Added export_allowed file to make repository visible in cgit

1 files changed, 464 insertions, 0 deletions

diff --git a/node_modules/electron-osx-sign/sign.js b/node_modules/electron-osx-sign/sign.js
new file mode 100644
index 0000000..e227c0e
--- /dev/null
+++ b/node_modules/electron-osx-sign/sign.js
@@ -0,0 +1,464 @@
+/**
+ * @module sign
+ */
+
+'use strict'
+
+const path = require('path')
+
+const Promise = require('bluebird')
+const compareVersion = require('compare-version')
+
+const pkg = require('./package.json')
+const util = require('./util')
+const debuglog = util.debuglog
+const debugwarn = util.debugwarn
+const getAppContentsPath = util.getAppContentsPath
+const execFileAsync = util.execFileAsync
+const validateOptsAppAsync = util.validateOptsAppAsync
+const validateOptsPlatformAsync = util.validateOptsPlatformAsync
+const walkAsync = util.walkAsync
+const Identity = require('./util-identities').Identity
+const findIdentitiesAsync = require('./util-identities').findIdentitiesAsync
+const ProvisioningProfile = require('./util-provisioning-profiles').ProvisioningProfile
+const preEmbedProvisioningProfile = require('./util-provisioning-profiles').preEmbedProvisioningProfile
+const preAutoEntitlements = require('./util-entitlements').preAutoEntitlements
+
+const osRelease = require('os').release()
+
+/**
+ * This function returns a promise validating opts.binaries, the additional binaries to be signed along with the discovered enclosed components.
+ * @function
+ * @param {Object} opts - Options.
+ * @returns {Promise} Promise.
+ */
+function validateOptsBinariesAsync (opts) {
+  return new Promise(function (resolve, reject) {
+    if (opts.binaries) {
+      if (!Array.isArray(opts.binaries)) {
+        reject(new Error('Additional binaries should be an Array.'))
+        return
+      }
+      // TODO: Presence check for binary files, reject if any does not exist
+    }
+    resolve()
+  })
+}
+
+/**
+ * This function returns a promise validating all options passed in opts.
+ * @function
+ * @param {Object} opts - Options.
+ * @returns {Promise} Promise.
+ */
+function validateSignOptsAsync (opts) {
+  if (opts.ignore && !(opts.ignore instanceof Array)) {
+    opts.ignore = [opts.ignore]
+  }
+
+  if (opts['provisioning-profile']) {
+    if (typeof opts['provisioning-profile'] !== 'string' && !(opts['provisioning-profile'] instanceof ProvisioningProfile)) return Promise.reject(new Error('Path to provisioning profile should be a string or a ProvisioningProfile object.'))
+  }
+
+  if (opts['type']) {
+    if (opts['type'] !== 'development' && opts['type'] !== 'distribution') return Promise.reject(new Error('Type must be either `development` or `distribution`.'))
+  } else {
+    opts['type'] = 'distribution'
+  }
+
+  return Promise.map([
+    validateOptsAppAsync,
+    validateOptsPlatformAsync,
+    validateOptsBinariesAsync
+  ], function (validate) {
+    return validate(opts)
+  })
+}
+
+/**
+ * This function returns a promise verifying the code sign of application bundle.
+ * @function
+ * @param {Object} opts - Options.
+ * @returns {Promise} Promise resolving output.
+ */
+function verifySignApplicationAsync (opts) {
+  // Verify with codesign
+  var compareVersion = require('compare-version')
+  debuglog('Verifying application bundle with codesign...')
+
+  var promise = execFileAsync('codesign', [
+    '--verify',
+    '--deep'
+  ]
+    .concat(
+      opts['strict-verify'] !== false &&
+      compareVersion(osRelease, '15.0.0') >= 0 // Strict flag since darwin 15.0.0 --> OS X 10.11.0 El Capitan
+        ? ['--strict' +
+            (opts['strict-verify']
+             ? '=' + opts['strict-verify'] // Array should be converted to a comma separated string
+             : '')]
+        : [],
+      ['--verbose=2', opts.app]))
+
+  // Additionally test Gatekeeper acceptance for darwin platform
+  if (opts.platform === 'darwin' && opts['gatekeeper-assess'] !== false) {
+    promise = promise
+      .then(function () {
+        debuglog('Verifying Gatekeeper acceptance for darwin platform...')
