteger(opts['signature-size']) && opts['signature-size'] > 0) {
        args.push('--signature-size', opts['signature-size'])
      } else {
        debugwarn(`Invalid value provided for --signature-size (${opts['signature-size']}). Must be a positive integer.`)
      }
    }
169
    let optionsArguments = []
171
    if (opts['signature-flags']) {
      if (Array.isArray(opts['signature-flags'])) {
        optionsArguments = [...opts['signature-flags']]
      } else {
        const flags = opts['signature-flags'].split(',').map(function (flag) { return flag.trim() })
        optionsArguments = [...flags]
      }
    }
180
    if (opts.hardenedRuntime || opts['hardened-runtime'] || optionsArguments.includes('runtime')) {
      // Hardened runtime since darwin 17.7.0 --> macOS 10.13.6
      if (semver.gte(osRelease, '17.7.0') >= 0) {
        optionsArguments.push('runtime')
      } else {
        // Remove runtime if passed in with --signature-flags
        debuglog('Not enabling hardened runtime, current macOS version too low, requires 10.13.6 and higher')
        optionsArguments = optionsArguments.filter(function (element, index) { return element !== 'runtime' })
      }
    }
191
    if (opts['restrict']) {
      optionsArguments.push('restrict')
      debugwarn('This flag is to be deprecated, consider using --signature-flags=restrict instead')
    }
196
    if (optionsArguments.length) {
      args.push('--options', [...new Set(optionsArguments)].join(','))
    }
200
    if (opts.entitlements) {
      // Sign with entitlements
      for (const filePath of childPaths) {
        if (ignoreFilePath(opts, filePath)) {
          debuglog('Skipped... ' + filePath)
          continue
        }
        debuglog('Signing... ' + filePath)
        let entitlementsFile = opts['entitlements-inherit']
        if (filePath.includes('Library/LoginItems')) {
          entitlementsFile = opts['entitlements-loginhelper']
        }
213
        await execFileAsync('codesign', args.concat('--entitlements', entitlementsFile, filePath))
      }
      debuglog('Signing... ' + opts.app)
      await execFileAsync('codesign', args.concat('--entitlements', opts.entitlements, opts.app))
    } else {
      for (const filePath of childPaths) {
        if (ignoreFilePath(opts, filePath)) {
          debuglog('Skipped... ' + filePath)
          continue
        }
224
        debuglog('Signing... ' + filePath)
        await execFileAsync('codesign', args.concat(filePath))
      }
228
      debuglog('Signing... ' + opts.app)
      await execFileAsync('codesign', args.concat(opts.app))
    }
232
    // Verify code sign
    debuglog('Verifying...')
    await verifySignApplicationAsync(opts)
    debuglog('Verified.')
237
    // Check entitlements if applicable
    if (opts.entitlements) {
      debuglog('Displaying entitlements...')
      const result = await execFileAsync('codesign', [
        '--display',
        '--entitlements', ':-', // Write to standard output and strip off the blob header
        opts.app
      ])
      debuglog('Entitlements:', '\n', result)
    }
  })
249}
250
251/**
* This function returns a promise signing the application.
* @function
* @param {mixed} opts - Options.
* @returns {Promise} Promise.
*/
257const signAsync = module.exports.signAsync = function (opts) {
return validateSignOptsAsync(opts)
  .then(function () {
    // Determine identity for signing
    let promise
    if (opts.identity) {
      debuglog('`identity` passed in arguments.')
      if (opts['identity-validation'] === false) {
        if (!(opts.identity instanceof Identity)) {
          opts.identity = new Identity(opts.identity)
        }
        return Promise.resolve()
      }
      promise = findIdentitiesAsync(opts, opts.identity)
    } else {
      debugwarn('No `identity` passed in arguments...')
      if (opts.platform === 'mas') {
        if (opts.type === 'distribution') {
          debuglog('Finding `3rd Party Mac Developer Application` certificate for signing app distribution in the Mac App Store...')
