Electron-builder: Build with codesign takes a long time when 'nodegit' is in my dependencies

Created on 19 Jan 2017 · 9 Comments · Source: electron-userland/electron-builder

  • Version: 11.3.0

  • Target: Mac

Problem:

I am trying to build a project that has nodegit@0.16.0 as a dependency. When I run:

CSC_LINK={mycertfilepath} CSC_KEY_PASSWORD={mypass} build --mac

The build takes a long time (i.e. never finishes). On my MacBook Pro (Retina, Mid 2012) running MacOS Sierra, the "Rebuilding" and "Packaging" steps take ~5 minutes, which is a bit slow. For the "Signing" step, however, I've waited 30+ minutes and never seen it finish.

With nodegit deleted from "dependencies", the build finishes in seconds.

Details:

A minimal package.json that reproduces the issue looks like this:

{
  "name": "repro-nodegit-electron-build-demo",
  "version": "0.0.0",
  "private": true,
  "description": "Minimal test of building Electron with nodegit and codesigning",
  "main": "index.js",
  "author": "Matthew",
  "engines": {
    "node": "6.6.0",
    "npm": "3.10.3",
    "electron": "1.4.5"
  },
  "build": {
    "appId": "com.electron.nodegitelectronbuilddemo",
    "copyright": "none",
    "productName": "nodegitelectronbuilddemo",
    "forceCodeSigning": true,
    "electronVersion": "1.4.5",
    "mac": {
      "category": "public.app-category.developer-tools"
    }
  },
  "scripts": {
    "build": "build --mac"
  },
  "dependencies": {
    "nodegit": "0.16.0"
  },
  "devDependencies": {
    "electron-builder": "11.3.0"
  }
}

(To repro the signing slowness, you would need to get a developer certificate, etc.)

Hypotheses:

Based on the output of $ ps ax | grep codesign while running the build, my guess is that there are simply so many files to sign that it is just taking a long time. I see it signing a lot of files that seem ancillary.

With that in mind, these are my hypotheses:

  • I am supposed to somehow pre-bundle my code before using electron-builder. (I.e. concatenate my JavaScript files, etc., so that there are fewer files to sign?)

  • I am supposed to configure the "files" build option so that code-signing doesn't have to trawl through a bunch of ancillary files. (It looks like nodegit and its dependencies are rather huge, and there are some test/VCS artifacts also being signed.)

  • I have misconfigured the installation of nodegit somehow, resulting in a big complicated bundle.

  • I am supposed to pre-compile nodegit down to a single bundle before using it here.

  • Waiting over 30 minutes in my scenario is normal. This is simply a fact of life I will have to accept if I want to include nodegit in my project.

  • I am supposed to use the two-package.json setup.

Am I onto something with any of these? Any tips or suggestions?

Apologies if I've missed some important note in the documentation that pertains to this.

All 9 comments

When I ps ax | grep codesign as the codesign step is working, I see output like:

codesign --sign {name_of_my_developer_id_certificate} --force --keychain {target_file_in_temp_folder} node_modules/vendor/libgit2/tests/resources/merge-resolve/.gitted/objects/54/269b3f6ec3d7d4ede24dd350dd5d605495c3ae

So it looks like codesign is going deep into hidden folders, including VCS databases, and signing all of those entries too. That's a _lot_ to sign. Which explains the wait.


My workaround is to add some "files" entries to the build config in my package.json, so that there are fewer files for codesign to crunch:

"build": {
  "files": [
    // ...snip...
    "!node_modules/nodegit",
    "node_modules/nodegit/package.json",
    "node_modules/nodegit/dist/**",
    "node_modules/nodegit/build/Release/nodegit.node",
    // ...snip...
  ]
}

First I exclude the whole nodegit package from my app bundle. Then, I re-include only the parts of nodegit necessary for it to work.

I did this through trial and error, so my file patterns are probably excluding some critical file. But this at least gets the build working, and I don't initially see any problems with require('nodegit') when I launch my packaged app.

I think it's unlikely there will be a lot of commentary on this one, so I'm going to close it.

@matthewtoast No, it will be investigated and fixed when I have time :)

Solution — do not use npm. Use yarn and execute yarn clean. All junk directories like vendor/libgit2/tests will be removed.

I have a similar problem, but I don't want to use yarn (I used it for a year, but switched back to npm after various troubles with it).

For me codesign, the final package _CodeSignature contains entries like:

<key>Resources/app.asar.unpacked/node_modules/lzz-gyp/package.json</key>
<dict>
    <key>hash</key>
    <data>
    V46JaYPK9FUORjoONzTgww3ovBo=
    </data>
    <key>hash2</key>
    <data>
    c2Zqm6KAgz7BZzpLOD8K9yrP1ocqjCjA0V/jJv58gc0=
    </data>
</dict>
  • Is this needed?
  • Are signatures for .cpp or .dylib needed?

Yes, such files must be signed, because it is a library.

You can try to add ignores to the files option if some files are not required for you.

Curious if this still applies in 2019? Apparently https://yarnpkg.com/lang/en/docs/cli/autoclean/ is the current command and there are separate packages that can accomplish this for npm users such as https://github.com/tj/node-prune

Has this been sorted? I couldn't make the codesign complete.
