summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--etc/evergreen.yml8
-rw-r--r--etc/macos_entitlements.xml8
-rw-r--r--evergreen/macos_notary.py95
-rw-r--r--evergreen/run_python_script.sh11
4 files changed, 122 insertions, 0 deletions
diff --git a/etc/evergreen.yml b/etc/evergreen.yml
index 4a7bbe1c045..25d006b90f2 100644
--- a/etc/evergreen.yml
+++ b/etc/evergreen.yml
@@ -3833,6 +3833,14 @@ tasks:
--detect-odr-violations
--separate-debug
PREFIX=dist-test
+ - command: subprocess.exec
+ params:
+ binary: bash
+ add_expansions_to_env: true
+ args:
+ - "src/evergreen/run_python_script.sh"
+ - "evergreen/macos_notary.py"
+ - "mongodb-binaries.${ext|tgz}"
- command: archive.targz_pack
params:
diff --git a/etc/macos_entitlements.xml b/etc/macos_entitlements.xml
new file mode 100644
index 00000000000..a7e59c8d96c
--- /dev/null
+++ b/etc/macos_entitlements.xml
@@ -0,0 +1,8 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+ <dict>
+ <key>com.apple.security.cs.allow-unsigned-executable-memory</key><true/>
+ </dict>
+</plist>
+
diff --git a/evergreen/macos_notary.py b/evergreen/macos_notary.py
new file mode 100644
index 00000000000..ad888c48a11
--- /dev/null
+++ b/evergreen/macos_notary.py
@@ -0,0 +1,95 @@
+import os
+import platform
+import shutil
+import urllib.request
+import subprocess
+import zipfile
+import stat
+import sys
+
+if platform.system().lower() != 'darwin':
+ print("Not a macos system, skipping macos signing.")
+ sys.exit(0)
+
+if len(sys.argv) < 2:
+ print("Must provide at least 1 archive to sign.")
+ sys.exit(1)
+
+supported_archs = {
+ 'arm64': 'arm64',
+ 'x86_64': 'amd64'
+}
+arch = platform.uname().machine.lower()
+
+if arch not in supported_archs:
+ print(f"Unsupported platform uname arch: {arch}, must be {supported_archs.keys()}")
+ sys.exit(1)
+
+macnotary_name = f'darwin_{supported_archs[arch]}'
+
+if os.environ['is_patch'].lower() == "true":
+ signing_type = 'sign'
+else:
+ signing_type = 'notarizeAndSign'
+
+macnotary_url = f'https://macos-notary-1628249594.s3.amazonaws.com/releases/client/latest/{macnotary_name}.zip'
+print(f'Fetching macnotary tool from: {macnotary_url}')
+local_filename, headers = urllib.request.urlretrieve(macnotary_url, f'{macnotary_name}.zip')
+with zipfile.ZipFile(f'{macnotary_name}.zip') as zipf:
+ zipf.extractall()
+
+st = os.stat(f'{macnotary_name}/macnotary')
+os.chmod(f'{macnotary_name}/macnotary', st.st_mode | stat.S_IEXEC)
+
+failed = False
+archives = sys.argv[1:]
+
+for archive in archives:
+ archive_base, archive_ext = os.path.splitext(archive)
+ unsigned_archive = f'{archive_base}_unsigned{archive_ext}'
+ shutil.move(archive, unsigned_archive)
+
+ signing_cmd = [
+ f'./{macnotary_name}/macnotary',
+ '-f', f'{unsigned_archive}',
+ '-m', f'{signing_type}',
+ '-u', 'https://dev.macos-notary.build.10gen.cc/api',
+ '-k', 'server',
+ '--entitlements', 'etc/macos_entitlements.xml',
+ '--verify',
+ '-b', 'server.mongodb.com',
+ '-i', f'{os.environ["task_id"]}',
+ '-c', f'{os.environ["project"]}',
+ '-o', f'{archive}'
+ ]
+
+ signing_env = os.environ.copy()
+ signing_env['MACOS_NOTARY_SECRET'] = os.environ["macos_notarization_secret"]
+ print(' '.join(signing_cmd))
+ p = subprocess.Popen(signing_cmd, stdout=subprocess.PIPE, stderr=subprocess.STDOUT, env=signing_env)
+
+ print(f"Signing tool completed with exitcode: {p.returncode}")
+ for line in iter(p.stdout.readline, b''):
+ print(f'macnotary: {line.decode("utf-8").strip()}')
+
+ # TODO: BUILD-14595 remove timeout when codesign doesn't frequently hang on macos hosts
+ timeout = 3600
+ timed_out = False
+ try:
+ p.wait(timeout=timeout)
+ except subprocess.TimeoutExpired:
+ print(f"ERROR: failed to finish signing in timeout period of {timeout} seconds. This most likely is related to hung codesign, see issues underlying BUILD-14595.")
+ timed_out = True
+ pass
+
+ if timed_out:
+ shutil.move(unsigned_archive, archive)
+ elif p.returncode != 0:
+ failed = True
+ shutil.move(unsigned_archive, archive)
+ else:
+ os.unlink(unsigned_archive)
+
+if failed:
+ exit(1)
+
diff --git a/evergreen/run_python_script.sh b/evergreen/run_python_script.sh
new file mode 100644
index 00000000000..35181dec3c1
--- /dev/null
+++ b/evergreen/run_python_script.sh
@@ -0,0 +1,11 @@
+unset workdir
+DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" > /dev/null 2>&1 && pwd)"
+. "$DIR/prelude.sh"
+
+set -o errexit
+set -o verbose
+
+cd src
+
+activate_venv
+$python $@