Notarize app on macOS

Change-type: patch
Changelog-entry: Notarize app on macOS

.gitattributes

@@ -26,6 +26,7 @@ Makefile text
 *.patch text
 *.txt text
 CODEOWNERS text
+*.plist text
 
 # Binary files (no line-ending conversions)
 *.bz2 binary diff=hex

.resinci.json

@@ -78,8 +78,12 @@
         "node_modules/roboto-fontface/fonts/roboto/Roboto-Medium.woff",
         "node_modules/roboto-fontface/fonts/roboto/Roboto-Bold.woff"
       ],
+      "afterSign": "./afterSignHook.js",
       "mac": {
-        "category": "public.app-category.developer-tools"
+        "category": "public.app-category.developer-tools",
+        "hardenedRuntime": true,
+        "entitlements": "entitlements.mac.plist",
+        "entitlementsInherit": "entitlements.mac.plist"
       },
       "dmg": {
         "iconSize": 110,

afterSignHook.js

@@ -0,0 +1,22 @@
+'use strict'
+
+const { notarize } = require('electron-notarize')
+
+async function main(context) {
+  const { electronPlatformName, appOutDir } = context
+  if (electronPlatformName !== 'darwin') {
+    return
+  }
+
+  const appName = context.packager.appInfo.productFilename
+  const appleId = 'accounts+apple@balena.io'
+
+  await notarize({
+    appBundleId: 'io.balena.etcher',
+    appPath: `${appOutDir}/${appName}.app`,
+    appleId,
+    appleIdPassword: `@keychain:Application Loader: ${appleId}`
+  })
+}
+
+exports.default = main

electron-builder.yml

@@ -14,6 +14,9 @@ files:
 mac:
   icon: assets/icon.icns
   category: public.app-category.developer-tools
+  hardenedRuntime: true
+  entitlements: "entitlements.mac.plist"
+  entitlementsInherit: "entitlements.mac.plist"
 dmg:
   background: assets/dmg/background.tiff
   icon: assets/icon.icns

entitlements.mac.plist

@@ -0,0 +1,18 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+  <dict>
+    <key>com.apple.security.cs.allow-jit</key>
+    <true/>
+    <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
+    <true/>
+    <key>com.apple.security.cs.allow-dyld-environment-variables</key>
+    <true/>
+    <key>com.apple.security.device.usb</key>
+    <true/>
+    <key>com.apple.security.files.user-selected.read-only</key>
+    <true/>
+    <key>com.apple.security.network.client</key>
+    <true/>
+  </dict>
+</plist>

package.json

@@ -92,8 +92,9 @@
     "babel-loader": "^8.0.4",
     "chalk": "^1.1.3",
     "electron": "3.1.9",
-    "electron-builder": "^20.40.2",
+    "electron-builder": "^20.44.4",
     "electron-mocha": "^6.0.4",
+    "electron-notarize": "^0.1.1",
     "eslint": "^4.17.0",
     "eslint-config-standard": "^10.2.1",
     "eslint-plugin-import": "^2.9.0",