path: root/evergreen/macos_notary.py
Diffstat (limited to 'evergreen/macos_notary.py')
-rw-r--r--evergreen/macos_notary.py95
1 files changed, 95 insertions, 0 deletions
diff --git a/evergreen/macos_notary.py b/evergreen/macos_notary.py
new file mode 100644
index 00000000000..ce112e66556
--- /dev/null
+++ b/evergreen/macos_notary.py
@@ -0,0 +1,95 @@
+import os
+import platform
+import shutil
+import urllib.request
+import subprocess
+import zipfile
+import stat
+import sys
+
+if platform.system().lower() != 'darwin':
+ print("Not a macos system, skipping macos signing.")
+ sys.exit(0)
+
+if len(sys.argv) < 2:
+ print("Must provide at least 1 archive to sign.")
+ sys.exit(1)
+
+supported_archs = {
+ 'arm64': 'arm64',
+ 'x86_64': 'amd64'
+}
+arch = platform.uname().machine.lower()
+
+if arch not in supported_archs:
+ print(f"Unsupported platform uname arch: {arch}, must be {supported_archs.keys()}")
+ sys.exit(1)
+
+macnotary_name = f'darwin_{supported_archs[arch]}'
+print(os.environ['is_patch'])
+if os.environ['is_patch'].lower() == "true":
+ signing_type = 'sign'
+else:
+ signing_type = 'notarizeAndSign'
+
+macnotary_url = f'https://macos-notary-1628249594.s3.amazonaws.com/releases/client/latest/{macnotary_name}.zip'
+print(f'Fetching macnotary tool from: {macnotary_url}')
+local_filename, headers = urllib.request.urlretrieve(macnotary_url, f'{macnotary_name}.zip')
+with zipfile.ZipFile(f'{macnotary_name}.zip') as zipf:
+ zipf.extractall()
+
+st = os.stat(f'{macnotary_name}/macnotary')
+os.chmod(f'{macnotary_name}/macnotary', st.st_mode | stat.S_IEXEC)
+
+failed = False
+archives = sys.argv[1:]
+
+for archive in archives:
+ archive_base, archive_ext = os.path.splitext(archive)
+ unsigned_archive = f'{archive_base}_unsigned{archive_ext}'
+ shutil.move(archive, unsigned_archive)
+
+ signing_cmd = [
+ f'./{macnotary_name}/macnotary',
+ '-f', f'{unsigned_archive}',
+ '-m', f'{signing_type}',
+ '-u', 'https://dev.macos-notary.build.10gen.cc/api',
+ '-k', 'server',
+ '--entitlements', 'etc/macos_entitlements.xml',
+ '--verify',
+ '-b', 'server.mongodb.com',
+ '-i', f'{os.environ["task_id"]}',
+ '-c', f'{os.environ["project"]}',
+ '-o', f'{archive}'
+ ]
+
+ signing_env = os.environ.copy()
+ signing_env['MACOS_NOTARY_SECRET'] = os.environ["macos_notarization_secret"]
+ print(' '.join(signing_cmd))
+ p = subprocess.Popen(signing_cmd, stdout=subprocess.PIPE, stderr=subprocess.STDOUT, env=signing_env)
+
+ print(f"Signing tool completed with exitcode: {p.returncode}")
+ for line in iter(p.stdout.readline, b''):
+ print(f'macnotary: {line.decode("utf-8").strip()}')
+
+ # TODO: BUILD-14595 remove timeout when codesign doesn't frequently hang on macos hosts
+ timeout = 3600
+ timed_out = False
+ try:
+ p.wait(timeout=timeout)
+ except subprocess.TimeoutExpired:
+ print(f"ERROR: failed to finish signing in timeout period of {timeout} seconds. This most likely is related to hung codesign, see issues underlying BUILD-14595.")
+ timed_out = True
+ pass
+
+ if timed_out:
+ shutil.move(unsigned_archive, archive)
+ elif p.returncode != 0:
+ failed = True
+ shutil.move(unsigned_archive, archive)
+ else:
+ os.unlink(unsigned_archive)
+
+if failed:
+ exit(1)
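Review bot: The macnotary client is fetched from a `latest` URL, extracted and executed with no integrity check, and is then handed the notarization secret through `MACOS_NOTARY_SECRET`, so anyone who can write to that bucket path can sign and notarize as this project; pin a release version in `macnotary_url`, add `import hashlib`, and reject the download before `extractall()` unless its digest matches a value kept in the repo or CI config, e.g. `with open(f'{macnotary_name}.zip', 'rb') as f: digest = hashlib.sha256(f.read()).hexdigest()` followed by `if digest != EXPECTED_MACNOTARY_SHA256: sys.exit(1)`. Separately, `print(f"Signing tool completed with exitcode: {p.returncode}")` runs before `p.wait()` and so always reports `None`, and because the `iter(p.stdout.readline, b'')` loop drains stdout to EOF first, the 3600 s timeout on `p.wait` can only fire if the child closes stdout yet keeps running; move the print after the wait, put the deadline on the read (for example `p.communicate(timeout=timeout)`), and call `p.kill()` in the `TimeoutExpired` branch so a hung codesign does not outlive the script. The timeout branch also restores the unsigned archive without setting `failed`, so the run exits 0 with an unsigned file under the signed name — if that is deliberate per BUILD-14595, say so in a comment; otherwise add `failed = True` there as well. The debug `print(os.environ['is_patch'])` and the bare `exit(1)` (use `sys.exit(1)` like the rest of the file) look like leftovers.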
+