          promise = findIdentitiesAsync(opts, '3rd Party Mac Developer Application:')
        } else {
          debuglog('Finding `Mac Developer` certificate for signing app in development for the Mac App Store signing...')
          promise = findIdentitiesAsync(opts, 'Mac Developer:')
        }
      } else {
        debuglog('Finding `Developer ID Application` certificate for distribution outside the Mac App Store...')
        promise = findIdentitiesAsync(opts, 'Developer ID Application:')
      }
    }
    return promise
      .then(function (identities) {
        if (identities.length > 0) {
          // Identity(/ies) found
          if (identities.length > 1) {
            debugwarn('Multiple identities found, will use the first discovered.')
          } else {
            debuglog('Found 1 identity.')
          }
          opts.identity = identities[0]
        } else {
          // No identity found
          return Promise.reject(new Error('No identity found for signing.'))
        }
      })
  })
  .then(function () {
    // Determine entitlements for code signing
    let filePath
    if (opts.platform === 'mas') {
      // To sign apps for Mac App Store, an entitlements file is required, especially for app sandboxing (as well some other services).
      // Fallback entitlements for sandboxing by default: Note this may cause troubles while running an signed app due to missing keys special to the project.
      // Further reading: https://developer.apple.com/library/mac/documentation/Miscellaneous/Reference/EntitlementKeyReference/Chapters/EnablingAppSandbox.html
      if (!opts.entitlements) {
        filePath = path.join(__dirname, 'default.entitlements.mas.plist')
        debugwarn('No `entitlements` passed in arguments:', '\n',
          '* Sandbox entitlements are required for Mac App Store distribution, your codesign entitlements file is default to:', filePath)
        opts.entitlements = filePath
      }
      if (!opts['entitlements-inherit']) {
        filePath = path.join(__dirname, 'default.entitlements.mas.inherit.plist')
        debugwarn('No `entitlements-inherit` passed in arguments:', '\n',
          '* Sandbox entitlements file for enclosing app files is default to:', filePath)
        opts['entitlements-inherit'] = filePath
      }
    } else {
      // Not necessary to have entitlements for non Mac App Store distribution
      if (!opts.entitlements) {
        debugwarn('No `entitlements` passed in arguments:', '\n',
          '* Provide `entitlements` to specify entitlements file for codesign.')
      } else {
        // If entitlements is provided as a flag, fallback to default
        if (opts.entitlements === true) {
          filePath = path.join(__dirname, 'default.entitlements.darwin.plist')
          debugwarn('`entitlements` not specified in arguments:', '\n',
            '* Provide `entitlements` to specify entitlements file for codesign.', '\n',
            '* Sandbox entitlements file for enclosing app files is default to:', filePath)
          opts.entitlements = filePath
        }
        if (!opts['entitlements-inherit']) {
          filePath = path.join(__dirname, 'default.entitlements.darwin.inherit.plist')
          debugwarn('No `entitlements-inherit` passed in arguments:', '\n',
            '* Sandbox entitlements file for enclosing app files is default to:', filePath)
          opts['entitlements-inherit'] = filePath
        }
      }
    }
    if (!opts['entitlements-loginhelper']) {
      filePath = opts.entitlements
      debugwarn('No `entitlements-loginhelper` passed in arguments:', '\n',
        '* Sandbox entitlements file for login helper is default to:', filePath)
      opts['entitlements-loginhelper'] = filePath
    }
  })
  .then(async function () {
    // Pre-sign operations
    const preSignOperations = []
353
    if (opts['pre-embed-provisioning-profile'] === false) {
      debugwarn('Pre-sign operation disabled for provisioning profile embedding:', '\n',
        '* Enable by setting `pre-embed-provisioning-profile` to `true`.')
    } else {
      debuglog('Pre-sign operation enabled for provisioning profile:', '\n',
        '* Disable by setting `pre-embed-provisioning-profile` to `false`.')
      preSignOperations.push(preEmbedProvisioningProfile)
    }
362
    if (opts['pre-auto-entitlements'] === false) {
      debugwarn('Pre-sign operation disabled for entitlements automation.')
