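#!/bin/bash
#
# Build, sign and notarize the macOS Telegraf.app bundle for every darwin
# tarball under ~/project/dist, producing a signed + stapled DMG per tarball
# in ~/project/build/dist.
#
# Required environment (names are fixed by the CI configuration, which is why
# they are not upper-case):
#   MacCertificate, MacCertificatePassword   base64 PKCS#12 of the Developer ID
#                                            certificate and its password
#   AppleSigningAuthorityCertificate         base64 DER of Apple's intermediate CA
#   AppleUsername, ApplePassword             Apple ID and app-specific password
#                                            for notarytool
# Optional:
#   NOTARIZE_MAX_ATTEMPTS   polls of `notarytool info`, 10s apart (default 180)
#
# NOTE(review): the p12 password and the app-specific password are handed to
# `security` and `notarytool` on the command line, so they are visible in `ps`
# and in any `set -x` trace; never enable tracing in this script.

set -euo pipefail
shopt -s extglob

readonly APPLE_TEAM_ID='M7DN9H35QT'
readonly DEVELOPER_ID="Developer ID Application: InfluxData Inc. (${APPLE_TEAM_ID})"
readonly SYSTEM_KEYCHAIN='/Library/Keychains/System.keychain'
readonly PROJECT_DIR="${HOME}/project"

# Print a diagnostic to stderr and abort the whole script.
die() {
  printf 'mac-signing: %s\n' "$*" >&2
  exit 1
}

# Remove any bundle/DMG scratch directories left in the cwd by a previous run.
cleanup() {
  echo "Cleaning up any existing Telegraf or Telegraf.app"
  printf "\n"
  rm -rf Telegraf
  rm -rf Telegraf.app
}

# Read notarytool output on stdin and print the value following the first
# line whose first field is "$1:", with surrounding whitespace removed.
# notarytool prints e.g. "id:" more than once, so only the first hit counts;
# awk exits early, which is safe because stdin is a here-string, not a pipe
# that would raise SIGPIPE (exit 141) in the producer.
first_value() {
  local key="$1" value
  value="$(awk -v k="${key}:" '$1 == k { $1 = ""; print $0; exit 0 }')"
  value="${value##+([[:space:]])}"  # strip leading whitespace
  value="${value%%+([[:space:]])}"  # strip trailing whitespace
  printf '%s' "${value}"
}

# Submit "$1" to Apple's notary service and block until the submission is
# Accepted. Any other terminal status, a missing submission id, a failing
# notarytool invocation, or exhausting NOTARIZE_MAX_ATTEMPTS polls aborts the
# script (the notary log is printed first when one can be fetched).
archive_notarize() {
  local target="$1"
  local output uuid status attempt
  local max_attempts="${NOTARIZE_MAX_ATTEMPTS:-180}"

  # Capture the output first, then parse it: a failure of notarytool itself
  # must abort here instead of being swallowed inside a here-string expansion.
  output="$(
    # shellcheck disable=SC2154
    xcrun notarytool submit \
      --apple-id "${AppleUsername}" \
      --password "${ApplePassword}" \
      --team-id "${APPLE_TEAM_ID}" \
      "${target}"
  )" || die "notarytool submit failed for ${target}"
  printf '%s\n' "${output}"

  uuid="$(first_value id <<< "${output}")"
  [[ -n "${uuid}" ]] || die "no submission id found in notarytool output for ${target}"

  # Poll until the submission leaves "In Progress" or the attempt budget is spent.
  status='In Progress'
  for (( attempt = 1; attempt <= max_attempts; attempt++ )); do
    sleep 10
    output="$(
      xcrun notarytool info \
        --apple-id "${AppleUsername}" \
        --password "${ApplePassword}" \
        --team-id "${APPLE_TEAM_ID}" \
        "${uuid}"
    )" || die "notarytool info failed for submission ${uuid}"
    status="$(first_value status <<< "${output}")"
    [[ "${status}" == 'In Progress' ]] || break
  done

  if [[ "${status}" == 'In Progress' ]]; then
    die "notarization of ${target} still in progress after ${max_attempts} polls (submission ${uuid})"
  fi
  if [[ "${status}" != 'Accepted' ]]; then
    # Best effort: the log names the offending file and the reason for rejection.
    xcrun notarytool log \
      --apple-id "${AppleUsername}" \
      --password "${ApplePassword}" \
      --team-id "${APPLE_TEAM_ID}" \
      "${uuid}" || true
    die "notarization of ${target} ended with status '${status:-unknown}' (submission ${uuid})"
  fi
}

# Sign "$1" with the Developer ID certificate (hardened runtime, trusted
# timestamp) and fail unless the resulting signature verifies. Any extra
# arguments are passed through to codesign (e.g. --deep for a bundle).
sign_and_verify() {
  local path="$1"
  shift
  codesign --force --timestamp --options=runtime "$@" -s "${DEVELOPER_ID}" "${path}"
  echo "Verify that ${path} is signed"
  # `-dvv` only *displays* a signature; `--verify` is what actually checks it.
  codesign --verify --verbose=2 "${path}"
  codesign -dvv "${path}"
  printf "\n"
}

# Decode the base64 certificates into the private directory "$1" and import
# them into the System keychain so codesign can use them non-interactively.
import_certificates() {
  local certdir="$1"

  # shellcheck disable=SC2154
  base64 -D -o "${certdir}/MacCertificate.p12" <<< "${MacCertificate}"
  # NOTE(review): -A lets every application use the imported private key;
  # `-T /usr/bin/codesign` would restrict it to the signer — confirm CI still works.
  # shellcheck disable=SC2154
  sudo security import "${certdir}/MacCertificate.p12" -k "${SYSTEM_KEYCHAIN}" -P "${MacCertificatePassword}" -A
  # shellcheck disable=SC2154
  base64 -D -o "${certdir}/AppleSigningAuthorityCertificate.cer" <<< "${AppleSigningAuthorityCertificate}"
  sudo security import "${certdir}/AppleSigningAuthorityCertificate.cer" -k "${SYSTEM_KEYCHAIN}" -A
}

# Build Telegraf.app from the tarball "$1", sign each component and the bundle,
# wrap it in a signed DMG named after the tarball, notarize and staple the DMG,
# and move it to ~/project/build/dist.
package_tarball() {
  local tar_file="$1"
  local app_root="Telegraf.app/Contents"
  local bin_path="${app_root}/Resources/usr/bin/telegraf"
  local entry_path="${app_root}/MacOS/telegraf_entry_mac"
  local base_name dmg

  cleanup

  # Create the .app bundle directory structure.
  mkdir -p "${app_root}/MacOS" "${app_root}/Resources"

  echo "Extract ${tar_file} to ${app_root}/Resources"
  tar -xzvf "${tar_file}" --strip-components=2 -C "${app_root}/Resources"
  printf "\n"
  [[ -f "${bin_path}" ]] || die "${bin_path} missing after extracting ${tar_file}"
  sign_and_verify "${bin_path}"

  cp "${PROJECT_DIR}/scripts/telegraf_entry_mac" "${app_root}/MacOS"
  chmod +x "${entry_path}"
  sign_and_verify "${entry_path}"

  cp "${PROJECT_DIR}/info.plist" "${app_root}"
  cp "${PROJECT_DIR}/assets/windows/icon.icns" "${app_root}/Resources"

  # Sign the entire bundle, then wrap it in a DMG and sign that as well.
  sign_and_verify Telegraf.app --deep
  base_name="$(basename "${tar_file}" .tar.gz)"
  dmg="${base_name}.dmg"
  echo "${base_name}"
  hdiutil create -size 500m -volname Telegraf -srcfolder Telegraf.app "${dmg}"
  sign_and_verify "${dmg}"

  archive_notarize "${dmg}"

  # Attach the notarization ticket so Gatekeeper can validate the DMG offline.
  # NOTE(review): `spctl -a -t open --context context:primary-signature -v`
  # on the stapled DMG would give an end-to-end Gatekeeper check here.
  xcrun stapler staple "${dmg}"
  cleanup

  mkdir -p "${PROJECT_DIR}/build/dist"
  mv "${dmg}" "${PROJECT_DIR}/build/dist"

  echo "${dmg} signed and notarized!"
}

main() {
  local amd_file arm_file tar_file version

  # Decoded certificate material lives in a 0700 temp dir that is removed on
  # every exit path, instead of lingering as MacCertificate.p12 in the cwd.
  cert_dir="$(mktemp -d)" || die "mktemp failed"
  trap 'rm -rf -- "${cert_dir}"' EXIT
  import_certificates "${cert_dir}"

  amd_file="$(find "${PROJECT_DIR}/dist" -name "*darwin_amd64.tar*")"
  arm_file="$(find "${PROJECT_DIR}/dist" -name "*darwin_arm64.tar*")"
  # find succeeds with no match (or several); -f rejects both cases so the
  # failure is reported here rather than by tar with a confusing message.
  [[ -f "${amd_file}" ]] || die "expected exactly one darwin_amd64 tarball under ${PROJECT_DIR}/dist"
  [[ -f "${arm_file}" ]] || die "expected exactly one darwin_arm64 tarball under ${PROJECT_DIR}/dist"

  version="$(make version)"
  # -replace inserts the key when absent and overwrites it otherwise, so a
  # re-run against an already stamped info.plist does not fail.
  plutil -replace CFBundleShortVersionString -string "${version}" "${PROJECT_DIR}/info.plist"
  plutil -replace CFBundleVersion -string "${version}" "${PROJECT_DIR}/info.plist"

  for tar_file in "${amd_file}" "${arm_file}"; do
    package_tarball "${tar_file}"
  done
}

main "$@"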