teleport/build.assets/build-pkg-tsh.sh

#!/bin/bash
set -eu

# Flag variables
TELEPORT_TYPE=''     # -t, oss or ent
TELEPORT_VERSION=''  # -v, version, without leading 'v'
TARBALL_DIRECTORY='' # -s

usage() {
  log "Usage: $0 -t oss|eng -v version [-s tarball_directory] [-n]"
}

main() {
  local buildassets=''
  buildassets="$(dirname "$0")"

  # Don't follow sourced script.
  #shellcheck disable=SC1090
  #shellcheck disable=SC1091
  . "$buildassets/build-common.sh"

  local opt=''
  while getopts "t:v:s:n" opt; do
    case "$opt" in
      t)
        if [[ "$OPTARG" != "oss" && "$OPTARG" != "ent" ]]; then
          log "$0: invalid value for -$opt, want 'oss' or 'ent'"
          usage
          exit 1
        fi
        TELEPORT_TYPE="$OPTARG"
        ;;
      v)
        TELEPORT_VERSION="$OPTARG"
        ;;
      s)
        # Find out the absolute path to -s.
        if [[ "$OPTARG" != /* ]]; then
          OPTARG="$PWD/$OPTARG"
        fi
        TARBALL_DIRECTORY="$OPTARG"
        ;;
      n)
        DRY_RUN_PREFIX='echo + '  # declared by build-common.sh
        ;;
      *)
        usage
        exit 1
        ;;
    esac
  done
  shift $((OPTIND-1))

  # Cut leading 'v' from version, in case it's there.
  if [[ "$TELEPORT_VERSION" == v* ]]; then
    TELEPORT_VERSION="${TELEPORT_VERSION:1}"
  fi

  if [[ -z "$TELEPORT_TYPE" || -z "${TELEPORT_VERSION}" ]]; then
    usage
    exit 1
  fi

  # Verify environment varibles.
  if [[ "${APPLE_USERNAME:-}" == "" ]]; then
    echo "\
The APPLE_USERNAME environment variable needs to be set to the Apple ID used\
for notarization requests"
    exit 1
  fi
  if [[ "${APPLE_PASSWORD:-}" == "" ]]; then
    echo "\
The APPLE_PASSWORD environment variable needs to be set to an app-specific\
password created by APPLE_USERNAME"
    exit 1
  fi

  # Use similar find-or-download logic as build-package.sh for compatibility
  # purposes.
  local ent=''
  [[ "$TELEPORT_TYPE" == 'ent' ]] && ent='-ent'
  local tarname=''
  tarname="$(printf \
    "teleport%s-v%s-darwin-amd64-bin.tar.gz" \
    "$ent" "$TELEPORT_VERSION")"
  [[ -n "$TARBALL_DIRECTORY" ]] && tarname="$TARBALL_DIRECTORY/$tarname"

  tarout='' # find_or_fetch_tarball writes to this
  find_or_fetch_tarball "$tarname" tarout
  log "Using tarball at $tarout"
  tarname="$tarout"

  # Unpack tar, get ready to sign/notarize/package.
  local tmp=''
  tmp="$(mktemp -d)"
  [[ -n "$DRY_RUN_PREFIX" ]] && log "tmp = $tmp"
  $DRY_RUN_PREFIX trap "rm -fr '$tmp'" EXIT

  # $tmp/ (eventually) looks like this:
  #   teleport/tsh          # oss
  #   teleport-ent/tsh      # ent
  #   scripts               # cloned from build.assets
  #   root/tsh-vXXX.app     # package root
  #   tsh-vXXX.pkg.unsigned # created by the script
  #   tsh-vXXX.pkg          # created by the script
  mkdir "$tmp/root"

  # This creates either 'teleport/' or 'teleport-ent/' under tmp.
  # We only care about the 'tsh' file for the script.
  tar xzf "$tarname" -C "$tmp"

  # Copy and edit scripts, then write the correct VERSION variable.
  cp -r "$buildassets/macos/scripts" "$tmp/"
  sed -i '' "s/VERSION=''/VERSION='-v$TELEPORT_VERSION'/g" "$tmp/scripts"/*

  # Prepare app shell.
  local skel="$buildassets/macos/$TSH_SKELETON"
  local target="$tmp/root/tsh-v$TELEPORT_VERSION.app"
  cp -r "$skel/tsh.app" "$target"
  mkdir -p "$target/Contents/MacOS/"
  cp "$tmp"/teleport*/tsh "$target/Contents/MacOS/"

