signing fixed for snaps

OWASP · Nov 22, 2024 · d8dba40 · d8dba40
2 parents f25d301 + 3752042
commit d8dba40
Show file tree

Hide file tree

Showing 6 changed files with 694 additions and 227 deletions.
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -4,7 +4,8 @@ on:
   push:
     # only for version 2.x.x releases and release candidates
     tags:
-      - v2.?.?*
+      - v2.?.?
+      - v2.?.?-RC?
   workflow_dispatch:
 
 env:
@@ -157,7 +158,7 @@ jobs:
         run: npm clean-install
 
       - name: Build Windows executable
-        # signing has to be done later with hardware key
+        # code signing done later using Extended Verification (EV) with a hardware key
         run: npm run build:desktop -- --windows --publish never
 
       - name: Save SBOM artifact
@@ -174,6 +175,15 @@ jobs:
     name: MacOS installer
     runs-on: macos-latest
     needs: [desktop_unit_tests, site_unit_tests]
+    env:
+      GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      # MacOS signing: certificate and password, see electron.build/code-signing
+      CSC_KEY_PASSWORD: ${{ secrets.MAC_CERTS_PASSWORD }}
+      CSC_LINK:  ${{ secrets.MAC_CERTS }}
+      # MacOS notarization: see github.com/electron/notarize#readme
+      APPLE_ID: ${{ secrets.APPLE_ID }}
+      APPLE_APP_SPECIFIC_PASSWORD: ${{ secrets.APPLE_APP_SPECIFIC_PASSWORD }}
+      APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
     defaults:
       run:
         working-directory: td.vue
@@ -199,24 +209,7 @@ jobs:
       - name: Install clean packages
         run: npm clean-install
 
-      - name: Prepare for MacOS notarization
-        # Import Apple API key for app notarization on macOS
-        run: |
-          mkdir -p ~/private_keys/
-          echo '${{ secrets.API_KEY }}' > ~/private_keys/AuthKey_${{ secrets.API_KEY_ID }}.p8
-
       - name: Publish MacOS disk image
-        env:
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          # MacOS signing certificate and password, see electron.build/code-signing
-          CSC_KEY_PASSWORD: ${{ secrets.MAC_CERTS_PASSWORD }}
-          CSC_LINK:  ${{ secrets.MAC_CERTS }}
-          # MacOS notarization:
-          # API_KEY_ID: ${{ secrets.API_KEY_ID }}
-          # API_KEY_ISSUER_ID: ${{ secrets.API_KEY_ISSUER_ID }}
-          APPLE_ID: ${{ secrets.APPPLE_ID }}
-          APPLE_APP_SPECIFIC_PASSWORD: ${{ secrets.APPLE_APP_SPECIFIC_PASSWORD }}
-          APPLE_TEAM_ID: ${{ secrets.APPPLE_TEAM_ID }}
         run: npm run build:desktop -- --mac --publish always
 
       - name: Print logs on error
@@ -285,6 +278,9 @@ jobs:
     name: Linux snap
     runs-on: ubuntu-24.04
     needs: [desktop_unit_tests, site_unit_tests]
+    env:
+      GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      SNAPCRAFT_STORE_CREDENTIALS: ${{ secrets.SNAPCRAFT_TOKEN }}
     defaults:
       run:
         working-directory: td.vue
@@ -316,14 +312,10 @@ jobs:
       # Snaps do not publish, even with snapcraft installed, so use Snap Store
       - name: Build Linux snap
         shell: bash
-        env:
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: npm run build:desktop -- --linux snap
 
       - name: Upload to Snap Store
         shell: bash
-        env:
-          SNAPCRAFT_STORE_CREDENTIALS: ${{ secrets.SNAPCRAFT_TOKEN }}
         run: snapcraft upload --release=stable dist-desktop/threat-dragon*.snap
 
       - name: Print logs on error
@@ -486,7 +478,7 @@ jobs:
           tar -czvf threat-dragon-sboms.zip sboms
 
