JBR-5600 Notarize macOS binaries using notarytool

(cherry picked from commit 7916ed31b7)

jb/project/tools/mac/scripts/notarize.sh

@@ -1,21 +1,16 @@
 #!/bin/bash
 
+#immediately exit script with an error if a command fails
 set -euo pipefail
-set -x
 
-APP_DIRECTORY=$1
-APPL_USER=$2
-APPL_PASSWORD=$3
-APP_NAME=$4
-BUNDLE_ID=$5
-FAKE_ROOT="${6:-fake-root}"
+APP_PATH=$1
 
-if [[ -z "$APP_DIRECTORY" ]] || [[ -z "$APPL_USER" ]] || [[ -z "$APPL_PASSWORD" ]]; then
-  echo "Usage: $0 AppDirectory Username Password"
+if [[ -z "$APP_PATH" ]]; then
+  echo "Usage: $0 AppPath"
   exit 1
 fi
-if [[ ! -d "$APP_DIRECTORY" ]]; then
-  echo "AppDirectory '$APP_DIRECTORY' does not exist or not a directory"
+if [[ ! -f "$APP_PATH" ]]; then
+  echo "AppName '$APP_PATH' does not exist or not a file"
   exit 1
 fi
 
@@ -23,99 +18,22 @@ function log() {
   echo "$(date '+[%H:%M:%S]') $*"
 }
 
-function publish-log() {
-  id=$1
-  file=$2
-  curl -T "$file" "$ARTIFACTORY_URL/$id" || true
-}
 
-function altool-upload() {
-  # Since altool uses same file for upload token we have to trick it into using different folders for token file location
-  # Also it copies zip into TMPDIR so we override it too, to simplify cleanup
-  OLD_HOME="$HOME"
-  export HOME="$FAKE_ROOT/home"
-  export TMPDIR="$FAKE_ROOT/tmp"
-  mkdir -p "$HOME"
-  mkdir -p "$TMPDIR"
-  export _JAVA_OPTIONS="-Duser.home=$HOME -Djava.io.tmpdir=$TMPDIR"
-  # Reduce amount of downloads, cache transporter libraries
-  shared_itmstransporter="$OLD_HOME/shared-itmstransporter"
-  if [[ -f "$shared_itmstransporter" ]]; then
-    cp -r "$shared_itmstransporter" "$HOME/.itmstransporter"
-  fi
-  # For some reason altool prints everything to stderr, not stdout
-  set +e
-  xcrun altool --notarize-app \
-    --username "$APPL_USER" --password "$APPL_PASSWORD" \
-    --primary-bundle-id "$BUNDLE_ID" \
-    --asc-provider JetBrainssro --file "$1" 2>&1 | tee "altool.init.out"
-  unset TMPDIR
-  export HOME="$OLD_HOME"
-  set -e
-}
+# check required parameters
+: "${APPLE_ISSUER_ID}"
+: "${APPLE_KEY_ID}"
+: "${APPLE_PRIVATE_KEY}"
 
-#immediately exit script with an error if a command fails
-set -euo pipefail
+# shellcheck disable=SC2064
+trap "rm -f \"$PWD/tmp_key\"" INT EXIT RETURN
+echo -n "${APPLE_PRIVATE_KEY}" > tmp_key
 
-#file="$APP_NAME.zip"
+log "Notarizing $APP_PATH..."
+xcrun notarytool submit --key tmp_key --key-id "${APPLE_KEY_ID}" --issuer "${APPLE_ISSUER_ID}" "$APP_PATH" 2>&1 | tee "notarytool.submit.out"
+REQUEST_ID="$(grep -e " id: " "notarytool.submit.out" | grep -oE '([0-9a-f-]{36})'| head -n1)"
 