+        return execFileAsync('spctl', [
+          '--assess',
+          '--type', 'execute',
+          '--verbose',
+          '--ignore-cache',
+          '--no-cache',
+          opts.app
+        ])
+      })
+  }
+
+  return promise
+    .thenReturn()
+}
+
+/**
+ * This function returns a promise codesigning only.
+ * @function
+ * @param {Object} opts - Options.
+ * @returns {Promise} Promise.
+ */
+function signApplicationAsync (opts) {
+  return walkAsync(getAppContentsPath(opts))
+    .then(function (childPaths) {
+      function ignoreFilePath (opts, filePath) {
+        if (opts.ignore) {
+          return opts.ignore.some(function (ignore) {
+            if (typeof ignore === 'function') {
+              return ignore(filePath)
+            }
+            return filePath.match(ignore)
+          })
+        }
+        return false
+      }
+
+      if (opts.binaries) childPaths = childPaths.concat(opts.binaries)
+
+      var args = [
+        '--sign', opts.identity.hash || opts.identity.name,
+        '--force'
+      ]
+      if (opts.keychain) {
+        args.push('--keychain', opts.keychain)
+      }
+      if (opts.requirements) {
+        args.push('--requirements', opts.requirements)
+      }
+      if (opts.timestamp) {
+        args.push('--timestamp=' + opts.timestamp)
+      } else {
+        args.push('--timestamp')
+      }
+      if (opts['signature-size']) {
+        if (Number.isInteger(opts['signature-size']) && opts['signature-size'] > 0) {
+          args.push('--signature-size', opts['signature-size'])
+        } else {
+          debugwarn(`Invalid value provided for --signature-size (${opts['signature-size']}). Must be a positive integer.`)
+        }
+      }
+
+      let optionsArguments = []
+
+      if (opts['signature-flags']) {
+        if (Array.isArray(opts['signature-flags'])) {
+          optionsArguments = [...opts['signature-flags']]
+        } else {
+          const flags = opts['signature-flags'].split(',').map(function (flag) { return flag.trim() })
+          optionsArguments = [...flags]
+        }
+      }
+
+      if (opts.hardenedRuntime || opts['hardened-runtime'] || optionsArguments.includes('runtime')) {
+        // Hardened runtime since darwin 17.7.0 --> macOS 10.13.6
+        if (compareVersion(osRelease, '17.7.0') >= 0) {
+          optionsArguments.push('runtime')
+        } else {
+          // Remove runtime if passed in with --signature-flags
+          debuglog('Not enabling hardened runtime, current macOS version too low, requires 10.13.6 and higher')
+          optionsArguments = optionsArguments.filter(function (element, index) { return element !== 'runtime' })
+        }
+      }
+
+      if (opts['restrict']) {
+        optionsArguments.push('restrict')
+        debugwarn('This flag is to be deprecated, consider using --signature-flags=restrict instead')
+      }
+
+      if (optionsArguments.length) {
+        args.push('--options', [...new Set(optionsArguments)].join(','))
+      }
+
+      var promise
+      /**
+       * Sort the child paths by how deep they are in the file tree.  Some arcane apple
+       * logic expects the deeper files to be signed first otherwise strange errors get
+       * thrown our way
+       */
+      childPaths = childPaths.sort((a, b) => {
+        const aDepth = a.split(path.sep).length
+        const bDepth = b.split(path.sep).length
+        return bDepth - aDepth
+      })
+      if (opts.entitlements) {
+        // Sign with entitlements
+        promise = Promise.mapSeries(childPaths, function (filePath) {
+          if (ignoreFilePath(opts, filePath)) {
+            debuglog('Skipped... ' + filePath)
+            return
+          }
+          debuglog('Signing... ' + filePath)
+
+          let entitlementsFile = opts['entitlements-inherit']
+          if (filePath.includes('Library/LoginItems')) {
+            entitlementsFile = opts['entitlements-loginhelper']
+          }
+
+          const clonedArgs = args.concat([]);
+          if (opts.entitlementsForFile) {
+            entitlementsFile = opts.entitlementsForFile(filePath, clonedArgs) || entitlementsFile
+          }
+
+          return execFileAsync('codesign', clonedArgs.concat('--entitlements', entitlementsFile, filePath))
+        })
+          .then(function () {
+            debuglog('Signing... ' + opts.app)
+
+            const clonedArgs = args.concat([]);
+            let entitlementsFile = opts.entitlements
+            if (opts.entitlementsForFile) {
+              entitlementsFile = opts.entitlementsForFile(opts.app, clonedArgs) || entitlementsFile;
+            }
+
+            return execFileAsync('codesign', clonedArgs.concat('--entitlements', opts.entitlements, opts.app))
+          })
+      } else {
+        // Otherwise normally
+        promise = Promise.mapSeries(childPaths, function (filePath) {
+          if (ignoreFilePath(opts, filePath)) {
+            debuglog('Skipped... ' + filePath)
+            return
+          }
+          debuglog('Signing... ' + filePath)
+          return execFileAsync('codesign', args.concat(filePath))
+        })
+          .then(function () {
+            debuglog('Signing... ' + opts.app)
+            return execFileAsync('codesign', args.concat(opts.app))
+          })
+      }
+
+      return promise
+        .then(function () {
+          // Verify code sign
+          debuglog('Verifying...')
