eclipse-theia · jfaltermeier · Mar 3, 2025
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -19,7 +19,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        os: [windows-2019, ubuntu-22.04, macos-13]
+        os: [windows-2019, ubuntu-22.04, macos-13, macos-14] # macOS-13 is for x64, macOS-14 is for arm64
         node: ['20.x']
 
     runs-on: ${{ matrix.os }}
@@ -42,7 +42,8 @@ jobs:
         with:
           python-version: '3.11'
 
-      - name: Build and package
+      - name: Build and package (Windows, Linux)
+        if: runner.os == 'Windows' || runner.os == 'Linux'
         shell: bash
         run: |
           yarn --skip-integrity-check --network-timeout 100000
@@ -53,6 +54,34 @@ jobs:
           NODE_OPTIONS: --max_old_space_size=4096
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # https://github.com/microsoft/vscode-ripgrep/issues/9
 
+      - name: Update electron-builder.yml for macOS-14
+        if: matrix.os == 'macos-14'
+        run: |
+          sed -i '' 's|https://download.eclipse.org/theia/ide/latest/macos|https://download.eclipse.org/theia/ide/latest/macos-arm|g' applications/electron/electron-builder.yml
+
+      - name: Build and package (Mac)
+        if: runner.os == 'macOS'
+        shell: bash
+        run: |
+          yarn --skip-integrity-check --network-timeout 100000
+          yarn build
+          yarn download:plugins
+          yarn package:applications
+        env:
+          NODE_OPTIONS: --max_old_space_size=4096
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # https://github.com/microsoft/vscode-ripgrep/issues/9
+
+      - name: Upload Mac Dist Files
+        if: runner.os == 'macOS'
+        uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 #4.6.1
+        with:
+          name: ${{ matrix.os == 'macos-13' && 'mac-x64' || matrix.os == 'macos-14' && 'mac-arm64'}}
+          path: |
+            applications/electron/dist/**
+            !applications/electron/dist/mac/**
+            !applications/electron/dist/mac-arm64/**
+          retention-days: 1
+
       - name: Test (Linux)
         if: matrix.tests != 'skip' && runner.os == 'Linux'
         uses: GabrielBB/xvfb-action@86d97bde4a65fe9b290c0b3fb92c2c4ed0e5302d #1.6

diff --git a/Jenkinsfile b/Jenkinsfile
diff --git a/PUBLISHING.md b/PUBLISHING.md
@@ -50,7 +50,13 @@ Follow these steps to update dependencies and package versions:
 
 6. If there was a Theia release, review breaking changes, new built-ins, and sample applications, and update code as necessary.
 
-After completing these steps, open a PR with your changes. Merging the PR automatically triggers a preview release.
+7. After completing these steps, open a PR with your changes.
+
+8. The PR will trigger a verification build that generates two zip files with mac artifacts.
+Download these zips and replace them in this pre-release: <https://github.com/eclipse-theia/theia-ide/releases/tag/pre-release>.
+These unsigned dmgs will be used as input for the Jenkins build.
+
+9. Merging the PR automatically triggers a preview release, so make sure step 8 is fully completed before merging.
 
 ## 3. Preview, Testing, and Release Process
 

diff --git a/applications/browser/package.json b/applications/browser/package.json
@@ -3,7 +3,7 @@
   "name": "theia-ide-browser-app",
   "description": "Eclipse Theia IDE browser product",
   "productName": "Theia IDE",
-  "version": "1.59.1",
+  "version": "1.59.2",
   "license": "MIT",
   "author": "Eclipse Theia <[email protected]>",
   "homepage": "https://github.com/eclipse-theia/theia-ide#readme",
@@ -104,7 +104,7 @@
     "@theia/vsx-registry": "1.59.0",
     "@theia/workspace": "1.59.0",
     "fs-extra": "^9.0.1",
-    "theia-ide-product-ext": "1.59.1"
+    "theia-ide-product-ext": "1.59.2"
   },
   "devDependencies": {
     "@theia/cli": "1.59.0",

