Commit graph

2 commits

Author SHA1 Message Date
Cam Hutchison af8fe6f57a
release: Update build for product signing (#23820)
Update the build scripts to properly set up the key for signing packages
using `productsign`, and parameterise the bundle ID for packages in the
packaging scripts.
2023-04-03 00:30:48 +00:00
Cam Hutchison 445f8b1e1e
release: Prepare for MacOS builds on GitHub Actions (#23407)
* release: Move Mac signing vars from script to Makefile

Move the variables for Mac signing from the `build-common.sh` shell
script to the `Makefile`. These vars will need to be passed to other
build processes to parameterize the signing for different GitHub Actions
build environments.

The switch on `ENVIRONMENT_NAME` allows different secrets to be
available in GitHub Actions for production (promote) vs developer
(build) builds. The default environment name is `promote` so as to be
compatible with the existing Drone setup, which does not define
`ENVIRONMENT_NAME`.

* release: Determine Mac signing key IDs automatically

Remove the hard-coded MacOS signing key IDs from the Makefile and find
them dynamically based on the name of the key. This allows GitHub
Actions to be set up with new keys different to the ones on the Drone
builders. As long as we keep the same name on the keys, we can rotate
the keys without needing to update the IDs in the Makefile.

This requires us to be more judicious about exporting the variables as
exporting them causes them to be evaluated. We do not want to evaluate
them on non-darwin targets, and on darwin, we should only evaluate it if
needed for a recipe. So use a dynamic `eval` in the recipes that need
the environment variables.

* release: Pass key & team ID to notarize tool

Override the hard-coded values in `notarize-apple-binaries` and pass the
values we get based on the GitHub Actions environment. This allows us to
sign and notarize software in a development branch more easily when
working on the signing and notarizing process. This will not happen
automatically, but it is expected that a developer can manually trigger
a workflow to perform building, signing and notarizing from a dev
branch where the workflow has temporarily changed the environment to
`build`.

A similar change to the `Makefile` in the teleport.e repository goes
with this change.

This adds a new bundle ID of `com.goteleport.dev` for the dev build of
Teleport. This follows the same pattern as used for the dev build of the
`tsh` binary and the current production bundle ID for Teleport.
Previously there was no dev signing/notarizing process for the set of
Teleport binaries.

* release: Add script to setup the MacOS keychain for signing

Add a script for setting up the MacOS keychain for signing applications
and packages. It encapsulates the `security` commands to add either or
both application keys and installer keys. The keys can be either
base64-encoded in environment variables, or `.p12` files on disk, making
it useful for local development.

* release: Split MacOS signing vars into separate mk file

Put the MacOS signing variables into a separate `.mk` file and include
it from the main `Makefile`. Add more comments to document the purpose
of the vars and where some of the values come from.

* release: Add some more comments to keychain-setup.sh

Explain that the purpose of the script is to be run on CI, but can also
be run manually.

Add the default values used to the usage message for the keychain and
password.

* Address PR comments on keychain-setup.sh script

  * Change shebang to /bin/bash
  * Use heredoc instead of multiple printfs for usage message
  * Move `local` declaration next to setting of kpath var

* release: Export DEVELOPER_ID_APPLICATION in release-darwin

The sub-make for enterprise needs this to be set or it cannot sign the
enterprise binaries. Export it if we are doing signing/notarizing.
2023-03-27 03:11:35 +00:00
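The two mechanisms the second commit message describes, looking up a signing key's ID by its name instead of hard-coding it and accepting a key either as a base64-encoded environment variable or as a `.p12` file on disk, can be sketched as follows. This is an added example written for this page, not the Teleport project's `keychain-setup.sh` or `Makefile`; every name in it (function names, the constructed `security find-identity` output used in the comments, the "Example Corp" identities, the keychain and password values) is an assumption. The `security` calls in `import_into_keychain` are real macOS commands but only run on macOS; the parsing functions run anywhere.

```shell
#!/bin/bash
# Added example (not Teleport's keychain-setup.sh). Assumed names throughout.
set -eu

# Resolve a signing identity's SHA-1 hash from its display name, so the
# Makefile never carries a hard-coded key ID and keys can be rotated under
# the same name. $1 = identity name; stdin = output of
#   security find-identity -v -p codesigning
# whose lines look like (constructed sample):
#   1) 0123456789ABCDEF0123456789ABCDEF01234567 "Developer ID Application: Example Corp (ABCDE12345)"
#      1 valid identities found
identity_hash_for_name() {
  awk -v want="$1" '
    $1 ~ /^[0-9]+\)$/ {
      hash = $2
      q1 = index($0, "\"")
      if (q1 == 0) next
      rest = substr($0, q1 + 1)
      q2 = index(rest, "\"")
      if (q2 == 0) next
      if (substr(rest, 1, q2 - 1) == want) { print hash; found = 1; exit }
    }
    END { if (!found) exit 1 }   # non-zero when the name is absent
  '
}

# Derive the 10-character Apple team ID from a Developer ID name, e.g.
# "Developer ID Installer: Example Corp (ABCDE12345)" -> ABCDE12345
team_id_from_name() {
  local tid
  tid="${1##*(}"
  tid="${tid%)}"
  [ "${#tid}" -eq 10 ] || return 1
  printf '%s\n' "$tid"
}

# Materialise a .p12 for import. $1 is either a path to a .p12 on disk
# (local development) or a base64-encoded .p12 (CI secret); $2 = output path.
key_to_p12_file() {
  local src="$1" out="$2"
  if [ -f "$src" ]; then
    cp "$src" "$out"
  else
    printf '%s' "$src" | base64 -d > "$out"
  fi
  [ -s "$out" ]   # fail if nothing was written
}

# Import a .p12 into a dedicated keychain and let codesign/productsign use
# it without a UI prompt. macOS only; not exercised by the test below.
# $1 = keychain path, $2 = keychain password, $3 = .p12 path, $4 = .p12 password
import_into_keychain() {
  local keychain="$1" password="$2" p12="$3" p12_password="$4"
  security create-keychain -p "$password" "$keychain" 2>/dev/null || true
  security unlock-keychain -p "$password" "$keychain"
  security import "$p12" -k "$keychain" -P "$p12_password" \
    -T /usr/bin/codesign -T /usr/bin/productsign
  security set-key-partition-list -S apple-tool:,apple: -s -k "$password" "$keychain"
}
```

In a CI job the sequence is `key_to_p12_file "$APP_KEY_B64" app.p12`, `import_into_keychain`, then `security find-identity -v -p codesigning | identity_hash_for_name "Developer ID Application: Example Corp (ABCDE12345)"` to obtain the hash that `codesign -s` or `productsign --sign` needs; a developer points the same functions at a `.p12` on disk instead. Failing loudly when the named identity is missing (rather than falling through to an ad-hoc signature) is the check worth keeping.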