From 32bbda291e0bbbb38aef229074ceca00a4e555f8 Mon Sep 17 00:00:00 2001
From: Vladislav Rassokhin
Date: Mon, 1 May 2023 17:42:48 +0200
Subject: [PATCH] JBR-5600 Notarize macOS binaries using notarytool
(cherry picked from commit 7916ed31b7a6b079b4b0748b5c64bbd8aa98cf7a)
---
 jb/project/tools/mac/scripts/notarize.sh | 122 ++++-------------------
 jb/project/tools/mac/scripts/signapp.sh | 11 +-
 2 files changed, 21 insertions(+), 112 deletions(-)
diff --git a/jb/project/tools/mac/scripts/notarize.sh b/jb/project/tools/mac/scripts/notarize.sh
index e5d7bfe963e0..b635d5d6e774 100755
--- a/jb/project/tools/mac/scripts/notarize.sh
+++ b/jb/project/tools/mac/scripts/notarize.sh
@@ -1,21 +1,16 @@
 #!/bin/bash
+#immediately exit script with an error if a command fails
 set -euo pipefail
-set -x
-APP_DIRECTORY=$1
-APPL_USER=$2
-APPL_PASSWORD=$3
-APP_NAME=$4
-BUNDLE_ID=$5
-FAKE_ROOT="${6:-fake-root}"
+APP_PATH=$1
-if [[ -z "$APP_DIRECTORY" ]] || [[ -z "$APPL_USER" ]] || [[ -z "$APPL_PASSWORD" ]]; then
- echo "Usage: $0 AppDirectory Username Password"
+if [[ -z "$APP_PATH" ]]; then
+ echo "Usage: $0 AppPath"
 exit 1
 fi
-if [[ ! -d "$APP_DIRECTORY" ]]; then
- echo "AppDirectory '$APP_DIRECTORY' does not exist or not a directory"
+if [[ ! -f "$APP_PATH" ]]; then
+ echo "AppName '$APP_PATH' does not exist or not a file"
 exit 1
 fi
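Review bot: With `set -u` in force two lines above, `APP_PATH=$1` aborts with an "unbound variable" error when the script is invoked without an argument, so the usage check that follows it is never reached; `APP_PATH=${1:-}` keeps the `-z` test meaningful. The second error message still says `AppName` although the parameter is now a file path; `echo "AppPath '$APP_PATH' does not exist or not a file"` matches the usage line.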
@@ -23,99 +18,22 @@ function log() {
 echo "$(date '+[%H:%M:%S]') $*"
 }
-function publish-log() {
- id=$1
- file=$2
- curl -T "$file" "$ARTIFACTORY_URL/$id" || true
-}
-function altool-upload() {
- # Since altool uses same file for upload token we have to trick it into using different folders for token file location
- # Also it copies zip into TMPDIR so we override it too, to simplify cleanup
- OLD_HOME="$HOME"
- export HOME="$FAKE_ROOT/home"
- export TMPDIR="$FAKE_ROOT/tmp"
- mkdir -p "$HOME"
- mkdir -p "$TMPDIR"
- export _JAVA_OPTIONS="-Duser.home=$HOME -Djava.io.tmpdir=$TMPDIR"
- # Reduce amount of downloads, cache transporter libraries
- shared_itmstransporter="$OLD_HOME/shared-itmstransporter"
- if [[ -f "$shared_itmstransporter" ]]; then
- cp -r "$shared_itmstransporter" "$HOME/.itmstransporter"
- fi
- # For some reason altool prints everything to stderr, not stdout
- set +e
- xcrun altool --notarize-app \
- --username "$APPL_USER" --password "$APPL_PASSWORD" \
- --primary-bundle-id "$BUNDLE_ID" \
- --asc-provider JetBrainssro --file "$1" 2>&1 | tee "altool.init.out"
- unset TMPDIR
- export HOME="$OLD_HOME"
- set -e
-}
+# check required parameters
+: "${APPLE_ISSUER_ID}"
+: "${APPLE_KEY_ID}"
+: "${APPLE_PRIVATE_KEY}"
-#immediately exit script with an error if a command fails
-set -euo pipefail
+# shellcheck disable=SC2064
+trap "rm -f \"$PWD/tmp_key\"" INT EXIT RETURN
+echo -n "${APPLE_PRIVATE_KEY}" > tmp_key
-#file="$APP_NAME.zip"
+log "Notarizing $APP_PATH..."
+xcrun notarytool submit --key tmp_key --key-id "${APPLE_KEY_ID}" --issuer "${APPLE_ISSUER_ID}" "$APP_PATH" 2>&1 | tee "notarytool.submit.out"
+REQUEST_ID="$(grep -e " id: " "notarytool.submit.out" | grep -oE '([0-9a-f-]{36})'| head -n1)"
-#log "Zipping $file..."
-#rm -rf "$file"
-#ditto -c -k --sequesterRsrc --keepParent "$APP_DIRECTORY" "$file"
+xcrun notarytool wait "$REQUEST_ID" --key tmp_key --key-id "${APPLE_KEY_ID}" --issuer "${APPLE_ISSUER_ID}" --timeout 6h ||:
+xcrun notarytool log "$REQUEST_ID" --key tmp_key --key-id "${APPLE_KEY_ID}" --issuer "${APPLE_ISSUER_ID}" developer_log.json ||:
+xcrun notarytool info "$REQUEST_ID" --key tmp_key --key-id "${APPLE_KEY_ID}" --issuer "${APPLE_ISSUER_ID}"
-log "Notarizing $APP_NAME..."
-rm -rf "altool.init.out" "altool.check.out"
-altool-upload "$APP_NAME"
-
-notarization_info="$(grep -e "RequestUUID" "altool.init.out" | grep -oE '([0-9a-f-]{36})')"
-
-if [ -z "$notarization_info" ]; then
- log "Faile to read RequestUUID from altool.init.out"
- exit 10
-fi
-
-PATH="$PATH:/usr/local/bin/"
-
-log "Notarization request sent, awaiting response"
-spent=0
-
-while true; do
- # For some reason altool prints everything to stderr, not stdout
- xcrun altool --username "$APPL_USER" --notarization-info "$notarization_info" --password "$APPL_PASSWORD" >"altool.check.out" 2>&1 || true
- status="$(grep -oe 'Status: .*' "altool.check.out" | cut -c 9- || true)"
- log "Current status: $status"
- if [ "$status" = "invalid" ]; then
- log "Notarization failed"
- ec=1
- elif [ "$status" = "success" ]; then
- log "Notarization succeeded"
- ec=0
- else
- if [ "$status" != "in progress" ]; then
- log "Unknown notarization status, waiting more, altool output:"
- cat "altool.check.out"
- fi
- if [[ $spent -gt 60 ]]; then
- log "Waiting time out (apx 60 minutes)"
- ec=2
- break
- fi
- sleep 60
- ((spent += 1))
- continue
- fi
- developer_log="developer_log.json"
- log "Fetching $developer_log"
- # TODO: Replace cut with trim or something better
- url="$(grep -oe 'LogFileURL: .*' "altool.check.out" | cut -c 13-)"
- wget "$url" -O "$developer_log" && cat "$developer_log" || true
- if [ $ec != 0 ]; then
- log "Publishing $developer_log"
- publish-log "$notarization_info" "$developer_log"
- fi
- break
-done
-cat "altool.check.out"
-
-rm -rf "altool.init.out" "altool.check.out"
-exit $ec
+log "Notarizing finished"
diff --git a/jb/project/tools/mac/scripts/signapp.sh b/jb/project/tools/mac/scripts/signapp.sh
index 13b1c36408ef..2b91c94c4076 100755
--- a/jb/project/tools/mac/scripts/signapp.sh
+++ b/jb/project/tools/mac/scripts/signapp.sh
@@ -106,16 +106,7 @@ set -e
 if [ "$NOTARIZE" = "yes" ]; then
 log "Notarizing..."
- # shellcheck disable=SC1090
- source "$HOME/.notarize_token"
- # Since notarization tool uses same file for upload token we have to trick it into using different folders, hence fake root
- # Also it leaves copy of zip file in TMPDIR, so notarize.sh overrides it and uses FAKE_ROOT as location for temp TMPDIR
- FAKE_ROOT="$(pwd)/fake-root"
- mkdir -p "$FAKE_ROOT"
- echo "Notarization will use fake root: $FAKE_ROOT"
- ./notarize.sh "$APPLICATION_PATH" "$APPLE_USERNAME" "$APPLE_PASSWORD" "$APP_NAME.pkg" "$BUNDLE_ID" "$FAKE_ROOT"
- rm -rf "$FAKE_ROOT"
-
+ "$SCRIPT_DIR/notarize.sh" "$APP_NAME.pkg"
 set +e
 log "Stapling..."
 xcrun stapler staple "$APPLICATION_PATH"
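Review bot: The new tail of notarize.sh never checks the notarization outcome: the exit status of `notarytool wait` is discarded by `||:`, `notarytool info` only prints, and the script then logs "Notarizing finished" and exits 0 even when the submission was rejected or the 6h timeout elapsed, so a package that is not notarized proceeds to stapling. The `status:` line of the `info` output (the same `key: value` layout the hunk already greps ` id: ` from) should be parsed and anything other than `Accepted` should fail the script, and an empty `REQUEST_ID` — the old `RequestUUID` guard was dropped — should fail before the `wait` rather than surface as an obscure `info` error. Separately, `echo -n "${APPLE_PRIVATE_KEY}" > tmp_key` writes the App Store Connect private key into the build directory under the default umask; `umask 077` before the redirect (and `printf '%s'` instead of `echo -n`) keeps it unreadable to other users on a shared build host. Proposed replacement for the lines from the `REQUEST_ID` assignment to the final log:
```shell
# … unchanged: parameter check, key file creation, submit and REQUEST_ID extraction …
[[ -n "$REQUEST_ID" ]] || { log "Failed to read submission id from notarytool.submit.out"; exit 10; }
xcrun notarytool wait "$REQUEST_ID" --key tmp_key --key-id "${APPLE_KEY_ID}" --issuer "${APPLE_ISSUER_ID}" --timeout 6h ||:
xcrun notarytool log "$REQUEST_ID" --key tmp_key --key-id "${APPLE_KEY_ID}" --issuer "${APPLE_ISSUER_ID}" developer_log.json ||:
xcrun notarytool info "$REQUEST_ID" --key tmp_key --key-id "${APPLE_KEY_ID}" --issuer "${APPLE_ISSUER_ID}" 2>&1 | tee "notarytool.info.out"
# notarytool prints "  status: Accepted" / "Invalid" / "In Progress"; anything but Accepted is a failure here
STATUS="$(grep -oE 'status: .*' "notarytool.info.out" | head -n1)"
STATUS="${STATUS#status: }"
if [[ "$STATUS" != "Accepted" ]]; then
  log "Notarization did not succeed (status: '${STATUS:-unknown}'); see developer_log.json"
  exit 1
fi
log "Notarizing finished"
```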
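Review bot: The new call site drops `source "$HOME/.notarize_token"` but nothing in the hunk says where the App Store Connect credentials now come from; notarize.sh (first file in this patch) aborts under `set -u` unless `APPLE_ISSUER_ID`, `APPLE_KEY_ID` and `APPLE_PRIVATE_KEY` are set, so a comment above the call — `# notarize.sh reads APPLE_ISSUER_ID, APPLE_KEY_ID and APPLE_PRIVATE_KEY (App Store Connect API key) from the environment` — saves the next reader a hunt. `$SCRIPT_DIR` is presumably defined earlier in the file, outside this hunk. Note also that the script switches to `set +e` right after the call, so a failure of the following `xcrun stapler staple` (the usual symptom of a rejected or still-pending notarization) goes unnoticed unless its status is checked later; the `if` block continues past the end of the hunk.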