    } else {
      debuglog('Pre-sign operation enabled for entitlements automation with versions >= `1.1.1`:', '\n',
        '* Disable by setting `pre-auto-entitlements` to `false`.')
      if (opts.entitlements && (!opts.version || semver.gte(opts.version, '1.1.1') >= 0)) {
        // Enable Mac App Store sandboxing without using temporary-exception, introduced in Electron v1.1.1. Relates to electron#5601
        preSignOperations.push(preAutoEntitlements)
      }
    }
373
    for (const preSignOperation of preSignOperations) {
      await preSignOperation(opts)
    }
  })
  .then(function () {
    debuglog('Signing application...', '\n',
      '> Application:', opts.app, '\n',
      '> Platform:', opts.platform, '\n',
      '> Entitlements:', opts.entitlements, '\n',
      '> Child entitlements:', opts['entitlements-inherit'], '\n',
      '> Additional binaries:', opts.binaries, '\n',
      '> Identity:', opts.identity)
    return signApplicationAsync(opts)
  })
  .then(function () {
    // Post-sign operations
    debuglog('Application signed.')
  })
392}
393
394/**
* This function is a normal callback implementation.
* @function
* @param {Object} opts - Options.
* @param {RequestCallback} cb - Callback.
*/
400module.exports.sign = function (opts, cb) {
signAsync(opts)
  .then(function () {
    debuglog('Application signed: ' + opts.app)
    if (cb) cb()
  })
  .catch(function (err) {
    debuglog('Sign failed:')
    if (err.message) debuglog(err.message)
    else if (err.stack) debuglog(err.stack)
    else debuglog(err)
    if (cb) cb(err)
  })
413}

1	`/**`
2	`* @module sign`
3	`*/`
4
5	`'use strict'`
6
7	`const path = require('path')`
8
9	`const semver = require('semver')`
10
11	`const util = require('./util')`
12	`const debuglog = util.debuglog`
13	`const debugwarn = util.debugwarn`
14	`const getAppContentsPath = util.getAppContentsPath`
15	`const execFileAsync = util.execFileAsync`
16	`const validateOptsAppAsync = util.validateOptsAppAsync`
17	`const validateOptsPlatformAsync = util.validateOptsPlatformAsync`
18	`const walkAsync = util.walkAsync`
19	`const Identity = require('./util-identities').Identity`
20	`const findIdentitiesAsync = require('./util-identities').findIdentitiesAsync`
21	`const ProvisioningProfile = require('./util-provisioning-profiles').ProvisioningProfile`
22	`const preEmbedProvisioningProfile = require('./util-provisioning-profiles').preEmbedProvisioningProfile`
23	`const preAutoEntitlements = require('./util-entitlements').preAutoEntitlements`
24
25	`const osRelease = require('os').release()`
26
27	`/**`
28	`* This function returns a promise validating opts.binaries, the additional binaries to be signed along with the discovered enclosed components.`
29	`* @function`
30	`* @param {Object} opts - Options.`
31	`* @returns {Promise} Promise.`
32	`*/`
33	`function validateOptsBinariesAsync (opts) {`
34	`return new Promise(function (resolve, reject) {`
35	`if (opts.binaries) {`
36	`if (!Array.isArray(opts.binaries)) {`
37	`reject(new Error('Additional binaries should be an Array.'))`
38	`return`
39	`}`
40	`// TODO: Presence check for binary files, reject if any does not exist`
41	`}`
42	`resolve()`
43	`})`
44	`}`
45
46	`/**`
47	`* This function returns a promise validating all options passed in opts.`
48	`* @function`
49	`* @param {Object} opts - Options.`
50	`* @returns {Promise} Promise.`
51	`*/`
52	`function validateSignOptsAsync (opts) {`
53	`if (opts.ignore && !(opts.ignore instanceof Array)) {`
54	`opts.ignore = [opts.ignore]`
55	`}`
56
57	`if (opts['provisioning-profile']) {`
58	`if (typeof opts['provisioning-profile'] !== 'string' && !(opts['provisioning-profile'] instanceof ProvisioningProfile)) return Promise.reject(new Error('Path to provisioning profile should be a string or a ProvisioningProfile object.'))`
59	`}`
60
61	`if (opts['type']) {`
62	if (opts['type'] !== 'development' && opts['type'] !== 'distribution') return Promise.reject(new Error('Type must be either `development` or `distribution`.'))
