JBR-1821 notarize JBR bundles as a standalone app

jb/project/tools/mac/scripts/entitlements.xml

@@ -0,0 +1,16 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+    <dict>
+        <key>com.apple.security.cs.allow-jit</key>
+        <true/>
+        <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
+        <true/>
+        <key>com.apple.security.cs.allow-dyld-environment-variables</key>
+        <true/>
+        <key>com.apple.security.cs.disable-library-validation</key>
+        <true/>
+        <key>com.apple.security.cs.disable-executable-page-protection</key>
+        <true/>
+    </dict>
+</plist>

jb/project/tools/mac/scripts/notarize.sh

@@ -0,0 +1,120 @@
+#!/bin/bash
+
+APP_DIRECTORY=$1
+APPL_USER=$2
+APPL_PASSWORD=$3
+APP_NAME=$4
+BUNDLE_ID=$5
+FAKE_ROOT="${6:-fake-root}"
+
+if [[ -z "$APP_DIRECTORY" ]] || [[ -z "$APPL_USER" ]] || [[ -z "$APPL_PASSWORD" ]]; then
+  echo "Usage: $0 AppDirectory Username Password"
+  exit 1
+fi
+if [[ ! -d "$APP_DIRECTORY" ]]; then
+  echo "AppDirectory '$APP_DIRECTORY' does not exist or not a directory"
+  exit 1
+fi
+
+function log() {
+  echo "$(date '+[%H:%M:%S]') $*"
+}
+
+function publish-log() {
+  id=$1
+  file=$2
+  curl -T "$file" "$ARTIFACTORY_URL/$id" || true
+}
+
+function altool-upload() {
+  # Since altool uses same file for upload token we have to trick it into using different folders for token file location
+  # Also it copies zip into TMPDIR so we override it too, to simplify cleanup
+  OLD_HOME="$HOME"
+  export HOME="$FAKE_ROOT/home"
+  export TMPDIR="$FAKE_ROOT/tmp"
+  mkdir -p "$HOME"
+  mkdir -p "$TMPDIR"
+  export _JAVA_OPTIONS="-Duser.home=$HOME -Djava.io.tmpdir=$TMPDIR"
+  # Reduce amount of downloads, cache transporter libraries
+  shared_itmstransporter="$OLD_HOME/shared-itmstransporter"
+  if [[ -f "$shared_itmstransporter" ]]; then
+    cp -r "$shared_itmstransporter" "$HOME/.itmstransporter"
+  fi
+  # For some reason altool prints everything to stderr, not stdout
+  set +e
+  xcrun altool --notarize-app \
+    --username "$APPL_USER" --password "$APPL_PASSWORD" \
+    --primary-bundle-id "$BUNDLE_ID" \
+    --asc-provider JetBrainssro --file "$1" 2>&1 | tee "altool.init.out"
+  unset TMPDIR
+  export HOME="$OLD_HOME"
+  set -e
+}
+
+#immediately exit script with an error if a command fails
+set -euo pipefail
+
+file="$APP_NAME.zip"
+
+log "Zipping $file..."
+rm -rf "$file"
+ditto -c -k --sequesterRsrc --keepParent "$APP_DIRECTORY/Contents" "$file"
+
+log "Notarizing $file..."
+rm -rf "altool.init.out" "altool.check.out"
+altool-upload "$file"
+
+rm -rf "$file"
+
+notarization_info="$(grep -e "RequestUUID" "altool.init.out" | grep -oE '([0-9a-f-]{36})')"
+
+if [ -z "$notarization_info" ]; then
+  log "Faile to read RequestUUID from altool.init.out"
+  exit 10
+fi
+
+PATH="$PATH:/usr/local/bin/"
+
+log "Notarization request sent, awaiting response"
+spent=0
+
+while true; do
+  # For some reason altool prints everything to stderr, not stdout
+  xcrun altool --username "$APPL_USER" --notarization-info "$notarization_info" --password "$APPL_PASSWORD" >"altool.check.out" 2>&1 || true
+  status="$(grep -oe 'Status: .*' "altool.check.out" | cut -c 9- || true)"
+  log "Current status: $status"
+  if [ "$status" = "invalid" ]; then
+    log "Notarization failed"
+    ec=1
+  elif [ "$status" = "success" ]; then
+    log "Notarization succeeded"
+    ec=0
+  else
+    if [ "$status" != "in progress" ]; then
+      log "Unknown notarization status, waiting more, altool output:"
+      cat "altool.check.out"
+    fi
+    if [[ $spent -gt 60 ]]; then
+      log "Waiting time out (apx 60 minutes)"
+      ec=2
+      break
+    fi
+    sleep 60
+    ((spent += 1))
+    continue
+  fi
+  developer_log="developer_log.json"
+  log "Fetching $developer_log"
+  # TODO: Replace cut with trim or something better
+  url="$(grep -oe 'LogFileURL: .*' "altool.check.out" | cut -c 13-)"
+  wget "$url" -O "$developer_log" && cat "$developer_log" || true
+  if [ $ec != 0 ]; then
+    log "Publishing $developer_log"
+    publish-log "$notarization_info" "$developer_log"
+  fi
+  break
+done
+cat "altool.check.out"
+
+rm -rf "altool.init.out" "altool.check.out"
+exit $ec

