From 95ccc14acd7e93030a4c7d7fd1dbc258dfcf4966 Mon Sep 17 00:00:00 2001
From: Ulises Gascon
Date: Sat, 8 Jul 2023 13:26:00 +0200
Subject: [PATCH 01/15] tools: limit MacOS notarization with gon to Xcode version < 13.0
Signed-off-by: Ulises Gascon
---
tools/osx-notarize.sh | 54 +++++++++++++++++++++++++------------------
1 file changed, 32 insertions(+), 22 deletions(-)
diff --git a/tools/osx-notarize.sh b/tools/osx-notarize.sh
index 31c92c2ca426f3..340eb2706f756c 100755
--- a/tools/osx-notarize.sh
+++ b/tools/osx-notarize.sh
@@ -1,34 +1,44 @@ #!/bin/sh - -# Uses gon, from https://github.com/mitchellh/gon, to notarize a generated node-.pkg file -# with Apple for installation on macOS Catalina and later as validated by Gatekeeper. +# Notarize a generated node-.pkg file is an Apple requirement for installation on macOS Catalina and later, as validated by Gatekeeper. +# Uses gon, from https://github.com/mitchellh/gon (Xcode version < 13.0.) +# Uses notarytool (Xcode >= 13.0). set -e -gon_version="0.2.2" -gon_exe="${HOME}/.gon/gon_${gon_version}" +xcode_version=$(xcodebuild -version | awk '/Xcode/ {print $2}') + +if [[ "$xcode_version" < "13.0" ]]; then + echo "Notarization process is done with gon." + + gon_version="0.2.2" + gon_exe="${HOME}/.gon/gon_${gon_version}" + + pkgid="$1" -pkgid="$1" + [ -z "$pkgid" ] && \ + echo "Usage: $0 " \ + exit 1 -[ -z "$pkgid" ] && \ - echo "Usage: $0 " \ - exit 1 + # shellcheck disable=SC2154 + [ -z "$NOTARIZATION_ID" ] && \ + echo "No NOTARIZATION_ID environment var. Skipping notarization." \ + exit 0 -# shellcheck disable=SC2154 -[ -z "$NOTARIZATION_ID" ] && \ - echo "No NOTARIZATION_ID environment var. Skipping notarization." \ - exit 0 + set -x -set -x + mkdir -p "${HOME}/.gon/" -mkdir -p "${HOME}/.gon/" + if [ ! -f "${gon_exe}" ]; then + curl -sL "https://github.com/mitchellh/gon/releases/download/v${gon_version}/gon_${gon_version}_macos.zip" -o "${gon_exe}.zip" + (cd "${HOME}/.gon/" && rm -f gon && unzip "${gon_exe}.zip" && mv gon "${gon_exe}") + fi -if [ ! 
-f "${gon_exe}" ]; then - curl -sL "https://github.com/mitchellh/gon/releases/download/v${gon_version}/gon_${gon_version}_macos.zip" -o "${gon_exe}.zip" - (cd "${HOME}/.gon/" && rm -f gon && unzip "${gon_exe}.zip" && mv gon "${gon_exe}") -fi + sed -e "s/{{appleid}}/${NOTARIZATION_ID}/" -e "s/{{pkgid}}/${pkgid}/" tools/osx-gon-config.json.tmpl \ + > gon-config.json -sed -e "s/{{appleid}}/${NOTARIZATION_ID}/" -e "s/{{pkgid}}/${pkgid}/" tools/osx-gon-config.json.tmpl \ - > gon-config.json + "${gon_exe}" -log-level=info gon-config.json -"${gon_exe}" -log-level=info gon-config.json +else + echo "Notarization process is done with Notarytool." + # @TODO: Implement notarization with notarytool. +fi \ No newline at end of file From 7cc24d88b600e8580a00443f17705bad4567bdf9 Mon Sep 17 00:00:00 2001 From: Ulises Gascon Date: Sat, 8 Jul 2023 14:06:45 +0200 Subject: [PATCH 02/15] tools: added basic support for notarytool --- tools/osx-notarize.sh | 58 +++++++++++++++++++++++++++++-------------- 1 file changed, 40 insertions(+), 18 deletions(-) diff --git a/tools/osx-notarize.sh b/tools/osx-notarize.sh index 340eb2706f756c..1f02fb290e4db6 100755 --- a/tools/osx-notarize.sh +++ b/tools/osx-notarize.sh 
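Review bot: The gon archive fetched inside the `if [ ! -f "${gon_exe}" ]` block is unzipped and executed with no integrity check, and the resulting binary is the one that goes on to handle the notarization credentials. The version is pinned but the archive contents are not, so a replaced release asset would not be noticed before `mv gon "${gon_exe}"`. These lines are only re-indented by this patch, but since the branch is being kept for older Xcode it is worth using `curl -fsSL` so a failed download stops at curl, and adding a pinned digest check before the `unzip`, for example `echo "<expected-sha256>  ${gon_exe}.zip" | shasum -a 256 -c -`, with the digest recorded next to `gon_version`.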
@@ -1,31 +1,30 @@ -#!/bin/sh -# Notarize a generated node-.pkg file is an Apple requirement for installation on macOS Catalina and later, as validated by Gatekeeper. -# Uses gon, from https://github.com/mitchellh/gon (Xcode version < 13.0.) -# Uses notarytool (Xcode >= 13.0). +#!/bin/bash +# Notarize a generated node-.pkg file as an Apple requirement for installation on macOS Catalina and later, as validated by Gatekeeper. +# Uses gon (Xcode version < 13.0) or notarytool (Xcode >= 13.0). set -e xcode_version=$(xcodebuild -version | awk '/Xcode/ {print $2}') +pkgid="$1" + +[ -z "$pkgid" ] && { + echo "Usage: $0 " + exit 1 +} + +# shellcheck disable=SC2154 +[ -z "$NOTARIZATION_ID" ] && { + echo "No NOTARIZATION_ID environment variable. Skipping notarization." + exit 0 +} if [[ "$xcode_version" < "13.0" ]]; then echo "Notarization process is done with gon." + set -x gon_version="0.2.2" gon_exe="${HOME}/.gon/gon_${gon_version}" - pkgid="$1" - - [ -z "$pkgid" ] && \ - echo "Usage: $0 " \ - exit 1 - - # shellcheck disable=SC2154 - [ -z "$NOTARIZATION_ID" ] && \ - echo "No NOTARIZATION_ID environment var. Skipping notarization." \ - exit 0 - - set -x - mkdir -p "${HOME}/.gon/" if [ ! -f "${gon_exe}" ]; then 
@@ -40,5 +39,28 @@ if [[ "$xcode_version" < "13.0" ]]; then else echo "Notarization process is done with Notarytool." - # @TODO: Implement notarization with notarytool. + + if ! command -v xcrun &> /dev/null || ! xcrun --find notarytool &> /dev/null; then + echo "Notarytool is not present in the system. Notarization has failed." + exit 1 + fi + + # Submit the package for notarization + notarization_output=$( + xcrun notarytool submit "node-$pkgid.pkg" \ + --apple-id "@env:NOTARIZATION_APPLE_ID" \ + --password "@env:NOTARIZATION_PASSWORD" \ + --team-id "@env:NOTARIZATION_TEAM_ID" \ + --wait 2>&1 + ) + + if [ $? -eq 0 ]; then + # Extract the operation ID from the output + operation_id=$(echo "$notarization_output" | awk '/RequestUUID/ {print $NF}') + echo "Notarization submitted. Operation ID: $operation_id" + exit 0 + else + echo "Notarization failed. Error: $notarization_output" + exit 1 + fi fi \ No newline at end of file From dc63135777484ed10f6cd599460b859c9f1194c9 Mon Sep 17 00:00:00 2001 From: Ulises Gascon Date: Sat, 8 Jul 2023 14:23:20 +0200 Subject: [PATCH 03/15] fix: typo --- tools/osx-notarize.sh | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/tools/osx-notarize.sh b/tools/osx-notarize.sh index 1f02fb290e4db6..4656bc7b2f2f7a 100755 --- a/tools/osx-notarize.sh +++ b/tools/osx-notarize.sh @@ -1,4 +1,5 @@ -#!/bin/bash +#!/bin/sh + # Notarize a generated node-.pkg file as an Apple requirement for installation on macOS Catalina and later, as validated by Gatekeeper. # Uses gon (Xcode version < 13.0) or notarytool (Xcode >= 13.0). From 43446db60e6dd09d0df48f0d9e8ca6b1ea0fd6a7 Mon Sep 17 00:00:00 2001 From: Ulises Gascon Date: Sat, 8 Jul 2023 14:36:07 +0200 Subject: [PATCH 04/15] chore: linting --- tools/osx-notarize.sh | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/tools/osx-notarize.sh b/tools/osx-notarize.sh index 4656bc7b2f2f7a..05f3898934f0e0 100755 --- a/tools/osx-notarize.sh +++ b/tools/osx-notarize.sh 
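Review bot: The success arm after `xcrun notarytool submit ... --wait` trusts the exit status alone and then discards the tool's output, so the log never shows whether Apple actually accepted the package. As far as I know notarytool can return 0 for a submission that finished processing with status `Invalid`, and its output carries an `id:` field rather than altool's `RequestUUID`, so `operation_id` is likely to be empty; both are worth confirming against the installed Xcode. I would print `$notarization_output` on both paths and require the final status, for example `printf '%s\n' "$notarization_output" | grep -q 'status: Accepted' || exit 1`, and reword "Notarization submitted" since `--wait` has already waited for the result. Separately, with `set -e` still active at this commit a failing command substitution ends the script before `if [ $? -eq 0 ]` is reached, so the message in the `else` arm is never printed.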
@@ -8,18 +8,18 @@ set -e xcode_version=$(xcodebuild -version | awk '/Xcode/ {print $2}') pkgid="$1" -[ -z "$pkgid" ] && { +if [ -z "$pkgid" ]; then echo "Usage: $0 " exit 1 -} +fi # shellcheck disable=SC2154 -[ -z "$NOTARIZATION_ID" ] && { +if [ -z "$NOTARIZATION_ID" ]; then echo "No NOTARIZATION_ID environment variable. Skipping notarization." exit 0 -} +fi -if [[ "$xcode_version" < "13.0" ]]; then +if [ "$(echo "$xcode_version < 13.0" | bc)" -eq 1 ]; then echo "Notarization process is done with gon." set -x @@ -41,7 +41,7 @@ if [[ "$xcode_version" < "13.0" ]]; then else echo "Notarization process is done with Notarytool." - if ! command -v xcrun &> /dev/null || ! xcrun --find notarytool &> /dev/null; then + if ! command -v xcrun >/dev/null || ! xcrun --find notarytool >/dev/null; then echo "Notarytool is not present in the system. Notarization has failed." exit 1 fi @@ -64,4 +64,4 @@ else echo "Notarization failed. Error: $notarization_output" exit 1 fi -fi \ No newline at end of file +fi From a25c08f0568b994eb0e405fa71c3f41c65e308ad Mon Sep 17 00:00:00 2001 From: Ulises Gascon Date: Sat, 8 Jul 2023 14:47:39 +0200 Subject: [PATCH 05/15] chore: linting --- tools/osx-notarize.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/osx-notarize.sh b/tools/osx-notarize.sh index 05f3898934f0e0..94f5556b1b8c66 100755 --- a/tools/osx-notarize.sh +++ b/tools/osx-notarize.sh @@ -19,7 +19,7 @@ if [ -z "$NOTARIZATION_ID" ]; then exit 0 fi -if [ "$(echo "$xcode_version < 13.0" | bc)" -eq 1 ]; then +if [ $(echo "$xcode_version < 13.0" | bc) -eq 1 ]; then echo "Notarization process is done with gon." set -x From 6ef370befa02653febfa7123705dc0dfd8ecd0ae Mon Sep 17 00:00:00 2001 From: Ulises Gascon Date: Sat, 8 Jul 2023 14:58:40 +0200 Subject: [PATCH 06/15] chore: linting --- tools/osx-notarize.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/osx-notarize.sh b/tools/osx-notarize.sh index 94f5556b1b8c66..05f3898934f0e0 100755 
--- a/tools/osx-notarize.sh +++ b/tools/osx-notarize.sh @@ -19,7 +19,7 @@ if [ -z "$NOTARIZATION_ID" ]; then exit 0 fi -if [ $(echo "$xcode_version < 13.0" | bc) -eq 1 ]; then +if [ "$(echo "$xcode_version < 13.0" | bc)" -eq 1 ]; then echo "Notarization process is done with gon." set -x From 3b7c993a7cad69cafa5b06bf43212c9218911b25 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ulises=20Gasc=C3=B3n?= Date: Wed, 13 Sep 2023 21:51:07 +0200 Subject: [PATCH 07/15] fix: update script credentials --- tools/osx-notarize.sh | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/tools/osx-notarize.sh b/tools/osx-notarize.sh index 05f3898934f0e0..91e7e6dc5d0a93 100755 --- a/tools/osx-notarize.sh +++ b/tools/osx-notarize.sh @@ -49,9 +49,8 @@ else # Submit the package for notarization notarization_output=$( xcrun notarytool submit "node-$pkgid.pkg" \ - --apple-id "@env:NOTARIZATION_APPLE_ID" \ + --apple-id "@env:NOTARIZATION_ID" \ --password "@env:NOTARIZATION_PASSWORD" \ - --team-id "@env:NOTARIZATION_TEAM_ID" \ --wait 2>&1 ) From ec27e52a99c1709cc0f686e565a985ce57309bed Mon Sep 17 00:00:00 2001 From: Ulises Gascon Date: Thu, 14 Sep 2023 13:18:00 +0200 Subject: [PATCH 08/15] fix: update script xcode version evaluation --- tools/osx-notarize.sh | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/tools/osx-notarize.sh b/tools/osx-notarize.sh index 91e7e6dc5d0a93..49b5a209be0f08 100755 --- a/tools/osx-notarize.sh +++ b/tools/osx-notarize.sh @@ -5,6 +5,8 @@ set -e +function version { echo "$@" | awk -F. '{ printf("%d%03d%03d%03d\n", $1,$2,$3,$4); }'; } + xcode_version=$(xcodebuild -version | awk '/Xcode/ {print $2}') pkgid="$1" @@ -19,7 +21,7 @@ if [ -z "$NOTARIZATION_ID" ]; then exit 0 fi -if [ "$(echo "$xcode_version < 13.0" | bc)" -eq 1 ]; then +if [ $(version $VAR) -lt $(version "13.0") ]; then echo "Notarization process is done with gon." set -x From 9a6e60ce18e70a9dd0ce7355e5aa0523e6b5bed9 Mon Sep 17 00:00:00 2001 
From: Ulises Gascon Date: Thu, 14 Sep 2023 15:36:21 +0200 Subject: [PATCH 09/15] fix: simplification and linting errors --- tools/osx-notarize.sh | 19 +++++++++++-------- 1 file changed, 11 insertions(+), 8 deletions(-) diff --git a/tools/osx-notarize.sh b/tools/osx-notarize.sh index 49b5a209be0f08..6c8583c4853827 100755 --- a/tools/osx-notarize.sh +++ b/tools/osx-notarize.sh @@ -3,11 +3,13 @@ # Notarize a generated node-.pkg file as an Apple requirement for installation on macOS Catalina and later, as validated by Gatekeeper. # Uses gon (Xcode version < 13.0) or notarytool (Xcode >= 13.0). -set -e - -function version { echo "$@" | awk -F. '{ printf("%d%03d%03d%03d\n", $1,$2,$3,$4); }'; } +version() { + echo "$@" | awk -F. '{ printf("%d%03d%03d%03d\n", $1,$2,$3,$4); }' || echo "0" +} xcode_version=$(xcodebuild -version | awk '/Xcode/ {print $2}') +xcode_version_result=$(version "$xcode_version") +xcode_version_threshold=$(version "13.0") pkgid="$1" if [ -z "$pkgid" ]; then @@ -21,7 +23,7 @@ if [ -z "$NOTARIZATION_ID" ]; then exit 0 fi -if [ $(version $VAR) -lt $(version "13.0") ]; then +if [ "$xcode_version_result" -lt "$xcode_version_threshold" ]; then echo "Notarization process is done with gon." set -x @@ -43,9 +45,10 @@ if [ $(version $VAR) -lt $(version "13.0") ]; then else echo "Notarization process is done with Notarytool." - if ! command -v xcrun >/dev/null || ! xcrun --find notarytool >/dev/null; then - echo "Notarytool is not present in the system. Notarization has failed." - exit 1 + if ! command -v notarytool > /dev/null + then + echo "Notarytool is not present in the system. Notarization has failed." + exit 1 fi # Submit the package for notarization @@ -65,4 +68,4 @@ else echo "Notarization failed. Error: $notarization_output" exit 1 fi -fi +fi \ No newline at end of file From 0e96609bd05f4f297e4c2f896295099420717127 Mon Sep 17 00:00:00 2001 
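Review bot: The `|| echo "0"` fallback in `version()` only fires if awk itself fails, so an empty or unparsable `xcode_version` (for instance when `xcodebuild -version` prints nothing on stdout) still yields `0000000000` and silently selects the gon branch. With `set -e` removed in the same hunk nothing else stops the script at that point. I would fail closed right after the assignment, e.g. `[ -n "$xcode_version" ] || { echo "Unable to determine Xcode version" >&2; exit 1; }`, and add a one-line comment above `version()` saying it packs up to four dot-separated fields into one zero-padded integer for numeric comparison.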
From: Ulises Gascon Date: Thu, 14 Sep 2023 16:58:37 +0200 Subject: [PATCH 10/15] fix: typo in command name --- tools/osx-notarize.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/osx-notarize.sh b/tools/osx-notarize.sh index 6c8583c4853827..02b2a2bcc2cdfa 100755 --- a/tools/osx-notarize.sh +++ b/tools/osx-notarize.sh @@ -45,7 +45,7 @@ if [ "$xcode_version_result" -lt "$xcode_version_threshold" ]; then else echo "Notarization process is done with Notarytool." - if ! command -v notarytool > /dev/null + if ! command -v xcrun notarytool > /dev/null then echo "Notarytool is not present in the system. Notarization has failed." exit 1 From 94ca88372437b224553bf90c57184d6c39ef938f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ulises=20Gasc=C3=B3n?= Date: Thu, 14 Sep 2023 18:10:15 +0200 Subject: [PATCH 11/15] fix: add notarization team id --- tools/osx-notarize.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/tools/osx-notarize.sh b/tools/osx-notarize.sh index 02b2a2bcc2cdfa..3c1f4125f9b104 100755 --- a/tools/osx-notarize.sh +++ b/tools/osx-notarize.sh @@ -56,6 +56,7 @@ else xcrun notarytool submit "node-$pkgid.pkg" \ --apple-id "@env:NOTARIZATION_ID" \ --password "@env:NOTARIZATION_PASSWORD" \ + --team-id "@env:NOTARIZATION_TEAM_ID" \ --wait 2>&1 ) From 1e82540a7bc44956537bb89017cac6325ba4f7fc Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ulises=20Gasc=C3=B3n?= Date: Thu, 14 Sep 2023 20:39:08 +0200 Subject: [PATCH 12/15] fix: arguments order --- tools/osx-notarize.sh | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/tools/osx-notarize.sh b/tools/osx-notarize.sh index 3c1f4125f9b104..4a53a28882fb5b 100755 --- a/tools/osx-notarize.sh +++ b/tools/osx-notarize.sh 
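Review bot: `command -v xcrun notarytool` does not establish that notarytool is available: POSIX defines `command -v` for a single name, and shells that accept two names look each one up on PATH, where `notarytool` is normally absent because it is resolved through xcrun. Depending on the shell, the test then either passes whenever `xcrun` exists or fails even though the tool is installed. The form used earlier in this series asks xcrun directly and is the safer check: `if ! xcrun --find notarytool >/dev/null 2>&1`.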
@@ -53,11 +53,12 @@ else # Submit the package for notarization notarization_output=$( - xcrun notarytool submit "node-$pkgid.pkg" \ + xcrun notarytool submit \ --apple-id "@env:NOTARIZATION_ID" \ --password "@env:NOTARIZATION_PASSWORD" \ --team-id "@env:NOTARIZATION_TEAM_ID" \ - --wait 2>&1 + --wait \ + "node-$pkgid.pkg" 2>&1 ) if [ $? -eq 0 ]; then From 4cb6407fd1ba7b16be1676081a02575885c3ade2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ulises=20Gasc=C3=B3n?= Date: Fri, 15 Sep 2023 20:06:05 +0200 Subject: [PATCH 13/15] fix: environmental variables management --- tools/osx-notarize.sh | 16 +++++++++++++--- 1 file changed, 13 insertions(+), 3 deletions(-) diff --git a/tools/osx-notarize.sh b/tools/osx-notarize.sh index 4a53a28882fb5b..b260e256ab64b6 100755 --- a/tools/osx-notarize.sh +++ b/tools/osx-notarize.sh @@ -23,6 +23,16 @@ if [ -z "$NOTARIZATION_ID" ]; then exit 0 fi +if [ -z "$NOTARIZATION_PASSWORD" ]; then + echo "No NOTARIZATION_PASSWORD environment variable. Skipping notarization." + exit 0 +fi + +if [ -z "$NOTARIZATION_TEAM_ID" ]; then + echo "No NOTARIZATION_TEAM_ID environment variable. Skipping notarization." + exit 0 +fi + if [ "$xcode_version_result" -lt "$xcode_version_threshold" ]; then echo "Notarization process is done with gon." set -x @@ -54,9 +64,9 @@ else # Submit the package for notarization notarization_output=$( xcrun notarytool submit \ - --apple-id "@env:NOTARIZATION_ID" \ - --password "@env:NOTARIZATION_PASSWORD" \ - --team-id "@env:NOTARIZATION_TEAM_ID" \ + --apple-id "$NOTARIZATION_ID" \ + --password "$NOTARIZATION_PASSWORD" \ + --team-id "$NOTARIZATION_TEAM_ID" \ --wait \ "node-$pkgid.pkg" 2>&1 ) From 639dcb37c3007f6b29dd8f9f1238056a87dc1d62 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ulises=20Gasc=C3=B3n?= Date: Tue, 19 Sep 2023 17:21:22 +0200 Subject: [PATCH 14/15] Update tools/osx-notarize.sh Co-authored-by: Moshe Atlow --- tools/osx-notarize.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
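Review bot: The two new guards treat a missing `NOTARIZATION_PASSWORD` or `NOTARIZATION_TEAM_ID` as "skip" and `exit 0`, which fails open: once `NOTARIZATION_ID` is set the build is evidently meant to notarize, and a partly configured release machine would produce an un-notarized package with a green job. I would keep `exit 0` only for the case where `NOTARIZATION_ID` is unset and use `exit 1` with the message on stderr for the other two. The checks also sit above the Xcode version branch, so they now gate the gon path as well; whether gon needs these variables is not visible in this patch, so moving them into the notarytool branch may be more accurate.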
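Review bot: Passing `--password "$NOTARIZATION_PASSWORD"` expands the app-specific password into notarytool's argument list, where it is visible in the local process table for as long as `--wait` keeps the command running. The removed line handed over only a reference, `--password "@env:NOTARIZATION_PASSWORD"`; if the change was needed because `@env:` is not expanded for `--apple-id` and `--team-id`, the password argument can keep the reference form while the other two use shell expansion (confirm with `xcrun notarytool submit --help` on the build machine). Storing the credentials once with `xcrun notarytool store-credentials` and submitting with `--keychain-profile` would take the secret out of both the script's environment and its argv.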
diff --git a/tools/osx-notarize.sh b/tools/osx-notarize.sh index b260e256ab64b6..1f2c722868969d 100755 --- a/tools/osx-notarize.sh +++ b/tools/osx-notarize.sh @@ -80,4 +80,4 @@ else echo "Notarization failed. Error: $notarization_output" exit 1 fi -fi \ No newline at end of file +fi From 076dbcb91647a51df3a8848ce031fbb4fde64f59 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ulises=20Gasc=C3=B3n?= Date: Thu, 21 Sep 2023 12:36:18 +0200 Subject: [PATCH 15/15] doc: add TODOs for OSX Notarization next steps --- tools/osx-notarize.sh | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/tools/osx-notarize.sh b/tools/osx-notarize.sh index 1f2c722868969d..beea7041793cdf 100755 --- a/tools/osx-notarize.sh +++ b/tools/osx-notarize.sh @@ -33,6 +33,8 @@ if [ -z "$NOTARIZATION_TEAM_ID" ]; then exit 0 fi +# TODO(@ulisesGascon): remove support for gon +# when https://github.com/nodejs/build/issues/3385#issuecomment-1729281269 is ready if [ "$xcode_version_result" -lt "$xcode_version_threshold" ]; then echo "Notarization process is done with gon." set -x @@ -62,6 +64,8 @@ else fi # Submit the package for notarization + # TODO(@ulisesGascon): refactor to use --keychain-profile + # when https://github.com/nodejs/build/issues/3385#issuecomment-1729281269 is ready notarization_output=$( xcrun notarytool submit \ --apple-id "$NOTARIZATION_ID" \