CoCalc -- sign-notarize.bash

GitHub Repository: Kitware/CMake
Path: blob/master/Utilities/Release/macos/sign-notarize.bash
³¹⁵³ views
1
#!/usr/bin/env bash
2
set -e
3
readonly usage='usage: sign-notarize.bash -i <id> -k <keychain-profile> [--] <package>.dmg
4

5
Sign and notarize the "CMake.app" bundle inside the given "<package>.dmg" disk image.
6
Also produce a "<package>.tar.gz" tarball containing the same "CMake.app".
7

8
Options:
9

10
    -i <id>                Signing Identity
11
    -k <keychain-profile>  Keychain profile containing stored credentials
12

13
Create the keychain profile ahead of time using
14

15
    xcrun notarytool store-credentials <keychain-profile> \
16
      --apple-id <dev-acct> --team-id <team-id> [--password <app-specific-password>]
17

18
where:
19

20
    <dev-acct>              is an Apple ID of a developer account
21
    <team-id>               is from https://developer.apple.com/account/#!/membership
22
    <app-specific-password> is generated via https://support.apple.com/en-us/HT204397
23
                            If --password is omitted, notarytool will prompt for it.
24

25
This creates a keychain item called "com.apple.gke.notary.tool" with an
26
account name "com.apple.gke.notary.tool.saved-creds.<keychain-profile>".
27
'
28

29
cleanup() {
30
    if test -d "$tmpdir"; then
31
        rm -rf "$tmpdir"
32
    fi
33
    if test -d "$vol_path"; then
34
        hdiutil detach "$vol_path"
35
    fi
36
}
37

38
trap "cleanup" EXIT
39

40
die() {
41
    echo "$@" 1>&2; exit 1
42
}
43

44
id=''
45
keychain_profile=''
46
while test "$#" != 0; do
47
    case "$1" in
48
    -i) shift; id="$1" ;;
49
    -k) shift; keychain_profile="$1" ;;
50
    --) shift ; break ;;
51
    -*) die "$usage" ;;
52
    *) break ;;
53
    esac
54
    shift
55
done
56
case "$1" in
57
*.dmg) readonly dmg="$1"; shift ;;
58
*) die "$usage" ;;
59
esac
60
test "$#" = 0 || die "$usage"
61

62
# Verify arguments.
63
if test -z "$id" -o -z "$keychain_profile"; then
64
    die "$usage"
65
fi
66

67
# Verify environment.
68
if ! xcrun --find notarytool 2>/dev/null; then
69
    die "'xcrun notarytool' not found"
70
fi
71

72
readonly tmpdir="$(mktemp -d)"
73

74
# Prepare entitlements.
75
readonly entitlements_xml="$tmpdir/entitlements.xml"
76
echo '<?xml version="1.0" encoding="UTF-8"?>
77
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
78
<plist version="1.0">
79
<dict>
80
  <key>com.apple.security.cs.allow-dyld-environment-variables</key>
81
  <true/>
82
</dict>
83
</plist>' > "$entitlements_xml"
84

85
# Convert from read-only original image to read-write.
86
readonly udrw_dmg="$tmpdir/udrw.dmg"
87
hdiutil convert "$dmg" -format UDRW -o "${udrw_dmg}"
88

89
# Mount the temporary udrw image.
90
readonly vol_name="$(basename "${dmg%.dmg}")"
91
readonly vol_path="/Volumes/$vol_name"
92
hdiutil attach "${udrw_dmg}"
93

94
codesign --verify --timestamp --options=runtime --verbose --deep \
95
  -s "$id" \
96
  --entitlements "$entitlements_xml" \
97
  "$vol_path/CMake.app/Contents/bin/cmake" \
98
  "$vol_path/CMake.app/Contents/bin/ccmake" \
99
  "$vol_path/CMake.app/Contents/bin/ctest" \
100
  "$vol_path/CMake.app/Contents/bin/cpack" \
101
  "$vol_path/CMake.app"
102

103
ditto -c -k --keepParent "$vol_path/CMake.app" "$tmpdir/CMake.app.zip"
104
xcrun notarytool submit "$tmpdir/CMake.app.zip" --keychain-profile "$keychain_profile" --wait
105
xcrun stapler staple "$vol_path/CMake.app"
106

107
# Create a tarball of the volume next to the original disk image.
108
readonly tar_gz="${dmg/%.dmg/.tar.gz}"
109
tar cvzf "$tar_gz" -C /Volumes "$vol_name/CMake.app"
110

111
# Unmount the modified udrw image.
112
hdiutil detach "$vol_path"
113

114
# Convert back to read-only, compressed image.
115
hdiutil convert "${udrw_dmg}" -format UDZO -imagekey zlib-level=9 -ov -o "$dmg"
116

117
Product

Resources

Company