63	`} else {`
64	`opts['type'] = 'distribution'`
65	`}`
66
67	`return Promise.all([`
68	`validateOptsAppAsync(opts),`
69	`validateOptsPlatformAsync(opts),`
70	`validateOptsBinariesAsync(opts),`
71	`])`
72	`}`
73
74	`/**`
75	`* This function returns a promise verifying the code sign of application bundle.`
76	`* @function`
77	`* @param {Object} opts - Options.`
78	`* @returns {Promise} Promise resolving output.`
79	`*/`
80	`async function verifySignApplicationAsync (opts) {`
81	`// Verify with codesign`
82	`const semver = require('semver')`
83	`debuglog('Verifying application bundle with codesign...')`
84
85	`await execFileAsync('codesign', [`
86	`'--verify',`
87	`'--deep'`
88	`]`
89	`.concat(`
90	`opts['strict-verify'] !== false &&`
91	`semver.gte(osRelease, '15.0.0') >= 0 // Strict flag since darwin 15.0.0 --> OS X 10.11.0 El Capitan`
92	`? ['--strict' +`
93	`(opts['strict-verify']`
94	`? '=' + opts['strict-verify'] // Array should be converted to a comma separated string`
95	`: '')]`
96	`: [],`
97	`['--verbose=2', opts.app]))`
98
99	`// Additionally test Gatekeeper acceptance for darwin platform`
100	`if (opts.platform === 'darwin' && opts['gatekeeper-assess'] !== false) {`
101	`debuglog('Verifying Gatekeeper acceptance for darwin platform...')`
102	`await execFileAsync('spctl', [`
103	`'--assess',`
104	`'--type', 'execute',`
105	`'--verbose',`
106	`'--ignore-cache',`
107	`'--no-cache',`
108	`opts.app`
109	`])`
110	`}`
111	`}`
112
113	`/**`
114	`* This function returns a promise codesigning only.`
115	`* @function`
116	`* @param {Object} opts - Options.`
117	`* @returns {Promise} Promise.`
118	`*/`
119	`function signApplicationAsync (opts) {`
120	`return walkAsync(getAppContentsPath(opts))`
121	`.then(async function (childPaths) {`
122	`/**`
123	`* Sort the child paths by how deep they are in the file tree. Some arcane apple`
124	`* logic expects the deeper files to be signed first otherwise strange errors get`
125	`* thrown our way`
126	`*/`
127	`childPaths = childPaths.sort((a, b) => {`
128	`const aDepth = a.split(path.sep).length`
129	`const bDepth = b.split(path.sep).length`
130	`return bDepth - aDepth`
131	`})`
132
133	`function ignoreFilePath (opts, filePath) {`
134	`if (opts.ignore) {`
135	`return opts.ignore.some(function (ignore) {`
136	`if (typeof ignore === 'function') {`
137	`return ignore(filePath)`
138	`}`
139	`return filePath.match(ignore)`
140	`})`
141	`}`
142	`return false`
143	`}`
144
145	`if (opts.binaries) childPaths = childPaths.concat(opts.binaries)`
146
147	`const args = [`
148	`'--sign', opts.identity.hash \|\| opts.identity.name,`
149	`'--force'`
150	`]`
151	`if (opts.keychain) {`
152	`args.push('--keychain', opts.keychain)`
153	`}`
154	`if (opts.requirements) {`
155	`args.push('--requirements', opts.requirements)`
156	`}`
157	`if (opts.timestamp) {`
158	`args.push('--timestamp=' + opts.timestamp)`
159	`} else {`
160	`args.push('--timestamp')`
161	`}`
162	`if (opts['signature-size']) {`
163	`if (Number.isInteger(opts['signature-size']) && opts['signature-size'] > 0) {`
164	`args.push('--signature-size', opts['signature-size'])`
165	`} else {`
166	debugwarn(`Invalid value provided for --signature-size (${opts['signature-size']}). Must be a positive integer.`)
167	`}`
168	`}`
