#!/usr/bin/env bash
# Sign and notarize the CMake.app bundle inside a .dmg, then produce a matching
# .tar.gz next to it.  See the usage text below for options and credential setup.

# Abort on the first failing command: every step below depends on the previous
# one having succeeded, and a half-signed image must never be written back.
set -o errexit
# Help text printed (to stderr) by die() on any argument error.  The keychain
# profile workflow described here keeps the Apple ID password off this
# script's command line: notarytool reads it from the keychain item.
readonly usage='usage: sign-notarize.bash -i <id> -k <keychain-profile> [--] <package>.dmg

Sign and notarize the "CMake.app" bundle inside the given "<package>.dmg" disk image.
Also produce a "<package>.tar.gz" tarball containing the same "CMake.app".

Options:

-i <id> Signing Identity
-k <keychain-profile> Keychain profile containing stored credentials

Create the keychain profile ahead of time using

xcrun notarytool store-credentials <keychain-profile> \
--apple-id <dev-acct> --team-id <team-id> [--password <app-specific-password>]

where:

<dev-acct> is an Apple ID of a developer account
<team-id> is from https://developer.apple.com/account/#!/membership
<app-specific-password> is generated via https://support.apple.com/en-us/HT204397
If --password is omitted, notarytool will prompt for it.

This creates a keychain item called "com.apple.gke.notary.tool" with an
account name "com.apple.gke.notary.tool.saved-creds.<keychain-profile>".
'
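#######################################
# EXIT-trap handler: unmount the scratch volume and delete the scratch
# directory.  Either global may still be unset when this runs (die() can be
# reached before they are assigned), so each step is guarded by an existence
# test rather than assuming the variable is populated.
# Globals:   tmpdir (read), vol_path (read)
# Outputs:   a warning on stderr if the volume cannot be detached
# Returns:   nothing meaningful; runs at script exit
#######################################
cleanup() {
  # Detach first: the mounted volume is backed by udrw.dmg inside $tmpdir, so
  # the image file should not be deleted while the volume is still attached.
  # A failed detach is reported but does not stop the directory cleanup.
  if test -d "$vol_path"; then
    hdiutil detach "$vol_path" \
      || printf 'warning: could not detach %s\n' "$vol_path" >&2
  fi
  # ${tmpdir:?} refuses to expand to an empty string, so this can never become
  # "rm -rf /" even if the guard above is ever relaxed; "--" protects against
  # a path that happens to start with "-".
  if test -d "$tmpdir"; then
    rm -rf -- "${tmpdir:?}"
  fi
}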
# Run cleanup on every exit path: normal completion, die(), and set -e aborts.
trap cleanup EXIT
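#######################################
# Print a message to stderr and terminate the script with status 1.
# printf is used instead of echo so a message beginning with "-n"/"-e" (or
# containing backslashes) is printed literally instead of being interpreted
# as echo options or escape sequences.
# Arguments: $@ - message words, joined with the first character of IFS
#                 (a space unless IFS has been changed)
# Outputs:   the message, on stderr
# Returns:   does not return; exits 1
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}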
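# Parse the command line.  -i and -k each take a value, "--" ends option
# processing, and the first non-option argument must be the .dmg to sign.
id=''
keychain_profile=''
while test "$#" != 0; do
  case "$1" in
    # A trailing "-i"/"-k" with no value would otherwise leave the option empty
    # and make the shift at the bottom of the loop fail, aborting under set -e
    # without ever showing the usage text.
    -i) test "$#" -ge 2 || die "$usage"; shift; id="$1" ;;
    -k) test "$#" -ge 2 || die "$usage"; shift; keychain_profile="$1" ;;
    --) shift; break ;;
    -*) die "$usage" ;;
    *) break ;;
  esac
  shift
done
case "$1" in
  *.dmg) readonly dmg="$1"; shift ;;
  *) die "$usage" ;;
esac
# Exactly one image is processed per run; anything left over is an error.
test "$#" = 0 || die "$usage"
# Fail early with a clear message rather than letting hdiutil report it later.
test -f "$dmg" || die "no such file: $dmg"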
# Verify arguments: the signing identity and the keychain profile are both
# mandatory, and an empty value is treated the same as a missing option.
if [ -z "$id" ] || [ -z "$keychain_profile" ]; then
  die "$usage"
fi
# Verify environment: fail before touching the image if notarytool is not
# available.  xcrun's own stderr is silenced so only our diagnostic is shown;
# the path it finds is still printed to stdout.
xcrun --find notarytool 2>/dev/null || die "'xcrun notarytool' not found"
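# Scratch directory for the read-write image, the entitlements file and the
# notarization zip; removed by cleanup() on exit.  The assignment is kept
# separate from "readonly" because "readonly x=$(cmd)" reports readonly's own
# (always zero) status and would hide a failing mktemp from set -e.
tmpdir="$(mktemp -d)" || die "mktemp failed"
readonly tmpdir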
# Prepare entitlements.  The hardened runtime (--options=runtime in the
# codesign step) otherwise ignores DYLD_* environment variables; this single
# entitlement opts the signed tools back in to honouring them.  The quoted
# heredoc delimiter keeps the plist literal (no parameter expansion).
readonly entitlements_xml="$tmpdir/entitlements.xml"
cat > "$entitlements_xml" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>com.apple.security.cs.allow-dyld-environment-variables</key>
<true/>
</dict>
</plist>
EOF
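# Convert the read-only original image to a read-write copy inside the scratch
# directory, so the original is untouched until the final conversion step.
readonly udrw_dmg="$tmpdir/udrw.dmg"
hdiutil convert "$dmg" -format UDRW -o "$udrw_dmg"

# Mount the temporary udrw image.  hdiutil picks the mount point from the
# volume's label; the script assumes that label equals the image's base file
# name.  ${dmg%.dmg} / ${vol_name##*/} is the built-in equivalent of
# basename on a path that is known to end in ".dmg".
vol_name="${dmg%.dmg}"
vol_name="${vol_name##*/}"
readonly vol_name
mount_point="/Volumes/$vol_name"
# If something is already mounted there, the fresh image would land at a
# different path and every later step would operate on that other volume.
# Refuse before vol_path is set so cleanup() does not detach a volume this
# script did not attach.
if test -e "$mount_point"; then
  die "$mount_point already exists; detach it before running this script"
fi
hdiutil attach "$udrw_dmg"
readonly vol_path="$mount_point"
# Check the assumption above rather than letting codesign fail obscurely.
test -d "$vol_path/CMake.app" \
  || die "expected $vol_path/CMake.app after attaching $udrw_dmg"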
# Sign the command-line tools individually and then the bundle itself, with
# the hardened runtime and a secure timestamp that notarization expects.
# Order matters: the nested executables are listed before the enclosing app.
to_sign=(
  "$vol_path/CMake.app/Contents/bin/cmake"
  "$vol_path/CMake.app/Contents/bin/ccmake"
  "$vol_path/CMake.app/Contents/bin/ctest"
  "$vol_path/CMake.app/Contents/bin/cpack"
  "$vol_path/CMake.app"
)
codesign --verify --timestamp --options=runtime --verbose --deep \
  -s "$id" \
  --entitlements "$entitlements_xml" \
  "${to_sign[@]}"
# Notarize: upload a zip of the signed bundle, wait for Apple's verdict, then
# staple the resulting ticket into the bundle on the mounted volume.
# Credentials come from the keychain profile, never from argv or environment.
# NOTE(review): a rejected submission leaves no ticket, so the staple step
# should fail; confirm that notarytool itself also exits non-zero under
# --wait so set -e stops here before the image is written back.
readonly notarize_zip="$tmpdir/CMake.app.zip"
ditto -c -k --keepParent "$vol_path/CMake.app" "$notarize_zip"
xcrun notarytool submit "$notarize_zip" --keychain-profile "$keychain_profile" --wait
xcrun stapler staple "$vol_path/CMake.app"
# Create a tarball of the signed, stapled bundle next to the original disk
# image.  -C keeps the archive rooted at "<vol_name>/CMake.app".
readonly tar_gz="${dmg%.dmg}.tar.gz"
tar -c -v -z -f "$tar_gz" -C /Volumes "$vol_name/CMake.app"

# Unmount the modified udrw image before converting it so the conversion
# sees the final on-disk contents (cleanup() would detach too, but only at
# exit, after the conversion).
hdiutil detach "$vol_path"

# Convert back to a read-only, compressed image, overwriting (-ov) the
# original .dmg in place with the signed and stapled contents.
hdiutil convert "$udrw_dmg" -format UDZO -imagekey zlib-level=9 -ov -o "$dmg"