author | Rod Vagg <rod@vagg.org> | 2020-01-22 14:38:11 +1100 |
committer | Rod Vagg <rod@vagg.org> | 2020-03-10 20:14:52 +1100 |
commit | 6db6af405729d47d675edc0a5e87eb2aeb39df7b (patch) | |
tree | 714d0c089bc568bd51a241ac741b978edd83476d | |
parent | 811b3a9931b658b2fc2ced2574462069abfa5aa2 (diff) | |
download | node-new-6db6af405729d47d675edc0a5e87eb2aeb39df7b.tar.gz |
build: macOS package notarization
Includes hardened-runtime patch from gdams from
https://github.com/nodejs/node/issues/29216#issuecomment-546932966
PR-URL: https://github.com/nodejs/node/pull/31459
Refs: https://github.com/nodejs/node/issues/29216
Reviewed-By: Christian Clauss <cclauss@me.com>
Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
Reviewed-By: Ash Cripps <ashley.cripps@ibm.com>
Signed-off-by: Rod Vagg <rod@vagg.org>
-rw-r--r-- | .gitignore | 1 | ||||
-rw-r--r-- | Makefile | 1 | ||||
-rw-r--r-- | tools/osx-codesign.sh | 11 | ||||
-rw-r--r-- | tools/osx-entitlements.plist | 16 | ||||
-rw-r--r-- | tools/osx-gon-config.json.tmpl | 12 | ||||
-rwxr-xr-x | tools/osx-notarize.sh | 37 |
6 files changed, 77 insertions, 1 deletions
diff --git a/.gitignore b/.gitignore
index 160b96f74a..425a5ddbec 100644
--- a/.gitignore
+++ b/.gitignore
@@ -33,6 +33,7 @@
 /doc/api.xml
 /node
 /node_g
+/gon-config.json
 /*.exe
 /*.swp
 /out
@@ -1003,6 +1003,7 @@ $(PKG): release-only
 --resources $(MACOSOUTDIR)/installer/productbuild/Resources \
 --package-path $(MACOSOUTDIR)/pkgs ./$(PKG)
 SIGN="$(PRODUCTSIGN_CERT)" PKG="$(PKG)" bash tools/osx-productsign.sh
+bash tools/osx-notarize.sh $(FULLVERSION)
 
 .PHONY: pkg
 # Builds the macOS installer for releases.
diff --git a/tools/osx-codesign.sh b/tools/osx-codesign.sh
index 6a954c737f..7ca80ca746 100644
--- a/tools/osx-codesign.sh
+++ b/tools/osx-codesign.sh
@@ -8,4 +8,13 @@ if [ "X$SIGN" == "X" ]; then
 exit 0
 fi
 
-codesign -s "$SIGN" "$PKGDIR"/bin/node
+# All macOS executable binaries in the bundle must be codesigned with the
+# hardened runtime enabled.
+# See https://github.com/nodejs/node/pull/31459
+
+codesign \
+ --sign "$SIGN" \
+ --entitlements tools/osx-entitlements.plist \
+ --options runtime \
+ --timestamp \
+ "$PKGDIR"/bin/node
diff --git a/tools/osx-entitlements.plist b/tools/osx-entitlements.plist
new file mode 100644
index 0000000000..555c10f7ff
--- /dev/null
+++ b/tools/osx-entitlements.plist
@@ -0,0 +1,16 @@
+ <?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+ <key>com.apple.security.cs.allow-jit</key>
+ <true/>
+ <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
+ <true/>
+ <key>com.apple.security.cs.disable-executable-page-protection</key>
+ <true/>
+ <key>com.apple.security.cs.allow-dyld-environment-variables</key>
+ <true/>
+ <key>com.apple.security.cs.disable-library-validation</key>
+ <true/>
+</dict>
+</plist>
diff --git a/tools/osx-gon-config.json.tmpl b/tools/osx-gon-config.json.tmpl
new file mode 100644
index 0000000000..3ea16465fc
--- /dev/null
+++ b/tools/osx-gon-config.json.tmpl
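Review bot: The new header comment in tools/osx-codesign.sh states that all executable binaries in the bundle must be signed with the hardened runtime, but the invocation that follows signs only `"$PKGDIR"/bin/node`; if the package carries any other Mach-O executables (not visible from this hunk) they would stay unsigned and would be expected to fail notarization. Either narrow the comment to what the code does, e.g. `# The node binary must be codesigned with the hardened runtime enabled;` `# notarization rejects packages that contain unsigned Mach-O executables.`, or extend the command to cover every executable the installer ships. Note also that `--entitlements tools/osx-entitlements.plist` is resolved against the working directory, so the script depends on being invoked from the repository root as the Makefile recipe does; a one-line comment saying so would save the next maintainer a confusing codesign error.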
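Review bot: The entitlement set in tools/osx-entitlements.plist switches off most of what `--options runtime` in osx-codesign.sh turns on, and nothing in the file records why each key is needed. `allow-jit` is what V8 needs for its code pages; `disable-library-validation` and `allow-dyld-environment-variables` are presumably there so native addons not signed by the same team can be loaded, and `allow-unsigned-executable-memory` is only redundant if V8 allocates with MAP_JIT, which is worth confirming for this release line; `disable-executable-page-protection`, however, is documented by Apple as an extreme entitlement that disables code-signing protections at launch and during execution, which goes well beyond what a JIT or addon loading requires. I would add an XML comment above each key naming the feature that depends on it (`<!-- V8 JIT code pages -->`, `<!-- native addons loaded via process.dlopen -->`) and check against the hardened-runtime patch referenced in the commit message whether the node binary actually runs and notarizes without the two broadest entitlements, dropping them if it does.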
@@ -0,0 +1,12 @@
+{
+ "notarize": [{
+ "path": "node-{{pkgid}}.pkg",
+ "bundle_id": "org.nodejs.pkg.{{pkgid}}",
+ "staple": true
+ }],
+
+ "apple_id": {
+ "username": "{{appleid}}",
+ "password": "@env:NOTARIZATION_PASSWORD"
+ }
+}
diff --git a/tools/osx-notarize.sh b/tools/osx-notarize.sh
new file mode 100755
index 0000000000..97bb091272
--- /dev/null
+++ b/tools/osx-notarize.sh
@@ -0,0 +1,37 @@
+#!/bin/bash
+
+# Uses gon, from https://github.com/mitchellh/gon, to notarize a generated node-<version>.pkg file
+# with Apple for installation on macOS Catalina and later as validated by Gatekeeper.
+
+set -e
+
+gon_version="0.2.2"
+gon_exe="${HOME}/.gon/gon_${gon_version}"
+
+__dirname="$(CDPATH= cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+pkgid="$1"
+
+if [ "X${pkgid}" == "X" ]; then
+ echo "Usage: $0 <pkgid>"
+ exit 1
+fi
+
+if [ "X$NOTARIZATION_ID" == "X" ]; then
+ echo "No NOTARIZATION_ID environment var. Skipping notarization."
+ exit 0
+fi
+
+set -x
+
+mkdir -p "${HOME}/.gon/"
+
+if [ ! -f "${gon_exe}" ]; then
+ curl -sL "https://github.com/mitchellh/gon/releases/download/v${gon_version}/gon_${gon_version}_macos.zip" -o "${gon_exe}.zip"
+ (cd "${HOME}/.gon/" && rm -f gon && unzip "${gon_exe}.zip" && mv gon "${gon_exe}")
+fi
+
+cat tools/osx-gon-config.json.tmpl \
+ | sed -e "s/{{appleid}}/${NOTARIZATION_ID}/" -e "s/{{pkgid}}/${pkgid}/" \
+ > gon-config.json
+
+"${gon_exe}" -log-level=info gon-config.json
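Review bot: In tools/osx-notarize.sh the gon binary is fetched with `curl -sL` and executed without any integrity check, and that binary is then given the Apple ID in gon-config.json plus the notarization password via NOTARIZATION_PASSWORD, so a substituted or tampered release asset would expose the release pipeline's signing credentials. Pin the release artifact and fail closed: add `gon_sha256="<sha256 of gon_0.2.2_macos.zip — fill in from the release>"` next to `gon_version`, change the download to `curl -fsSL` so an HTTP error body is not saved as the zip, and verify with `echo "${gon_sha256}  ${gon_exe}.zip" | shasum -a 256 -c -` before the unzip. Two smaller points: `set -x` is enabled before the `sed` that substitutes `${NOTARIZATION_ID}`, so the Apple ID is echoed into build logs (enable tracing after the template expansion, or wrap that step in `set +x`/`set -x`), and `__dirname` is computed but never used while the template and output paths are resolved relative to the working directory, so the script silently depends on being run from the repository root as the Makefile does.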