  # Sign app.
  $DRY_RUN_PREFIX codesign -f \
    -o kill,hard,runtime \
    -s "$DEVELOPER_ID_APPLICATION" \
    -i "$TSH_BUNDLEID" \
    --entitlements "$skel"/tsh*.entitlements \
    --timestamp \
    "$target"

  # Prepare and sign the installer package.
  target="$tmp/tsh-v$TELEPORT_VERSION.pkg" # switches from app to pkg
  pkgbuild \
    --root "$tmp/root/" \
    --identifier "$TSH_BUNDLEID" \
    --version "v$TELEPORT_VERSION" \
    --install-location /Applications \
    --scripts "$tmp/scripts" \
    "$target.unsigned"
  $DRY_RUN_PREFIX productsign \
    --sign "$DEVELOPER_ID_INSTALLER" \
    --timestamp \
    "$target.unsigned" \
    "$target"
  # Make sure $target exists in case of dry runs.
  if [[ -n "$DRY_RUN_PREFIX" ]]; then
    cp "$target.unsigned" "$target"
  fi

  # Notarize.
  notarize "$target" "$TEAMID" "$TSH_BUNDLEID"

  # Copy resulting package to $PWD, generate hashes.
  mv "$target" .
  local bn=''
  bn="$(basename "$target")"
  sha256sum "$bn" > "$bn.sha256"
}

main "$@"
Build macOS installer for tsh.app (#12751) Changes how `make pkg-tsh` works so instead of building an installer for the `tsh` binary, placed under `/usr/local/bin`, we install an app to `/Applications/tsh-vXXX.app` and link its `tsh` binary to `/usr/local/bin`. The app shell is necessary to distribute a provisioning profile along with the signed/entitled/notarized binary. All of that is required for Touch ID to work. Naked `tsh` binaries are unable to use Touch ID, even if built with the correct build tags. I've elected to split the logic from `build-package.sh` into a separate script - it already does too much as-is. `build-pkg-tsh.sh` is more idiomatic, clears additional `shellcheck` rules and is easier to dry-run. #9160 * Build macOS installer for tsh.app * Add resources to build the tshdev app Moved from e/ * Add resources to build the tsh app (prod) * Use production values * Remove 'tsh' mode from build-package.tsh * Appease buildbox linter * Clarify one-time setup 2022-05-23 20:56:21 +00:00			`#!/bin/bash`
			`set -eu`

			`# Flag variables`
			`TELEPORT_TYPE='' # -t, oss or ent`
			`TELEPORT_VERSION='' # -v, version, without leading 'v'`
			`TARBALL_DIRECTORY='' # -s`

			`usage() {`
			`log "Usage: $0 -t oss\|eng -v version [-s tarball_directory] [-n]"`
			`}`

			`main() {`
			`local buildassets=''`
			`buildassets="$(dirname "$0")"`

			`# Don't follow sourced script.`
			`#shellcheck disable=SC1090`
			`#shellcheck disable=SC1091`
			`. "$buildassets/build-common.sh"`

			`local opt=''`
			`while getopts "t:v:s:n" opt; do`
			`case "$opt" in`
			`t)`
			`if [[ "$OPTARG" != "oss" && "$OPTARG" != "ent" ]]; then`
			`log "$0: invalid value for -$opt, want 'oss' or 'ent'"`
			`usage`
			`exit 1`
			`fi`
			`TELEPORT_TYPE="$OPTARG"`
			`;;`
			`v)`
			`TELEPORT_VERSION="$OPTARG"`
			`;;`
			`s)`
			`# Find out the absolute path to -s.`
			`if [[ "$OPTARG" != /* ]]; then`
			`OPTARG="$PWD/$OPTARG"`
			`fi`
			`TARBALL_DIRECTORY="$OPTARG"`
			`;;`
			`n)`
			`DRY_RUN_PREFIX='echo + ' # declared by build-common.sh`
			`;;`
			`*)`
			`usage`
			`exit 1`
			`;;`
			`esac`
			`done`
			`shift $((OPTIND-1))`

			`# Cut leading 'v' from version, in case it's there.`
			`if [[ "$TELEPORT_VERSION" == v* ]]; then`
			`TELEPORT_VERSION="${TELEPORT_VERSION:1}"`
			`fi`

			`if [[ -z "$TELEPORT_TYPE" \|\| -z "${TELEPORT_VERSION}" ]]; then`
			`usage`
			`exit 1`
			`fi`

