refactor: streamline runCheckedTool and writeSecretBase64 function signatures

robertsLando · robertsLando · commit 6cfb86a1f571 · 2026-04-23T10:29:39.000+02:00
diff --git a/packages/build/dist/index.mjs b/packages/build/dist/index.mjs
@@ -19124,7 +19124,7 @@ function parseWindowsSignMode(raw) {
     `windows-sign-mode must be one of: none | signtool | trusted-signing. Got "${raw}".`
   );
 }
-async function runCheckedTool(deps, command, args, label, opts = {}) {
+async function runCheckedTool(command, args, label, deps, opts = {}) {
   deps.logger.info(`[pkg-action] ${label}: ${command} ${args.join(" ")}`);
   let result = await deps.exec(command, args, {
     ignoreReturnCode: !0,
@@ -19133,32 +19133,31 @@ async function runCheckedTool(deps, command, args, label, opts = {}) {
   if (result.exitCode !== 0)
     throw new SignError(`${label} failed (exit ${String(result.exitCode)}). See stderr above.`);
 }
-async function writeSecretBase64(deps, tempDir, base64, extension) {
-  let path4 = join6(tempDir, `${randomBytes(8).toString("hex")}.${extension}`), bytes = Buffer.from(base64, "base64");
+async function writeSecretBase64(base64, extension, deps) {
+  let path4 = join6(deps.tempDir, `${randomBytes(8).toString("hex")}.${extension}`), bytes = Buffer.from(base64, "base64");
   return await (deps.writeFile ?? ((p, d) => writeFile4(p, d, { mode: 384 })))(path4, bytes), path4;
 }
 async function signMacos(binaryPath, cfg, deps) {
   let keychainPath = join6(
     deps.tempDir,
     `pkg-action-${randomBytes(6).toString("hex")}.keychain-db`
-  ), p12Path = await writeSecretBase64(deps, deps.tempDir, cfg.certificate, "p12");
+  ), p12Path = await writeSecretBase64(cfg.certificate, "p12", deps);
   await runCheckedTool(
-    deps,
     "security",
     ["create-keychain", "-p", cfg.keychainPassword, keychainPath],
-    "security create-keychain"
+    "security create-keychain",
+    deps
   ), await runCheckedTool(
-    deps,
     "security",
     ["set-keychain-settings", "-lut", "21600", keychainPath],
-    "security set-keychain-settings"
+    "security set-keychain-settings",
+    deps
   ), await runCheckedTool(
-    deps,
     "security",
     ["unlock-keychain", "-p", cfg.keychainPassword, keychainPath],
-    "security unlock-keychain"
+    "security unlock-keychain",
+    deps
   ), await runCheckedTool(
-    deps,
     "security",
     [
       "import",
@@ -19172,9 +19171,9 @@ async function signMacos(binaryPath, cfg, deps) {
       "-T",
       "/usr/bin/security"
     ],
-    "security import"
+    "security import",
+    deps
   ), await runCheckedTool(
-    deps,
     "security",
     [
       "set-key-partition-list",
@@ -19185,7 +19184,8 @@ async function signMacos(binaryPath, cfg, deps) {
       cfg.keychainPassword,
       keychainPath
     ],
-    "security set-key-partition-list"
+    "security set-key-partition-list",
+    deps
   );
   let codesignArgs = [
     "--force",
@@ -19197,13 +19197,12 @@ async function signMacos(binaryPath, cfg, deps) {
     "--sign",
     cfg.identity
   ];
-  return cfg.entitlements !== void 0 && codesignArgs.push("--entitlements", cfg.entitlements), codesignArgs.push(binaryPath), await runCheckedTool(deps, "codesign", codesignArgs, "codesign"), await runCheckedTool(
-    deps,
+  return cfg.entitlements !== void 0 && codesignArgs.push("--entitlements", cfg.entitlements), codesignArgs.push(binaryPath), await runCheckedTool("codesign", codesignArgs, "codesign", deps), await runCheckedTool(
     "codesign",
     ["--verify", "--strict", "--verbose=2", binaryPath],
-    "codesign --verify"
+    "codesign --verify",
+    deps
   ), cfg.notarize && (await runCheckedTool(
-    deps,
     "xcrun",
     [
       "notarytool",
@@ -19217,13 +19216,14 @@ async function signMacos(binaryPath, cfg, deps) {
       cfg.appPassword,
       "--wait"
     ],
-    "xcrun notarytool submit"
+    "xcrun notarytool submit",
+    deps
   ), deps.logger.info(
     "[pkg-action] notarytool submit succeeded. Note: bare binaries cannot be stapled; Gatekeeper queries Apple at first launch."
   )), { keychainPath };
 }
 async function signWindowsSigntool(binaryPath, cfg, deps) {
-  let pfxPath = await writeSecretBase64(deps, deps.tempDir, cfg.certificate, "pfx"), args = [
+  let pfxPath = await writeSecretBase64(cfg.certificate, "pfx", deps), args = [
     "sign",
     "/fd",
     "sha256",
@@ -19236,7 +19236,7 @@ async function signWindowsSigntool(binaryPath, cfg, deps) {
     "/p",
     cfg.password
   ];
-  cfg.description !== void 0 && args.push("/d", cfg.description), args.push(binaryPath), await runCheckedTool(deps, "signtool", args, "signtool sign"), await runCheckedTool(deps, "signtool", ["verify", "/pa", "/v", binaryPath], "signtool verify");
+  cfg.description !== void 0 && args.push("/d", cfg.description), args.push(binaryPath), await runCheckedTool("signtool", args, "signtool sign", deps), await runCheckedTool("signtool", ["verify", "/pa", "/v", binaryPath], "signtool verify", deps);
 }
 async function signWindowsTrustedSigning(binaryPath, cfg, deps) {
   let env = {
@@ -19256,7 +19256,7 @@ async function signWindowsTrustedSigning(binaryPath, cfg, deps) {
     "-fd",
     "sha256"
   ];
-  cfg.description !== void 0 && args.push("-d", cfg.description), args.push(binaryPath), await runCheckedTool(deps, "azuresigntool", args, "azuresigntool sign", { env }), await runCheckedTool(deps, "signtool", ["verify", "/pa", "/v", binaryPath], "signtool verify");
+  cfg.description !== void 0 && args.push("-d", cfg.description), args.push(binaryPath), await runCheckedTool("azuresigntool", args, "azuresigntool sign", deps, { env }), await runCheckedTool("signtool", ["verify", "/pa", "/v", binaryPath], "signtool verify", deps);
 }
 
