blob: 55ed5916d47403f21c766daa69b1148f9b49d6c3 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
|
#!/usr/bin/env bash
set -e
readonly usage='usage: sign-notarize.bash -i <id> -k <keychain-profile> [--] <package>.dmg
Sign and notarize the "CMake.app" bundle inside the given "<package>.dmg" disk image.
Also produce a "<package>.tar.gz" tarball containing the same "CMake.app".
Options:
-i <id> Signing Identity
-k <keychain-profile> Keychain profile containing stored credentials
Create the keychain profile ahead of time using
xcrun notarytool store-credentials <keychain-profile> \
--apple-id <dev-acct> --team-id <team-id> [--password <app-specific-password>]
where:
<dev-acct> is an Apple ID of a developer account
<team-id> is from https://developer.apple.com/account/#!/membership
<app-specific-password> is generated via https://support.apple.com/en-us/HT204397
If --password is omitted, notarytool will prompt for it.
This creates a keychain item called "com.apple.gke.notary.tool" with an
account name "com.apple.gke.notary.tool.saved-creds.<keychain-profile>".
'
cleanup() {
if test -d "$tmpdir"; then
rm -rf "$tmpdir"
fi
if test -d "$vol_path"; then
hdiutil detach "$vol_path"
fi
}
trap "cleanup" EXIT
die() {
echo "$@" 1>&2; exit 1
}
id=''
keychain_profile=''
while test "$#" != 0; do
case "$1" in
-i) shift; id="$1" ;;
-k) shift; keychain_profile="$1" ;;
--) shift ; break ;;
-*) die "$usage" ;;
*) break ;;
esac
shift
done
case "$1" in
*.dmg) readonly dmg="$1"; shift ;;
*) die "$usage" ;;
esac
test "$#" = 0 || die "$usage"
# Verify arguments.
if test -z "$id" -o -z "$keychain_profile"; then
die "$usage"
fi
# Verify environment.
if ! xcrun --find notarytool 2>/dev/null; then
die "'xcrun notarytool' not found"
fi
readonly tmpdir="$(mktemp -d)"
# Prepare entitlements.
readonly entitlements_xml="$tmpdir/entitlements.xml"
echo '<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>com.apple.security.cs.allow-dyld-environment-variables</key>
<true/>
</dict>
</plist>' > "$entitlements_xml"
# Convert from read-only original image to read-write.
readonly udrw_dmg="$tmpdir/udrw.dmg"
hdiutil convert "$dmg" -format UDRW -o "${udrw_dmg}"
# Mount the temporary udrw image.
readonly vol_name="$(basename "${dmg%.dmg}")"
readonly vol_path="/Volumes/$vol_name"
hdiutil attach "${udrw_dmg}"
codesign --verify --timestamp --options=runtime --verbose --deep \
-s "$id" \
--entitlements "$entitlements_xml" \
"$vol_path/CMake.app/Contents/bin/cmake" \
"$vol_path/CMake.app/Contents/bin/ccmake" \
"$vol_path/CMake.app/Contents/bin/ctest" \
"$vol_path/CMake.app/Contents/bin/cpack" \
"$vol_path/CMake.app"
ditto -c -k --keepParent "$vol_path/CMake.app" "$tmpdir/CMake.app.zip"
xcrun notarytool submit "$tmpdir/CMake.app.zip" --keychain-profile "$keychain_profile" --wait
xcrun stapler staple "$vol_path/CMake.app"
# Create a tarball of the volume next to the original disk image.
readonly tar_gz="${dmg/%.dmg/.tar.gz}"
tar cvzf "$tar_gz" -C /Volumes "$vol_name/CMake.app"
# Unmount the modified udrw image.
hdiutil detach "$vol_path"
# Convert back to read-only, compressed image.
hdiutil convert "${udrw_dmg}" -format UDZO -imagekey zlib-level=9 -ov -o "$dmg"
|
