test: check bundled binaries are signed on macOS

For notarization on macOS all packaged binaries must be signed. Add a regression test to check that known binaries from our dependencies (at the time of this commit term-size via npm) are signed. Signed-off-by: Richard Lau <[email protected]> PR-URL: #32522 Reviewed-By: Luigi Pinca <[email protected]> Reviewed-By: Anna Henningsen <[email protected]>
nodejs · Mar 30, 2020 · fbb51b9 · fbb51b9
1 parent 36c6d22
commit fbb51b9
Showing 1 changed file with 31 additions and 0 deletions.
diff --git a/test/parallel/test-macos-signed-deps.js b/test/parallel/test-macos-signed-deps.js
@@ -0,0 +1,31 @@
+'use strict';
+
+// Notarization on macOS requires all binaries to be signed.
+// We sign our own binaries but check here if any binaries from our dependencies
+// (e.g. npm) are signed.
+const common = require('../common');
+
+if (!common.isOSX) {
+  common.skip('macOS specific test');
+}
+
+const assert = require('assert');
+const { spawnSync } = require('child_process');
+const path = require('path');
+
+const debuglog = require('util').debuglog('test');
+
+const binaries = [
+  'deps/npm/node_modules/term-size/vendor/macos/term-size',
+];
+
+for (const testbin of binaries) {
+  const bin = path.resolve(__dirname, '..', '..', testbin);
+  debuglog(`Checking ${bin}`);
+  const cp = spawnSync('codesign', [ '-vvvv', bin ], { encoding: 'utf8' });
+  debuglog(cp.stdout);
+  debuglog(cp.stderr);
+  assert.strictEqual(cp.signal, null);
+  assert.strictEqual(cp.status, 0, `${bin} does not appear to be signed.\n` +
+                     `${cp.stdout}\n${cp.stderr}`);
+}