mirror of
https://github.com/gravitational/teleport
synced 2024-10-20 01:03:40 +00:00
445f8b1e1e
* release: Move Mac signing vars from script to Makefile

  Move the variables for Mac signing from the `build-common.sh` shell script to the `Makefile`. These vars will need to be passed to other build processes to parameterize the signing for different GitHub Actions build environments. The switch on `ENVIRONMENT_NAME` allows different secrets to be available in GitHub Actions for production (promote) vs developer (build) builds. The default environment name is `promote` so as to be compatible with the existing Drone setup, which does not define `ENVIRONMENT_NAME`.

* release: Determine Mac signing key IDs automatically

  Remove the hard-coded MacOS signing key IDs from the Makefile and find them dynamically based on the name of the key. This allows GitHub Actions to be set up with new keys different to the ones on the Drone builders. As long as we keep the same name on the keys, we can rotate the keys without needing to update the IDs in the Makefile. This requires us to be more judicious about exporting the variables as exporting them causes them to be evaluated. We do not want to evaluate them on non-darwin targets, and on darwin, we should only evaluate it if needed for a recipe. So use a dynamic `eval` in the recipes that need the environment variables.

* release: Pass key & team ID to notarize tool

  Override the hard-coded values in `notarize-apple-binaries` and pass the values we get based on the GitHub Actions environment. This allows us to sign and notarize software in a development branch more easily when working on the signing and notarizing process. This will not happen automatically, but it is expected that a developer can manually trigger a workflow to perform building, signing and notarizing from a dev branch where the workflow has temporarily changed the environment to `build`. A similar change to the `Makefile` in the teleport.e repository goes with this change. This adds a new bundle ID of `com.goteleport.dev` for the dev build of Teleport. This follows the same pattern as used for the dev build of the `tsh` binary and the current production bundle ID for Teleport. Previously there was no dev signing/notarizing process for the set of Teleport binaries.

* release: Add script to set up the MacOS keychain for signing

  Add a script for setting up the MacOS keychain for signing applications and packages. It encapsulates the `security` commands to add either or both application keys and installer keys. The keys can be either base64-encoded in environment variables, or `.p12` files on disk, making it useful for local development.

* release: Split MacOS signing vars into separate mk file

  Put the MacOS signing variables into a separate `.mk` file and include it from the main `Makefile`. Add more comments to document the purpose of the vars and where some of the values come from.

* release: Add some more comments to keychain-setup.sh

  Explain that the purpose of the script is to be run on CI, but can also be run manually. Add the default values used to the usage message for the keychain and password.

* Address PR comments on keychain-setup.sh script
  * Change shebang to /bin/bash
  * Use heredoc instead of multiple printfs for usage message
  * Move `local` declaration next to setting of kpath var

* release: Export DEVELOPER_ID_APPLICATION in release-darwin

  The sub-make for enterprise needs this to be set or it cannot sign the enterprise binaries. Export it if we are doing signing/notarizing.
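The commit message above describes looking signing keys up by name rather than by hard-coded hash, and handing the resulting key and team ID to the notarize step. The script below is an added example written for this page, not Teleport's own Makefile logic: it parses the output format of `security find-identity -v -p codesigning`, picks the one identity with a given name, and pulls the Apple Team ID out of that name. The listings `SAMPLE_LISTING` and `ROTATION_LISTING`, the hashes, the company name and the team IDs in them are constructed so the parsing runs on any system without a macOS keychain; on a builder the listing would come from the `security` command itself.

```shell
#!/bin/bash
#
# Added example (not Teleport's own code): resolve macOS signing identities by
# name instead of hard-coding their SHA-1 hashes, so a key can be rotated
# under the same name without touching the build files.
#
# SAMPLE_LISTING is a constructed copy of what
#   security find-identity -v -p codesigning [keychain]
# prints; every hash, name and team ID in it is made up. Identity 3 repeats
# identity 1, which happens when the same certificate sits in two keychains.
SAMPLE_LISTING='  1) 0123456789ABCDEF0123456789ABCDEF01234567 "Developer ID Application: Example Corp (ABCDE12345)"
  2) 89ABCDEF0123456789ABCDEF0123456789ABCDEF "Developer ID Installer: Example Corp (ABCDE12345)"
  3) 0123456789ABCDEF0123456789ABCDEF01234567 "Developer ID Application: Example Corp (ABCDE12345)"
  4) FEDCBA9876543210FEDCBA9876543210FEDCBA98 "Apple Development: dev@example.com (XYZ9876543)"
     4 valid identities found'

# ROTATION_LISTING (also constructed) models a half-finished key rotation:
# the old and the new certificate carry the same name but different hashes.
ROTATION_LISTING='  1) 0123456789ABCDEF0123456789ABCDEF01234567 "Developer ID Application: Example Corp (ABCDE12345)"
  2) 1111111111111111111111111111111111111111 "Developer ID Application: Example Corp (ABCDE12345)"
     2 valid identities found'

# find_identity_hash prints the 40-hex-digit hash of the identity whose quoted
# name is exactly $2 in listing $1. A hash listed twice is collapsed; two
# different hashes under one name is an error, because codesign would
# otherwise pick one of them silently.
find_identity_hash() {
  local listing="$1"
  local name="$2"
  local hashes count
  hashes=$(printf '%s\n' "$listing" \
    | grep -E '^ *[0-9]+\) [0-9A-F]{40} "' \
    | grep -F "\"$name\"" \
    | sed -E 's/^ *[0-9]+\) ([0-9A-F]{40}) .*$/\1/' \
    | sort -u)
  count=$(printf '%s\n' "$hashes" | grep -c '^[0-9A-F]\{40\}$' || true)
  case "$count" in
    0) echo "no valid identity named \"$name\"" >&2; return 1 ;;
    1) printf '%s\n' "$hashes" ;;
    *) echo "$count different identities named \"$name\"; remove the stale one" >&2; return 1 ;;
  esac
}

# team_id_from_identity prints the 10-character Apple Team ID that a
# Developer ID certificate name carries in its trailing parentheses, so the
# same value can be passed to the notarize step instead of being hard-coded.
team_id_from_identity() {
  printf '%s\n' "$1" | sed -n -E 's/^.*\(([A-Z0-9]{10})\)$/\1/p' | grep .
}

# Demonstration on the constructed listing.
app_name='Developer ID Application: Example Corp (ABCDE12345)'
app_hash=$(find_identity_hash "$SAMPLE_LISTING" "$app_name")
team_id=$(team_id_from_identity "$app_name")
echo "application key: $app_hash, team: $team_id"
```

On a real builder, replace `SAMPLE_LISTING` with `$(security find-identity -v -p codesigning "$KEYCHAIN")`; the two functions then give the values a Makefile would assign to the application key and team ID variables. Failing on an ambiguous name, rather than taking the first match, is the part that matters during rotation.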
112 lines
2.5 KiB
Bash
#!/bin/bash
#
# Common functions for build scripts. Meant to be sourced, not executed.

# Enables dry-run for some commands.
# Toggle this via flags in your main script.
DRY_RUN_PREFIX=''

# TARBALL_CACHE is used by find_or_fetch_tarball.
readonly TARBALL_CACHE=/tmp/teleport-tarballs

# log writes arguments to stderr.
log() {
  echo "$*" >&2
}

# find_or_fetch_tarball finds a local tarfile or attempts to download it from
# https://get.gravitational.com.
#
# Downloaded files are kept under $TARBALL_CACHE (/tmp/teleport-tarballs).
#
# The download is protected only by TLS; nothing here checks a digest or
# signature of the tarball, so callers that need that must do it themselves.
#
# * tarname is the path to the tarfile.
#   Relative paths are resolved inside $TARBALL_CACHE.
# * ret is the name of the output variable for the tarball path.
find_or_fetch_tarball() {
  local tarname="$1"
  local ret="$2"

  if [[ -z "$tarname" || -z "$ret" ]]; then
    log 'find_or_fetch_tarball: tarname and ret required'
    return 1
  fi

  if [[ "$tarname" != /* ]]; then
    tarname="$TARBALL_CACHE/$tarname"
  fi

  if [[ -f "$tarname" ]]; then
    # printf -v assigns to the variable named by $ret without eval'ing a path
    # that could contain quotes or other shell metacharacters.
    printf -v "$ret" '%s' "$tarname"
    return 0
  fi

  # Only files inside the cache are fetched; any other absolute path must
  # already exist on disk.
  if [[ "$tarname" != "$TARBALL_CACHE"/* ]]; then
    log "File $tarname not found"
    return 1
  fi

  local d=''
  d="$(dirname "$tarname")"
  mkdir -p "$d"

  local url=''
  url="https://get.gravitational.com/$(basename "$tarname")"

  log "Downloading $url to $d"
  # -f makes curl fail on HTTP errors instead of saving the error page as the
  # tarball; drop any partial file so a retry does not find a stale one.
  if ! curl -fsSLo "$tarname" "$url"; then
    log "Download of $url failed"
    rm -f "$tarname"
    return 1
  fi
  printf -v "$ret" '%s' "$tarname"
  return 0
}

# notarize notarizes a target file.
#
# Relies on APPLE_USERNAME and APPLE_PASSWORD environment variables.
#
# * target is the target file.
# * teamid is the Apple Team ID.
# * bundleid is the application Bundle ID (used only by the gon path below;
#   notarytool does not take one).
notarize() {
  local target="$1"
  local teamid="$2"
  local bundleid="$3"

  # Xcode 13+.
  if xcrun notarytool --version 1>/dev/null 2>&1; then
    # The password is passed on the command line here, so it is visible in
    # the process list of the build host while the submission runs.
    $DRY_RUN_PREFIX xcrun notarytool submit "$target" \
      --team-id="$teamid" \
      --apple-id="$APPLE_USERNAME" \
      --password="$APPLE_PASSWORD" \
      --wait || return 1
    $DRY_RUN_PREFIX xcrun stapler staple "$target" || return 1
    return 0
  fi

  # Xcode 12.
  local gondir=''
  gondir="$(mktemp -d)"
  # Early expansion on purpose.
  # Note that this replaces any EXIT trap the sourcing script had installed.
  #shellcheck disable=SC2064
  trap "rm -fr '$gondir'" EXIT

  # Gon configuration file needs a proper extension.
  local goncfg="$gondir/gon.json"
  # The password is referenced via @env so it never lands in the file on disk.
  cat >"$goncfg" <<EOF
{
  "notarize": [{
    "path": "$target",
    "bundle_id": "$bundleid",
    "staple": true
  }],
  "apple_id": {
    "username": "$APPLE_USERNAME",
    "password": "@env:APPLE_PASSWORD"
  }
}
EOF
  if [[ -n "$DRY_RUN_PREFIX" ]]; then
    log "gon configuration:"
    cat "$goncfg"
  fi
  $DRY_RUN_PREFIX gon "$goncfg"
}
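`find_or_fetch_tarball` accepts whatever https://get.gravitational.com serves for a given file name, with TLS as the only protection; a cached file is reused on every later run without being looked at again. The function below is an added example for this page, not part of build-common.sh or of Teleport: it is the digest check a release script would run on the path that `find_or_fetch_tarball` returns before unpacking anything. Where the expected SHA-256 comes from (a value pinned in the repository, a signed manifest, a release page fetched over a separate channel) is assumed to be the caller's problem; the sample file and its digest in the block are constructed so it runs offline.

```shell
#!/bin/bash
#
# Added example, not Teleport's own code: verify a downloaded tarball against
# a SHA-256 the build trusts, and throw the file away on mismatch so a bad
# download does not survive in the cache for the next run.

# sha256_of prints the lowercase hex SHA-256 of a file using whichever tool
# the host provides (GNU coreutils, Perl shasum on macOS, or openssl).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  elif command -v shasum >/dev/null 2>&1; then
    shasum -a 256 "$1" | cut -d' ' -f1
  else
    openssl dgst -sha256 -r "$1" | cut -d' ' -f1
  fi
}

# verify_tarball checks that file $1 has SHA-256 $2 (hex, either case).
# On mismatch the file is removed and the function fails, so a caller that
# chains it after find_or_fetch_tarball cannot accidentally unpack it.
verify_tarball() {
  local path="$1"
  local want="$2"
  local got
  if [ ! -f "$path" ]; then
    echo "verify_tarball: $path does not exist" >&2
    return 1
  fi
  got=$(sha256_of "$path" | tr 'A-F' 'a-f')
  want=$(printf '%s' "$want" | tr 'A-F' 'a-f')
  if [ "$got" != "$want" ]; then
    echo "verify_tarball: $path: got $got, want $want; discarding file" >&2
    rm -f "$path"
    return 1
  fi
  return 0
}

# Demonstration with a constructed file: the digest below is SHA-256 of the
# six bytes "hello\n", which is what the file contains.
demo_dir=$(mktemp -d)
printf 'hello\n' > "$demo_dir/teleport-demo.tar.gz"
verify_tarball "$demo_dir/teleport-demo.tar.gz" \
  5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03 \
  && echo "digest ok: $demo_dir/teleport-demo.tar.gz"
rm -rf "$demo_dir"
```

In a build script the call would follow the fetch, for instance `find_or_fetch_tarball "$name" path && verify_tarball "$path" "$expected"`, with `expected` coming from a source that is not the download host itself. Deleting the mismatching file is deliberate: leaving it in `$TARBALL_CACHE` would make the next `find_or_fetch_tarball` call return it as a cache hit.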