
I'm trying to package my Electron app using electron-forge. In order to make the app available on Macs, I need to codesign the app, which requires passing info such as appleId and app-specific-password in the package.json file.

How can I pass this information securely? (i.e., not available to people who download the app)

If environmental variables are the way to go, I'm hoping to understand where I set the environmental variables (in a separate file? In the start command?) and how I access them in the package.json itself.

I'd appreciate any help to sort this out.


Details of what I've considered:

-The Electron Forge codesign documentation does not mention how to actually provide the required OS X details in a secure way. It does mention that it uses electron-notarize (among others) under the hood, and electron-notarize's documentation says: "Never hard code your password into your packaging scripts, use an environment variable at a minimum", but doesn't provide detail on how to do that.

-This Stack Overflow answer provides helpful info in terms of setting up a separate forge.config.js file, and then says you should "load your environment variables using process.env.YOUR_VARIABLE_NAME". It doesn't provide more detail--loading the environmental variables for a packaged app is what I'm trying to figure out here.

-This Stack Overflow answer mentions setting them manually, but doesn't mention how. It also mentions using the dotenv package--but I'd be surprised there's a separate package required for this task that is fundamental to any Mac Electron app.

SeanRtS

2 Answers

I store them in a .env file in my project directory as follows:

```
APPLEID=your_id
APPLEIDPASS=your_password
```

In package.json I have a section:

```json
  "build": {
    "productName": "PRODUCT",
    "appId": "your app id",
    "copyright": "Copyright",
    "directories": {
      "output": "build"
    },
    "afterSign": "scripts/notarize.js",
```

The afterSign points to a script scripts/notarize.js that will pull out the APPLEID and APPLEIDPASS using dotenv:

```javascript
// scripts/notarize.js: an electron-builder afterSign hook (the `context` object
// below is the one electron-builder passes in); it hands the work to electron-notarize
require('dotenv').config()           // loads APPLEID / APPLEIDPASS from the local .env
const { notarize } = require('electron-notarize')

exports.default = async function notarizing(context) {
  const { electronPlatformName, appOutDir } = context
  // Notarization only applies to the macOS build
  if (electronPlatformName !== 'darwin') {
    return
  }

  const appName = context.packager.appInfo.productFilename

  return await notarize({
    appBundleId: 'your app id',
    appPath: `${appOutDir}/${appName}.app`,
    // Credentials are read from the environment, never from the source tree
    appleId: process.env.APPLEID,
    appleIdPassword: process.env.APPLEIDPASS
  })
}
```

It's those last two lines with appleId and appleIdPassword that pull out the environment variables.

Never commit the .env file to, for example, GitHub. To make sure: add .env to your .gitignore file. Also: the scripts/notarize.js script is not part of your app itself; it runs while you build your app.

stijnh
  • I also appreciate that you provided your method for notarizing--how to actually activate the notarize process is another thing that is not documented often. – SeanRtS Sep 06 '21 at 12:27
I've been able to hear back from one of the maintainers of Electron Forge, who said the way to do it is:

  • Load the environmental variables in the build script itself. For example: $ VAR1=something VAR2=somethingelse npm run make.

  • Then, reference those variables as appropriate in the forge.config.js file that package.json refers to. Example reference syntax: process.env.VAR1

SeanRtS
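Pulling the two approaches above together (the untracked .env file from the first answer and the process.env lookup in forge.config.js from the second), here is an added example that is not part of either answer: a forge.config.js-style module that reads APPLEID/APPLEIDPASS, refuses to build if either is missing or if .env is not gitignored, and never prints the password. It assumes Node.js (CommonJS) and that packagerConfig.osxNotarize is the Forge option taking these two fields; the helper names are my own.

```javascript
// Added example (not from the question or either answer). Assumes Node.js/CommonJS;
// APPLEID / APPLEIDPASS are the variable names used in the first answer, and
// packagerConfig.osxNotarize is assumed to be the Forge option for these fields.
// Only the NAMES of the secrets live in source control; the values come from the
// shell that runs `npm run make` or from an untracked .env on the build machine.
const REQUIRED = ['APPLEID', 'APPLEIDPASS'];

// Build the Forge config from an environment map. Fails fast, naming the missing
// variables but never echoing their values (this error may land in CI logs).
function buildForgeConfig(env = process.env) {
  const missing = REQUIRED.filter((name) => !env[name]);
  if (missing.length) {
    throw new Error(`Notarization secrets not set: ${missing.join(', ')}`);
  }
  return {
    packagerConfig: {
      osxNotarize: { appleId: env.APPLEID, appleIdPassword: env.APPLEIDPASS },
    },
  };
}

// Minimal .env reader (KEY=value lines, '#' comments, optional quotes), so no
// extra package is needed. Variables already present in `env` win over the file.
function loadDotenv(text, env = {}) {
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    const eq = line.indexOf('=');
    if (!line || line.startsWith('#') || eq === -1) continue;
    const key = line.slice(0, eq).trim();
    const value = line.slice(eq + 1).trim().replace(/^(['"])(.*)\1$/, '$2');
    if (!(key in env)) env[key] = value;
  }
  return env;
}

// Build-time guard: .gitignore must list .env, so the secrets file cannot be
// committed by accident.
function dotenvIsIgnored(gitignoreText) {
  const rules = gitignoreText.split(/\r?\n/).map((l) => l.trim());
  return rules.some((l) => l === '.env' || l === '/.env' || l === '*.env');
}

// Mask password-like fields before printing a config for debugging.
function redact(obj) {
  return Object.fromEntries(Object.entries(obj).map(([k, v]) => [k, /pass/i.test(k) ? '***' : v]));
}
// Demo with constructed (fake) values, so the file runs offline:
const demoEnv = loadDotenv('# local only\nAPPLEID=dev@example.com\nAPPLEIDPASS="abcd-efgh"\n');
console.log(redact(buildForgeConfig(demoEnv).packagerConfig.osxNotarize));
```

In a real forge.config.js you would `module.exports = buildForgeConfig()` after `loadDotenv(fs.readFileSync('.env', 'utf8'), process.env)`, and call `dotenvIsIgnored` on the contents of .gitignore before doing so.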