-rw-r--r-- | etc/evergreen.yml | 8 | ||||
-rw-r--r-- | etc/macos_entitlements.xml | 8 | ||||
-rw-r--r-- | evergreen/macos_notary.py | 95 | ||||
-rw-r--r-- | evergreen/run_python_script.sh | 11 |
4 files changed, 122 insertions, 0 deletions
diff --git a/etc/evergreen.yml b/etc/evergreen.yml
index 4a7bbe1c045..25d006b90f2 100644
--- a/etc/evergreen.yml
+++ b/etc/evergreen.yml
@@ -3833,6 +3833,14 @@ tasks:
         --detect-odr-violations --separate-debug PREFIX=dist-test
+      - command: subprocess.exec
+        params:
+          binary: bash
+          add_expansions_to_env: true
+          args:
+            - "src/evergreen/run_python_script.sh"
+            - "evergreen/macos_notary.py"
+            - "mongodb-binaries.${ext|tgz}"
       - command: archive.targz_pack
         params:
diff --git a/etc/macos_entitlements.xml b/etc/macos_entitlements.xml
new file mode 100644
index 00000000000..a7e59c8d96c
--- /dev/null
+++ b/etc/macos_entitlements.xml
@@ -0,0 +1,8 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+  <dict>
+    <key>com.apple.security.cs.allow-unsigned-executable-memory</key><true/>
+  </dict>
+</plist>
+
diff --git a/evergreen/macos_notary.py b/evergreen/macos_notary.py
new file mode 100644
index 00000000000..ad888c48a11
--- /dev/null
+++ b/evergreen/macos_notary.py
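Review bot: `add_expansions_to_env: true` exports every Evergreen expansion, `macos_notarization_secret` included, into the environment of a bash + Python process, so the secret is reachable by anything that step spawns, not only the macnotary client that needs it. macos_notary.py reads just `is_patch`, `task_id`, `project` and `macos_notarization_secret` from the environment, so if this Evergreen version supports it an explicit allow-list such as `include_expansions_in_env: [is_patch, task_id, project, macos_notarization_secret]` (or an `env:` mapping of those four) would keep the blast radius of a compromised step to those values. It is also worth a comment on the step that it runs on every variant and relies on macos_notary.py exiting 0 off macOS rather than on a variant condition.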
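Review bot: `com.apple.security.cs.allow-unsigned-executable-memory` opts every binary signed with this file (macos_notary.py passes it for the whole archive via `--entitlements`) out of the hardened runtime's restriction on writable+executable memory, and the file gives no reason for it. Add an XML comment above the key naming the component that needs it, e.g. `<!-- Needed because <component> maps writable+executable pages; revisit if that requirement goes away. -->`, so the weakening is not carried forward blindly. If the underlying need is a JIT, `com.apple.security.cs.allow-jit` (MAP_JIT only) is the narrower entitlement and should be preferred; if the key was added only because notarization failed without it, that should be stated as well.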
@@ -0,0 +1,95 @@
+import os
+import platform
+import shutil
+import urllib.request
+import subprocess
+import zipfile
+import stat
+import sys
+
+if platform.system().lower() != 'darwin':
+    print("Not a macos system, skipping macos signing.")
+    sys.exit(0)
+
+if len(sys.argv) < 2:
+    print("Must provide at least 1 archive to sign.")
+    sys.exit(1)
+
+supported_archs = {
+    'arm64': 'arm64',
+    'x86_64': 'amd64'
+}
+arch = platform.uname().machine.lower()
+
+if arch not in supported_archs:
+    print(f"Unsupported platform uname arch: {arch}, must be {supported_archs.keys()}")
+    sys.exit(1)
+
+macnotary_name = f'darwin_{supported_archs[arch]}'
+
+if os.environ['is_patch'].lower() == "true":
+    signing_type = 'sign'
+else:
+    signing_type = 'notarizeAndSign'
+
+macnotary_url = f'https://macos-notary-1628249594.s3.amazonaws.com/releases/client/latest/{macnotary_name}.zip'
+print(f'Fetching macnotary tool from: {macnotary_url}')
+local_filename, headers = urllib.request.urlretrieve(macnotary_url, f'{macnotary_name}.zip')
+with zipfile.ZipFile(f'{macnotary_name}.zip') as zipf:
+    zipf.extractall()
+
+st = os.stat(f'{macnotary_name}/macnotary')
+os.chmod(f'{macnotary_name}/macnotary', st.st_mode | stat.S_IEXEC)
+
+failed = False
+archives = sys.argv[1:]
+
+for archive in archives:
+    archive_base, archive_ext = os.path.splitext(archive)
+    unsigned_archive = f'{archive_base}_unsigned{archive_ext}'
+    shutil.move(archive, unsigned_archive)
+
+    signing_cmd = [
+        f'./{macnotary_name}/macnotary',
+        '-f', f'{unsigned_archive}',
+        '-m', f'{signing_type}',
+        '-u', 'https://dev.macos-notary.build.10gen.cc/api',
+        '-k', 'server',
+        '--entitlements', 'etc/macos_entitlements.xml',
+        '--verify',
+        '-b', 'server.mongodb.com',
+        '-i', f'{os.environ["task_id"]}',
+        '-c', f'{os.environ["project"]}',
+        '-o', f'{archive}'
+    ]
+
+    signing_env = os.environ.copy()
+    signing_env['MACOS_NOTARY_SECRET'] = os.environ["macos_notarization_secret"]
+    print(' '.join(signing_cmd))
+    p = subprocess.Popen(signing_cmd, stdout=subprocess.PIPE, stderr=subprocess.STDOUT, env=signing_env)
+
+    print(f"Signing tool completed with exitcode: {p.returncode}")
+    for line in iter(p.stdout.readline, b''):
+        print(f'macnotary: {line.decode("utf-8").strip()}')
+
+    # TODO: BUILD-14595 remove timeout when codesign doesn't frequently hang on macos hosts
+    timeout = 3600
+    timed_out = False
+    try:
+        p.wait(timeout=timeout)
+    except subprocess.TimeoutExpired:
+        print(f"ERROR: failed to finish signing in timeout period of {timeout} seconds. This most likely is related to hung codesign, see issues underlying BUILD-14595.")
+        timed_out = True
+        pass
+
+    if timed_out:
+        shutil.move(unsigned_archive, archive)
+    elif p.returncode != 0:
+        failed = True
+        shutil.move(unsigned_archive, archive)
+    else:
+        os.unlink(unsigned_archive)
+
+if failed:
+    exit(1)
+
diff --git a/evergreen/run_python_script.sh b/evergreen/run_python_script.sh
new file mode 100644
index 00000000000..35181dec3c1
--- /dev/null
+++ b/evergreen/run_python_script.sh
@@ -0,0 +1,11 @@
+unset workdir
+DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" > /dev/null 2>&1 && pwd)"
+. "$DIR/prelude.sh"
+
+set -o errexit
+set -o verbose
+
+cd src
+
+activate_venv
+$python $@ |
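Review bot: The macnotary client is fetched from the `releases/client/latest/` prefix of a public bucket with no integrity check and then executed with `MACOS_NOTARY_SECRET` in its environment, so anyone who can write to that bucket (or move `latest`) can ship a client that exfiltrates the notarization secret and signs arbitrary binaries as `server.mongodb.com`. Pin a specific release instead of `latest` and verify the downloaded zip against a SHA-256 committed in this repo before `extractall()` is called, as sketched below (requires `import hashlib`; the digest values must come from a trusted out-of-band source, and `extractall()` should not run on an unverified archive since it also trusts member paths). Separately, the `p.wait(timeout=3600)` that the TODO relies on cannot fire: the `iter(p.stdout.readline, b'')` loop above it blocks until the tool closes stdout, and the `Signing tool completed with exitcode` print runs before the wait, so it always reports `None`; `out, _ = p.communicate(timeout=timeout)` with `p.kill()` in the `except` branch would give the intended bound and a real exit code. The timed-out path also leaves the hung child running and neither sets `failed` nor kills it, so a hang silently yields an unsigned archive with exit status 0.
```python
# … unchanged: platform/arch checks, signing_type selection …
macnotary_url = f'https://macos-notary-1628249594.s3.amazonaws.com/releases/client/latest/{macnotary_name}.zip'
print(f'Fetching macnotary tool from: {macnotary_url}')
local_filename, headers = urllib.request.urlretrieve(macnotary_url, f'{macnotary_name}.zip')
# Refuse to run a client whose digest is not the one pinned in the repo:
# the client receives MACOS_NOTARY_SECRET, so a swapped binary can steal it.
expected_sha256 = MACNOTARY_SHA256[macnotary_name]  # per-arch digests, pinned alongside a fixed release
with open(local_filename, 'rb') as f:
    actual_sha256 = hashlib.sha256(f.read()).hexdigest()
if actual_sha256 != expected_sha256:
    print(f"ERROR: macnotary checksum mismatch for {macnotary_name}: got {actual_sha256}")
    sys.exit(1)
with zipfile.ZipFile(local_filename) as zipf:
    zipf.extractall()
# … unchanged: chmod, per-archive loop up to the Popen …
    try:
        out, _ = p.communicate(timeout=timeout)
    except subprocess.TimeoutExpired:
        p.kill()
        out, _ = p.communicate()
        print(f"ERROR: failed to finish signing in timeout period of {timeout} seconds. This most likely is related to hung codesign, see issues underlying BUILD-14595.")
        timed_out = True
    for line in out.splitlines():
        print(f'macnotary: {line.decode("utf-8").strip()}')
    print(f"Signing tool completed with exitcode: {p.returncode}")
# … unchanged: restore of the unsigned archive on failure …
```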
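Review bot: The last line runs `$python $@` unquoted, so an archive name containing whitespace or glob characters is re-split by the shell before macos_notary.py sees it; write it as `"$python" "$@"`. `set -o verbose` echoes every command together with its arguments, which is harmless here because the notarization secret travels in the environment rather than on the command line, but a comment such as `# Commands are echoed by set -o verbose: never pass secrets as arguments.` would stop a future caller from doing so. `prelude.sh` and `activate_venv` are defined outside this diff, so what they export into the environment is not reviewed here.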