196 lines
6.8 KiB
Bash
Executable file
196 lines
6.8 KiB
Bash
Executable file
#!/usr/bin/env zsh
|
|
|
|
function dxx_codesign {
|
|
# codesign parameters:
|
|
# --timestamp: Request a signing timestamp from Apple's servers (required for notarization).
|
|
# --options=runtime: Enable a hardened runtime (required for notarization).
|
|
# --verbose: More verbose output for tracking status.
|
|
# --force: Force overwriting existing ad hoc or identity-signed signatures. Existing resources are likely to have at least one signature (likely ad hoc) to replace.
|
|
# --sign: The signing identity to use to sign the resource.
|
|
codesign --timestamp --options=runtime --verbose --force --sign "${signing_identity[2]}" "$@"
|
|
}
|
|
|
|
# Echo a message to stdout, and include the name of the script so that users
|
|
# can recognize the origin when this script is run as part of a larger build
|
|
# job.
|
|
function emsg {
|
|
echo "$0: $@"
|
|
}
|
|
|
|
# Echo a message to stderr, and include the string `error:` for users to easily
|
|
# find it via text search in a log.
|
|
function eerror {
|
|
echo "$0: error: $@" >&2
|
|
}
|
|
|
|
zmodload zsh/zutil
|
|
autoload is-at-least
|
|
|
|
if ! is-at-least 5.8 ${ZSH_VERSION}; then
|
|
eerror "zsh 5.8 is required for the notarization script, but zsh version ${ZSH_VERSION} was used. Please update to macOS 12 or higher, or install zsh 5.8 or higher and place it before the system zsh in your \$PATH."
|
|
exit 1
|
|
fi
|
|
|
|
zparseopts -D -E -F - s:=signing_identity -signing-identity:=signing_identity a:=app_bundle_path -app-bundle-path:=app_bundle_path b:=binary_name -binary-name:=binary_name z:=zip_path -zip-path:=zip_path k:=notarization_keychain_profile -notarization-keychain-profile:=notarization_keychain_profile i:=apple_id -apple-id:=apple_id t:=team_id -team-id:=team_id || exit 1
|
|
|
|
end_opts=$@[(i)(--|-)]
|
|
set -- "${@[0,end_opts-1]}" "${@[end_opts+1,-1]}"
|
|
|
|
DXX_SIGN_HAS_ERROR=0
|
|
|
|
if [[ -z "${signing_identity}" ]]; then
|
|
eerror "--signing-identity is required."
|
|
DXX_SIGN_HAS_ERROR=1
|
|
fi
|
|
|
|
if [[ -z "${app_bundle_path}" ]]; then
|
|
eerror "--app-bundle-path is required."
|
|
DXX_SIGN_HAS_ERROR=1
|
|
elif [[ ! -d "${app_bundle_path[2]}" ]]; then
|
|
eerror "App bundle specified in --app-bundle-path (${app_bundle_path[2]}) does not exist."
|
|
DXX_SIGN_HAS_ERROR=1
|
|
fi
|
|
|
|
if [[ -z "${binary_name}" ]]; then
|
|
eerror "--binary-name is required."
|
|
DXX_SIGN_HAS_ERROR=1
|
|
elif [[ ! -f "${app_bundle_path[2]}/Contents/MacOS/${binary_name[2]}" ]]; then
|
|
eerror "Binary specified in --binary-name (${binary_name[2]}) does not exist."
|
|
DXX_SIGN_HAS_ERROR=1
|
|
fi
|
|
|
|
if [[ -z "${zip_path}" ]]; then
|
|
eerror "--zip-path is required."
|
|
DXX_SIGN_HAS_ERROR=1
|
|
fi
|
|
|
|
if [[ -z "${notarization_keychain_profile}" ]]; then
|
|
if [[ -z "${apple_id}" || -z "${team_id}" ]]; then
|
|
eerror "If --notarization-keychain-profile is not provided, then both --apple-id and --team-id must be provided."
|
|
DXX_SIGN_HAS_ERROR=1
|
|
fi
|
|
fi
|
|
|
|
if [[ DXX_SIGN_HAS_ERROR -ne 0 ]]; then
|
|
# No message is needed here. A message was printed in the path(s) that set DXX_SIGN_HAS_ERROR.
|
|
exit 1
|
|
fi
|
|
|
|
if [[ -d "${app_bundle_path[2]}/Contents/libs" ]]; then
|
|
DXX_DYLIB_PATH="${app_bundle_path[2]}/Contents/libs"
|
|
else
|
|
# Unset this to prevent surprising results if the parent process set this in
|
|
# the environment.
|
|
unset DXX_DYLIB_PATH
|
|
fi
|
|
|
|
DXX_BINARY_PATH="${app_bundle_path[2]}/Contents/MacOS/${binary_name[2]}"
|
|
|
|
if [[ ! -z "${DXX_DYLIB_PATH}" ]]; then
|
|
emsg "Signing dylibs at ${DXX_DYLIB_PATH} with identity ${signing_identity[2]} ..."
|
|
|
|
dxx_codesign "${DXX_DYLIB_PATH}"/*.dylib
|
|
if [[ $? -ne 0 ]]; then
|
|
eerror "Failed to sign dylibs in ${DXX_DYLIB_PATH}"
|
|
exit 1
|
|
fi
|
|
fi
|
|
|
|
emsg "Signing application binary at ${DXX_BINARY_PATH} with identity ${signing_identity[2]} ..."