jb/project/tools/mac/scripts/sign.sh

@@ -0,0 +1,93 @@
+#!/bin/bash
+
+APP_DIRECTORY=$1
+JB_CERT=$2
+
+if [[ -z "$APP_DIRECTORY" ]] || [[ -z "$JB_CERT" ]]; then
+  echo "Usage: $0 AppDirectory CertificateID"
+  exit 1
+fi
+if [[ ! -d "$APP_DIRECTORY" ]]; then
+  echo "AppDirectory '$APP_DIRECTORY' does not exist or not a directory"
+  exit 1
+fi
+
+function log() {
+  echo "$(date '+[%H:%M:%S]') $*"
+}
+
+#immediately exit script with an error if a command fails
+set -euo pipefail
+
+# Cleanup files left from previous sign attempt (if any)
+find "$APP_DIRECTORY" -name '*.cstemp' -exec rm '{}' \;
+
+log "Signing libraries and executables..."
+# -perm +111 searches for executables
+for f in \
+   "Contents/Home/bin" \
+   "Contents/Home/lib"; do
+  if [ -d "$APP_DIRECTORY/$f" ]; then
+    find "$APP_DIRECTORY/$f" \
+      -type f \( -name "*.jnilib" -o -name "*.dylib" -o -name "*.so" -o -perm +111 \) \
+      -exec codesign --timestamp \
+      -v -s "$JB_CERT" --options=runtime \
+      --entitlements entitlements.xml {} \;
+  fi
+done
+
+log "Signing libraries in jars in $PWD"
+
+# todo: add set -euo pipefail; into the inner sh -c
+# `-e` prevents `grep -q && printf` loginc
+# with `-o pipefail` there's no input for 'while' loop
+find "$APP_DIRECTORY" -name '*.jar' \
+  -exec sh -c "set -u; unzip -l \"\$0\" | grep -q -e '\.dylib\$' -e '\.jnilib\$' -e '\.so\$' -e '^jattach\$' && printf \"\$0\0\" " {} \; |
+  while IFS= read -r -d $'\0' file; do
+    log "Processing libraries in $file"
+
+    rm -rf jarfolder jar.jar
+    mkdir jarfolder
+    filename="${file##*/}"
+    log "Filename: $filename"
+    cp "$file" jarfolder && (cd jarfolder && jar xf "$filename" && rm "$filename")
+
+    find jarfolder \
+      -type f \( -name "*.jnilib" -o -name "*.dylib" -o -name "*.so" -o -name "jattach" \) \
+      -exec codesign --timestamp \
+      -v -s "$JB_CERT" --options=runtime \
+      --entitlements entitlements.xml {} \;
+
+    (cd jarfolder; zip -q -r -o ../jar.jar .)
+    mv jar.jar "$file"
+  done
+
+rm -rf jarfolder jar.jar
+
+log "Signing other files..."
+for f in \
+  "Contents/MacOS"; do
+  if [ -d "$APP_DIRECTORY/$f" ]; then
+    find "$APP_DIRECTORY/$f" \
+      -type f \( -name "*.jnilib" -o -name "*.dylib" -o -name "*.so" -o -perm +111 \) \
+      -exec codesign --timestamp \
+      -v -s "$JB_CERT" --options=runtime \
+      --entitlements entitlements.xml {} \;
+  fi
+done
+
+#log "Signing executable..."
+#codesign --timestamp \
+#    -v -s "$JB_CERT" --options=runtime \
+#    --force \
+#    --entitlements entitlements.xml "$APP_DIRECTORY/Contents/MacOS/idea"
+
+log "Signing whole app..."
+codesign --timestamp \
+  -v -s "$JB_CERT" --options=runtime \
+  --force \
+  --entitlements entitlements.xml "$APP_DIRECTORY"
+
+log "Verifying java is not broken"
+find "$APP_DIRECTORY" \
+  -type f -name 'java' -perm +111 -exec {} -version \;

