feat notarization: use notarytool for code-signing #3492

Open
wants to merge 2 commits into
base: main

nsrCodes
Contributor

The default altool has been deprecated for more than a year and will soon become unsupported.

Here's the issue tracking the change in electron notarize.
And based on the changes being made to support this, it will be a breaking change that will later use notarytool as the default (which is also recommended by Apple documentation).

This PR adds changes to now use the notarytool for code-signing. But this also requires the environment to have an extra APPLE_TEAM_ID variable set. This is the team ID you want to notarize under.

@praveen-zluri

Was looking forward to this!

@nsrCodes
Contributor Author

@amilajack just learnt that electron-builder already notarizes the app.
The afterSign script used in this template runs after the notarization has already been done once.

I have added a fix to this PR to stop this and only use the notarize.js script in this module.
But a better solution would be to remove all this extra code and just ask the user to set the right environment variables, and their teamId inside package.json.

I am not the right person to implement this solution, so feel free to take this forward as you like, but I would love to see notarytool being used by this template either way.

Referring to how electron-builder handles notarization might be useful here.

@jgresham
Contributor

How are appBundleId and appPath set using the tool without the script? I don't see it in the docs. It looks like Nov 1 is the deadline for updating the notary tool. https://www.electron.build/configuration/mac

appBundleId: build.appId,
appPath: `${appOutDir}/${appName}.app`,
appleId: process.env.APPLE_ID,
appleIdPassword: process.env.APPLE_ID_PASS,
teamId: process.env.APPLE_TEAM_ID
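
Review bot: `teamId: process.env.APPLE_TEAM_ID` and `appleIdPassword: process.env.APPLE_ID_PASS` are taken straight from the environment in these lines, so an unset variable ends up in this options object as `undefined`. Validate all three credential variables before building the object and fail with a message that names the missing variable, never its value, so a misconfigured CI job stops before anything is submitted.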

I would also check for APPLE_TEAM_ID and log an error in the if-statement above.

@jgresham
Contributor

jgresham commented Oct 6, 2023

Using the script and setting notarize: false gives this: • skipping "afterSign" hook as no signing occurred, perhaps you intended "afterPack"?

@danielduan

danielduan commented Nov 1, 2023

in package.json -> build -> mac the teamId key needs to be set:

"notarize": {
  "teamId": "12ABC3D0FG"
}

the environment variables APPLE_ID and APPLE_APP_SPECIFIC_PASSWORD need to be set

the above config will automatically get electron-builder to notarize the build. the notarize.js script duplicates the notarization like @nsrCodes mentioned and can be completely removed. otherwise, it notarizes twice and I receive duplicate emails from Apple about the notarization.

also note that the environment variable APPLE_ID_PASS used in notarize.js is different from the APPLE_APP_SPECIFIC_PASSWORD used by electron-builder, so currently both need to be set for the duplicate notarize process to work, or else the build errors.
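
The double notarization and the mismatched credential variable names described in this thread can be caught before a build starts. The following preflight check is an added example, not code from this PR or from electron-builder; `checkNotarizeSetup`, the hook path and the sample values are constructed, and it assumes any configured `afterSign` hook is the template's notarize.js script.

```javascript
// Added example: preflight check for the notarization setup discussed in this thread.
// Assumption: Team IDs are 10 uppercase alphanumerics, like the thread's sample value.
const TEAM_ID_RE = /^[A-Z0-9]{10}$/;
// Environment variable names as quoted in the thread.
const BUILDER_VARS = ['APPLE_ID', 'APPLE_APP_SPECIFIC_PASSWORD']; // electron-builder
const SCRIPT_VARS = ['APPLE_ID', 'APPLE_ID_PASS', 'APPLE_TEAM_ID']; // notarize.js hook

// Return the names (never the values) of variables that are unset or blank.
function missingVars(names, env) {
  return names.filter((n) => !env[n] || String(env[n]).trim() === '');
}

// pkg: parsed package.json, env: environment object. Returns an array of findings.
function checkNotarizeSetup(pkg, env) {
  const findings = [];
  const build = (pkg && pkg.build) || {};
  const notarize = (build.mac || {}).notarize;
  const builtIn = notarize !== undefined && notarize !== null && notarize !== false;
  // Assumption: a configured afterSign hook is the template's notarize.js script.
  const hook = typeof build.afterSign === 'string' && build.afterSign !== '';

  if (builtIn && hook) findings.push('duplicate: mac.notarize and afterSign would both notarize');
  if (!builtIn && !hook) findings.push('none: no notarization path is configured');
  if (builtIn) {
    const teamId = typeof notarize === 'object' ? notarize.teamId : undefined;
    if (!TEAM_ID_RE.test(String(teamId || ''))) {
      findings.push('config: build.mac.notarize.teamId is missing or malformed');
    }
    for (const n of missingVars(BUILDER_VARS, env)) findings.push(`env: ${n} unset (electron-builder)`);
  }
  if (hook) {
    for (const n of missingVars(SCRIPT_VARS, env)) findings.push(`env: ${n} unset (afterSign hook)`);
  }
  return findings;
}

// Constructed sample: both paths enabled, only electron-builder's variables set.
const samplePkg = {
  build: { afterSign: 'path/to/notarize.js', mac: { notarize: { teamId: '12ABC3D0FG' } } },
};
const sampleEnv = { APPLE_ID: 'dev@example.invalid', APPLE_APP_SPECIFIC_PASSWORD: 'constructed-value' };
for (const finding of checkNotarizeSetup(samplePkg, sampleEnv)) console.log(finding);
```

Run as a CI step before packaging, a non-empty result is a reason to stop the job; the findings contain variable names only, so they are safe to print in build logs.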

5 participants