169
170	`let optionsArguments = []`
171
172	`if (opts['signature-flags']) {`
173	`if (Array.isArray(opts['signature-flags'])) {`
174	`optionsArguments = [...opts['signature-flags']]`
175	`} else {`
176	`const flags = opts['signature-flags'].split(',').map(function (flag) { return flag.trim() })`
177	`optionsArguments = [...flags]`
178	`}`
179	`}`
180
181	`if (opts.hardenedRuntime \|\| opts['hardened-runtime'] \|\| optionsArguments.includes('runtime')) {`
182	`// Hardened runtime since darwin 17.7.0 --> macOS 10.13.6`
183	`if (semver.gte(osRelease, '17.7.0') >= 0) {`
184	`optionsArguments.push('runtime')`
185	`} else {`
186	`// Remove runtime if passed in with --signature-flags`
187	`debuglog('Not enabling hardened runtime, current macOS version too low, requires 10.13.6 and higher')`
188	`optionsArguments = optionsArguments.filter(function (element, index) { return element !== 'runtime' })`
189	`}`
190	`}`
191
192	`if (opts['restrict']) {`
193	`optionsArguments.push('restrict')`
194	`debugwarn('This flag is to be deprecated, consider using --signature-flags=restrict instead')`
195	`}`
196
197	`if (optionsArguments.length) {`
198	`args.push('--options', [...new Set(optionsArguments)].join(','))`
199	`}`
200
201	`if (opts.entitlements) {`
202	`// Sign with entitlements`
203	`for (const filePath of childPaths) {`
204	`if (ignoreFilePath(opts, filePath)) {`
205	`debuglog('Skipped... ' + filePath)`
206	`continue`
207	`}`
208	`debuglog('Signing... ' + filePath)`
209	`let entitlementsFile = opts['entitlements-inherit']`
210	`if (filePath.includes('Library/LoginItems')) {`
211	`entitlementsFile = opts['entitlements-loginhelper']`
212	`}`
213
214	`await execFileAsync('codesign', args.concat('--entitlements', entitlementsFile, filePath))`
215	`}`
216	`debuglog('Signing... ' + opts.app)`
217	`await execFileAsync('codesign', args.concat('--entitlements', opts.entitlements, opts.app))`
218	`} else {`
219	`for (const filePath of childPaths) {`
220	`if (ignoreFilePath(opts, filePath)) {`
221	`debuglog('Skipped... ' + filePath)`
222	`continue`
223	`}`
224
225	`debuglog('Signing... ' + filePath)`
226	`await execFileAsync('codesign', args.concat(filePath))`
227	`}`
228
229	`debuglog('Signing... ' + opts.app)`
230	`await execFileAsync('codesign', args.concat(opts.app))`
231	`}`
232
233	`// Verify code sign`
234	`debuglog('Verifying...')`
235	`await verifySignApplicationAsync(opts)`
236	`debuglog('Verified.')`
237
238	`// Check entitlements if applicable`
239	`if (opts.entitlements) {`
240	`debuglog('Displaying entitlements...')`
241	`const result = await execFileAsync('codesign', [`
242	`'--display',`
243	`'--entitlements', ':-', // Write to standard output and strip off the blob header`
244	`opts.app`
245	`])`
246	`debuglog('Entitlements:', '\n', result)`
247	`}`
248	`})`
249	`}`
250
251	`/**`
252	`* This function returns a promise signing the application.`
253	`* @function`
254	`* @param {mixed} opts - Options.`
255	`* @returns {Promise} Promise.`
256	`*/`
257	`const signAsync = module.exports.signAsync = function (opts) {`
258	`return validateSignOptsAsync(opts)`
259	`.then(function () {`
260	`// Determine identity for signing`
261	`let promise`
262	`if (opts.identity) {`
263	debuglog('`identity` passed in arguments.')
