|
| 1 | +# Xai Sentry Desktop Client |
| 2 | + |
| 3 | +An electron & vite cross platform desktop client for the Sentry Node Operator building on top of the `@sentry/core` operator services. |
| 4 | + |
| 5 | +## Local development |
| 6 | + |
| 7 | +Running and building is done from the root of the monorepo. |
| 8 | +The monorepo will handle all npm dependencies |
| 9 | + |
| 10 | +From the root run |
| 11 | + |
| 12 | +- `pnpm desktop` to run a local dev instance with hot reload |
| 13 | +- `pnpm -filter @sentry/sentry-client-desktop build` to create a release build for the current working os |
| 14 | + |
| 15 | +Building the monorepo with `pnpm run build` from the root of the repo will also create a release build of the desktop client. |
| 16 | + |
| 17 | +## Release build and signing |
| 18 | + |
| 19 | +The desktop client is build using [`electron-builder`](https://www.electron.build/code-signing.html). The configuration for the release build is defined in `apps\sentry-client-desktop\electron-builder.json5`. The release build will create the release for the OS running the build, so for multi platform release the build has to be run on all required platforms. |
| 20 | + |
| 21 | +### Windows |
| 22 | + |
| 23 | +Windows signing is done with SSL.com in the release workflow using the [EV Code signing certificate](https://www.electron.build/code-signing.html#windows) |
| 24 | + |
| 25 | +Required build environment variables for signing: |
| 26 | + |
| 27 | + |
| 28 | +- `SSL_USERNAME` SSL.com login username |
| 29 | +- `SSL_PASSWORD` SSL.com login password |
| 30 | +- `SSL_TOTP_SECRET` Certificate secret to pull the actual EV certificate from the SSL.com identity |
| 31 | + |
| 32 | + |
| 33 | +### MacOS |
| 34 | + |
| 35 | +Signing the mac build can be done by the `electron-builder`. Currently the configuration is setup to sign and notarize the app. |
| 36 | +For signing a macOS release a Apple Developer Application ID Certificate is required, detailed steps in the section below. |
| 37 | + |
| 38 | +For integrating the electron-builder signing the certificate has to be added to the mac key-chain, for this specific environment variables need to be set during the release build process: |
| 39 | + |
| 40 | +- `MAC_CERTIFICATE_P12_BASE64` the base64 encoded certificate and private key |
| 41 | +- `MAC_CERTIFICATE_PASSWORD` the certificate encryption password |
| 42 | + |
| 43 | +Electron builder signing and notarizing env: |
| 44 | + |
| 45 | +- `CSC_LINK` same as `MAC_CERTIFICATE_P12_BASE64`, important for electron-builder finding the identity |
| 46 | +- `CSC_KEY_PASSWORD` same as `MAC_CERTIFICATE_PASSWORD`, important for electron-builder finding the identity from the cert above |
| 47 | +- `APPLE_ID` The apple ID used for the Developer certificate for notarizing the app |
| 48 | +- `APPLE_APP_SPECIFIC_PASSWORD` [App specific password](https://support.apple.com/en-us/102654) for notarizing the app |
| 49 | +- `APPLE_TEAM_ID` The apple team id used for the account that created the certificate used for notarizing the app |
| 50 | + |
| 51 | +#### Verify Mac Signing: |
| 52 | + |
| 53 | +- Verify the app’s signature |
| 54 | + - `codesign --verify --deep --verbose --strict /path/to/sentry-client-macos.app` |
| 55 | + |
| 56 | +- Check if Gatekeeper accepts the app after notarizing |
| 57 | + - `spctl --assess --type exec --verbose /path/to/sentry-client-macos.app` |
| 58 | + |
| 59 | +- Check notarization status |
| 60 | + - `xcrun notarytool history --apple-id APPLE_ID --password APPLE_APP_SPECIFIC_PASSWORD --team-id APPLE_TEAM_ID` |
| 61 | + |
| 62 | + |
| 63 | +#### Create an Apple Developer Application ID Certificate |
| 64 | + |
| 65 | +### Step 1: Create a Certificate Signing Request (CSR) |
| 66 | + |
| 67 | +1. Open **Keychain Access** (`Applications > Utilities > Keychain Access`). |
| 68 | +2. From the menu, select **Keychain Access > Certificate Assistant > Request a Certificate From a Certificate Authority**. |