-#log "Zipping $file..."
-#rm -rf "$file"
-#ditto -c -k --sequesterRsrc --keepParent "$APP_DIRECTORY" "$file"
+xcrun notarytool wait "$REQUEST_ID" --key tmp_key --key-id "${APPLE_KEY_ID}" --issuer "${APPLE_ISSUER_ID}" --timeout 6h ||:
+xcrun notarytool log  "$REQUEST_ID" --key tmp_key --key-id "${APPLE_KEY_ID}" --issuer "${APPLE_ISSUER_ID}" developer_log.json ||:
+xcrun notarytool info "$REQUEST_ID" --key tmp_key --key-id "${APPLE_KEY_ID}" --issuer "${APPLE_ISSUER_ID}"
 
-log "Notarizing $APP_NAME..."
-rm -rf "altool.init.out" "altool.check.out"
-altool-upload "$APP_NAME"
-
-notarization_info="$(grep -e "RequestUUID" "altool.init.out" | grep -oE '([0-9a-f-]{36})')"
-
-if [ -z "$notarization_info" ]; then
-  log "Faile to read RequestUUID from altool.init.out"
-  exit 10
-fi
-
-PATH="$PATH:/usr/local/bin/"
-
-log "Notarization request sent, awaiting response"
-spent=0
-
-while true; do
-  # For some reason altool prints everything to stderr, not stdout
-  xcrun altool --username "$APPL_USER" --notarization-info "$notarization_info" --password "$APPL_PASSWORD" >"altool.check.out" 2>&1 || true
-  status="$(grep -oe 'Status: .*' "altool.check.out" | cut -c 9- || true)"
-  log "Current status: $status"
-  if [ "$status" = "invalid" ]; then
-    log "Notarization failed"
-    ec=1
-  elif [ "$status" = "success" ]; then
-    log "Notarization succeeded"
-    ec=0
-  else
-    if [ "$status" != "in progress" ]; then
-      log "Unknown notarization status, waiting more, altool output:"
-      cat "altool.check.out"
-    fi
-    if [[ $spent -gt 60 ]]; then
-      log "Waiting time out (apx 60 minutes)"
-      ec=2
-      break
-    fi
-    sleep 60
-    ((spent += 1))
-    continue
-  fi
-  developer_log="developer_log.json"
-  log "Fetching $developer_log"
-  # TODO: Replace cut with trim or something better
-  url="$(grep -oe 'LogFileURL: .*' "altool.check.out" | cut -c 13-)"
-  wget "$url" -O "$developer_log" && cat "$developer_log" || true
-  if [ $ec != 0 ]; then
-    log "Publishing $developer_log"
-    publish-log "$notarization_info" "$developer_log"
-  fi
-  break
-done
-cat "altool.check.out"
-
-rm -rf "altool.init.out" "altool.check.out"
-exit $ec
+log "Notarizing finished"

jb/project/tools/mac/scripts/signapp.sh

@@ -106,16 +106,7 @@ set -e
 
 if [ "$NOTARIZE" = "yes" ]; then
   log "Notarizing..."
-  # shellcheck disable=SC1090
-  source "$HOME/.notarize_token"
-  # Since notarization tool uses same file for upload token we have to trick it into using different folders, hence fake root
-  # Also it leaves copy of zip file in TMPDIR, so notarize.sh overrides it and uses FAKE_ROOT as location for temp TMPDIR
-  FAKE_ROOT="$(pwd)/fake-root"
-  mkdir -p "$FAKE_ROOT"
-  echo "Notarization will use fake root: $FAKE_ROOT"
-  ./notarize.sh "$APPLICATION_PATH" "$APPLE_USERNAME" "$APPLE_PASSWORD" "$APP_NAME.pkg" "$BUNDLE_ID" "$FAKE_ROOT"
-  rm -rf "$FAKE_ROOT"
-
+  "$SCRIPT_DIR/notarize.sh" "$APP_NAME.pkg"
   set +e
   log "Stapling..."
   xcrun stapler staple "$APPLICATION_PATH"