264	`if (opts['identity-validation'] === false) {`
265	`if (!(opts.identity instanceof Identity)) {`
266	`opts.identity = new Identity(opts.identity)`
267	`}`
268	`return Promise.resolve()`
269	`}`
270	`promise = findIdentitiesAsync(opts, opts.identity)`
271	`} else {`
272	debugwarn('No `identity` passed in arguments...')
273	`if (opts.platform === 'mas') {`
274	`if (opts.type === 'distribution') {`
275	debuglog('Finding `3rd Party Mac Developer Application` certificate for signing app distribution in the Mac App Store...')
276	`promise = findIdentitiesAsync(opts, '3rd Party Mac Developer Application:')`
277	`} else {`
278	debuglog('Finding `Mac Developer` certificate for signing app in development for the Mac App Store signing...')
279	`promise = findIdentitiesAsync(opts, 'Mac Developer:')`
280	`}`
281	`} else {`
282	debuglog('Finding `Developer ID Application` certificate for distribution outside the Mac App Store...')
283	`promise = findIdentitiesAsync(opts, 'Developer ID Application:')`
284	`}`
285	`}`
286	`return promise`
287	`.then(function (identities) {`
288	`if (identities.length > 0) {`
289	`// Identity(/ies) found`
290	`if (identities.length > 1) {`
291	`debugwarn('Multiple identities found, will use the first discovered.')`
292	`} else {`
293	`debuglog('Found 1 identity.')`
294	`}`
295	`opts.identity = identities[0]`
296	`} else {`
297	`// No identity found`
298	`return Promise.reject(new Error('No identity found for signing.'))`
299	`}`
300	`})`
301	`})`
302	`.then(function () {`
303	`// Determine entitlements for code signing`
304	`let filePath`
305	`if (opts.platform === 'mas') {`
306	`// To sign apps for Mac App Store, an entitlements file is required, especially for app sandboxing (as well some other services).`
307	`// Fallback entitlements for sandboxing by default: Note this may cause troubles while running an signed app due to missing keys special to the project.`
308	`// Further reading: https://developer.apple.com/library/mac/documentation/Miscellaneous/Reference/EntitlementKeyReference/Chapters/EnablingAppSandbox.html`
309	`if (!opts.entitlements) {`
310	`filePath = path.join(__dirname, 'default.entitlements.mas.plist')`
311	debugwarn('No `entitlements` passed in arguments:', '\n',
312	`'* Sandbox entitlements are required for Mac App Store distribution, your codesign entitlements file is default to:', filePath)`
313	`opts.entitlements = filePath`
314	`}`
315	`if (!opts['entitlements-inherit']) {`
316	`filePath = path.join(__dirname, 'default.entitlements.mas.inherit.plist')`
317	debugwarn('No `entitlements-inherit` passed in arguments:', '\n',
318	`'* Sandbox entitlements file for enclosing app files is default to:', filePath)`
319	`opts['entitlements-inherit'] = filePath`
320	`}`
321	`} else {`
322	`// Not necessary to have entitlements for non Mac App Store distribution`
323	`if (!opts.entitlements) {`
324	debugwarn('No `entitlements` passed in arguments:', '\n',
325	'* Provide `entitlements` to specify entitlements file for codesign.')
