Build with codesign takes a long time when 'nodegit' is in my dependencies

• Version: 11.3.0

• Target: Mac

Problem:

I am trying to build a project that has nodegit@0.16.0 as a dependency. When I run:

CSC_LINK={mycertfilepath} CSC_KEY_PASSWORD={mypass} build --mac

The build takes a long time (i.e. never finishes). On my MacBook Pro (Retina, Mid 2012) running MacOS Sierra, the “Rebuilding” and “Packaging” steps take ~5 minutes, which is a bit slow. For the “Signing” step, however, I’ve waited 30+ minutes and never seen it finish.

With nodegit deleted from "dependencies", the build finishes in seconds.

Details:

A minimal package.json that reproduces the issue looks like this:

{
  "name": "repro-nodegit-electron-build-demo",
  "version": "0.0.0",
  "private": true,
  "description": "Minimal test of building Electron with nodegit and codesigning",
  "main": "index.js",
  "author": "Matthew",
  "engines": {
    "node": "6.6.0",
    "npm": "3.10.3",
    "electron": "1.4.5"
  },
  "build": {
    "appId": "com.electron.nodegitelectronbuilddemo",
    "copyright": "none",
    "productName": "nodegitelectronbuilddemo",
    "forceCodeSigning": true,
    "electronVersion": "1.4.5",
    "mac": {
      "category": "public.app-category.developer-tools"
    }
  },
  "scripts": {
    "build": "build --mac"
  },
  "dependencies": {
    "nodegit": "0.16.0"
  },
  "devDependencies": {
    "electron-builder": "11.3.0"
  }
}

(To repro the signing slowness, you would need to get a developer certificate, etc.)

Hypotheses:

Based on the output of $ ps ax | grep codesign while running the build, my guess is that there are simply so many files to sign that it is just taking a long time. I see it signing a lot of files that seem ancillary.

With that in mind, these are my hypotheses:

• I am supposed to somehow pre-bundle my code before using electron-builder. (I.e. concatenate my JavaScript files, etc., so that there are fewer files to sign?)

• I am supposed to configure the "files" build option so that code-signing doesn’t have to trawl through a bunch of ancillary files. (It looks like nodegit and its dependencies are rather huge, and there are some test/VCS artifacts also being signed.)

• I have misconfigured the installation of nodegit somehow, resulting in a big complicated bundle.

• I am supposed to pre-compile nodegit down to a single bundle before using it here.

• Waiting over 30 minutes in my scenario is normal. This is simply a fact of life I will have to accept if I want to include nodegit in my project.

• I am supposed to use the two-package.json setup.

Am I onto something with any of these? Any tips or suggestions?

Apologies if I’ve missed some important note in the documentation that pertains to this.