|
|
|
|
dxx_codesign "${DXX_BINARY_PATH}"
|
|
if [[ $? -ne 0 ]]; then
|
|
eerror "Failed to sign application binary ${DXX_BINARY_PATH}"
|
|
exit 1
|
|
fi
|
|
|
|
emsg "Signing app bundle at ${app_bundle_path[2]} with identity ${signing_identity[2]} ..."
|
|
|
|
dxx_codesign "${app_bundle_path[2]}"
|
|
if [[ $? -ne 0 ]]; then
|
|
eerror "Failed to sign app bundle ${app_bundle_path[2]}"
|
|
exit 1
|
|
fi
|
|
|
|
DXX_ZIP_NAME=${zip_path[2]##*/}
|
|
|
|
DXX_TMP_ZIP_PATH="${TMPDIR}${DXX_ZIP_NAME}"
|
|
|
|
emsg "Compressing ${app_bundle_path[2]} to temporary ZIP file at ${DXX_TMP_ZIP_PATH} ..."
|
|
|
|
if [[ -f "${DXX_TMP_ZIP_PATH}" ]]; then
|
|
rm -f "${DXX_TMP_ZIP_PATH}"
|
|
fi
|
|
|
|
if [[ -f "${DXX_TMP_ZIP_PATH}" ]]; then
|
|
eerror "Unable to remove existing temporary ZIP file at ${DXX_TMP_ZIP_PATH}"
|
|
exit 1
|
|
fi
|
|
|
|
/usr/bin/ditto -c -k --keepParent "${app_bundle_path[2]}" "${DXX_TMP_ZIP_PATH}"
|
|
|
|
if [[ ! -f "${DXX_TMP_ZIP_PATH}" ]]; then
|
|
eerror "Error compressing app bundle to ZIP file."
|
|
exit 1
|
|
fi
|
|
|
|
# Note that the notarization process does NOT change the app bundle or the ZIP file.
|
|
# Instead, Apple reads the signature associated with the submitted resources and, if
|
|
# they don't detect any malicious code, create a ticket on their side that can be
|
|
# requested by a macOS client for the specific resource that was signed in order to
|
|
# validate that it went through the notarization process. This ticket can also be
|
|
# stapled to the app bundle for offline validation by macOS clients which are not
|
|
# connected to the Internet at the time. This stapling process happens further in
|
|
# the script.
|
|
|
|
emsg "Beginning notarization process. This may take a few minutes."
|
|
|
|
if [[ -z "${notarization_keychain_profile}" ]]; then
|
|
emsg "Using Apple ID '${apple_id[2]}' and Apple team ID '${team_id[2]}' for notarization credentials."
|
|
if [[ ! -z "${DXX_NOTARIZATION_PASSWORD}" ]]; then
|
|
emsg "Using password passed in via DXX_NOTARIZATION_PASSWORD environment variable."
|
|
xcrun notarytool submit "${DXX_TMP_ZIP_PATH}" --apple-id "${apple_id[2]}" --team-id "${team_id[2]}" --password "${DXX_NOTARIZATION_PASSWORD}" --wait
|
|
if [[ $? -ne 0 ]]; then
|
|
eerror "Error notarizing application. Check history for details."
|
|
exit 1
|
|
fi
|
|
else
|
|
emsg "Enter your application-specific password when prompted to submit for notarization."
|
|
xcrun notarytool submit "${DXX_TMP_ZIP_PATH}" --apple-id "${apple_id[2]}" --team-id "${team_id[2]}" --wait
|
|
if [[ $? -ne 0 ]]; then
|
|
eerror "Error notarizing application. Check history for details."
|
|
exit 1
|
|
fi
|
|
fi
|
|
else
|
|
emsg "Using Keychain item specified in '${notarization_keychain_profile[2]}' for notarization credentials."
|
|
xcrun notarytool submit "${DXX_TMP_ZIP_PATH}" --keychain-profile "${notarization_keychain_profile[2]}" --wait
|
|
if [[ $? -ne 0 ]]; then
|
|
eerror "Error notarizing application. Check history for details."
|
|
exit 1
|
|
fi
|
|
fi
|
|
|
|
emsg "Stapling ticket to app bundle ${app_bundle_path[2]} ..."
|
|
|
|
xcrun stapler staple "${app_bundle_path[2]}"
|
|
if [[ $? -ne 0 ]]; then
|
|
eerror "Failed to staple ticket to app bundle ${app_bundle_path[2]}"
|
|
exit 1
|
|
fi
|
|
|
|
rm -f "${DXX_TMP_ZIP_PATH}"
|
|
|
|
if [[ -f "${zip_path[2]}" ]]; then
|
|
rm -f "${zip_path[2]}"
|
|
fi
|
|
|
|
if [[ -f "${zip_path[2]}" ]]; then
|
|
eerror "Unable to remove existing target ZIP file at ${zip_path[2]}"
|
|
exit 1
|
|
fi
|
|
|
|
emsg "Creating ${zip_path[2]} ..."
|
|
|
|
/usr/bin/ditto -c -k --keepParent "${app_bundle_path[2]}" "${zip_path[2]}"
|