electron · sethlu · Jun 2, 2017 · Jun 1, 2017 · Jun 1, 2017 · Jun 1, 2017
diff --git a/README.md b/README.md
@@ -152,7 +152,7 @@ See [default.entitlements.mas.inherit.plist](https://github.com/electron-userlan
 
 `gatekeeper-assess` - *Boolean*
 
-Flag to enable Gatekeeper assessment after signing the app. Disabling it is useful for signing with self-signed certificates.
+Flag to enable/disable Gatekeeper assessment after signing the app. Disabling it is useful for signing with self-signed certificates.
 Gatekeeper assessment is enabled by default on `darwin` platform.
 Default to `true`.
 
@@ -163,6 +163,11 @@ Default to be selected with respect to `provisioning-profile` and `platform` fro
 
 Signing platform `mas` will look for `3rd Party Mac Developer Application: * (*)`, and platform `darwin` will look for `Developer ID Application: * (*)` by default.
 
+`identity-validation` - *Boolean*
+
+Flag to enable/disable validation for the signing identity. If enabled, the `identity` provided will be validated in the `keychain` specified.
+Default to `true`.
+
 `keychain` - *String*
 
 The keychain name.
@@ -181,14 +186,12 @@ Default to auto detect by presence of `Squirrel.framework` within the applicatio
 
 `pre-auto-entitlements` - *Boolean*
 
-Flag to enable automation of `com.apple.security.application-groups` in entitlements file and update `Info.plist` with `ElectronTeamID`.
-Allowed values: `true`, `false`.
+Flag to enable/disable automation of `com.apple.security.application-groups` in entitlements file and update `Info.plist` with `ElectronTeamID`.
 Default to `true`.
 
 `pre-embed-provisioning-profile` - *Boolean*
 
-Flag to enable embedding of provisioning profile in the current working directory.
-Allowed values: `true`, `false`.
+Flag to enable/disable embedding of provisioning profile in the current working directory.
 Default to `true`.
 
 `provisioning-profile` - *String*
@@ -304,6 +307,11 @@ Default to be selected with respect to `platform` from `keychain` or keychain by
 
 Flattening platform `mas` will look for `3rd Party Mac Developer Installer: * (*)`, and platform `darwin` will look for `Developer ID Installer: * (*)` by default.
 
+`identity-validation` - *Boolean*
+
+Flag to enable/disable validation for signing identity. If enabled, the `identity` provided will be validated in the `keychain` specified.
+Default to `true`.
+
 `install` - *String*
 
 Path to install the bundle.

diff --git a/bin/electron-osx-flat-usage.txt b/bin/electron-osx-flat-usage.txt
@@ -17,6 +17,9 @@ DESCRIPTION
     Name of certificate to use when signing.
     Default to selected with respect to --platform from --keychain specified or keychain by system default.
 
+  --identity-validation, --no-identity-validation
+    Flag to enable/disable validation for the signing identity.
+
   --install=install-path
     Path to install the bundle.
     Default to ``/Applications''.

diff --git a/bin/electron-osx-sign-usage.txt b/bin/electron-osx-sign-usage.txt
@@ -22,7 +22,7 @@ DESCRIPTION
     This option only applies when signing with entitlements.
 
   --gatekeeper-assess, --no-gatekeeper-assess
-    Flag to enable Gatekeeper assessment after signing the app. Disabling it is useful for signing with self-signed certificates.
+    Flag to enable/disable Gatekeeper assessment after signing the app. Disabling it is useful for signing with self-signed certificates.
     Gatekeeper assessment is enabled by default on ``darwin'' platform.
 
   --help
@@ -32,6 +32,9 @@ DESCRIPTION
     Name of certificate to use when signing.
     Default to selected with respect to --provisioning-profile and --platform from --keychain specified or keychain by system default.
 
+  --identity-validation, --no-identity-validation
+    Flag to enable/disable validation for the signing identity.
+
   --ignore=regex
     Regex that signals ignoring a file before signing.
 
@@ -45,10 +48,10 @@ DESCRIPTION
     Default to auto detect from application bundle.
 
   --pre-auto-entitlements, --no-pre-auto-entitlements
-    Flag to enable automation of entitlements file and Info.plist.
+    Flag to enable/disable automation of entitlements file and Info.plist.
 
   --pre-embed-provisioning-profile, --no-pre-embed-provisioning-profile
-    Flag to enable embedding of provisioning profile.
+    Flag to enable/disable embedding of provisioning profile.
 