jb/project/tools/mac/scripts/signapp.sh

@@ -0,0 +1,139 @@
+#!/bin/bash
+
+#immediately exit script with an error if a command fails
+set -euo pipefail
+
+export COPY_EXTENDED_ATTRIBUTES_DISABLE=true
+export COPYFILE_DISABLE=true
+
+INPUT_FILE=$1
+EXPLODED=$2.exploded
+BACKUP_JMODS=$2.backup
+USERNAME=$3
+PASSWORD=$4
+CODESIGN_STRING=$5
+NOTARIZE=$6
+BUNDLE_ID=$7
+
+cd "$(dirname "$0")"
+
+function log() {
+  echo "$(date '+[%H:%M:%S]') $*"
+}
+
+log "Deleting $EXPLODED ..."
+if test -d "$EXPLODED"; then
+  find "$EXPLODED" -mindepth 1 -maxdepth 1 -exec chmod -R u+wx '{}' \;
+fi
+rm -rf "$EXPLODED"
+mkdir "$EXPLODED"
+rm -rf "$BACKUP_JMODS"
+mkdir "$BACKUP_JMODS"
+
+log "Unzipping $INPUT_FILE to $EXPLODED ..."
+tar -xzvf "$INPUT_FILE" --directory $EXPLODED
+rm "$INPUT_FILE"
+BUILD_NAME="$(ls "$EXPLODED")"
+if test -d $EXPLODED/$BUILD_NAME/Contents/Home/jmods; then
+  mv $EXPLODED/$BUILD_NAME/Contents/Home/jmods $BACKUP_JMODS
+fi
+if test -f $EXPLODED/$BUILD_NAME/Contents/MacOS/libjli.dylib; then
+  mv $EXPLODED/$BUILD_NAME/Contents/MacOS/libjli.dylib $BACKUP_JMODS
+fi
+
+#log "$INPUT_FILE unzipped and removed"
+log "$INPUT_FILE extracted and removed"
+
+APPLICATION_PATH="$EXPLODED/$BUILD_NAME"
+
+find "$APPLICATION_PATH/Contents/Home/bin" \
+  -maxdepth 1 -type f -name '*.jnilib' -print0 |
+  while IFS= read -r -d $'\0' file; do
+    if [ -f "$file" ]; then
+      log "Linking $file"
+      b="$(basename "$file" .jnilib)"
+      ln -sf "$b.jnilib" "$(dirname "$file")/$b.dylib"
+    fi
+  done
+
+find "$APPLICATION_PATH/Contents/" \
+  -maxdepth 1 -type f -name '*.txt' -print0 |
+  while IFS= read -r -d $'\0' file; do
+    if [ -f "$file" ]; then
+      log "Moving $file"
+      mv "$file" "$APPLICATION_PATH/Contents/Resources"
+    fi
+  done
+
+non_plist=$(find "$APPLICATION_PATH/Contents/" -maxdepth 1 -type f -and -not -name 'Info.plist' | wc -l)
+if [[ $non_plist -gt 0 ]]; then
+  log "Only Info.plist file is allowed in Contents directory but found $non_plist file(s):"
+  log "$(find "$APPLICATION_PATH/Contents/" -maxdepth 1 -type f -and -not -name 'Info.plist')"
