fixed up store submissions

Author: Andrew

.github/workflows/release.yml

@@ -71,48 +71,51 @@ jobs:
         env:
           CSC_IDENTITY_AUTO_DISCOVERY: false  # Disable auto code signing
 
-      - name: Azure Login for Code Signing
-        uses: azure/login@v2
-        with:
-          client-id: ${{ secrets.AZURE_CLIENT_ID }}
-          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
-          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
-
-      - name: Sign Windows AppX with Azure Trusted Signing
-        uses: azure/trusted-signing-action@v0.5.0
-        with:
-          endpoint: https://eus.codesigning.azure.net/
-          trusted-signing-account-name: Allow2
-          certificate-profile-name: Allow2-Dev-Signing
-          files-folder: ${{ github.workspace }}/dist
-          files-folder-filter: appx,msix
-          file-digest: SHA256
-          timestamp-rfc3161: http://timestamp.acs.microsoft.com
-          timestamp-digest: SHA256
-
-      - name: Verify Windows signature
-        shell: pwsh
-        run: |
-          Write-Host "=== Verifying AppX/MSIX signatures ==="
-
-          # Find signtool
-          $signtool = Get-ChildItem -Path "C:\Program Files (x86)\Windows Kits\10\bin" -Recurse -Filter "signtool.exe" |
-            Where-Object { $_.FullName -match "x64" } |
-            Sort-Object { [version]($_.FullName -replace '.*\\(\d+\.\d+\.\d+\.\d+)\\.*', '$1') } -Descending |
-            Select-Object -First 1 -ExpandProperty FullName
-
-          Write-Host "Using signtool: $signtool"
-
-          # Verify AppX/MSIX signatures
-          Get-ChildItem -Path "dist" -Include "*.appx","*.msix" -Recurse | ForEach-Object {
-            Write-Host "Verifying: $($_.Name)"
-            & $signtool verify /pa $_.FullName
-            if ($LASTEXITCODE -eq 0) {
-              Write-Host "  Signature valid"
-            } else {
-              Write-Host "  WARNING: Signature verification failed"
-            }
-          }
+      # DISABLED: Windows Store will sign the package during submission
+      # Re-enable these steps when Azure Trusted Signing is configured
+      # - name: Azure Login for Code Signing
+      #   uses: azure/login@v2
+      #   with:
+      #     client-id: ${{ secrets.AZURE_CLIENT_ID }}
+      #     tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+      #     subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+      #
+      # - name: Sign Windows AppX with Azure Trusted Signing
+      #   uses: azure/trusted-signing-action@v0.5.0
+      #   with:
+      #     endpoint: https://eus.codesigning.azure.net/
+      #     trusted-signing-account-name: Allow2
+      #     certificate-profile-name: Allow2-Dev-Signing
+      #     files-folder: ${{ github.workspace }}/dist
+      #     files-folder-filter: appx,msix
+      #     file-digest: SHA256
+      #     timestamp-rfc3161: http://timestamp.acs.microsoft.com
+      #     timestamp-digest: SHA256
+
+      # DISABLED: Signature verification skipped since Windows Store will sign
+      # - name: Verify Windows signature
+      #   shell: pwsh
+      #   run: |
+      #     Write-Host "=== Verifying AppX/MSIX signatures ==="
+      #
+      #     # Find signtool
+      #     $signtool = Get-ChildItem -Path "C:\Program Files (x86)\Windows Kits\10\bin" -Recurse -Filter "signtool.exe" |
+      #       Where-Object { $_.FullName -match "x64" } |
+      #       Sort-Object { [version]($_.FullName -replace '.*\\(\d+\.\d+\.\d+\.\d+)\\.*', '$1') } -Descending |
+      #       Select-Object -First 1 -ExpandProperty FullName
+      #
+      #     Write-Host "Using signtool: $signtool"
+      #
+      #     # Verify AppX/MSIX signatures
+      #     Get-ChildItem -Path "dist" -Include "*.appx","*.msix" -Recurse | ForEach-Object {
+      #       Write-Host "Verifying: $($_.Name)"
+      #       & $signtool verify /pa $_.FullName
+      #       if ($LASTEXITCODE -eq 0) {
+      #         Write-Host "  Signature valid"
+      #       } else {
+      #         Write-Host "  WARNING: Signature verification failed"
+      #       }
+      #     }
 
       - name: List built files
         shell: pwsh
@@ -218,7 +221,47 @@ jobs:
       - name: Build application
         run: npm run private:compile
 
