authorDaniel Moody <daniel.moody@mongodb.com>2022-07-07 19:51:03 +0000
committerEvergreen Agent <no-reply@evergreen.mongodb.com>2022-07-13 17:21:26 +0000
commit42dee378c0dca21d822ccf11cd8d510d9189aeb8 (patch)
treeb25319af8d83de9624faa2d9b46f3d7f9ee385c2
parente2c6bf59b4983f936f387e6f6e1cb4cfd91b8f90 (diff)
downloadmongo-42dee378c0dca21d822ccf11cd8d510d9189aeb8.tar.gz
SERVER-66461 added macos signing at evergreen archive step
(cherry picked from commit 362dbbd4c3c71a9604a085fbcf2636a961b5ff32) (cherry picked from commit 6fa7f012f27fe05940223d257f7cccf4c3729a32)
-rw-r--r--etc/evergreen.yml11
-rw-r--r--etc/macos_entitlements.xml8
-rw-r--r--evergreen/macos_notary.py95
3 files changed, 114 insertions, 0 deletions
diff --git a/etc/evergreen.yml b/etc/evergreen.yml
index 4a7bbe1c045..f4f6d45f66c 100644
--- a/etc/evergreen.yml
+++ b/etc/evergreen.yml
@@ -3833,6 +3833,17 @@ tasks:
--detect-odr-violations
--separate-debug
PREFIX=dist-test
+ - command: shell.exec
+ params:
+ binary: bash
+ add_expansions_to_env: true
+ working_dir: src
+ script: |
+ set -o errexit
+ set -o verbose
+
+ ${activate_virtualenv}
+ $python evergreen/macos_notary.py mongodb-binaries.${ext|tgz}
- command: archive.targz_pack
params:
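Review bot: `add_expansions_to_env: true` exports every project expansion, including `macos_notarization_secret`, into the environment of this shell on every build variant, while the script only reads a handful of them; if the Evergreen agent in use supports the `env:` parameter of `shell.exec`, listing just `macos_notarization_secret`, `is_patch`, `task_id` and `project` there would keep the secret out of everything else that runs in this step. The step also runs unconditionally and relies on `macos_notary.py` itself to exit 0 on non-darwin hosts, which is worth a one-line comment here, e.g. `# macos_notary.py is a no-op on non-darwin variants`. The task definition this command belongs to starts above the hunk.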
diff --git a/etc/macos_entitlements.xml b/etc/macos_entitlements.xml
new file mode 100644
index 00000000000..a7e59c8d96c
--- /dev/null
+++ b/etc/macos_entitlements.xml
@@ -0,0 +1,8 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+ <dict>
+ <key>com.apple.security.cs.allow-unsigned-executable-memory</key><true/>
+ </dict>
+</plist>
+
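Review bot: The entitlement `com.apple.security.cs.allow-unsigned-executable-memory` on the fifth line of the plist opts the signed binaries out of a hardened-runtime protection (the process may then map writable+executable memory that is not code-signed), and nothing in the file records why that is required. If it is needed for a JIT, Apple's narrower `com.apple.security.cs.allow-jit` (which only permits MAP_JIT mappings) may suffice and should be tried first; if the broad entitlement is genuinely required, add a comment above the key such as `<!-- Required by <component>; allow-jit is insufficient because ... -->` so the next reviewer of the signing config does not have to rediscover that.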
diff --git a/evergreen/macos_notary.py b/evergreen/macos_notary.py
new file mode 100644
index 00000000000..ad888c48a11
--- /dev/null
+++ b/evergreen/macos_notary.py
@@ -0,0 +1,95 @@
+import os
+import platform
+import shutil
+import urllib.request
+import subprocess
+import zipfile
+import stat
+import sys
+
+if platform.system().lower() != 'darwin':
+ print("Not a macos system, skipping macos signing.")
+ sys.exit(0)
+
+if len(sys.argv) < 2:
+ print("Must provide at least 1 archive to sign.")
+ sys.exit(1)
+
+supported_archs = {
+ 'arm64': 'arm64',
+ 'x86_64': 'amd64'
+}
+arch = platform.uname().machine.lower()
+
+if arch not in supported_archs:
+ print(f"Unsupported platform uname arch: {arch}, must be {supported_archs.keys()}")
+ sys.exit(1)
+
+macnotary_name = f'darwin_{supported_archs[arch]}'
+
+if os.environ['is_patch'].lower() == "true":
+ signing_type = 'sign'
+else:
+ signing_type = 'notarizeAndSign'
+
+macnotary_url = f'https://macos-notary-1628249594.s3.amazonaws.com/releases/client/latest/{macnotary_name}.zip'
+print(f'Fetching macnotary tool from: {macnotary_url}')
+local_filename, headers = urllib.request.urlretrieve(macnotary_url, f'{macnotary_name}.zip')
+with zipfile.ZipFile(f'{macnotary_name}.zip') as zipf:
+ zipf.extractall()
+
+st = os.stat(f'{macnotary_name}/macnotary')
+os.chmod(f'{macnotary_name}/macnotary', st.st_mode | stat.S_IEXEC)
+
+failed = False
+archives = sys.argv[1:]
+
+for archive in archives:
+ archive_base, archive_ext = os.path.splitext(archive)
+ unsigned_archive = f'{archive_base}_unsigned{archive_ext}'
+ shutil.move(archive, unsigned_archive)
+
+ signing_cmd = [
+ f'./{macnotary_name}/macnotary',
+ '-f', f'{unsigned_archive}',
+ '-m', f'{signing_type}',
+ '-u', 'https://dev.macos-notary.build.10gen.cc/api',
+ '-k', 'server',
+ '--entitlements', 'etc/macos_entitlements.xml',
+ '--verify',
+ '-b', 'server.mongodb.com',
+ '-i', f'{os.environ["task_id"]}',
+ '-c', f'{os.environ["project"]}',
+ '-o', f'{archive}'
+ ]
+
+ signing_env = os.environ.copy()
+ signing_env['MACOS_NOTARY_SECRET'] = os.environ["macos_notarization_secret"]
+ print(' '.join(signing_cmd))
+ p = subprocess.Popen(signing_cmd, stdout=subprocess.PIPE, stderr=subprocess.STDOUT, env=signing_env)
+
+ print(f"Signing tool completed with exitcode: {p.returncode}")
+ for line in iter(p.stdout.readline, b''):
+ print(f'macnotary: {line.decode("utf-8").strip()}')
+
+ # TODO: BUILD-14595 remove timeout when codesign doesn't frequently hang on macos hosts
+ timeout = 3600
+ timed_out = False
+ try:
+ p.wait(timeout=timeout)
+ except subprocess.TimeoutExpired:
+ print(f"ERROR: failed to finish signing in timeout period of {timeout} seconds. This most likely is related to hung codesign, see issues underlying BUILD-14595.")
+ timed_out = True
+ pass
+
+ if timed_out:
+ shutil.move(unsigned_archive, archive)
+ elif p.returncode != 0:
+ failed = True
+ shutil.move(unsigned_archive, archive)
+ else:
+ os.unlink(unsigned_archive)
+
+if failed:
+ exit(1)
+