diff --git a/applications/electron/package.json b/applications/electron/package.json
@@ -3,7 +3,7 @@
   "name": "theia-ide-electron-app",
   "description": "Eclipse Theia IDE product",
   "productName": "Theia IDE",
-  "version": "1.59.1",
+  "version": "1.59.2",
   "main": "scripts/theia-electron-main.js",
   "license": "MIT",
   "author": "Eclipse Theia <[email protected]>",
@@ -112,9 +112,9 @@
     "@theia/vsx-registry": "1.59.0",
     "@theia/workspace": "1.59.0",
     "fs-extra": "^9.0.1",
-    "theia-ide-launcher-ext": "1.59.1",
-    "theia-ide-product-ext": "1.59.1",
-    "theia-ide-updater-ext": "1.59.1"
+    "theia-ide-launcher-ext": "1.59.2",
+    "theia-ide-product-ext": "1.59.2",
+    "theia-ide-updater-ext": "1.59.2"
   },
   "devDependencies": {
     "@theia/cli": "1.59.0",
@@ -158,6 +158,7 @@
     "update:blockmap": "ts-node scripts/update-blockmap.ts",
     "update:theia": "ts-node ../../scripts/update-theia-version.ts",
     "update:next": "ts-node ../../scripts/update-theia-version.ts next",
+    "sign:directory": "ts-node scripts/sign-directory.ts",
     "test": "mocha --timeout 60000 \"./test/*.spec.js\"",
     "lint": "eslint --ext js,jsx,ts,tsx scripts && eslint --ext js,jsx,ts,tsx test",
     "lint:fix": "eslint --ext js,jsx,ts,tsx scripts --fix && eslint --ext js,jsx,ts,tsx test -fix"