-      - name: Build macOS app (MAS target)
+      - name: Install provisioning profile
+        env:
+          PROVISIONING_PROFILE_BASE64: ${{ secrets.APPLE_PROVISIONING_PROFILE_BASE64 }}
+        run: |
+          if [ -n "$PROVISIONING_PROFILE_BASE64" ]; then
+            echo "=== Installing Provisioning Profile ==="
+            echo "$PROVISIONING_PROFILE_BASE64" | base64 -d > "./Allow2Automate_Distribution.provisionprofile"
+
+            # Verify the profile was created
+            if [ -f "./Allow2Automate_Distribution.provisionprofile" ]; then
+              echo "✅ Provisioning profile written to project root"
+              ls -la ./Allow2Automate_Distribution.provisionprofile
+            else
+              echo "❌ Failed to create provisioning profile"
+              exit 1
+            fi
+
+            # Also install to system location for electron-builder
+            mkdir -p ~/Library/MobileDevice/Provisioning\ Profiles
+
+            # Extract UUID from profile and install with that name
+            PROFILE_UUID=$(security cms -D -i "./Allow2Automate_Distribution.provisionprofile" 2>/dev/null | plutil -extract UUID raw - 2>/dev/null || echo "embedded")
+            if [ "$PROFILE_UUID" != "embedded" ] && [ -n "$PROFILE_UUID" ]; then
+              cp "./Allow2Automate_Distribution.provisionprofile" ~/Library/MobileDevice/Provisioning\ Profiles/"${PROFILE_UUID}.provisionprofile"
+              echo "✅ Provisioning profile installed to system location with UUID: ${PROFILE_UUID}"
+            else
+              cp "./Allow2Automate_Distribution.provisionprofile" ~/Library/MobileDevice/Provisioning\ Profiles/
+              echo "✅ Provisioning profile installed to system location"
+            fi
+          else
+            echo "❌ ERROR: APPLE_PROVISIONING_PROFILE_BASE64 secret not set"
+            echo "Mac App Store build requires a provisioning profile."
+            echo ""
+            echo "To create this secret:"
+            echo "1. Download your provisioning profile from Apple Developer Portal"
+            echo "2. Base64 encode it: base64 -i Allow2Automate_Distribution.provisionprofile | pbcopy"
+            echo "3. Add as GitHub secret: APPLE_PROVISIONING_PROFILE_BASE64"
+            exit 1
+          fi
+
+      - name: Build macOS app (MAS target - Universal)
         run: npm run private:build:mac
         env:
           # Enable code signing if certificates are available

dist-assets/.gitkeep

@@ -16,6 +16,12 @@
     "node_modules"
   ],
 
+  "asar": true,
+  "asarUnpack": [
+    "**/*.node",
+    "**/better-sqlite3/**"
+  ],
+
   "dmg": {
     "contents": [{
       "type": "file",
@@ -30,13 +36,32 @@
   },
 
   "mac": {
-    "target": "mas",
+    "target": [
+      {
+        "target": "mas",
+        "arch": ["universal"]
+      }
+    ],
     "provisioningProfile": "./Allow2Automate_Distribution.provisionprofile",
     "category": "public.app-category.lifestyle",
     "icon": "./app/assets/icons/mac/icon.icns",
     "entitlements": "./parent.plist",
     "entitlementsInherit": "./child.plist",
-    "bundleVersion": 46
+    "bundleVersion": 46,
+    "hardenedRuntime": true,
+    "gatekeeperAssess": false,
+    "extendInfo": {
+      "NSAppTransportSecurity": {
+        "NSAllowsArbitraryLoads": true
+      }
+    }
+  },
+
+  "mas": {
+    "hardenedRuntime": false,
+    "entitlements": "./parent.plist",
+    "entitlementsInherit": "./child.plist",
+    "provisioningProfile": "./Allow2Automate_Distribution.provisionprofile"
   },
 
   "appx": {
@@ -53,7 +78,10 @@
   },
 
   "linux": {
-    "target": [ "snap", "AppImage" ],
+    "target": ["snap", "AppImage"],
     "category": "Utility"
-  }
+  },
+
+  "nativeRebuilder": "sequential",
+  "npmRebuild": true
 }

electron-builder.json

@@ -62,7 +62,7 @@
     "browser-sync": "^2.26.7",
     "chai": "^4.2.0",
     "electron": "^25.0.0",
-    "electron-builder": "^24.0.0",
+    "electron-builder": "^26.0.0",
     "electron-devtools-installer": "^3.0.0",
     "electron-mocha": "^12.0.1",
     "electron-rebuild": "^3.2.9",

package.json

@@ -2,13 +2,40 @@
 <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
 <plist version="1.0">
     <dict>
+        <!-- Required: App Sandbox for Mac App Store -->
         <key>com.apple.security.app-sandbox</key>
         <true/>
+
+        <!-- Application group for shared data -->
         <key>com.apple.security.application-groups</key>
-        <string>L44G2T7U48.com.allow2.automate</string>
+        <array>
+            <string>L44G2T7U48.com.allow2.automate</string>
+        </array>
+
+        <!-- Network access -->
         <key>com.apple.security.network.client</key>
         <true/>
         <key>com.apple.security.network.server</key>
         <true/>
+
+        <!-- Required for Electron/V8 JIT compilation (better-sqlite3 and other native modules) -->
+        <key>com.apple.security.cs.allow-jit</key>
+        <true/>
+
+        <!-- Required for V8 to allocate executable memory -->
+        <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
+        <true/>
+
+        <!-- Required for loading native modules like better-sqlite3 -->
+        <key>com.apple.security.cs.disable-library-validation</key>
+        <true/>
+
+        <!-- File access for user-selected files (Open/Save dialogs) -->
+        <key>com.apple.security.files.user-selected.read-write</key>
+        <true/>
+
+        <!-- Downloads folder access -->
+        <key>com.apple.security.files.downloads.read-write</key>
+        <true/>
     </dict>
-</plist>
+</plist>