Use notarize support built into electron-builder

.github/workflows/build_macos.yaml

@@ -79,12 +79,11 @@ jobs:
             - name: "[Signed] Build App"
               if: inputs.sign != ''
               run: |
-                  scripts/generate-builder-config.ts ${{ steps.nightly.outputs.config-args }}
+                  scripts/generate-builder-config.ts ${{ steps.nightly.outputs.config-args }} --notarytool-team-id='${{ secrets.APPLE_TEAM_ID }}'
                   yarn build:universal --publish never --config electron-builder.json
               env:
-                  NOTARIZE_APPLE_ID: ${{ secrets.APPLE_ID }}
-                  NOTARIZE_APPLE_ID_PASSWORD: ${{ secrets.APPLE_ID_PASSWORD }}
-                  NOTARIZE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
+                  APPLE_ID: ${{ secrets.APPLE_ID }}
+                  APPLE_APP_SPECIFIC_PASSWORD: ${{ secrets.APPLE_ID_PASSWORD }}
                   CSC_KEY_PASSWORD: ${{ secrets.APPLE_CSC_KEY_PASSWORD }}
                   CSC_LINK: ${{ secrets.APPLE_CSC_LINK }}
 

package.json

@@ -81,14 +81,15 @@
     "@typescript-eslint/eslint-plugin": "^5.42.0",
     "@typescript-eslint/parser": "^5.42.0",
     "allchange": "^1.0.6",
-    "app-builder-lib": "^22.14.10",
+    "app-builder-lib": "24.0.0",
+    "asar": "^3.2.0",
     "babel-jest": "^29.0.0",
     "chokidar": "^3.5.2",
     "detect-libc": "^1.0.3",
     "electron": "^23.0.0",
-    "electron-builder": "^23.6.0",
-    "electron-builder-squirrel-windows": "^23.6.0",
-    "electron-devtools-installer": "^3.1.1",
+    "electron-builder": "24.0.0",
+    "electron-builder-squirrel-windows": "24.0.0",
+    "electron-devtools-installer": "^3.2.0",
     "eslint": "^8.26.0",
     "eslint-config-google": "^0.14.0",
     "eslint-config-prettier": "^8.5.0",

scripts/generate-builder-config.ts

@@ -7,6 +7,9 @@
  * On Windows:
  *  Prefixes the nightly version with `0.0.1-nightly.` as it breaks if it is not semver
  *
+ * On macOS:
+ *   Passes --notarytool-team-id to build.mac.notarize.notarize if specified and removes build.mac.afterSign
+ *
  * On Linux:
  *  Replaces spaces in the product name with dashes as spaces in paths can cause issues
  *  Passes --deb-custom-control to build.deb.fpm if specified
@@ -26,10 +29,18 @@ const argv = parseArgs<{
     "nightly"?: string;
     "signtool-thumbprint"?: string;
     "signtool-subject-name"?: string;
+    "notarytool-team-id"?: string;
     "deb-custom-control"?: string;
     "deb-changelog"?: string;
 }>(process.argv.slice(2), {
-    string: ["nightly", "deb-custom-control", "deb-changelog", "signtool-thumbprint", "signtool-subject-name"],
+    string: [
+        "nightly",
+        "deb-custom-control",
+        "deb-changelog",
+        "signtool-thumbprint",
+        "signtool-subject-name",
+        "notarytool-team-id",
+    ],
 });
 
 type DeepWriteable<T> = { -readonly [P in keyof T]: DeepWriteable<T[P]> };
@@ -82,6 +93,13 @@ async function main(): Promise<number | void> {
         cfg.win!.certificateSha1 = argv["signtool-thumbprint"];
     }
 
+    if (argv["notarytool-team-id"]) {
+        delete cfg.afterSign;
+        cfg.mac!.notarize = {
+            teamId: argv["notarytool-team-id"],
+        };
+    }
+
     if (os.platform() === "linux") {
         // Electron crashes on debian if there's a space in the path.
         // https://github.com/vector-im/element-web/issues/13171