From 42dee378c0dca21d822ccf11cd8d510d9189aeb8 Mon Sep 17 00:00:00 2001 From: Daniel Moody Date: Thu, 7 Jul 2022 19:51:03 +0000 Subject: SERVER-66461 added macos signing at evergreen archive step (cherry picked from commit 362dbbd4c3c71a9604a085fbcf2636a961b5ff32) (cherry picked from commit 6fa7f012f27fe05940223d257f7cccf4c3729a32)
---
etc/evergreen.yml | 11 ++++++ etc/macos_entitlements.xml | 8 ++++ evergreen/macos_notary.py | 95 ++++++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 114 insertions(+) create mode 100644 etc/macos_entitlements.xml create mode 100644 evergreen/macos_notary.py
diff --git a/etc/evergreen.yml b/etc/evergreen.yml
index 4a7bbe1c045..f4f6d45f66c 100644
--- a/etc/evergreen.yml
+++ b/etc/evergreen.yml
@@ -3833,6 +3833,17 @@ tasks: --detect-odr-violations --separate-debug PREFIX=dist-test
+ - command: shell.exec
+ params:
+ binary: bash
+ add_expansions_to_env: true
+ working_dir: src
+ script: |
+ set -o errexit
+ set -o verbose
+
+ ${activate_virtualenv}
+ $python evergreen/macos_notary.py mongodb-binaries.${ext|tgz} - command: archive.targz_pack params:
diff --git a/etc/macos_entitlements.xml b/etc/macos_entitlements.xml
new file mode 100644
index 00000000000..a7e59c8d96c
--- /dev/null
+++ b/etc/macos_entitlements.xml
@@ -0,0 +1,8 @@ + + + + com.apple.security.cs.allow-unsigned-executable-memory + + +
diff --git a/evergreen/macos_notary.py b/evergreen/macos_notary.py
new file mode 100644
index 00000000000..ad888c48a11
--- /dev/null
+++ b/evergreen/macos_notary.py
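Review bot: `com.apple.security.cs.allow-unsigned-executable-memory` is granted in the new entitlements file with nothing recording why the hardened runtime needs it; that entitlement lets the signed binary execute memory that is not covered by its code signature, which relaxes one of the protections notarization is meant to provide. An XML comment next to the key naming the component that requires it, and noting whether the narrower `com.apple.security.cs.allow-jit` entitlement was considered, would let a future reviewer decide when it can be dropped. The element tags appear to have been lost in this rendering of the hunk, so I am reading the file as a plist dict with this single key set to true; please confirm against the file itself.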
@@ -0,0 +1,95 @@
+import os
+import platform
+import shutil
+import urllib.request
+import subprocess
+import zipfile
+import stat
+import sys
+
+if platform.system().lower() != 'darwin':
+ print("Not a macos system, skipping macos signing.")
+ sys.exit(0)
+
+if len(sys.argv) < 2:
+ print("Must provide at least 1 archive to sign.")
+ sys.exit(1)
+
+supported_archs = {
+ 'arm64': 'arm64',
+ 'x86_64': 'amd64'
+}
+arch = platform.uname().machine.lower()
+
+if arch not in supported_archs:
+ print(f"Unsupported platform uname arch: {arch}, must be {supported_archs.keys()}")
+ sys.exit(1)
+
+macnotary_name = f'darwin_{supported_archs[arch]}'
+
+if os.environ['is_patch'].lower() == "true":
+ signing_type = 'sign'
+else:
+ signing_type = 'notarizeAndSign'
+
+macnotary_url = f'https://macos-notary-1628249594.s3.amazonaws.com/releases/client/latest/{macnotary_name}.zip'
+print(f'Fetching macnotary tool from: {macnotary_url}')
+local_filename, headers = urllib.request.urlretrieve(macnotary_url, f'{macnotary_name}.zip')
+with zipfile.ZipFile(f'{macnotary_name}.zip') as zipf:
+ zipf.extractall()
+
+st = os.stat(f'{macnotary_name}/macnotary')
+os.chmod(f'{macnotary_name}/macnotary', st.st_mode | stat.S_IEXEC)
+
+failed = False
+archives = sys.argv[1:]
+
+for archive in archives:
+ archive_base, archive_ext = os.path.splitext(archive)
+ unsigned_archive = f'{archive_base}_unsigned{archive_ext}'
+ shutil.move(archive, unsigned_archive)
+
+ signing_cmd = [
+ f'./{macnotary_name}/macnotary',
+ '-f', f'{unsigned_archive}',
+ '-m', f'{signing_type}',
+ '-u', 'https://dev.macos-notary.build.10gen.cc/api',
+ '-k', 'server',
+ '--entitlements', 'etc/macos_entitlements.xml',
+ '--verify',
+ '-b', 'server.mongodb.com',
+ '-i', f'{os.environ["task_id"]}',
+ '-c', f'{os.environ["project"]}',
+ '-o', f'{archive}'
+ ]
+
+ signing_env = os.environ.copy()
+ signing_env['MACOS_NOTARY_SECRET'] = os.environ["macos_notarization_secret"]
+ print(' '.join(signing_cmd))
+ p = 
subprocess.Popen(signing_cmd, stdout=subprocess.PIPE, stderr=subprocess.STDOUT, env=signing_env)
+
+ print(f"Signing tool completed with exitcode: {p.returncode}")
+ for line in iter(p.stdout.readline, b''):
+ print(f'macnotary: {line.decode("utf-8").strip()}')
+
+ # TODO: BUILD-14595 remove timeout when codesign doesn't frequently hang on macos hosts
+ timeout = 3600
+ timed_out = False
+ try:
+ p.wait(timeout=timeout)
+ except subprocess.TimeoutExpired:
+ print(f"ERROR: failed to finish signing in timeout period of {timeout} seconds. This most likely is related to hung codesign, see issues underlying BUILD-14595.")
+ timed_out = True
+ pass
+
+ if timed_out:
+ shutil.move(unsigned_archive, archive)
+ elif p.returncode != 0:
+ failed = True
+ shutil.move(unsigned_archive, archive)
+ else:
+ os.unlink(unsigned_archive)
+
+if failed:
+ exit(1)
+
-- cgit v1.2.1
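Review bot: `for line in iter(p.stdout.readline, b'')` blocks until macnotary closes its stdout, so the `p.wait(timeout=timeout)` that follows can never fire on the hung codesign the BUILD-14595 TODO describes, and `print(f"Signing tool completed with exitcode: {p.returncode}")` runs before any wait, so it always prints None. Draining and waiting in one `p.communicate(timeout=timeout)` call inside `with subprocess.Popen(...) as p:` makes the timeout real, and the `except subprocess.TimeoutExpired` branch should `p.kill()` so the hung tool and its pipe do not outlive the script; output is then printed after completion rather than streamed, which is acceptable for a CI log. The timed-out path also moves the unsigned archive back to the original name with `failed` still False, so the task exits 0 and archives an unsigned `mongodb-binaries` artifact; if that fallback is intentional it deserves an explicit warning line, otherwise set `failed = True` there as well. Separately, the tool is fetched from the unpinned `releases/client/latest/` URL and executed with no digest check, so pinning a release and verifying a checksum before `zipf.extractall()` would keep the signing step from running whatever is published at that path. Finally, `exit(1)` at the end should be `sys.exit(1)`, since `exit` is the site-module helper rather than a language builtin.
```python
    signing_env = os.environ.copy()
    signing_env['MACOS_NOTARY_SECRET'] = os.environ["macos_notarization_secret"]
    print(' '.join(signing_cmd))

    # TODO: BUILD-14595 remove timeout when codesign doesn't frequently hang on macos hosts
    timeout = 3600
    timed_out = False
    with subprocess.Popen(signing_cmd, stdout=subprocess.PIPE, stderr=subprocess.STDOUT, env=signing_env) as p:
        try:
            # communicate() drains stdout while waiting, so a hung codesign hits the
            # timeout instead of blocking forever in a readline loop
            output, _ = p.communicate(timeout=timeout)
        except subprocess.TimeoutExpired:
            p.kill()
            output, _ = p.communicate()
            print(f"ERROR: failed to finish signing in timeout period of {timeout} seconds. This most likely is related to hung codesign, see issues underlying BUILD-14595.")
            timed_out = True

    for line in output.splitlines():
        print(f'macnotary: {line.decode("utf-8").strip()}')
    print(f"Signing tool completed with exitcode: {p.returncode}")

    # … unchanged: timed_out / returncode handling that restores or removes the unsigned archive …
```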