self-hosted/teleport
self-hosted/teleport
1
0
Fork 0
mirror of https://github.com/gravitational/teleport synced 2024-10-20 01:03:40 +00:00
Code Issues Packages Projects Releases Wiki Activity
teleport/build.assets/build-common.sh
Cam Hutchison 445f8b1e1e
release: Prepare for MacOS builds on GitHub Actions (#23407) 
* release: Move Mac signing vars from script to Makefile

Move the variables for Mac signing from the `build-common.sh` shell
script to the `Makefile`. These vars will need to be passed to other
build processes to parameterize the signing for different GitHub Actions
build environments.

The switch on `ENVIRONMENT_NAME` allows different secrets to be
available in GitHub Actions for production (promote) vs developer
(build) builds. The default environment name is `promote` so as to be
compatible with the existing Drone setup, which does not define
`ENVIRONMENT_NAME`.

* release: Determine Mac signing key IDs automatically

Remove the hard-coded MacOS signing key IDs from the Makefile and find
them dynamically based on the name of the key. This allows GitHub
Actions to be set up with new keys different to the ones on the Drone
builders. As long as we keep the same name on the keys, we can rotate
the keys without needing to update the IDs in the Makefile.

This requires us to be more judicious about exporting the variables as
exporting them causes them to be evaluated. We do not want to evaluate
them on non-darwin targets, and on darwin, we should only evaluate it if
needed for a recipe. So use a dynamic `eval` in the recipes that need
the environment variables.

* release: Pass key & team ID to notarize tool

Override the hard-coded values in `notarize-apple-binaries` and pass the
values we get based on the GitHub Actions environment. This allows us to
sign and notarize software in a development branch more easily when
working on the signing and notarizing process. This will not happen
automatically, but it is expected that a developer can manually trigger
a workflow to perform building, signing and notarizing from a dev
branch where the workflow has temporarily changed the environment to
`build`.

A similar change to the `Makefile` in the teleport.e repository goes
with this change.

This adds a new bundle ID of `com.goteleport.dev` for the dev build of
Teleport. This follows the same pattern as used for the dev build of the
`tsh` binary and the current production bundle ID for Teleport.
Previously there was no dev signing/notarizing process for the set of
Teleport binaries.

* release: Add script to setup the MacOS keychain for signing

Add a script for setting up the MacOS keychain for signing applications
and packages. It encapsulates the `security` commands to add either or
both application keys and installer keys. The keys can be either
base64-encoded in environment variables, or `.p12` files on disk, making
it useful for local development.

* release: Split MacOS signing vars into separate mk file

Put the MacOS signing variables into a separate `.mk` file and include
it from the main `Makefile`. Add more comments to document the purpose
of the vars and where some of the values come from.

* release: Add some more comments to keychain-setup.sh

Explain that the purpose of the script is to be run on CI, but can also
be run manually.

Add the default values used to the usage message for the keychain and
password.

* Address PR comments on keychain-setup.sh script

* Change shebang to /bin/bash
* Use heredoc instead of multiple printfs for usage message
* Move `local` declaration next to setting of kpath var

* release: Export DEVELOPER_ID_APPLICATION in release-darwin

The sub-make for enterprise needs this to be set or it cannot sign the
enterprise binaries. Export it if we are doing signing/notarizing.
2023-03-27 03:11:35 +00:00

112 lines
2.5 KiB
Bash
Raw Blame History

#!/bin/bash
#
# Common functions for build scripts. Meant to be sourced, not executed.
# Enables dry-run for some commands.
# Toggle this via flags in your main script.
DRY_RUN_PREFIX=''
# TARBALL_CACHE is used by find_or_fetch_tarball.
readonly TARBALL_CACHE=/tmp/teleport-tarballs
# log writes arguments to stderr.
log() {
echo "$*" >&2
}
# find_or_fetch_tarball finds a local tarfile or attempts to download it from
# https://get.gravitational.com.
#
# Downloaded files are kept under /tmp/teleport-tarball.
#
# * tarname is the path to the tarfile.
# Relative paths are resolved inside /tmp/teleport-tarball.
# * ret is the name of the output variable for the tarball path.
find_or_fetch_tarball() {
local tarname="$1"
local ret="$2"
if [[ -z "$tarname" || -z "$ret" ]]; then
log 'find_or_fetch_tarball: tarname and ret required'
return 1
fi
if [[ "$tarname" != /* ]]; then
tarname="$TARBALL_CACHE/$tarname"
fi
if [[ -f "$tarname" ]]; then
eval "$ret='$tarname'"
return 0
fi
if [[ "$tarname" != "$TARBALL_CACHE"/* ]]; then
log "File $tarname not found"
return 1
fi
local d=''
d="$(dirname "$tarname")"
mkdir -p "$d"
local url=''
url="https://get.gravitational.com/$(basename "$tarname")"
log "Downloading $url to $d"
curl -fsSLo "$tarname" "$url"
eval "$ret='$tarname'"
return 0
}
# notarize notarizes a target file.
#
# Relies on APPLE_USERNAME and APPLE_PASSWORD environment variables.
#
# * target is the target file.
# * teamid is the Apple Team ID.
# * bundleid is the application Bundle ID.
notarize() {
local target="$1"
local teamid="$2"
local bundleid="$3"
# XCode 13+.
if xcrun notarytool --version 1>/dev/null 2>&1; then
$DRY_RUN_PREFIX xcrun notarytool submit "$target" \
--team-id="$teamid" \
--apple-id="$APPLE_USERNAME" \
--password="$APPLE_PASSWORD" \
--wait
$DRY_RUN_PREFIX xcrun stapler staple "$target"
return 0
fi
# XCode 12.
local gondir=''
gondir="$(mktemp -d)"
# Early expansion on purpose.
#shellcheck disable=SC2064
trap "rm -fr '$gondir'" EXIT
# Gon configuration file needs a proper extension.
local goncfg="$gondir/gon.json"
cat >"$goncfg" <<EOF
{
"notarize": [{
"path": "$target",
"bundle_id": "$bundleid",
"staple": true
}],
"apple_id": {
"username": "$APPLE_USERNAME",
"password": "@env:APPLE_PASSWORD"
}
}
EOF
if [[ -n "$DRY_RUN_PREFIX" ]]; then
log "gon configuration:"
cat "$goncfg"
fi
$DRY_RUN_PREFIX gon "$goncfg"
}
Reference in a new issue View git blame Copy permalink