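#!/usr/bin/env bash
# Sign and notarize the "CMake.app" bundle inside a ".dmg" disk image, then
# rebuild the image (re-applying its software license agreement) and write a
# matching ".tar.gz" next to it.  Runs only on macOS with the Xcode command
# line tools available (hdiutil, plutil, codesign, ditto, xcrun notarytool,
# xcrun stapler).

set -euo pipefail

readonly usage='usage: sign-notarize.bash -i <id> -k <keychain-profile> [--] <package>.dmg

Sign and notarize the "CMake.app" bundle inside the given "<package>.dmg" disk image.
Also produce a "<package>.tar.gz" tarball containing the same "CMake.app".

Options:

  -i <id>                Signing Identity
  -k <keychain-profile>  Keychain profile containing stored credentials

Create the keychain profile ahead of time using

  xcrun notarytool store-credentials <keychain-profile> \
    --apple-id <apple-id> --team-id <team-id> [--password <app-specific-password>]

where:

  <apple-id>               is an Apple ID of a developer account
  <team-id>                is from https://developer.apple.com/account/#!/membership
  <app-specific-password>  is generated via https://support.apple.com/en-us/HT204397

If --password is omitted, notarytool will prompt for it.

This creates a keychain item called "com.apple.gke.notary.tool" with an account
name "com.apple.gke.notary.tool.saved-creds.<keychain-profile>".
'

#######################################
# Release everything the script may have created.  Runs from the EXIT trap,
# so both variables may still be unset (hence the "${var-}" defaults).
# Globals:  vol_path (read), tmpdir (read)
#######################################
cleanup() {
  # Detach the volume before deleting its backing image, which lives in tmpdir.
  if test -d "${vol_path-}"; then
    hdiutil detach "$vol_path"
  fi
  if test -d "${tmpdir-}"; then
    rm -rf -- "$tmpdir"
  fi
}
trap "cleanup" EXIT

#######################################
# Print a message to stderr and exit with status 1.
# Arguments: message words, joined by spaces
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

# Parse options.  Every option that takes a value is checked for the value's
# presence so a trailing "-i" yields the usage text instead of a bare "shift"
# failure under "set -e".
id=''
keychain_profile=''
while test "$#" != 0; do
  case "$1" in
    -i)
      test "$#" -ge 2 || die "$usage"
      shift
      id="$1"
      ;;
    -k)
      test "$#" -ge 2 || die "$usage"
      shift
      keychain_profile="$1"
      ;;
    --)
      shift
      break
      ;;
    -*)
      die "$usage"
      ;;
    *)
      break
      ;;
  esac
  shift
done

# The one remaining positional argument must be the disk image.
case "${1-}" in
  *.dmg)
    readonly dmg="$1"
    shift
    ;;
  *)
    die "$usage"
    ;;
esac
test "$#" = 0 || die "$usage"

# Verify arguments.
if test -z "$id" || test -z "$keychain_profile"; then
  die "$usage"
fi
test -f "$dmg" || die "'$dmg' is not a file"

# Verify environment.
if ! xcrun --find notarytool >/dev/null 2>&1; then
  die "'xcrun notarytool' not found"
fi

# Declared separately from the assignment so a failing mktemp is not masked
# by the (always successful) readonly builtin.
tmpdir="$(mktemp -d)" || die "mktemp failed"
readonly tmpdir

# Prepare entitlements.  The only entitlement granted is the one named in the
# key below; it is applied together with --options=runtime (hardened runtime)
# in the codesign call further down.
readonly entitlements_xml="$tmpdir/entitlements.xml"
cat > "$entitlements_xml" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>com.apple.security.cs.allow-dyld-environment-variables</key>
  <true/>
</dict>
</plist>
EOF

# Extract SLA: dump the image resources as XML and drop the 'blkx' and 'plst'
# entries so what remains can be re-inserted into the rebuilt image below.
readonly sla_xml="$tmpdir/sla.xml"
hdiutil udifderez -xml "$dmg" > "$sla_xml"
plutil -remove 'blkx' "$sla_xml"
plutil -remove 'plst' "$sla_xml"

# Convert from read-only original image to read-write.
readonly udrw_dmg="$tmpdir/udrw.dmg"
hdiutil convert "$dmg" -format UDRW -o "${udrw_dmg}"

# Mount the temporary udrw image.  The volume name is derived from the image
# file name; refuse to continue if something is already mounted under that
# name, because hdiutil would then choose a different mount point and both the
# signing steps and cleanup's detach would operate on the wrong volume.
# vol_path is assigned only after this check so the EXIT trap never detaches
# a volume this script did not mount.
readonly vol_name="$(basename "${dmg%.dmg}")"
if test -e "/Volumes/$vol_name"; then
  die "'/Volumes/$vol_name' already exists; detach it before running this script"
fi
readonly vol_path="/Volumes/$vol_name"
hdiutil attach "${udrw_dmg}"

# Sign the command-line executables and the bundle itself with the hardened
# runtime and the entitlements prepared above.
codesign --verify --timestamp --options=runtime --verbose --deep \
  -s "$id" \
  --entitlements "$entitlements_xml" \
  "$vol_path/CMake.app/Contents/bin/cmake" \
  "$vol_path/CMake.app/Contents/bin/ccmake" \
  "$vol_path/CMake.app/Contents/bin/ctest" \
  "$vol_path/CMake.app/Contents/bin/cpack" \
  "$vol_path/CMake.app"

# Notarize: notarytool takes a zip, so pack the bundle, submit it with the
# stored credentials, wait for the result, then staple the ticket to the
# bundle on the mounted volume (stapling fails if no ticket was issued).
ditto -c -k --keepParent "$vol_path/CMake.app" "$tmpdir/CMake.app.zip"
xcrun notarytool submit "$tmpdir/CMake.app.zip" --keychain-profile "$keychain_profile" --wait
xcrun stapler staple "$vol_path/CMake.app"

# Create a tarball of the volume next to the original disk image.
readonly tar_gz="${dmg/%.dmg/.tar.gz}"
tar cvzf "$tar_gz" -C /Volumes "$vol_name/CMake.app"

# Unmount the modified udrw image.
hdiutil detach "$vol_path"

# Convert back to read-only, compressed image, overwriting the input image.
hdiutil convert "${udrw_dmg}" -format UDZO -imagekey zlib-level=9 -ov -o "$dmg"

# Re-insert SLA.  The placeholder argument is kept from the upstream script;
# its purpose is not documented there (see the name).
hdiutil udifrez -xml "${sla_xml}" 'FIXME_WHY_IS_THIS_ARGUMENT_NEEDED' "$dmg"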