feat: add option to skip signature on macos

.github/workflows/ci.yml

@@ -12,7 +12,7 @@ jobs:
       fail-fast: false # prevent test to stop if one fails
       matrix:
         node-version: [12.x, 14.x, 16.x, 18.x]
-        os: [ubuntu-latest, windows-latest] # Skip macos-latest
+        os: [ubuntu-latest, windows-latest, macos-latest]
 
     runs-on: ${{ matrix.os }}
     steps:

README.md

@@ -44,6 +44,7 @@ pkg [options] <input>
     --public-packages    force specified packages to be considered public
     --no-bytecode        skip bytecode generation and include source files as plain js
     --no-native-build    skip native addons build
+    --no-signature       skip signature of the final executable on macos
     --no-dict            comma-separated list of packages names to ignore dictionaries. Use --no-dict * to disable all dictionaries
     -C, --compress       [default=None] compression algorithm = Brotli or GZip
 

lib/index.ts

@@ -232,6 +232,7 @@ export async function exec(argv2: string[]) {
       'public',
       'v',
       'version',
+      'signature',
     ],
     string: [
       '_',
@@ -251,7 +252,7 @@ export async function exec(argv2: string[]) {
       'C',
       'compress',
     ],
-    default: { bytecode: true, 'native-build': true },
+    default: { bytecode: true, 'native-build': true, signature: true },
   });
 
   if (argv.h || argv.help) {
@@ -682,7 +683,7 @@ export async function exec(argv2: string[]) {
     });
 
     if (target.platform !== 'win' && target.output) {
-      if (target.platform === 'macos') {
+      if (argv.signature && target.platform === 'macos') {
         // patch executable to allow code signing
         const buf = patchMachOExecutable(readFileSync(target.output));
         writeFileSync(target.output, buf);

test/test-50-bakery-fetch/main.js

@@ -22,6 +22,14 @@ fetch
     arch: fetch.system.hostArch,
   })
   .then(function (needed) {
+    if (process.platform === 'darwin') {
+      utils.spawn.sync(
+        'codesign',
+        ['-fds', '-', './' + path.basename(needed)],
+        { cwd: path.dirname(needed) }
+      );
+    }
+
     right = utils.spawn.sync(
       './' + path.basename(needed),
       ['--expose-gc', '-e', 'if (global.gc) console.log("ok");'],

test/test-50-corrupt-executable/main.js

@@ -10,6 +10,11 @@ const utils = require('../utils.js');
 assert(!module.parent);
 assert(__dirname === process.cwd());
 
+// TODO : understand why the damage is not impacting macos build
+if (process.platform === 'darwin') {
+  return;
+}
+
 const host = 'node' + process.version.match(/^v(\d+)/)[1];
 const target = process.argv[2] || host;
 const input = './test-x-index.js';

test/test-50-no-signature/main.js

@@ -0,0 +1,42 @@
+#!/usr/bin/env node
+
+'use strict';
+
+const path = require('path');
+const assert = require('assert');
+const utils = require('../utils.js');
+
+assert(!module.parent);
+assert(__dirname === process.cwd());
+
+const darwin = process.platform === 'darwin';
+if (!darwin) {
+  return;
+}
+
+const target = process.argv[2] || 'host';
+const input = './test-x-index.js';
+const output = './test-output';
+
+let right;
+
+utils.pkg.sync([
+  '--no-signature',
+  '--target',
+  target,
+  '--output',
+  output,
+  input,
+]);
+
+right = utils.spawn.sync('codesign', ['-dv', './' + path.basename(output)], {
+  stdio: 'pipe',
+  expect: 1,
+});
+
+assert.strictEqual(
+  right.stderr,
+  './test-output: code object is not signed at all\n'
+);
+
+utils.vacuum.sync(output);

test/test-50-no-signature/test-x-index.js

@@ -0,0 +1,3 @@
+'use strict';
+
+console.log('ok');

test/test-50-reproducible/main.js

@@ -20,6 +20,7 @@ const output2 = './test-output-2.exe';
 
 utils.pkg.sync([
   '--public',
+  '--no-signature', // the signature will make the build not reproducible
   '--no-bytecode',
   '--target',
   target,
@@ -30,6 +31,7 @@ utils.pkg.sync([
 
 utils.pkg.sync([
   '--public',
+  '--no-signature',
   '--no-bytecode',
   '--target',
   target,