
use native notarization

Eugene Pankov 2 years ago
parent
commit
9d05fbeb90

+ 1 - 0
.github/workflows/build.yml

@@ -88,6 +88,7 @@ jobs:
         CSC_KEY_PASSWORD: ${{ secrets.CSC_KEY_PASSWORD }}
         CSC_INSTALLER_LINK: ${{ secrets.CSC_INSTALLER_LINK }}
         CSC_INSTALLER_KEY_PASSWORD: ${{ secrets.CSC_INSTALLER_KEY_PASSWORD }}
+        APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
         APPSTORE_USERNAME: ${{ secrets.APPSTORE_USERNAME }}
         APPSTORE_PASSWORD: ${{ secrets.APPSTORE_PASSWORD }}
         USE_HARD_LINKS: false

+ 0 - 16
build/mac/afterBuildHook.cjs

@@ -1,16 +0,0 @@
-const fs = require('fs')
-const signHook = require('./afterSignHook.cjs')
-
-module.exports = async function (params) {
-    // notarize the app on Mac OS only.
-    if (process.platform !== 'darwin' || !process.env.GITHUB_REF || !process.env.GITHUB_REF.startsWith('refs/tags/')) {
-        return
-    }
-    console.log('afterBuild hook triggered')
-
-    let pkgName = fs.readdirSync('dist').find(x => x.endsWith('.pkg'))
-    signHook({
-        appOutDir: 'dist',
-        _pathOverride: pkgName,
-    })
-}

+ 0 - 35
build/mac/afterSignHook.cjs

@@ -1,35 +0,0 @@
-// See: https://medium.com/@TwitterArchiveEraser/notarize-electron-apps-7a5f988406db
-
-const fs = require('fs')
-const path = require('path')
-const notarizer = require('@electron/notarize')
-
-module.exports = async function (params) {
-    // notarize the app on Mac OS only.
-    if (process.platform !== 'darwin' || !process.env.GITHUB_REF || !process.env.GITHUB_REF.startsWith('refs/tags/')) {
-        return
-    }
-    console.log('afterSign hook triggered', params)
-
-    let appId = 'org.tabby'
-
-    let appPath = path.join(params.appOutDir, params._pathOverride || `${params.packager.appInfo.productFilename}.app`)
-    if (!fs.existsSync(appPath)) {
-        throw new Error(`Cannot find application at: ${appPath}`)
-    }
-
-    console.log(`Notarizing ${appId} found at ${appPath}`)
-
-    try {
-        await notarizer.notarize({
-            appBundleId: appId,
-            appPath: appPath,
-            appleId: process.env.APPSTORE_USERNAME,
-            appleIdPassword: process.env.APPSTORE_PASSWORD,
-        })
-    } catch (error) {
-        console.error(error)
-    }
-
-    console.log(`Done notarizing ${appId}`)
-}

+ 0 - 2
electron-builder.yml

@@ -3,8 +3,6 @@ appId: org.tabby
 productName: Tabby
 compression: normal
 npmRebuild: false
-afterSign: "./build/mac/afterSignHook.cjs"
-afterAllArtifactBuild: "./build/mac/afterBuildHook.cjs"
 files:
 - '**/*'
 - dist

+ 10 - 0
scripts/build-macos.mjs

@@ -13,6 +13,9 @@ if (process.env.GITHUB_HEAD_REF) {
     process.env.CSC_IDENTITY_AUTO_DISCOVERY = 'false'
 }
 
+process.env.APPLE_ID ??= process.env.APPSTORE_USERNAME
+process.env.APPLE_APP_SPECIFIC_PASSWORD ??= process.env.APPSTORE_PASSWORD
+
 builder({
     dir: true,
     mac: ['pkg', 'zip'],
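Review bot: The two `??=` assignments write the literal string `undefined` into `process.env` when the `APPSTORE_*` variables are absent, because Node converts every value assigned to `process.env` to a string. On a local build or any run without those secrets, `APPLE_ID` and `APPLE_APP_SPECIFIC_PASSWORD` then look set to whatever reads them later, which hides a missing-credential condition behind an authentication error. Guard each assignment, e.g. `if (process.env.APPSTORE_USERNAME) process.env.APPLE_ID ??= process.env.APPSTORE_USERNAME`, and do the same for the password. The `builder({` call that opens in this hunk continues outside it.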
@@ -24,6 +27,13 @@ builder({
         },
         mac: {
             identity: !process.env.CI || process.env.CSC_LINK ? undefined : null,
+            notarize: process.env.APPLE_TEAM_ID ? {
+                appBundleId: 'org.tabby',
+                teamId: process.env.APPLE_TEAM_ID,
+            } : false,
+        },
+        pkg: {
+            identity: !process.env.CI || process.env.CSC_INSTALLER_LINK ? undefined : null,
         },
         npmRebuild: process.env.ARCH !== 'arm64',
         publish: process.env.KEYGEN_TOKEN ? [
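Review bot: `notarize` is switched on by `APPLE_TEAM_ID` alone, although the Apple ID and app-specific password come from two other variables, and the removed hooks also required a `refs/tags/` ref before notarizing. As written, any CI run with the team id set will submit to Apple, and a run with the team id but empty credentials is attempted rather than skipped. Consider `notarize: process.env.APPLE_TEAM_ID && process.env.APPLE_ID && process.env.APPLE_APP_SPECIFIC_PASSWORD ? {`, plus the tag check if release-only notarization was intended. The removed `afterAllArtifactBuild` hook also submitted the `.pkg`; whether the built-in step covers the installer is not visible here, so it is worth verifying on a release artifact with `spctl --assess --type install` and `xcrun stapler validate`. The `builder` call starts and ends outside this hunk.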