+          var promise = verifySignApplicationAsync(opts)
+            .then(function (result) {
+              debuglog('Verified.')
+            })
+
+          // Check entitlements if applicable
+          if (opts.entitlements) {
+            promise = promise
+              .then(function () {
+                debuglog('Displaying entitlements...')
+                return execFileAsync('codesign', [
+                  '--display',
+                  '--entitlements', ':-', // Write to standard output and strip off the blob header
+                  opts.app
+                ])
+              })
+              .then(function (result) {
+                debuglog('Entitlements:', '\n',
+                  result)
+              })
+          }
+
+          return promise
+        })
+    })
+}
+
+/**
+ * This function returns a promise signing the application.
+ * @function
+ * @param {mixed} opts - Options.
+ * @returns {Promise} Promise.
+ */
+var signAsync = module.exports.signAsync = function (opts) {
+  debuglog('electron-osx-sign@%s', pkg.version)
+  return validateSignOptsAsync(opts)
+    .then(function () {
+      // Determine identity for signing
+      var promise
+      if (opts.identity) {
+        debuglog('`identity` passed in arguments.')
+        if (opts['identity-validation'] === false) {
+          if (!(opts.identity instanceof Identity)) {
+            opts.identity = new Identity(opts.identity)
+          }
+          return Promise.resolve()
+        }
+        promise = findIdentitiesAsync(opts, opts.identity)
+      } else {
+        debugwarn('No `identity` passed in arguments...')
+        if (opts.platform === 'mas') {
+          if (opts.type === 'distribution') {
+            debuglog('Finding `3rd Party Mac Developer Application` certificate for signing app distribution in the Mac App Store...')
+            promise = findIdentitiesAsync(opts, '3rd Party Mac Developer Application:')
+          } else {
+            debuglog('Finding `Mac Developer` certificate for signing app in development for the Mac App Store signing...')
+            promise = findIdentitiesAsync(opts, 'Mac Developer:')
+          }
+        } else {
+          debuglog('Finding `Developer ID Application` certificate for distribution outside the Mac App Store...')
+          promise = findIdentitiesAsync(opts, 'Developer ID Application:')
+        }
+      }
+      return promise
+        .then(function (identities) {
+          if (identities.length > 0) {
+            // Identity(/ies) found
+            if (identities.length > 1) {
+              debugwarn('Multiple identities found, will use the first discovered.')
+            } else {
+              debuglog('Found 1 identity.')
+            }
+            opts.identity = identities[0]
+          } else {
+            // No identity found
+            return Promise.reject(new Error('No identity found for signing.'))
+          }
+        })
+    })
+    .then(function () {
+      // Determine entitlements for code signing
+      var filePath
+      if (opts.platform === 'mas') {
+        // To sign apps for Mac App Store, an entitlements file is required, especially for app sandboxing (as well some other services).
+        // Fallback entitlements for sandboxing by default: Note this may cause troubles while running an signed app due to missing keys special to the project.
+        // Further reading: https://developer.apple.com/library/mac/documentation/Miscellaneous/Reference/EntitlementKeyReference/Chapters/EnablingAppSandbox.html
+        if (!opts.entitlements) {
+          filePath = path.join(__dirname, 'default.entitlements.mas.plist')
+          debugwarn('No `entitlements` passed in arguments:', '\n',
+            '* Sandbox entitlements are required for Mac App Store distribution, your codesign entitlements file is default to:', filePath)
+          opts.entitlements = filePath
+        }
+        if (!opts['entitlements-inherit']) {
+          filePath = path.join(__dirname, 'default.entitlements.mas.inherit.plist')
+          debugwarn('No `entitlements-inherit` passed in arguments:', '\n',
+            '* Sandbox entitlements file for enclosed app files is default to:', filePath)
+          opts['entitlements-inherit'] = filePath
+        }
+        // The default value for opts['entitlements-file'] will be processed later
+      } else {
+        // Not necessary to have entitlements for non Mac App Store distribution
+        if (!opts.entitlements) {
+          debugwarn('No `entitlements` passed in arguments:', '\n',
+            '* Provide `entitlements` to specify entitlements file for codesign.')
