feat: Specify patterns for archive traversals

sethlu · sethlu · commit a78b4fdb8870 · 2020-07-19T02:51:21.000-07:00
diff --git a/README.md b/README.md
@@ -195,7 +195,7 @@ Default to `true`.
 The keychain name.
 Default to system default keychain.
 
-`ignore` - *RegExp|Function|Array.<(RegExp|Function)>*
+`ignore` - *String|RegExp|Function|Array.<(String|RegExp|Function)>*
 
 Regex, function or an array of regex's and functions that signal skipping signing a file.
 Elements of other types are treated as `RegExp`.
@@ -250,8 +250,9 @@ Default to `true`.
 Specify the URL of the timestamp authority server, default to server provided by Apple. Please note that this default server may not support signatures not furnished by Apple.
 Disable the timestamp service with `none`.
 
-`traverse-archives` - *String*
-Flag to enable/disable automation of signing binaries inside zip-like archives.
+`traverse-archives` - *Boolean|String|RegExp|Function|Array.<(String|RegExp|Function)>*
+Option to enable automation of signing binaries inside zip-like archives.
+Not specifying any pattern will lead to marking all binary files as potential zip-like archives.
 Default to `false`.
 
 `type` - *String*
diff --git a/bin/electron-osx-sign-usage.txt b/bin/electron-osx-sign-usage.txt
@@ -43,7 +43,7 @@ DESCRIPTION
   --identity-validation, --no-identity-validation
     Flag to enable/disable validation for the signing identity.
 
-  --ignore=path
+  --ignore=pattern/to/ignore/1,pattern/to/ignore/2
     Path to skip signing. The string will be treated as a regular expression when used to match the file paths.
 
   --keychain=keychain
@@ -86,8 +86,9 @@ DESCRIPTION
     Specify the URL of the timestamp authority server, default to server provided by Apple.
     Disable the timestamp service with ``none''.
 
-  --traverse-archives
-    Flag to enable/disable automation of signing binaries inside zip-like archives.
+  --traverse-archives, --traverse-archives=pattern/to/archive/1,pattern/to/archive/2
+    Option to enable automation of signing binaries inside zip-like archives.
+    Not specifying any pattern will lead to marking all binary files as potential zip-like archives.
     Disabled by default.
 
   --type=type
diff --git a/bin/electron-osx-sign.js b/bin/electron-osx-sign.js
@@ -15,8 +15,7 @@ var args = require('minimist')(process.argv.slice(2), {
     'pre-embed-provisioning-profile',
     'gatekeeper-assess',
     'hardened-runtime',
-    'restrict',
-    'traverse-archives'
+    'restrict'
   ],
   'default': {
     'pre-auto-entitlements': true,
diff --git a/sign.js b/sign.js
@@ -68,6 +68,10 @@ function validateSignOptsAsync (opts) {
     opts['type'] = 'distribution'
   }
 
+  if (opts['traverse-archives'] && typeof opts['traverse-archives'] !== 'boolean' && !(opts['traverse-archives'] instanceof Array)) {
+    opts['traverse-archives'] = [opts['traverse-archives']]
+  }
+
   return Promise.map([
     validateOptsAppAsync,
     validateOptsPlatformAsync,
@@ -141,6 +145,26 @@ function ignoreFilePath (opts, filePath) {
   return false
 }
 
+/***
+ * Helper function to facilitate whether to consider traversing a potential archive.
+ * @function
+ * @param {Object} opts - Options.
+ * @param {string} humanReadableFilePath - The file path to check whether to include for traversal.
+ * @returns {boolean} Whether to consider the potential archive for traversal.
+ */
+function shouldConsiderTraversingArchive (opts, humanReadableFilePath) {
+  if (opts['traverse-archives']) {
+    if (opts['traverse-archives'] === true) return true
+    return opts['traverse-archives'].some(function (include) {
+      if (typeof include === 'function') {
+        return include(humanReadableFilePath)
+      }
+      return humanReadableFilePath.match(include)
+    })
+  }
+  return false
+}
+
 /**
  * Sign a zip-like archive child component of the app bundle.
  * This piece of automation helps to traverse zip-like archives and sign any enclosing binary files. See #229.
@@ -224,7 +248,7 @@ function signChildComponentAsync (opts, args, filePath, humanReadableFilePath =
   }
 
   var promise
-  if (opts['traverse-archives']) {
+  if (shouldConsiderTraversingArchive(opts, humanReadableFilePath)) {
     // Sign the child components if the file is an archive
     promise = isZipFileAsync(filePath)
       .then(function (archive) {