       - name: Create release notes
-        uses: softprops/action-gh-release@v2.0.4
+        uses: softprops/action-gh-release@v2.1.0
         with:
           draft: true
           name: "${releaseVersion:1}"

diff --git a/README.md b/README.md
@@ -76,8 +76,7 @@ please see the [legacy-v1.x branch](https://github.com/OWASP/threat-dragon/tree/
 
 ### Building version 2.x
 
-Install [git](https://git-scm.com/downloads) and [node.js](https://nodejs.org/en/download/)
-which includes the node package manager npm
+Install [git](https://git-scm.com/downloads) and [node.js][download] which includes the node package manager npm
 
 Clone the repository using: `git clone https://github.com/owasp/threat-dragon.git`
 
@@ -172,6 +171,7 @@ Threat Dragon: _making threat modeling less threatening_
 
 [build]: https://github.com/OWASP/threat-dragon/actions/workflows/push.yaml
 [bitbucket]: https://owasp.org/www-project-threat-dragon/docs-2/bitbucket-repo/
+[download]: https://nodejs.org/en/download/package-manager
 [github]: https://owasp.org/www-project-threat-dragon/docs-2/github-repo/
 [gitlab]: https://owasp.org/www-project-threat-dragon/docs-2/gitlab-repo/
 [license]: https://github.com/OWASP/threat-dragon/blob/v2.2.0/license.txt

diff --git a/package.json b/package.json
@@ -1,6 +1,7 @@
 {
   "name": "threat-dragon",
   "version": "2.3.0-RC2",
+  "appBundleId": "org.owasp.threatdragon",
   "private": true,
   "scripts": {
     "audit": "npm-run-all -c audit:server audit:site",

diff --git a/release-process.md b/release-process.md
@@ -10,8 +10,8 @@ For example if RC1, but change for RC2 and so on :
 
 1. `git clone [email protected]:OWASP/threat-dragon.git`
 2. `cd threat-dragon`
-3. update version, for example `"version": "2.3.0",`, in `td.vue/package.json`
-4. ensure `buildState` in `td.vue/package.json` is `-RC1`
+3. update version, for example `"version": "2.3.0-RC1",`, in `td.vue/package.json`
+4. ensure `buildState` in `td.vue/package.json` is empty ``
 5. update version, for example `"version": "2.3.0-RC1",`, in `package.json` and `td.server/package.json`
 6. update package lock files: `npm install`
 7. `npm run build`
@@ -133,9 +133,10 @@ and any other relevant channels
 ### Manually notarize / staple for MacOS images
 
 It used to be that [altool][altool] could be used to notarize the MacOS `.dmg` files in the pipeline.
-As of early 2024 this is no longer available and [notarytool][notarize] must be used in a secure environment.
-Used in [the pipeline][notarytool], it can also be done/checked manually:
+As of early 2024 this is no longer available and [notarytool][notarytool] must be used in a secure environment.
+The secrets for both signing and notarization can be checked by running it manually from the command line:
 
+- provide the [code signing certs for MacOS][certs]
 - Download both x86 and arm64 images for the MacOS installer (`*.dmg`)
 - ensure that the apple developer [environment is set up][notarize]
 - notarize and staple, for example with version 2.3.0:
@@ -158,6 +159,7 @@ Token used in the Threat Dragon pipeline as 'SNAPCRAFT_TOKEN', use command to re
 
 [altool]: https://successfulsoftware.net/2023/04/28/moving-from-altool-to-notarytool-for-mac-notarization/
 [area]: https://github.com/OWASP/threat-dragon/releases
+[certs]: https://federicoterzi.com/blog/automatic-code-signing-and-notarization-for-macos-apps-using-github-actions/
 [heroku]: https://id.heroku.com/login
 [herokucli]: https://devcenter.heroku.com/articles/heroku-cli#install-the-heroku-cli
 [herokudash]: https://dashboard.heroku.com/apps