mirror of
https://github.com/gravitational/teleport
synced 2024-10-22 02:03:24 +00:00
9a338c5226
* release: Add build-connect target to Makefile Add a `build-connect` target to the `Makefile` to build Teleport Connect via yarn on MacOS. Linux uses the `build.assets/Makefile` `teleterm` target, and Windows build pipelines do not use `make`. Add the `CSC_NAME` make variable containing the Developer Key ID to tell electron-builder which key to use to sign the package it produces. This gives us a little more control over how the Connect built and packaged and will simplify the CI scripts to have them just call make. It is also required in order to set the `CSC_NAME` environment name correctly as the developer ID is determined by the Makefile. * darwin: Fix echo command when not notarizing Remove the leading `@` from the echo command that is run when we are not notarizing binaries. It works fine from the OSS repo, but the enterprise repo needs to do `cd .. && $(NOTARIZE_COMMAND)` and the leading `@` causes the build error: `@echo: command not found`. We'll just have to live with a little extra noise amongst all the other noise.
112 lines
5 KiB
Makefile
112 lines
5 KiB
Makefile
# MacOS/Darwin variables for packaging, signing and notarizing.
|
|
#
|
|
# These are parameterized per environment, with `promote` for official
|
|
# releases and `build` for development testing. These environment names
|
|
# come from our configuration in GitHub Actions.
|
|
|
|
# Default environment name if not specified. This is currently for Drone
|
|
# which does not set `ENVIRONMENT_NAME`. Once migrated fully to GitHub
|
|
# actions, we should change this to `build` as the default.
|
|
ENVIRONMENT_NAME ?= promote
|
|
|
|
# Variables defined here are defined with the environment name suffix
|
|
# to specify the appropriate value for that environment. The unsuffixed
|
|
# names select the appropriate value based on `ENVIRONMENT_NAME`
|
|
|
|
# Developer "team" and keys.
|
|
# TEAMID is an Apple-assigned identifier for a developer. It has two keys,
|
|
# one for signing binaries (application) and one for signing packages/images
|
|
# (installer). The keys are identified by name per-environment which we use
|
|
# to extract the key IDs. Key names can be view by running `security find-identity`.
|
|
#
|
|
# NOTE: If you need to export the DEVELOPER_ID_{APPLICATION,INSTALLER}
|
|
# variables to the environment for a command, it should be done within the
|
|
# recipe containing the command using $(eval export DEVELOPER_ID_APPLICATION ...).
|
|
# This is so the `security` shell command is only run to extract the key ID
|
|
# if necessary. If exported at the top level, it will run every time `make`
|
|
# is run.
|
|
#
|
|
# e.g.
|
|
# pkg:
|
|
# $(eval export DEVELOPER_ID_APPLICATION DEVELOPER_ID_INSTALLER)
|
|
# ./build.assets/build-package.sh ...
|
|
#
|
|
TEAMID = $(TEAMID_$(ENVIRONMENT_NAME))
|
|
DEVELOPER_ID_APPLICATION = $(call get_key_id,$(DEVELOPER_KEY_NAME_$(ENVIRONMENT_NAME)))
|
|
DEVELOPER_ID_INSTALLER = $(call get_key_id,$(INSTALLER_KEY_NAME_$(ENVIRONMENT_NAME)))
|
|
|
|
# CSC_NAME is the key ID for signing used by electron-builder for signing
|
|
# Teleport Connect.
|
|
CSC_NAME = $(DEVELOPER_ID_APPLICATION)
|
|
|
|
# Don't export DEVELOPER_ID_APPLICATION, DEVELOPER_ID_INSTALLER or CSC_NAME as
|
|
# it causes them to be evaluated, which shells out to the `security` command.
|
|
# They should only be evaluated if used.
|
|
unexport CSC_NAME DEVELOPER_ID_APPLICATION DEVELOPER_ID_INSTALLER
|
|
|
|
# Bundle IDs identify packages/images. We use different bundle IDs for
|
|
# release and development.
|
|
TELEPORT_BUNDLEID = $(TELEPORT_BUNDLEID_$(ENVIRONMENT_NAME))
|
|
TSH_BUNDLEID = $(TSH_BUNDLEID_$(ENVIRONMENT_NAME))
|
|
|
|
# TSH_SKELETON is a directory name relative to build.assets/macos/
|
|
TSH_SKELETON = $(TSH_SKELETON_$(ENVIRONMENT_NAME))
|
|
|
|
# --- promote environment
|
|
# Key names can be found on https://goteleport.com/security
|
|
TEAMID_promote = QH8AA5B8UP
|
|
DEVELOPER_KEY_NAME_promote = Developer ID Application: Gravitational Inc.
