mirror of
https://github.com/gravitational/teleport
synced 2024-10-19 16:53:57 +00:00
d3eed17856
* build: Support ARM64 (cross)builds of fido2 et al Add support for building/cross-building the fido2 libraries (cbor, openssl and fido2), supporting ARM64 builds. This is done by adding the appropriate flags to the library builds in `build-fido2-macos.sh` based on the `C_ARCH` environment variable. If unset then the host architecture is used. The `Makefile` defined `C_ARCH` based on the `ARCH` variable, mapping it to an appropriate value for the C compiler. Building the libraries should now be done through the new `build-fido2` target, and getting the pkg-config path should be done with the `print-fido2-pkg-path`. This is instead of calling the `build-fido2-macos.sh` script directly as the `Makefile` takes care of setting the `C_ARCH` environment variable appropriately. * build: Add make target to install rust cross toolchain Add the `rustup-set-target-toolchain` target to the Makefile to ensure the right rust toolchain is installed for the version of Rust we use as well as the target architecture we wish to generate code for, based on the `ARCH` variable. This is intended to be used by CI jobs to ensure they build with the correct toolchain. * build: Support building MacOS packages for ARM64 Remove the restriction that allows only AMD64 packages to be built on MacOS for the teleport and tsh packages. This is via the existing `-a` flag to `build-package.sh` and a newly added `-a` flag to `build-pkg-tsh.sh`. This adds the architecture to the filename of the package to distinguish the packages for different architectures. Update the comments in the Makefile mentioning that `arch` is ignored. build: add architecture to package names * build: Build Teleport Connect with target architecture When packaging Teleport Connect with electron-builder, pass an architecture flag so that we can cross-build Teleport Connect. This will allow us to build MacOS ARM64 binaries on the AMD64 runners. Add the architecture to the `dmg` filename via the electron-builder config, so that the filenames for different architectures don't clash. * build: Copy Mac release artifacts to release directory Copy the Mac release artifacts to a release artifact directory so that the CI scripts do not have to. This makes it clearer what is and is not a release artifact and puts the logic in the Makefile instead of the CI yaml, so it can more easily be tested locally and to make it easier to migrate to the next CI system. This will also be useful for building universal binaries for Mac as the CI system can put the architecture-specific binaries from a previous workflow job into a common location. We should look at copying all release artifacts for the other builds (Linux tarballs and packages, etc) into this directory too. It may help with unifying the GitHub Actions release workflows. * build: Add MacOS universal builds Add support for ARCH=universal on Darwin to produce universal (fat) binaries from pre-built arm64 and amd64 binaries. Packages (pkg) and disk images (dmg) for containing universal binaries are named without an architecture in the filename, as that is the current naming for the current AMD64-only releases. These universal ones will replace those AMD64-only ones providing a single release artifact working across architectures. Co-authored-by: Grzegorz Zdunek <grzegorz.zdunek@goteleport.com> * build: Do not clean before release-darwin Remove the `clean` prerequisite from the `release-darwin-unsigned` target as it is not needed when building on GitHub Actions, as it starts with a fresh slate each run. We do not make releases manually so we don't need to ensure a clean working directory there either. Not doing a clean makes it easier to build a MacOS universal release as it depends on the architecture-specific tarballs from a previous release build. We would need to manually save the tarballs from the first architecture release build as they would get deleted by the `clean` from the second. So just stop cleaning as it is not needed. --------- Co-authored-by: Grzegorz Zdunek <grzegorz.zdunek@goteleport.com>
212 lines
5.8 KiB
Bash
Executable file
212 lines
5.8 KiB
Bash
Executable file
#!/bin/bash
|
|
set -eu
|
|
|
|
# Flag variables
|
|
TELEPORT_TYPE='' # -t, oss or ent
|
|
TELEPORT_VERSION='' # -v, version, without leading 'v'
|
|
TARBALL_DIRECTORY='' # -s
|
|
BUNDLEID="${TSH_BUNDLEID}"
|
|
PACKAGE_ARCH=amd64 # -a, default to amd64 for backward-compatibilty.