			`# Verify environment varibles.`
			`if [[ "${APPLE_USERNAME:-}" == "" ]]; then`
			`echo "\`
			`The APPLE_USERNAME environment variable needs to be set to the Apple ID used\`
			`for notarization requests"`
			`exit 1`
			`fi`
			`if [[ "${APPLE_PASSWORD:-}" == "" ]]; then`
			`echo "\`
			`The APPLE_PASSWORD environment variable needs to be set to an app-specific\`
			`password created by APPLE_USERNAME"`
			`exit 1`
			`fi`

			`# Use similar find-or-download logic as build-package.sh for compatibility`
			`# purposes.`
			`local ent=''`
			`[[ "$TELEPORT_TYPE" == 'ent' ]] && ent='-ent'`
			`local tarname=''`
			`tarname="$(printf \`
			`"teleport%s-v%s-darwin-amd64-bin.tar.gz" \`
			`"$ent" "$TELEPORT_VERSION")"`
			`[[ -n "$TARBALL_DIRECTORY" ]] && tarname="$TARBALL_DIRECTORY/$tarname"`

			`tarout='' # find_or_fetch_tarball writes to this`
			`find_or_fetch_tarball "$tarname" tarout`
			`log "Using tarball at $tarout"`
			`tarname="$tarout"`

			`# Unpack tar, get ready to sign/notarize/package.`
			`local tmp=''`
			`tmp="$(mktemp -d)"`
			`[[ -n "$DRY_RUN_PREFIX" ]] && log "tmp = $tmp"`
			`$DRY_RUN_PREFIX trap "rm -fr '$tmp'" EXIT`

			`# $tmp/ (eventually) looks like this:`
			`# teleport/tsh # oss`
			`# teleport-ent/tsh # ent`
			`# scripts # cloned from build.assets`
			`# root/tsh-vXXX.app # package root`
			`# tsh-vXXX.pkg.unsigned # created by the script`
			`# tsh-vXXX.pkg # created by the script`
			`mkdir "$tmp/root"`

			`# This creates either 'teleport/' or 'teleport-ent/' under tmp.`
			`# We only care about the 'tsh' file for the script.`
			`tar xzf "$tarname" -C "$tmp"`

			`# Copy and edit scripts, then write the correct VERSION variable.`
			`cp -r "$buildassets/macos/scripts" "$tmp/"`
			`sed -i '' "s/VERSION=''/VERSION='-v$TELEPORT_VERSION'/g" "$tmp/scripts"/*`

			`# Prepare app shell.`
			`local skel="$buildassets/macos/$TSH_SKELETON"`
			`local target="$tmp/root/tsh-v$TELEPORT_VERSION.app"`
			`cp -r "$skel/tsh.app" "$target"`
			`mkdir -p "$target/Contents/MacOS/"`
			`cp "$tmp"/teleport*/tsh "$target/Contents/MacOS/"`

			`# Sign app.`
			`$DRY_RUN_PREFIX codesign -f \`
			`-o kill,hard,runtime \`
			`-s "$DEVELOPER_ID_APPLICATION" \`
			`-i "$TSH_BUNDLEID" \`
			`--entitlements "$skel"/tsh*.entitlements \`
			`--timestamp \`
			`"$target"`

			`# Prepare and sign the installer package.`
			`target="$tmp/tsh-v$TELEPORT_VERSION.pkg" # switches from app to pkg`
			`pkgbuild \`
			`--root "$tmp/root/" \`
			`--identifier "$TSH_BUNDLEID" \`
			`--version "v$TELEPORT_VERSION" \`
			`--install-location /Applications \`
			`--scripts "$tmp/scripts" \`
			`"$target.unsigned"`
			`$DRY_RUN_PREFIX productsign \`
			`--sign "$DEVELOPER_ID_INSTALLER" \`
			`--timestamp \`
			`"$target.unsigned" \`
			`"$target"`
			`# Make sure $target exists in case of dry runs.`
			`if [[ -n "$DRY_RUN_PREFIX" ]]; then`
			`cp "$target.unsigned" "$target"`
			`fi`

			`# Notarize.`
			`notarize "$target" "$TEAMID" "$TSH_BUNDLEID"`

			`# Copy resulting package to $PWD, generate hashes.`
			`mv "$target" .`
			`local bn=''`
			`bn="$(basename "$target")"`
			`sha256sum "$bn" > "$bn.sha256"`
			`}`

			`main "$@"`