diff --git a/applications/electron/scripts/sign-directory.ts b/applications/electron/scripts/sign-directory.ts
@@ -0,0 +1,178 @@
+/********************************************************************************
+ * Copyright (C) 2025 EclipseSource and others.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the MIT License, which is available in the project root.
+ *
+ * SPDX-License-Identifier: MIT
+ ********************************************************************************/
+
+import { hideBin } from 'yargs/helpers';
+import yargs from 'yargs/yargs';
+import path from 'path';
+import fs from 'fs';
+import child_process from 'child_process';
+
+const signCommand = path.join(__dirname, 'sign.sh');
+const notarizeCommand = path.join(__dirname, 'notarize.sh');
+const entitlements = path.resolve(__dirname, '..', 'entitlements.plist');
+
+// File extensions and patterns that need code signing on macOS
+const BINARY_EXTENSIONS = ['.dylib', '.so', '.node', '.framework'];
+const BINARY_PATTERNS = [
+    /^MacOS\//, // Executable files in MacOS directory
+    /^Contents\/MacOS\//, // Executable files in Contents/MacOS directory
+];
+const EXECUTABLE_NAMES = [
+    'node', 'electron', 'rg', 'macos-trash', 'chrome-sandbox'
+];
+
+// Function to check if a file is likely a binary that needs signing
+function isBinaryFile(filePath: string): boolean {
+    const extension = path.extname(filePath);
+    const fileName = path.basename(filePath);
+    const relativePath = filePath.replace(/^.*?\.app\//, ''); // Get path relative to .app bundle
+
+    // Check by extension
+    if (BINARY_EXTENSIONS.includes(extension)) {
+        return true;
+    }
+
+    // Check by executable name
+    if (EXECUTABLE_NAMES.includes(fileName)) {
+        return true;
+    }
+
+    // Check by pattern
+    for (const pattern of BINARY_PATTERNS) {
+        if (pattern.test(relativePath)) {
+            return true;
+        }
+    }
+
+    // Check if file is executable (Unix-only check)
+    try {
+        const stat = fs.statSync(filePath);
+        if ((stat.mode & 0o111) !== 0) { // Check if execute bit is set
+            // Further verify it's a binary with 'file' command if available
+            try {
+                const fileType = child_process.execSync(`file "${filePath}"`).toString();
+                return fileType.includes('Mach-O') ||
+                       fileType.includes('executable') ||
+                       fileType.includes('shared library') ||
+                       fileType.includes('dynamically linked');
+            } catch (e) {
+                // If 'file' command fails, fall back to assuming it's a binary if it has execute permission
+                return true;
+            }
+        }
+    } catch (e) {
+        // If stat fails, skip this check
+    }
+
+    return false;
+}
+
+// Function to recursively find binaries in a directory
+function findBinariesToSign(dirPath: string): string[] {
+    const result: string[] = [];
+
+    function scanDirectory(currentPath: string): void {
+        const entries = fs.readdirSync(currentPath, { withFileTypes: true });
+
+        for (const entry of entries) {
+            const fullPath = path.join(currentPath, entry.name);
+
+            // Skip node_modules and .git directories
+            if (entry.isDirectory() &&
+                entry.name !== 'node_modules' &&
+                entry.name !== '.git') {
+                scanDirectory(fullPath);
+            } else if (entry.isFile() && isBinaryFile(fullPath)) {
+                result.push(fullPath);
+            }
+        }
+    }
+
+    scanDirectory(dirPath);
+
+    // Sort by path depth (deepest first) to ensure nested binaries are signed first
+    return result.sort((a, b) => {
+        const aDepth = a.split(path.sep).length;
+        const bDepth = b.split(path.sep).length;
+        return bDepth - aDepth;
+    });
+}
+
+const signFile = (file: string) => {
+    const stat = fs.lstatSync(file);
+    const mode = stat.isFile() ? stat.mode : undefined;
+
+    // Get SHA hash of file before signing - only for actual files, not directories
+    let shaBeforeSigning: string | undefined;
+    if (stat.isFile()) {
+        shaBeforeSigning = child_process.execSync(`shasum -a 256 "${file}"`).toString().trim();
+    }
+
+    console.log(`Signing ${file}...`);
+    child_process.spawnSync(signCommand, [
+        path.basename(file),
+        entitlements
+    ], {
+        cwd: path.dirname(file),
+        maxBuffer: 1024 * 10000,
+        env: process.env,
+        stdio: 'inherit',
+        encoding: 'utf-8'
+    });
+
+    // Get SHA hash of file after signing - only for actual files, not directories
+    if (stat.isFile()) {
+        const shaAfterSigning = child_process.execSync(`shasum -a 256 "${file}"`).toString().trim();
+        // Log a warning if the SHA hash hasn't changed after signing
+        if (shaBeforeSigning === shaAfterSigning) {
+            console.warn(`WARNING: SHA hash did not change after signing for ${file}. This might indicate the file was not properly signed.`);
+        }
+    }
+
+    if (mode) {
+        console.log(`Setting attributes of ${file}...`);
+        fs.chmodSync(file, mode);
+    }
+};
+
+const argv = yargs(hideBin(process.argv))
+    .option('directory', { alias: 'd', type: 'string', default: 'dist', description: 'The directory which contains the application to be signed' })
+    .version(false)
+    .wrap(120)
+    .parseSync();
+
+execute();
+
+async function execute(): Promise<void> {
+    console.log(`signCommand: ${signCommand}; notarizeCommand: ${notarizeCommand}; entitlements: ${entitlements}; directory: ${argv.directory}`);
+
+    // First sign all individual binaries inside the app bundle
+    const binariesToSign = findBinariesToSign(argv.directory);
+
+    for (const binaryPath of binariesToSign) {
+        signFile(binaryPath);
+    }
+
+    // Then sign the main app bundle
+    console.log('Signing main application bundle...');
+    signFile(argv.directory);
+
+    // Notarize app
+    console.log('Notarizing application...');
+    child_process.spawnSync(notarizeCommand, [
+        path.basename(argv.directory),
+        'eclipse.theia'
+    ], {
+        cwd: path.dirname(argv.directory),
+        maxBuffer: 1024 * 10000,
+        env: process.env,
+        stdio: 'inherit',
+        encoding: 'utf-8'
+    });
+}