|
|
|
|
usage() {
|
|
log "Usage: $0 -t oss|eng -v version [-s tarball_directory] [-b bundle_id] [-n]"
|
|
}
|
|
|
|
# make_non_relocatable_plist changes the default component plist of the $root
|
|
# package to non-relocatable.
|
|
# This makes install paths consistent, which also facilitates pathing in
|
|
# pre/postscripts.
|
|
# Creates component_plist.
|
|
# See `man pkgbuild` for reference.
|
|
make_non_relocatable_plist() {
|
|
local root="$1"
|
|
local component_plist="$2"
|
|
|
|
pkgbuild --analyze --root "$root" "$component_plist"
|
|
plutil -replace BundleIsRelocatable -bool NO "$component_plist"
|
|
}
|
|
|
|
main() {
|
|
local buildassets=''
|
|
buildassets="$(dirname "$0")"
|
|
|
|
# Don't follow sourced script.
|
|
#shellcheck disable=SC1090
|
|
#shellcheck disable=SC1091
|
|
. "$buildassets/build-common.sh"
|
|
|
|
local opt=''
|
|
while getopts "t:v:s:b:a:n" opt; do
|
|
case "$opt" in
|
|
t)
|
|
if [[ "$OPTARG" != "oss" && "$OPTARG" != "ent" ]]; then
|
|
log "$0: invalid value for -$opt, want 'oss' or 'ent'"
|
|
usage
|
|
exit 1
|
|
fi
|
|
TELEPORT_TYPE="$OPTARG"
|
|
;;
|
|
v)
|
|
TELEPORT_VERSION="$OPTARG"
|
|
;;
|
|
s)
|
|
# Find out the absolute path to -s.
|
|
if [[ "$OPTARG" != /* ]]; then
|
|
OPTARG="$PWD/$OPTARG"
|
|
fi
|
|
TARBALL_DIRECTORY="$OPTARG"
|
|
;;
|
|
b)
|
|
BUNDLEID="$OPTARG"
|
|
;;
|
|
a)
|
|
PACKAGE_ARCH="$OPTARG"
|
|
;;
|
|
n)
|
|
DRY_RUN_PREFIX='echo + ' # declared by build-common.sh
|
|
;;
|
|
*)
|
|
usage
|
|
exit 1
|
|
;;
|
|
esac
|
|
done
|
|
shift $((OPTIND-1))
|
|
|
|
# Cut leading 'v' from version, in case it's there.
|
|
if [[ "$TELEPORT_VERSION" == v* ]]; then
|
|
TELEPORT_VERSION="${TELEPORT_VERSION:1}"
|
|
fi
|
|
|
|
if [[ -z "$TELEPORT_TYPE" || -z "${TELEPORT_VERSION}" ]]; then
|
|
usage
|
|
exit 1
|
|
fi
|
|
|
|
if [[ -z "${BUNDLEID}" ]]; then
|
|
echo "No bundle ID specified. Either set TSH_BUNDLEID or use -b bundle_id"
|
|
usage
|
|
exit 1
|
|
fi
|
|
|
|
# Verify environment varibles.
|
|
if [[ "${APPLE_USERNAME:-}" == "" ]]; then
|
|
echo "\
|
|
The APPLE_USERNAME environment variable needs to be set to the Apple ID used\
|
|
for notarization requests"
|
|
exit 1
|
|
fi
|
|
if [[ "${APPLE_PASSWORD:-}" == "" ]]; then
|
|
echo "\
|
|
The APPLE_PASSWORD environment variable needs to be set to an app-specific\
|
|
password created by APPLE_USERNAME"
|
|
exit 1
|
|
fi
|
|
|
|
if [[ -z "${DEVELOPER_ID_APPLICATION}" ]]; then
|
|
echo "\
|
|
The DEVELOPER_ID_APPLICATION environment variable needs to be set to the hash\
|
|
of the key to sign applications"
|
|
exit 1
|
|
fi
|
|
|
|
if [[ -z "${DEVELOPER_ID_INSTALLER}" ]]; then
|
|
echo "\
|
|
The DEVELOPER_ID_INSTALLER environment variable needs to be set to the hash\
|
|
of the key to sign packages"
