darwin: Use notarytool to notarize instead of altool (#25407)
Switch to using the newer `notarytool` to notarize MacOS binaries instead of the older `altool`, as `altool` is deprecated and will no longer work come Fall 2023. This also makes for a quieter build as altool's output was quite verbose, and anecdotally, it seems to be more reliable - I haven't had a single notarization failure this way as opposed to the many we see in CI with `altool`. We used to use `gon` as part of our notarizing tool. `gon` still has an open issue to upgrade to `notarytool`, so we've switched away from it and used the Apple CLI tools instead to do the notarization. This is available now that we have moved to GitHub Actions for builds as it has a newer Xcode that contains notarytool. Update the Teleport Connect notarization, which was quite a bit simpler, although we do need an extra `$TEAMID` input, so handle it when that is not supplied and document in the README that it is needed.
This commit is contained in:
parent
f7968e794f
commit
97db758e84
@ -41,7 +41,8 @@ CSC_NAME = $(DEVELOPER_ID_APPLICATION)
# Don't export DEVELOPER_ID_APPLICATION, DEVELOPER_ID_INSTALLER or CSC_NAME as
# it causes them to be evaluated, which shells out to the `security` command.
# They should only be evaluated if used.
# They should only be evaluated if used. Any variables below that reference
# these are also unexported for the same reason.
unexport CSC_NAME DEVELOPER_ID_APPLICATION DEVELOPER_ID_INSTALLER
# Bundle IDs identify packages/images. We use different bundle IDs for
@ -94,18 +95,33 @@ SHOULD_NOTARIZE = $(if $(and $(APPLE_USERNAME),$(APPLE_PASSWORD)),true)
# to not evaluate its arguments (DEVELOPER_ID_APPLICATION) if we are not
# goint to use them, preventing a missing key error defined above.
NOTARIZE_BINARIES = $(if $(SHOULD_NOTARIZE),$(notarize_binaries_cmd),$(not_notarizing_cmd))
define notarize_binaries_cmd
cd build.assets/tooling && \
go run ./cmd/notarize-apple-binaries \
--developer-id=$(DEVELOPER_ID_APPLICATION) \
--bundle-id=$(TELEPORT_BUNDLEID) \
--log-level=debug \
$(ABSOLUTE_BINARY_PATHS)
endef
unexport NOTARIZE_BINARIES
not_notarizing_cmd = echo Not notarizing binaries. APPLE_USERNAME or APPLE_PASSWORD not set.
# Dont export not_notarizing_cmd since it contains DEVELOPER_ID_APPLICATION
# and we do not want that evaluated.
notary_dir = $(BUILDDIR)/notarize
notary_file = $(BUILDDIR)/notarize.zip
# notarize_binaries_cmd must be a single command - multiple commands must be
# joined with "&& \". This is so the command can be prefixed with "cd .. &&"
# for the enterprise invocation.
define notarize_binaries_cmd
codesign \
--sign $(DEVELOPER_ID_APPLICATION) \
--force \
--verbose \
--timestamp \
--options runtime \
$(ABSOLUTE_BINARY_PATHS) && \
rm -rf $(notary_dir) && \
mkdir $(notary_dir) && \
ditto $(ABSOLUTE_BINARY_PATHS) $(notary_dir) && \
ditto -c -k $(notary_dir) $(notary_file) && \
xcrun notarytool submit $(notary_file) \
--team-id="$(TEAMID)" \
--apple-id="$(APPLE_USERNAME)" \
--password="$(APPLE_PASSWORD)" \
--wait && \
rm -rf $(notary_dir) $(notary_file)
endef
unexport notarize_binaries_cmd
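Review bot: The app-specific password is expanded onto the notarytool command line at `--password="$(APPLE_PASSWORD)"`, so it is visible in `ps` output for the whole `--wait` duration and, unless the recipe that expands NOTARIZE_BINARIES is prefixed with `@` (that call site is outside this hunk), make echoes the fully expanded command into the build log; GitHub Actions masks values registered as secrets, but that does not cover `ps` or local runs. notarytool can read credentials from a keychain profile created once with `xcrun notarytool store-credentials`, and passing `--keychain-profile "$(NOTARY_PROFILE)"` in place of `--apple-id`/`--password`/`--team-id` keeps the secret out of argv and the log; at minimum the recipe line should be silenced. Separately, the comment `# Dont export not_notarizing_cmd since it contains DEVELOPER_ID_APPLICATION` now sits above `notary_dir` and no longer describes anything nearby (`not_notarizing_cmd` is a plain echo), so it should be moved next to the `unexport notarize_binaries_cmd` line or dropped.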
@ -115,6 +115,7 @@ When running `yarn package-term`, you need to provide these environment variable
- `APPLE_PASSWORD`
- `CONNECT_TSH_APP_PATH`
- `CSC_NAME` (optional, developer certificate ID)
- `TEAMID`
The details behind those vars are described below.
@ -151,6 +152,11 @@ On top of that, you must provide env vars that will be used for notarization. `A
be set to the account email address associated with the developer ID. `APPLE_PASSWORD` must be [an
app-specific password](https://support.apple.com/en-us/HT204397), not the account password.
The Team ID needed as an input for notarization must be provided via the `TEAMID` environment
variable. The top-level `Makefile` exports this when `yarm package-term` is called from `make
release-connect` with either the developer or production Team ID depending on the `ENVIRONMENT_NAME`
environment variable. See the top-level `darwin-signing.mk` for details.
## Architecture
### Resource lifecycle
@ -13,6 +13,13 @@ exports.default = async function notarizing(context) {
return;
}
if (!process.env.TEAMID) {
console.warn(
'missing $TEAMID: notarization will be skipped. Run `make release-connect` instead'
);
return;
}
const appName = context.packager.appInfo.productFilename;
const appBundleId = context.packager.appInfo.macBundleIdentifier;
@ -21,5 +28,7 @@ exports.default = async function notarizing(context) {
appPath: `${appOutDir}/${appName}.app`,
appleId: process.env.APPLE_USERNAME,
appleIdPassword: process.env.APPLE_PASSWORD,
tool: 'notarytool',
teamId: process.env.TEAMID,
});
};
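Review bot: A missing `TEAMID` only emits `console.warn` and returns, so a release build whose Apple credentials are set but whose Team ID is not ships an un-notarized app while the packaging step still succeeds. The guard above this one (at the top of `notarizing`, outside the hunk) presumably already returns when no Apple credentials are provided, so reaching this check with `TEAMID` unset indicates a partially configured environment and would be safer as a hard failure, e.g. `throw new Error('TEAMID is required for notarization; run make release-connect');`. If the silent skip is intended for local packaging, the warning should at least state that the produced app will not be notarized so it is not mistaken for a release artifact.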