From 6e0d8e1f5cbcad73fcc6339c6b1dd35b11d9eedc Mon Sep 17 00:00:00 2001
From: Juan Cruz Viotti
Date: Mon, 28 Nov 2016 01:13:02 -0400
Subject: [PATCH] refactor: ditch `electron-osx-sign` for OS X signing (#901)

Making use of `codesign` directly allows us to have much more flexibility in how we sign things, which will prove very valuable when adapting this `sign.sh` script to code sign the Etcher CLI.

Signed-off-by: Juan Cruz Viotti
---
package.json | 1 -
scripts/darwin/sign.sh | 42 ++++++++++++++++++++++++++++++++----------
2 files changed, 32 insertions(+), 11 deletions(-)
diff --git a/package.json b/package.json
index 0de71ad0..e2e52a47 100644
--- a/package.json
+++ b/package.json
@@ -99,7 +99,6 @@
 "cz-conventional-changelog": "^1.1.6",
 "electron-builder": "^2.6.0",
 "electron-mocha": "^3.1.1",
- "electron-osx-sign": "^0.3.0",
 "electron-packager": "^7.0.1",
 "electron-prebuilt": "1.4.4",
 "eslint": "^2.13.1",
diff --git a/scripts/darwin/sign.sh b/scripts/darwin/sign.sh
index 6a1ce41b..e1bfcfd8 100755
--- a/scripts/darwin/sign.sh
+++ b/scripts/darwin/sign.sh
@@ -50,19 +50,41 @@ if [ -z "$ARGV_APPLICATION" ] || [ -z "$ARGV_IDENTITY" ]; then
 usage
 fi
 
-ELECTRON_OSX_SIGN=./node_modules/.bin/electron-osx-sign
+function sign_file() {
+ local file=$1
+ codesign --sign "$ARGV_IDENTITY" -fv "$file"
+}
 
-if [ ! -x $ELECTRON_OSX_SIGN ]; then
- echo "Couldn't find $ELECTRON_OSX_SIGN" 1>&2
- echo "Have you installed the dependencies first?" 1>&2
- exit 1
-fi
+# Avoid issues with `for` loops on file names containing spaces
+# See https://www.cyberciti.biz/tips/handling-filenames-with-spaces-in-bash.html
+SAVEIFS=$IFS
+IFS=$(echo -en "\n\b")
 
-$ELECTRON_OSX_SIGN "$ARGV_APPLICATION" \
- --platform darwin \
- --verbose \
- --identity "$ARGV_IDENTITY"
+# Sign all executables
+# See http://apple.stackexchange.com/a/116371
+for file in $(find "$ARGV_APPLICATION" -perm +111 -type f); do
+ sign_file "$file"
+done
 
+# Sign `.app` and `.framework` directories now that
+# all the executables inside them have been signed.
+
+for file in $(find "$ARGV_APPLICATION/Contents" -name '*.app'); do
+ sign_file "$file"
+done
+
+for file in $(find "$ARGV_APPLICATION/Contents" -name '*.framework'); do
+ sign_file "$file"
+done
+
+# Restore IFS
+IFS=$SAVEIFS
+
+# Sign top-level application after all
+# its components have been signed
+sign_file "$ARGV_APPLICATION"
+
+# Verify signature
 codesign \
 --verify \
 --deep \
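Review bot: `sign_file` never checks the exit status of `codesign`, so a failed signature on one nested binary lets the loops carry on and the problem only surfaces, if at all, at the final `--verify --deep`; unless `set -e` is enabled earlier in the file (outside this hunk), the helper body should be `codesign --sign "$ARGV_IDENTITY" -fv "$file" || exit 1`. The `IFS` workaround around the three `for file in $(find …)` loops is also fragile: the unquoted command substitution is still subject to pathname expansion, a path containing a newline is split, and the `SAVEIFS`/`IFS=$SAVEIFS` bookkeeping is easy to get wrong on an error path — a `find … -print0` fed into `read -r -d ''` handles arbitrary names and removes the need to touch `IFS` at all. Because the `.app` and `.framework` loops follow `find`'s pre-order traversal, an enclosing bundle would be signed before any bundle nested inside it, which would invalidate its seal; if nested bundles are expected in `Contents`, `find -depth` (`-d` on macOS find) is presumably what is wanted, so confirm against the actual bundle layout.
```shell
function sign_file() {
  local file=$1
  codesign --sign "$ARGV_IDENTITY" -fv "$file" || exit 1
}

# (SAVEIFS / IFS juggling dropped: NUL-delimited find output does not need it)

# Sign all executables
# See http://apple.stackexchange.com/a/116371
while IFS= read -r -d '' file; do
  sign_file "$file"
done < <(find "$ARGV_APPLICATION" -perm +111 -type f -print0)

# Sign `.app` and `.framework` directories now that
# all the executables inside them have been signed.
while IFS= read -r -d '' file; do
  sign_file "$file"
done < <(find "$ARGV_APPLICATION/Contents" -name '*.app' -print0)

while IFS= read -r -d '' file; do
  sign_file "$file"
done < <(find "$ARGV_APPLICATION/Contents" -name '*.framework' -print0)

# … unchanged: top-level sign_file call and codesign --verify …
```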