I'm trying to package my Electron app, using electron-forge. In order to make the app available on Macs, I need to codesign the app, which requires passing info such as appleId and app-specific-password in the package.json file.
How can I pass this information securely? (i.e., not available to people who download the app)
If environmental variables are the way to go, I'm hoping to understand where I set the environmental variables (in a separate file? In the start command?) and how I access them in the package.json itself.
I'd appreciate any help to sort this out.
Details of what I've considered:
- The electron forge codesign documentation does not mention how to actually provide osx required details in a secure way. It does mention that it uses electron-notarize (among others) under the hood, and electron-notarize's documentation says: "Never hard code your password into your packaging scripts, use an environment variable at a minimum", but doesn't provide detail on how to do that.
- This Stack Overflow answer provides helpful info in terms of setting up a separate forge.config.js file, and then says you should "load your environment variables using process.env.YOUR_VARIABLE_NAME". It doesn't provide more detail--loading the environmental variables for a packaged app is what I'm trying to figure out here.
- This Stack Overflow answer mentions setting them manually, but doesn't mention how. It also mentions using the dotenv package--but I'd be surprised there's a separate package required for this task that is fundamental to any mac electron app.
I've been able to hear back from one of the maintainers of electron forge, who said the way to do it is:
Load the environmental variables in the build script itself. For example: $ VAR1=something VAR2=somethingelse npm run make.
Then, reference those variables as appropriate in the forge.config.js file that package.json refers to. Example reference syntax: process.env.VAR1
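
A sketch of the forge.config.js the maintainer's answer describes, as an added example that is not part of the original post or of Electron Forge's own code. The variable names APPLE_ID and APPLE_ID_PASSWORD and the helper functions are assumptions; the file holds only references to the environment, so no credential value is written into the project:

```javascript
// forge.config.js (added example; APPLE_ID and APPLE_ID_PASSWORD are assumed names)
const REQUIRED = ['APPLE_ID', 'APPLE_ID_PASSWORD'];

// Build the notarization options from the environment of the build process.
// Returns undefined when no credential is set (local, un-notarized build) and
// throws when only some are set, naming the missing variables, never values.
function notarizeOptions(env) {
  const missing = REQUIRED.filter((name) => !(env[name] || '').trim());
  if (missing.length === REQUIRED.length) return undefined;
  if (missing.length > 0) {
    throw new Error(`Missing environment variable(s): ${missing.join(', ')}`);
  }
  return { appleId: env.APPLE_ID, appleIdPassword: env.APPLE_ID_PASSWORD };
}

// Assemble the Forge configuration; notarization is added only when the
// credentials were supplied to the process that runs the build.
function forgeConfig(env) {
  const packagerConfig = { osxSign: {} }; // sign with default options
  const osxNotarize = notarizeOptions(env);
  if (osxNotarize) packagerConfig.osxNotarize = osxNotarize;
  return { packagerConfig };
}

// Guarded so the file also loads where `module` is not defined.
if (typeof module !== 'undefined') module.exports = forgeConfig(process.env);
```

Run it the way the answer shows, e.g. APPLE_ID=... APPLE_ID_PASSWORD=... npm run make. Values typed inline on the command line can end up in shell history, so on a shared or CI machine supply them from the CI secret store or an exported session variable instead.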