 // packages/core/src/version.ts
diff --git a/packages/core/src/signing.ts b/packages/core/src/signing.ts
@@ -211,10 +211,10 @@ export interface SigningDeps {
 }
 
 async function runCheckedTool(
-  deps: SigningDeps,
   command: string,
   args: readonly string[],
   label: string,
+  deps: SigningDeps,
   opts: { env?: Readonly<Record<string, string>> } = {},
 ): Promise<void> {
   deps.logger.info(`[pkg-action] ${label}: ${command} ${args.join(' ')}`);
@@ -231,12 +231,11 @@ async function runCheckedTool(
  *  delete the path after use — we return it so the caller can plug into
  *  saveState for post.ts cleanup. */
 async function writeSecretBase64(
-  deps: SigningDeps,
-  tempDir: string,
   base64: string,
   extension: string,
+  deps: SigningDeps,
 ): Promise<string> {
-  const path = join(tempDir, `${randomBytes(8).toString('hex')}.${extension}`);
+  const path = join(deps.tempDir, `${randomBytes(8).toString('hex')}.${extension}`);
   const bytes = Buffer.from(base64, 'base64');
   const writer = deps.writeFile ?? ((p: string, d: Uint8Array) => writeFile(p, d, { mode: 0o600 }));
   await writer(path, bytes);
@@ -260,29 +259,28 @@ export async function signMacos(
     deps.tempDir,
     `pkg-action-${randomBytes(6).toString('hex')}.keychain-db`,
   );
-  const p12Path = await writeSecretBase64(deps, deps.tempDir, cfg.certificate, 'p12');
+  const p12Path = await writeSecretBase64(cfg.certificate, 'p12', deps);
 
