Merge pull request #1355 from emlys/task/727

Code sign the electron app

.github/workflows/build-and-test.yml

@@ -344,7 +344,18 @@ jobs:
           yarn config set network-timeout 600000 -g
           yarn install
 
-      - name: Build Workbench
+      - name: Authenticate GCP
+        if: github.event_name != 'pull_request'
+        uses: google-github-actions/auth@v0
+        with:
+          credentials_json: ${{ secrets.GOOGLE_SERVICE_ACC_KEY }}
+
+      - name: Set up GCP
+        if: github.event_name != 'pull_request'
+        uses: google-github-actions/setup-gcloud@v0
+
+      - name: Build Workbench (PRs)
+        if: github.event_name == 'pull_request'
         working-directory: workbench
         env:
           GH_TOKEN: env.GITHUB_TOKEN
@@ -354,19 +365,35 @@ jobs:
           yarn run build
           yarn run dist
 
-      - name: Test electron app with puppeteer
+      - name: Build Workbench (macOS)
+        if: github.event_name != 'pull_request' && matrix.os == 'macos-latest' # secrets not available in PR
         working-directory: workbench
-        run: npx cross-env CI=true yarn run test-electron-app
+        env:
+          GH_TOKEN: env.GITHUB_TOKEN
+          DEBUG: electron-builder
+          CSC_LINK: 2025-01-16-Expiry-AppStore-App.p12
+          CSC_KEY_PASSWORD: ${{ secrets.MACOS_CODESIGN_CERT_PASS }}
+        run: |
+          gsutil cp gs://stanford_cert/$CSC_LINK $CSC_LINK
+          yarn run build
+          yarn run dist
 
-      - name: Authenticate GCP
-        if: github.event_name != 'pull_request'
-        uses: google-github-actions/auth@v0
-        with:
-          credentials_json: ${{ secrets.GOOGLE_SERVICE_ACC_KEY }}
+      - name: Build Workbench (Windows)
+        if: github.event_name != 'pull_request' && matrix.os == 'windows-latest' # secrets not available in PR
+        working-directory: workbench
+        env:
+          GH_TOKEN: env.GITHUB_TOKEN
+          DEBUG: electron-builder
+          CSC_LINK: Stanford-natcap-code-signing-cert-expires-2024-01-26.p12
+          CSC_KEY_PASSWORD: ${{ secrets.WINDOWS_CODESIGN_CERT_PASS }}
+        run: |
+          gsutil cp gs://stanford_cert/$CSC_LINK $CSC_LINK
+          yarn run build
+          yarn run dist
 
-      - name: Set up GCP
-        if: github.event_name != 'pull_request'
-        uses: google-github-actions/setup-gcloud@v0
+      - name: Test electron app with puppeteer
+        working-directory: workbench
+        run: npx cross-env CI=true yarn run test-electron-app
 
       - name: Sign binaries (macOS)
         if: github.event_name != 'pull_request' && matrix.os == 'macos-latest' # secrets not available in PR

HISTORY.rst

@@ -52,6 +52,8 @@ Unreleased Changes
     * Fixed a bug where sampledata downloads failed silently (and progress bar
       became innacurate) if the Workbench did not have write permission to
       the download location. https://github.com/natcap/invest/issues/1070
+    * The workbench app is now distributed with a valid code signature
+      (`#727 <https://github.com/natcap/invest/issues/727>`_)
     * Changing the language setting will now cause the app to relaunch
       (`#1168 <https://github.com/natcap/invest/issues/1168>`_),
 * Forest Carbon

workbench/electron-builder-config.js

@@ -43,11 +43,11 @@ const config = {
       from: 'resources/storage_token.txt',
       to: 'storage_token.txt',
     },
+    {
+      from: '../LICENSE.txt',
+      to: 'LICENSE.InVEST.txt',
+    },
   ],
-  extraFiles: [{
-    from: '../LICENSE.txt',
-    to: 'LICENSE.InVEST.txt',
-  }],
   appId: APP_ID,
   productName: PRODUCT_NAME,
   artifactName: ARTIFACT_NAME,