|
|
INSTALLER_KEY_NAME_promote = Developer ID Installer: Gravitational Inc.
|
|
TELEPORT_BUNDLEID_promote = com.gravitational.teleport
|
|
TSH_BUNDLEID_promote = $(TEAMID).com.gravitational.teleport.tsh
|
|
TSH_SKELETON_promote = tsh
|
|
|
|
# --- build environment
|
|
TEAMID_build = K497G57PDJ
|
|
DEVELOPER_KEY_NAME_build = Developer ID Application: Ada Lin
|
|
INSTALLER_KEY_NAME_build = Developer ID Installer: Ada Lin
|
|
TELEPORT_BUNDLEID_build = com.goteleport.dev
|
|
TSH_BUNDLEID_build = $(TEAMID).com.goteleport.tshdev
|
|
TSH_SKELETON_build = tshdev
|
|
|
|
# --- utility
|
|
# Extract application/installer key ID from keychain. This looks at all
|
|
# keychains in the search path. It should be used with $(call ...).
|
|
# e.g. $(call get_key_id,Key Name goes here)
|
|
get_key_id = $(or $(word 2,$(shell $(get_key_id_cmd))), $(missing_key_error))
|
|
get_key_id_cmd = security find-identity -v -s codesigning | grep --fixed-strings --max-count=1 "$(1)"
|
|
missing_key_error = $(error Could not find key named "$(1)" in keychain)
|
|
|
|
# Dont export missing_key_error or get_key_id as it evaluates them
|
|
unexport missing_key_error get_key_id
|
|
|
|
# SHOULD_NOTARIZE evalutes to "true" if we should sign and notarize binaries,
|
|
# and the empty string if not. We only notarize if APPLE_USERNAME and
|
|
# APPLE_PASSWORD are set in the environment.
|
|
SHOULD_NOTARIZE = $(if $(and $(APPLE_USERNAME),$(APPLE_PASSWORD)),true)
|
|
|
|
# NOTARIZE_BINARIES runs the notarize-apple-binaries tool. It is expected that
|
|
# the current working directory is the root of the OSS Teleport repo, so to call
|
|
# from the enterprise repo, invoke it as:
|
|
# cd .. && $(NOTARIZE_BINARIES)
|
|
# It will not run the command if $APPLE_USERNAME or $APPLE_PASSWORD are empty.
|
|
# It uses the make $(if ...) construct instead of doing it in the shell so as
|
|
# to not evaluate its arguments (DEVELOPER_ID_APPLICATION) if we are not
|
|
# goint to use them, preventing a missing key error defined above.
|
|
NOTARIZE_BINARIES = $(if $(SHOULD_NOTARIZE),$(notarize_binaries_cmd),$(not_notarizing_cmd))
|
|
|
|
define notarize_binaries_cmd
|
|
cd build.assets/tooling && \
|
|
go run ./cmd/notarize-apple-binaries \
|
|
--developer-id=$(DEVELOPER_ID_APPLICATION) \
|
|
--bundle-id=$(TELEPORT_BUNDLEID) \
|
|
--log-level=debug \
|
|
$(ABSOLUTE_BINARY_PATHS)
|
|
endef
|
|
|
|
not_notarizing_cmd = echo Not notarizing binaries. APPLE_USERNAME or APPLE_PASSWORD not set.
|
|
|
|
# Dont export not_notarizing_cmd since it contains DEVELOPER_ID_APPLICATION
|
|
# and we do not want that evaluated.
|
|
unexport notarize_binaries_cmd
|