   // Create + unlock ephemeral keychain, import cert, allow codesign access.
   await runCheckedTool(
-    deps,
     'security',
     ['create-keychain', '-p', cfg.keychainPassword, keychainPath],
     'security create-keychain',
+    deps,
   );
   await runCheckedTool(
-    deps,
     'security',
     ['set-keychain-settings', '-lut', '21600', keychainPath],
     'security set-keychain-settings',
+    deps,
   );
   await runCheckedTool(
-    deps,
     'security',
     ['unlock-keychain', '-p', cfg.keychainPassword, keychainPath],
     'security unlock-keychain',
+    deps,
   );
   await runCheckedTool(
-    deps,
     'security',
     [
       'import',
@@ -297,9 +295,9 @@ export async function signMacos(
       '/usr/bin/security',
     ],
     'security import',
+    deps,
   );
   await runCheckedTool(
-    deps,
     'security',
     [
       'set-key-partition-list',
@@ -311,6 +309,7 @@ export async function signMacos(
       keychainPath,
     ],
     'security set-key-partition-list',
+    deps,
   );
 
   // codesign. --force replaces existing sigs (pkg ships unsigned);
@@ -329,23 +328,22 @@ export async function signMacos(
     codesignArgs.push('--entitlements', cfg.entitlements);
   }
   codesignArgs.push(binaryPath);
-  await runCheckedTool(deps, 'codesign', codesignArgs, 'codesign');
+  await runCheckedTool('codesign', codesignArgs, 'codesign', deps);
 
   // Post-sign sanity: re-invoke codesign in verify mode to confirm the
   // signature actually landed. Catches bad identities, revoked certs, and
   // silent signtool/codesign failures that still exit 0.
   await runCheckedTool(
-    deps,
     'codesign',
     ['--verify', '--strict', '--verbose=2', binaryPath],
     'codesign --verify',
+    deps,
   );
 
   if (cfg.notarize) {
     // notarytool only needs the three secrets — appleId/teamId/appPassword.
     // Validated up front in parseSigningInputs.
     await runCheckedTool(
-      deps,
       'xcrun',
       [
         'notarytool',
@@ -360,6 +358,7 @@ export async function signMacos(
         '--wait',
       ],
       'xcrun notarytool submit',
+      deps,
     );
     // Binaries (unlike .app bundles) cannot be stapled — only container
     // formats accept the notarization ticket. We still submit, which
@@ -380,7 +379,7 @@ export async function signWindowsSigntool(
   cfg: WindowsSigntoolInputs,
   deps: SigningDeps,
 ): Promise<void> {
-  const pfxPath = await writeSecretBase64(deps, deps.tempDir, cfg.certificate, 'pfx');
+  const pfxPath = await writeSecretBase64(cfg.certificate, 'pfx', deps);
   const args = [
     'sign',
     '/fd',
@@ -396,10 +395,10 @@ export async function signWindowsSigntool(
   ];
   if (cfg.description !== undefined) args.push('/d', cfg.description);
   args.push(binaryPath);
-  await runCheckedTool(deps, 'signtool', args, 'signtool sign');
+  await runCheckedTool('signtool', args, 'signtool sign', deps);
   // Post-sign sanity: verify the signature embedded in the PE. `/pa` uses
   // the default Authenticode chain policy; `/v` is verbose.
-  await runCheckedTool(deps, 'signtool', ['verify', '/pa', '/v', binaryPath], 'signtool verify');
+  await runCheckedTool('signtool', ['verify', '/pa', '/v', binaryPath], 'signtool verify', deps);
 }
 
 // ─── Azure Trusted Signing ────────────────────────────────────────────────
@@ -433,8 +432,8 @@ export async function signWindowsTrustedSigning(
   ];
   if (cfg.description !== undefined) args.push('-d', cfg.description);
   args.push(binaryPath);
-  await runCheckedTool(deps, 'azuresigntool', args, 'azuresigntool sign', { env });
+  await runCheckedTool('azuresigntool', args, 'azuresigntool sign', deps, { env });
   // azuresigntool produces a standard Authenticode signature, so the same
   // signtool verify path applies. No azure creds required to verify.
-  await runCheckedTool(deps, 'signtool', ['verify', '/pa', '/v', binaryPath], 'signtool verify');
+  await runCheckedTool('signtool', ['verify', '/pa', '/v', binaryPath], 'signtool verify', deps);
 }
