Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
Kitware
GitHub Repository: Kitware/CMake
 Path: blob/master/Utilities/Release/macos/sign-notarize.bash
5025 views
1
#!/usr/bin/env bash

2
set -e

3
readonly usage='usage: sign-notarize.bash <options>... [--] <package>.dmg

4


5
Sign and notarize the "CMake.app" bundle inside the given "<package>.dmg" disk image.

6
Also produce a "<package>.tar.gz" tarball containing the same "CMake.app".

7


8
Options:

9


10
    -id <id>               Signing Identity

11
    -kp <keychain-profile> Keychain profile containing notarization credentials.

12
    -kc <keychain-path>    Keychain path containing named profile.

13


14
Create the keychain profile ahead of time using

15


16
    xcrun notarytool store-credentials <keychain-profile> \

17
      --apple-id <dev-acct> --team-id <team-id> \

18
      [--keychain <keychain-path>] [--password <app-specific-password>]

19


20
where:

21


22
    <dev-acct>              is an Apple ID of a developer account

23
    <team-id>               is from https://developer.apple.com/account/#!/membership

24
    <app-specific-password> is generated via https://support.apple.com/en-us/HT204397

25
                            If --password is omitted, notarytool will prompt for it.

26


27
This creates a keychain item called "com.apple.gke.notary.tool" with an

28
account name "com.apple.gke.notary.tool.saved-creds.<keychain-profile>".

29
'

30


31
cleanup() {

32
    if test -d "$tmpdir"; then

33
        rm -rf "$tmpdir"

34
    fi

35
    if test -d "$vol_path"; then

36
        hdiutil detach "$vol_path"

37
    fi

38
}

39


40
trap "cleanup" EXIT

41


42
die() {

43
    echo "$@" 1>&2; exit 1

44
}

45


46
id=''

47
keychain=''

48
keychain_profile=''

49
while test "$#" != 0; do

50
    case "$1" in

51
    -id|-i) shift; id="$1" ;;

52
    -kc|--keychain) shift; keychain="$1" ;;

53
    -kp|-k|--keychain-profile) shift; keychain_profile="$1" ;;

54
    --) shift ; break ;;

55
    -*) die "$usage" ;;

56
    *) break ;;

57
    esac

58
    shift

59
done

60
case "$1" in

61
*.dmg) readonly dmg="$1"; shift ;;

62
*) die "$usage" ;;

63
esac

64
test "$#" = 0 || die "$usage"

65


66
# Verify environment.

67
if ! xcrun --find notarytool 2>/dev/null; then

68
    die "'xcrun notarytool' not found"

69
fi

70


71
# If a signing identity is not provided on the command-line,

72
# check for a GitLab CI variable in the environment, and then

73
# fall back to finding one automatically.

74
if test -z "$id" -a -n "$CODESIGN_IDENTITY"; then

75
    id="$CODESIGN_IDENTITY"

76
elif test -z "$id" && found_id="$(security find-identity -v -p codesigning 2>/dev/null | grep -E -m 1 -o '\<[0-9A-F]{40}\>')"; then

77
    id="$found_id"

78
else

79
    echo "No codesigning identity detected." 1>&2

80
fi

81


82
# If a keychain path/profile is not provided on the command-line,

83
# check for a GitLab CI variable in the environment.

84
if test -z "$keychain" -a -n "$NOTARYTOOL_KEYCHAIN"; then

85
    keychain="$NOTARYTOOL_KEYCHAIN"

86
fi

87
if test -z "$keychain_profile" -a -n "$NOTARYTOOL_KEYCHAIN_PROFILE"; then

88
    keychain_profile="$NOTARYTOOL_KEYCHAIN_PROFILE"

89
fi

90


91
# Verify arguments.

92
if test -z "$id" -o -z "$keychain_profile"; then

93
    die "$usage"

94
fi

95


96
readonly tmpdir="$(mktemp -d)"

97


98
# Prepare entitlements.

99
readonly entitlements_xml="$tmpdir/entitlements.xml"

100
echo '<?xml version="1.0" encoding="UTF-8"?>

101
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

102
<plist version="1.0">

103
<dict>

104
  <key>com.apple.security.cs.allow-dyld-environment-variables</key>

105
  <true/>

106
</dict>

107
</plist>' > "$entitlements_xml"

108


109
# Convert from read-only original image to read-write.

110
readonly udrw_dmg="$tmpdir/udrw.dmg"

111
hdiutil convert "$dmg" -format UDRW -o "${udrw_dmg}"

112


113
# Mount the temporary udrw image.

114
readonly vol_name="$(basename "${dmg%.dmg}")"

115
readonly vol_path="/Volumes/$vol_name"

116
hdiutil attach "${udrw_dmg}"

117


118
# Sign the application.

119
codesign --verify --timestamp --options=runtime --verbose --force \

120
  -s "$id" \

121
  --entitlements "$entitlements_xml" \

122
  "$vol_path"/CMake.app/Contents/bin/cmake \

123
  "$vol_path"/CMake.app/Contents/bin/ccmake \

124
  "$vol_path"/CMake.app/Contents/bin/ctest \

125
  "$vol_path"/CMake.app/Contents/bin/cpack \

126
  "$vol_path"/CMake.app/Contents/Frameworks/*.framework/Versions/[A56]/Qt* \

127
  "$vol_path"/CMake.app/Contents/PlugIns/*/lib*.dylib \

128
  "$vol_path"/CMake.app

129


130
# Prepare an application archive.

131
ditto -c -k --keepParent "$vol_path/CMake.app" "$tmpdir/CMake.app.zip"

132


133
# Notarize the application.

134
notarize="xcrun notarytool submit '$tmpdir/CMake.app.zip'"

135
if test -n "$keychain_profile"; then

136
    notarize="$notarize --keychain-profile '$keychain_profile'"

137
    if test -n "$keychain"; then

138
        notarize="$notarize --keychain '$keychain'"

139
    fi

140
fi

141
notarize="$notarize --wait"

142
eval "$notarize"

143


144
# Staple the notarization.

145
xcrun stapler staple "$vol_path/CMake.app"

146


147
# Create a tarball of the volume next to the original disk image.

148
readonly tar_gz="${dmg/%.dmg/.tar.gz}"

149
tar cvzf "$tar_gz" -C /Volumes "$vol_name/CMake.app"

150


151
# Unmount the modified udrw image.

152
hdiutil detach "$vol_path"

153


154
# Convert back to read-only, compressed image.

155
hdiutil convert "${udrw_dmg}" -format UDZO -imagekey zlib-level=9 -ov -o "$dmg"

156


157