Lines 6-46javascript
6// stable identity: its requirement degenerates to the binary's own cdhash,
7// which changes on every rebuild. So each time `impel app update` re-signed a
8// rebuilt bundle, macOS saw a brand-new app and re-prompted for every
9// permission the user had already granted.
11// Signing rebuilds with a stable per-machine self-signed certificate instead
12// gives the bundle a constant designated requirement, so TCC grants survive
13// updates the way they do for a normal app. The certificate lives in a
14// dedicated keychain under the Impel config dir; no Apple Developer account is
15// involved (these bundles are patched and built on the user's own machine, so
16// Developer ID signing is impossible anyway).
18// Everything here is best-effort: if any step fails — no `security`/`openssl`,
19// a locked keychain, an unusual environment — we fall back to ad-hoc signing,
20// which is exactly today's behavior. Updates never fail because signing could
23import fs from "node:fs";
24import os from "node:os";
25import path from "node:path";
26import crypto from "node:crypto";
27import { spawnSync } from "node:child_process";
28
HighChild Process
Package source references child process execution.
src/codesign.jsView on unpkg · L26 29import { CONFIG_DIR } from "./config.js";
31export const SIGNING_IDENTITY_NAME = "Impel Local Codesigning";
33// Ad-hoc: what every managed bundle was signed with before stable identities.
34export const ADHOC_IDENTITY = Object.freeze({
37 keychainArgs: Object.freeze([]),
41/** `codesign` arguments that select the given identity (and its keychain). */
42export function codesignIdentityArgs(identity = ADHOC_IDENTITY) {
43 return [...identity.keychainArgs, "--sign", identity.signArg];