+        } else {
+          // If entitlements is provided as a boolean flag, fallback to default
+          if (opts.entitlements === true) {
+            filePath = path.join(__dirname, 'default.entitlements.darwin.plist')
+            debugwarn('`entitlements` not specified in arguments:', '\n',
+              '* Provide `entitlements` to specify entitlements file for codesign.', '\n',
+              '* Entitlements file is default to:', filePath)
+            opts.entitlements = filePath
+          }
+          if (!opts['entitlements-inherit']) {
+            filePath = path.join(__dirname, 'default.entitlements.darwin.inherit.plist')
+            debugwarn('No `entitlements-inherit` passed in arguments:', '\n',
+              '* Entitlements file for enclosed app files is default to:', filePath)
+            opts['entitlements-inherit'] = filePath
+          }
+          // The default value for opts['entitlements-file'] will be processed later
+        }
+      }
+    })
+    .then(function () {
+      // Pre-sign operations
+      var preSignOperations = []
+
+      if (opts['pre-embed-provisioning-profile'] === false) {
+        debugwarn('Pre-sign operation disabled for provisioning profile embedding:', '\n',
+          '* Enable by setting `pre-embed-provisioning-profile` to `true`.')
+      } else {
+        debuglog('Pre-sign operation enabled for provisioning profile:', '\n',
+          '* Disable by setting `pre-embed-provisioning-profile` to `false`.')
+        preSignOperations.push(preEmbedProvisioningProfile)
+      }
+
+      if (opts['pre-auto-entitlements'] === false) {
+        debugwarn('Pre-sign operation disabled for entitlements automation.')
+      } else {
+        debuglog('Pre-sign operation enabled for entitlements automation with versions >= `1.1.1`:', '\n',
+          '* Disable by setting `pre-auto-entitlements` to `false`.')
+        if (opts.entitlements && (!opts.version || compareVersion(opts.version, '1.1.1') >= 0)) {
+          // Enable Mac App Store sandboxing without using temporary-exception, introduced in Electron v1.1.1. Relates to electron#5601
+          preSignOperations.push(preAutoEntitlements)
+        }
+      }
+
+      // preAutoEntitlements may update opts.entitlements,
+      // so we wait after it's done before giving opts['entitlements-loginhelper'] its default value
+      preSignOperations.push(function (opts) {
+        if (opts.entitlements) {
+          if (!opts['entitlements-loginhelper']) {
+            // Default to App Sandbox enabled
+            const filePath = opts.entitlements
+            debugwarn('No `entitlements-loginhelper` passed in arguments:', '\n',
+              '* Entitlements file for login helper is default to:', filePath)
+            opts['entitlements-loginhelper'] = filePath
+          }
+        }
+      })
+
+      return Promise.mapSeries(preSignOperations, function (preSignOperation) {
+        return preSignOperation(opts)
+      })
+    })
+    .then(function () {
+      debuglog('Signing application...', '\n',
+        '> Application:', opts.app, '\n',
+        '> Platform:', opts.platform, '\n',
+        '> Entitlements:', opts.entitlements, '\n',
+        '> Child entitlements:', opts['entitlements-inherit'], '\n',
+        '> Login helper entitlements:', opts['entitlements-loginhelper'], '\n',
+        '> Additional binaries:', opts.binaries, '\n',
+        '> Identity:', opts.identity)
+      return signApplicationAsync(opts)
+    })
+    .then(function () {
+      // Post-sign operations
+      debuglog('Application signed.')
+    })
+}
+
+/**
+ * This function is a normal callback implementation.
+ * @function
+ * @param {Object} opts - Options.
+ * @param {RequestCallback} cb - Callback.
+ */
+module.exports.sign = function (opts, cb) {
+  signAsync(opts)
+    .then(function () {
+      debuglog('Application signed: ' + opts.app)
+      if (cb) cb()
+    })
+    .catch(function (err) {
+      debuglog('Sign failed:')
+      if (err.message) debuglog(err.message)
+      else if (err.stack) debuglog(err.stack)
+      else debuglog(err)
+      if (cb) cb(err)
+    })
+}