+  exit 1
+fi
+
+log "Unlocking keychain..."
+# Make sure *.p12 is imported into local KeyChain
+security unlock-keychain -p "$PASSWORD" "/Users/$USERNAME/Library/Keychains/login.keychain"
+
+attempt=1
+limit=3
+set +e
+while [[ $attempt -le $limit ]]; do
+  log "Signing (attempt $attempt) $APPLICATION_PATH ..."
+  ./sign.sh "$APPLICATION_PATH" "$CODESIGN_STRING"
+  ec=$?
+  if [[ $ec -ne 0 ]]; then
+    ((attempt += 1))
+    if [ $attempt -eq $limit ]; then
+      set -e
+    fi
+    log "Signing failed, wait for 30 sec and try to sign again"
+    sleep 30
+  else
+    log "Signing done"
+    codesign -v "$APPLICATION_PATH" -vvvvv
+    log "Check sign done"
+    ((attempt += limit))
+  fi
+done
+
+set -e
+
+if [ "$NOTARIZE" = "yes" ]; then
+  log "Notarizing..."
+  # shellcheck disable=SC1090
+  source "$HOME/.notarize_token"
+  APP_NAME=$(echo ${INPUT_FILE} | awk -F"." '{ print $1 }')
+  # Since notarization tool uses same file for upload token we have to trick it into using different folders, hence fake root
+  # Also it leaves copy of zip file in TMPDIR, so notarize.sh overrides it and uses FAKE_ROOT as location for temp TMPDIR
+  FAKE_ROOT="$(pwd)/fake-root"
+  mkdir -p "$FAKE_ROOT"
+  echo "Notarization will use fake root: $FAKE_ROOT"
+  ./notarize.sh "$APPLICATION_PATH" "$APPLE_USERNAME" "$APPLE_PASSWORD" "$APP_NAME" "$BUNDLE_ID" "$FAKE_ROOT"
+  rm -rf "$FAKE_ROOT"
+
+  set +e
+  log "Stapling..."
+  xcrun stapler staple "$APPLICATION_PATH"
+else
+  log "Notarization disabled"
+  log "Stapling disabled"
+fi
+
+log "Zipping $BUILD_NAME to $INPUT_FILE ..."
+(
+  #cd "$EXPLODED"
+  #ditto -c -k --sequesterRsrc --keepParent "$BUILD_NAME" "../$INPUT_FILE"
+  if test ! -z $(ls $BACKUP_JMODS/libjli.dylib); then
+    mv $BACKUP_JMODS/libjli.dylib $EXPLODED/$BUILD_NAME/Contents/MacOS
+  fi
+  if test -d $BACKUP_JMODS/jmods; then
+    mv $BACKUP_JMODS/jmods $EXPLODED/$BUILD_NAME/Contents/Home
+  fi
+
+  COPYFILE_DISABLE=1 tar -pczf $INPUT_FILE --exclude='*.dSYM' --exclude='man' -C $EXPLODED $BUILD_NAME
+  log "Finished zipping"
+)
+rm -rf "$EXPLODED"
+log "Done"