|
|
exit 1
|
|
fi
|
|
|
|
# Use similar find-or-download logic as build-package.sh for compatibility
|
|
# purposes.
|
|
local ent=''
|
|
[[ "$TELEPORT_TYPE" == 'ent' ]] && ent='-ent'
|
|
local tarname=''
|
|
tarname="$(printf \
|
|
"teleport%s-v%s-darwin-%s-bin.tar.gz" \
|
|
"$ent" "$TELEPORT_VERSION" "$PACKAGE_ARCH")"
|
|
[[ -n "$TARBALL_DIRECTORY" ]] && tarname="$TARBALL_DIRECTORY/$tarname"
|
|
|
|
tarout='' # find_or_fetch_tarball writes to this
|
|
find_or_fetch_tarball "$tarname" tarout
|
|
log "Using tarball at $tarout"
|
|
tarname="$tarout"
|
|
|
|
# Unpack tar, get ready to sign/notarize/package.
|
|
local tmp=''
|
|
tmp="$(mktemp -d)"
|
|
[[ -n "$DRY_RUN_PREFIX" ]] && log "tmp = $tmp"
|
|
$DRY_RUN_PREFIX trap "rm -fr '$tmp'" EXIT
|
|
|
|
# $tmp/ (eventually) looks like this:
|
|
# teleport/tsh # oss
|
|
# teleport-ent/tsh # ent
|
|
# scripts # cloned from build.assets
|
|
# root/tsh-vXXX.app # package root
|
|
# tsh-vXXX.pkg.unsigned # created by the script
|
|
# tsh-vXXX.pkg # created by the script
|
|
mkdir "$tmp/root"
|
|
|
|
# This creates either 'teleport/' or 'teleport-ent/' under tmp.
|
|
# We only care about the 'tsh' file for the script.
|
|
tar xzf "$tarname" -C "$tmp"
|
|
|
|
# Prepare app shell.
|
|
local skel="$buildassets/macos/$TSH_SKELETON"
|
|
local target="$tmp/root/tsh.app"
|
|
cp -r "$skel/tsh.app" "$target"
|
|
mkdir -p "$target/Contents/MacOS/"
|
|
cp "$tmp"/teleport*/tsh "$target/Contents/MacOS/"
|
|
|
|
# Sign app.
|
|
$DRY_RUN_PREFIX codesign -f \
|
|
-o kill,hard,runtime \
|
|
-s "$DEVELOPER_ID_APPLICATION" \
|
|
-i "$BUNDLEID" \
|
|
--entitlements "$skel"/tsh*.entitlements \
|
|
--timestamp \
|
|
"$target"
|
|
|
|
# Prepare and sign the installer package.
|
|
# Note that the installer does __NOT__ have a `v` in the version number.
|
|
# The package for the universal binary does not have an architecture in the name.
|
|
local arch_tag=""
|
|
if [[ "$PACKAGE_ARCH" != "universal" ]]; then
|
|
arch_tag="-$PACKAGE_ARCH"
|
|
fi
|
|
target="$tmp/tsh-$TELEPORT_VERSION$arch_tag.pkg" # switches from app to pkg
|
|
local pkg_root="$tmp/root"
|
|
local pkg_component_plist="$tmp/tsh-component.plist"
|
|
local pkg_scripts="$buildassets/macos/scripts"
|
|
make_non_relocatable_plist "$pkg_root" "$pkg_component_plist"
|
|
pkgbuild \
|
|
--root "$pkg_root" \
|
|
--component-plist "$pkg_component_plist" \
|
|
--identifier "$BUNDLEID" \
|
|
--version "v$TELEPORT_VERSION" \
|
|
--install-location /Applications \
|
|
--scripts "$pkg_scripts" \
|
|
"$target.unsigned"
|
|
|
|
$DRY_RUN_PREFIX productsign \
|
|
--sign "$DEVELOPER_ID_INSTALLER" \
|
|
--timestamp \
|
|
"$target.unsigned" \
|
|
"$target"
|
|
# Make sure $target exists in case of dry runs.
|
|
if [[ -n "$DRY_RUN_PREFIX" ]]; then
|
|
cp "$target.unsigned" "$target"
|
|
fi
|
|
|
|
# Notarize.
|
|
notarize "$target" "$TEAMID" "$BUNDLEID"
|
|
|
|
# Copy resulting package to $PWD, generate hashes.
|
|
mv "$target" .
|
|
local bn=''
|
|
bn="$(basename "$target")"
|
|
shasum -a 256 "$bn" > "$bn.sha256"
|
|
}
|
|
|
|
main "$@"
|