326	`} else {`
327	`// If entitlements is provided as a flag, fallback to default`
328	`if (opts.entitlements === true) {`
329	`filePath = path.join(__dirname, 'default.entitlements.darwin.plist')`
330	debugwarn('`entitlements` not specified in arguments:', '\n',
331	'* Provide `entitlements` to specify entitlements file for codesign.', '\n',
332	`'* Sandbox entitlements file for enclosing app files is default to:', filePath)`
333	`opts.entitlements = filePath`
334	`}`
335	`if (!opts['entitlements-inherit']) {`
336	`filePath = path.join(__dirname, 'default.entitlements.darwin.inherit.plist')`
337	debugwarn('No `entitlements-inherit` passed in arguments:', '\n',
338	`'* Sandbox entitlements file for enclosing app files is default to:', filePath)`
339	`opts['entitlements-inherit'] = filePath`
340	`}`
341	`}`
342	`}`
343	`if (!opts['entitlements-loginhelper']) {`
344	`filePath = opts.entitlements`
345	debugwarn('No `entitlements-loginhelper` passed in arguments:', '\n',
346	`'* Sandbox entitlements file for login helper is default to:', filePath)`
347	`opts['entitlements-loginhelper'] = filePath`
348	`}`
349	`})`
350	`.then(async function () {`
351	`// Pre-sign operations`
352	`const preSignOperations = []`
353
354	`if (opts['pre-embed-provisioning-profile'] === false) {`
355	`debugwarn('Pre-sign operation disabled for provisioning profile embedding:', '\n',`
356	'* Enable by setting `pre-embed-provisioning-profile` to `true`.')
357	`} else {`
358	`debuglog('Pre-sign operation enabled for provisioning profile:', '\n',`
359	'* Disable by setting `pre-embed-provisioning-profile` to `false`.')
360	`preSignOperations.push(preEmbedProvisioningProfile)`
361	`}`
362
363	`if (opts['pre-auto-entitlements'] === false) {`
364	`debugwarn('Pre-sign operation disabled for entitlements automation.')`
365	`} else {`
366	debuglog('Pre-sign operation enabled for entitlements automation with versions >= `1.1.1`:', '\n',
367	'* Disable by setting `pre-auto-entitlements` to `false`.')
368	`if (opts.entitlements && (!opts.version \|\| semver.gte(opts.version, '1.1.1') >= 0)) {`
369	`// Enable Mac App Store sandboxing without using temporary-exception, introduced in Electron v1.1.1. Relates to electron#5601`
370	`preSignOperations.push(preAutoEntitlements)`
371	`}`
372	`}`
373
374	`for (const preSignOperation of preSignOperations) {`
375	`await preSignOperation(opts)`
376	`}`
377	`})`
378	`.then(function () {`
379	`debuglog('Signing application...', '\n',`
380	`'> Application:', opts.app, '\n',`
381	`'> Platform:', opts.platform, '\n',`
382	`'> Entitlements:', opts.entitlements, '\n',`
383	`'> Child entitlements:', opts['entitlements-inherit'], '\n',`
384	`'> Additional binaries:', opts.binaries, '\n',`
385	`'> Identity:', opts.identity)`
386	`return signApplicationAsync(opts)`
387	`})`
388	`.then(function () {`
389	`// Post-sign operations`
390	`debuglog('Application signed.')`
391	`})`
392	`}`
393
394	`/**`
395	`* This function is a normal callback implementation.`
396	`* @function`
397	`* @param {Object} opts - Options.`
398	`* @param {RequestCallback} cb - Callback.`
399	`*/`
400	`module.exports.sign = function (opts, cb) {`
401	`signAsync(opts)`
402	`.then(function () {`
403	`debuglog('Application signed: ' + opts.app)`
404	`if (cb) cb()`
405	`})`
406	`.catch(function (err) {`
407	`debuglog('Sign failed:')`
408	`if (err.message) debuglog(err.message)`
409	`else if (err.stack) debuglog(err.stack)`
410	`else debuglog(err)`
411	`if (cb) cb(err)`
412	`})`
413	`}`