   --provisioning-profile=file
     Path to provisioning profile.

diff --git a/flat.js b/flat.js
@@ -14,6 +14,7 @@ const debugwarn = util.debugwarn
 const execFileAsync = util.execFileAsync
 const validateOptsAppAsync = util.validateOptsAppAsync
 const validateOptsPlatformAsync = util.validateOptsPlatformAsync
+const Identity = require('./util-identities').findIdentitiesAsync
 const findIdentitiesAsync = require('./util-identities').findIdentitiesAsync
 
 /**
@@ -55,7 +56,7 @@ function validateFlatOptsAsync (opts) {
 function flatApplicationAsync (opts) {
   var args = [
     '--component', opts.app, opts.install,
-    '--sign', opts.identity,
+    '--sign', opts.identity.name,
     opts.pkg
   ]
   if (opts.keychain) {
@@ -82,6 +83,9 @@ var flatAsync = module.exports.flatAsync = function (opts) {
       var promise
       if (opts.identity) {
         debuglog('`identity` passed in arguments.')
+        if (opts['identity-validation'] === false || opts.identity instanceof Identity) {
+          return Promise.resolve()
+        }
         promise = findIdentitiesAsync(opts, opts.identity)
       } else {
         debugwarn('No `identity` passed in arguments...')

diff --git a/sign.js b/sign.js
@@ -17,7 +17,9 @@ const execFileAsync = util.execFileAsync
 const validateOptsAppAsync = util.validateOptsAppAsync
 const validateOptsPlatformAsync = util.validateOptsPlatformAsync
 const walkAsync = util.walkAsync
+const Identity = require('./util-identities').Identity
 const findIdentitiesAsync = require('./util-identities').findIdentitiesAsync
+const ProvisioningProfile = require('./util-provisioning-profiles').ProvisioningProfile
 const preEmbedProvisioningProfile = require('./util-provisioning-profiles').preEmbedProvisioningProfile
 const preAutoEntitlements = require('./util-entitlements').preAutoEntitlements
 
@@ -47,8 +49,6 @@ function validateOptsBinariesAsync (opts) {
  * @returns {Promise} Promise.
  */
 function validateSignOptsAsync (opts) {
-  const ProvisioningProfile = require('./util-provisioning-profiles').ProvisioningProfile
-
   if (opts.ignore) {
     if (typeof opts.ignore !== 'function' && typeof opts.ignore !== 'string') return Promise.reject(new Error('Ignore filter should be either a function or a string.'))
   }
@@ -134,7 +134,7 @@ function signApplicationAsync (opts) {
       if (opts.binaries) childPaths = childPaths.concat(opts.binaries)
 
       var args = [
-        '--sign', opts.identity,
+        '--sign', opts.identity.hash || opts.identity.name,
         '--force'
       ]
       if (opts.keychain) {
@@ -223,6 +223,9 @@ var signAsync = module.exports.signAsync = function (opts) {
       if (opts.identity) {
         debuglog('`identity` passed in arguments.')
         if (opts['identity-validation'] === false) {
+          if (!(opts.identity instanceof Identity)) {
+            opts.identity = new Identity(opts.identity)
+          }
           return Promise.resolve()
         }
         promise = findIdentitiesAsync(opts, opts.identity)
@@ -244,7 +247,7 @@ var signAsync = module.exports.signAsync = function (opts) {
       return promise
         .then(function (identities) {
           if (identities.length > 0) {
-            // Provisioning profile(s) found
+            // Identity(/ies) found
             if (identities.length > 1) {
               debugwarn('Multiple identities found, will use the first discovered.')
             } else {

diff --git a/util-entitlements.js b/util-entitlements.js
@@ -50,7 +50,7 @@ module.exports.preAutoEntitlements = function (opts) {
               appInfo.ElectronTeamID = opts['provisioning-profile'].message.Entitlements['com.apple.developer.team-identifier']
               debuglog('`ElectronTeamID` not found in `Info.plist`, use parsed from provisioning profile: ' + appInfo.ElectronTeamID)
             } else {
-              appInfo.ElectronTeamID = opts.identity.substring(opts.identity.indexOf('(') + 1, opts.identity.lastIndexOf(')'))
+              appInfo.ElectronTeamID = opts.identity.name.substring(opts.identity.name.indexOf('(') + 1, opts.identity.name.lastIndexOf(')'))
               debuglog('`ElectronTeamID` not found in `Info.plist`, use parsed from signing identity: ' + appInfo.ElectronTeamID)
             }
             return writeFileAsync(appInfoPath, plist.build(appInfo), 'utf8')

diff --git a/util-identities.js b/util-identities.js
@@ -9,6 +9,16 @@ const debuglog = util.debuglog
 const flatList = util.flatList
 const execFileAsync = util.execFileAsync
 
+/**
+ * @constructor
+ * @param {string} name - Name of the signing identity.
+ * @param {String} hash - SHA-1 hash of the identity.
+ */
+var Identity = module.exports.Identity = function (name, hash) {
+  this.name = name
+  this.hash = hash
+}
+
 /**
  * This function returns a promise checking the indentity proposed and updates the identity option to a exact finding from results.
  * @function
@@ -37,7 +47,7 @@ module.exports.findIdentitiesAsync = function (opts, identity) {
           debuglog('Identity:', '\n',
             '> Name:', identityFound, '\n',
             '> Hash:', identityHashFound)
-          return identityHashFound
+          return new Identity(identityFound, identityHashFound)
         }
       })
     })