fix: Make sure the documentation for this option clearly states the s…

…ecurity implications of turning it on #1524

package.json

@@ -31,7 +31,7 @@
     "ajv": "^5.0.1",
     "ajv-keywords": "^2.0.0",
     "archiver": "^1.3.0",
-    "aws-sdk": "^2.48.0",
+    "aws-sdk": "^2.49.0",
     "bluebird-lst": "^1.0.2",
     "chalk": "^1.1.3",
     "chromium-pickle-js": "^0.2.0",
@@ -52,7 +52,7 @@
     "node-forge": "^0.7.1",
     "normalize-package-data": "^2.3.8",
     "parse-color": "^1.0.0",
-    "plist": "^2.0.1",
+    "plist": "^2.1.0",
     "sanitize-filename": "^1.6.1",
     "semver": "^5.3.0",
     "stat-mode": "^0.2.2",
@@ -66,7 +66,7 @@
   "devDependencies": {
     "@types/electron": "^1.4.37",
     "@types/ini": "^1.3.29",
-    "@types/jest": "^19.2.2",
+    "@types/jest": "^19.2.3",
     "@types/js-yaml": "^3.5.30",
     "@types/node-forge": "^0.6.8",
     "@types/source-map-support": "^0.2.28",

packages/electron-builder/package.json

@@ -66,7 +66,7 @@
     "node-forge": "^0.7.1",
     "normalize-package-data": "^2.3.8",
     "parse-color": "^1.0.0",
-    "plist": "^2.0.1",
+    "plist": "^2.1.0",
     "sanitize-filename": "^1.6.1",
     "semver": "^5.3.0",
     "update-notifier": "^2.1.0",

packages/electron-builder/src/macPackager.ts

@@ -15,6 +15,9 @@ import { DmgTarget } from "./targets/dmg"
 import { PkgTarget, prepareProductBuildArgs } from "./targets/pkg"
 import { createCommonTarget, NoOpTarget } from "./targets/targetFactory"
 
+const buildForPrWarning = "There are serious security concerns with CSC_FOR_PULL_REQUEST=true (see the  CircleCI documentation (https://circleci.com/docs/1.0/fork-pr-builds/) for details)" +
+  "\nIf you have SSH keys, sensitive env vars or AWS credentials stored in your project settings and untrusted forks can make pull requests against your repo, then this option isn't for you."
+
 export default class MacPackager extends PlatformPackager<MacOptions> {
   readonly codeSigningInfo: Promise<CodeSigningInfo>
 
@@ -115,10 +118,18 @@ export default class MacPackager extends PlatformPackager<MacOptions> {
       warn("macOS application code signing is supported only on macOS, skipping.")
       return
     }
-    if (process.env.CSC_FOR_PULL_REQUEST !== "true" && isPullRequest()) {
-      // https://github.com/electron-userland/electron-builder/issues/1524
-      log("Current build is a part of pull request, code signing will be skipped. Set env CSC_FOR_PULL_REQUEST to true to force code signing.")
-      return
+
+    if (isPullRequest()) {
+      if (process.env.CSC_FOR_PULL_REQUEST === "true") {
+        warn(buildForPrWarning)
+      }
+      else {
+        // https://github.com/electron-userland/electron-builder/issues/1524
+        log("Current build is a part of pull request, code signing will be skipped." +
+          "\nSet env CSC_FOR_PULL_REQUEST to true to force code signing." +
+          `\n${buildForPrWarning}`)
+        return
+      }
     }
 
     const keychainName = (await this.codeSigningInfo).keychainName

packages/electron-publisher-s3/package.json

@@ -12,7 +12,7 @@
   ],
   "dependencies": {
     "fs-extra-p": "^4.1.0",
-    "aws-sdk": "^2.48.0",
+    "aws-sdk": "^2.49.0",
     "mime": "^1.3.4",
     "electron-publish": "~0.0.0-semantic-release",
     "electron-builder-util": "~0.0.0-semantic-release"