| 69 | +3. Fill out the following fields: |
| 70 | + - **User Email Address**: Your Apple Developer account email. |
| 71 | + - **Common Name**: Your name or your company’s name. |
| 72 | + - **CA Email Address**: Leave this blank. |
| 73 | + - **Request is**: Select **Saved to disk**. |
| 74 | +4. Check the box for **Let me specify key pair information**. |
| 75 | +5. **Key Pair Information**: |
| 76 | + - Algorithm: Select **RSA**. |
| 77 | + - Key Size: Choose **2048-bit**. |
| 78 | +6. Click **Continue** and save the CSR file to your desktop (or any location). |
| 79 | + |
| 80 | +--- |
| 81 | + |
| 82 | +### Step 2: Submit the CSR to Apple Developer |
| 83 | + |
| 84 | +1. Log in to your [Apple Developer Account](https://developer.apple.com/account/). |
| 85 | +2. Go to **Certificates, Identifiers & Profiles**. |
| 86 | +3. Under **Certificates**, click the **+** button to create a new certificate. |
| 87 | +4. Choose the appropriate certificate type based on your need (e.g., **Developer ID Installer** or **Mac App Distribution**). |
| 88 | +5. Upload the CSR file you generated earlier. |
| 89 | +6. Download the new certificate (`.cer` file) provided by Apple. |
| 90 | + |
| 91 | +--- |
| 92 | + |
| 93 | +### Step 3: Install the Certificate in Keychain Access |
| 94 | + |
| 95 | +1. Double-click the downloaded `.cer` file to install it in **Keychain Access**. |
| 96 | +2. Open **Keychain Access** and navigate to **login > My Certificates**. |
| 97 | +3. Find the certificate you just installed. |
| 98 | + - It should appear under **My Certificates** and when expanded, should show the private key associated with it. |
| 99 | +4. If the certificate is not under **My Certificates** or you don’t see the private key, see the troubleshooting steps below. |
| 100 | + |
| 101 | +--- |
| 102 | + |
| 103 | +### Step 4: Export the Certificate and Private Key as a `.p12` File |
| 104 | + |
| 105 | +1. In **Keychain Access**, go to **My Certificates**. |
| 106 | +2. Right-click the certificate (which should now include the private key) and select **Export**. |
| 107 | +3. Choose the **.p12** format from the list of options. |
| 108 | +4. Set a name for the `.p12` file and choose a location to save it. |
| 109 | +5. You will be prompted to set a password to protect the `.p12` file. |
| 110 | +6. After setting the password, your `.p12` file will be exported and saved. |
| 111 | + |
| 112 | +--- |
| 113 | + |
| 114 | +### Step 5: Use the `.p12` in Your Build Pipeline |
| 115 | + |
| 116 | +Once you have your `.p12` file, you can use it in your build process for signing packages or apps, such as in GitHub Actions: |
| 117 | + |
| 118 | +1. **Encode the `.p12` file to base64**: |
| 119 | + ```bash |
| 120 | + base64 -i certificate.p12 -o certificate.p12.base64 |
| 121 | + |
| 122 | +--- |
| 123 | + |
| 124 | +### Troubleshooting Tips |
| 125 | + |
| 126 | +- **Missing Private Key**: If your certificate is in the **Certificates** section but not in **My Certificates**, it means the private key is not associated. This can happen if the private key wasn’t created or stored correctly during the CSR process. |
| 127 | + - In **Keychain Access**, go to **login > Keys** and look for a private key matching the common name of the certificate. |
| 128 | + - If you find the private key, you can try manually associating it with the certificate by dragging the certificate onto the key. |
| 129 | + - If the private key is not present, you'll need to regenerate the CSR and repeat the steps to create the certificate. |
| 130 | +
|
| 131 | +--- |
| 132 | +
|
| 133 | +### Notes |
| 134 | +
|
| 135 | +- **Key Size**: Make sure to select **RSA 2048-bit** or higher, as 1024-bit is no longer considered secure. |
| 136 | +- **Password**: You will need the password set during the `.p12` export when using the file for signing operations in your build pipeline. |
| 137 | +
|
| 138 | +--- |
| 139 | +
|
| 140 | +
|
| 141 | +
|
0 commit comments