jimzah/openafs
1
0
Fork 0
mirror of https://git.openafs.org/openafs.git synced 2025-01-18 06:50:12 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

DARWIN: Use notarytool for notarization

Browse Source 
At WWDC 2021, Apple introduced notarytool, a new utility for interacting
with the Apple notary service. Concurrently, Apple deprecated altool for
notarization purposes, with plans to discontinue its functionality on
November 1, 2023.

Currently, notarize.pl relies on the deprecated altool, which is no
longer supported. This commit updates this script to use notarytool,
ensuring it remains fully functional for notarizing the OpenAFS package.

Note that the arguments for notarize.pl have changed. Users can no
longer provide a plain password or keychain reference using the
@keychain prefix. Instead, a keychain profile for the credentials must
be created first, with the profile name provided as an argument.
This change is mandated by the new notarytool workflow.

Additionally, update pkgbuild.sh.in, as this script calls notarize.pl
if the --apple-id option is provided. Since notarize.pl now requires a
keychain profile name instead of an Apple ID and password, remove the
--apple-id option from pkgbuild.sh.in and introduce a new option,
--keychain-profile, which specifies the name of the keychain profile to
be used by notarize.pl.

Change-Id: I8b513e3eebb38e49f0d7c5ff9ea4e1d46e87aa3f
Reviewed-on: https://gerrit.openafs.org/15976
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Mark Vitale <mvitale@sinenomine.net>
Reviewed-by: Andrew Deason <adeason@sinenomine.net>
This commit is contained in:
Marcio Barbosa 2024-12-12 14:51:11 -08:00 committed by Andrew Deason
parent 85ab7bae4e
commit 519a170da3
2 changed files with 54 additions and 102 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

130
src/packaging/MacOS/notarize.pl
View File

@ -32,57 +32,60 @@
# #
# On success, the following output can be expected: # On success, the following output can be expected:
# #
# $ sudo notarize.pl foo@bar.com "@keychain:PASSWORD" OpenAFS.dmg # $ sudo notarize.pl keychain-profile OpenAFS.dmg
# #
# notarize.pl: submitting package... # notarize.pl: processing package...
# notarize.pl: checking status...
# notarize.pl: checking status...
# notarize.pl: checking status...
# (...)
# notarize.pl: checking status...
# notarize.pl: package successfully notarized # notarize.pl: package successfully notarized
use strict; use strict;
use File::Which; use File::Which;
sub usage { sub usage {
print(STDERR "usage: notarize.pl <username> <password> <package>\n"); print(STDERR "usage: notarize.pl <profile> <package>\n");
print(STDERR "\tusername: apple id\n"); print(STDERR "\tprofile: keychain-profile for the credentials to be used\n");
print(STDERR "\tpassword: password of your apple id account\n");
print(STDERR "\tpackage: package to be notarized\n"); print(STDERR "\tpackage: package to be notarized\n");
print(STDERR "\tnote: must be root\n"); print(STDERR "\tnote: must be root\n");
print(STDERR "\t <password> can be a reference to a keychain item.\n"); print(STDERR "e.g.: \$ sudo notarize.pl keychain-profile OpenAFS.dmg\n\n");
print(STDERR "\t <password> as cleartext is not recommended.\n");
print(STDERR "e.g.: \$ sudo notarize.pl foo\@bar.com \"\@keychain:PASSWORD\" OpenAFS.dmg\n\n");
exit(1); exit(1);
} }
sub check_prerequisites { sub check_prerequisites {
my (@ARGS) = @_; my ($profile, $package) = @_;
if ($> != 0) { if ($> != 0) {
print(STDERR "error: must be root\n\n"); print(STDERR "error: must be root\n\n");
usage(); usage();
} }
if (scalar @ARGS != 3) {
print(STDERR "error: check arguments\n\n");
usage();
}
if (!which('xcrun')) { if (!which('xcrun')) {
print(STDERR "error: xcrun not found in \$PATH\n\n"); print(STDERR "error: xcrun not found in \$PATH\n\n");
usage(); usage();
} }
if (not -e $ARGS[2]) {
# Check if the given keychain-profile exists
my $output = qx(xcrun notarytool history --keychain-profile "$profile" 2>&1);
my $exitcode = $? >> 8;
if ($exitcode) {
print(STDERR "error: $exitcode\n");
print(STDERR $output);
exit(1);
}
# Check if the given package exists
if (not -e $package) {
print(STDERR "error: package not found\n\n"); print(STDERR "error: package not found\n\n");
exit(1);
} }
} }
sub submit_package { sub process_package {
my ($username, $password, $package) = @_; my ($profile, $package) = @_;
print(STDOUT "notarize.pl: submitting package...\n"); print(STDOUT "notarize.pl: processing package...\n");
my $output = qx(xcrun altool -t osx -f "$package" --primary-bundle-id org.openafs.OpenAFS --notarize-app --username "$username" --password "$password" 2>&1); # returns after submitting and processing the package, or times out if it
# takes longer than 5 minutes
my $output = qx(xcrun notarytool submit "$package" --keychain-profile "$profile" --wait --timeout 5m 2>&1);
my $exitcode = $? >> 8; my $exitcode = $? >> 8;
if ($exitcode) { if ($exitcode) {
@ -92,9 +95,18 @@ sub submit_package {
} }
# $output looks like the following sample: # $output looks like the following sample:
# #
# No errors uploading 'OpenAFS.dmg'. # Conducting pre-submission checks for OpenAFS.dmg and initiating connection
# RequestUUID = 565a4d1b-9608-47a6-aba9-53136c991bb8 # to the Apple notary service...
$output =~ m{RequestUUID = ([A-Za-z0-9\-]+)}; # Submission ID received
# id: fe4249d2-c3f7-428e-8bcd-8af665e57189
# Successfully uploaded file
# id: fe4249d2-c3f7-428e-8bcd-8af665e57189
# path: ./OpenAFS.dmg
# Waiting for processing to complete. Wait timeout is set to 300.0 second(s).
# Current status: In Progress... Current status: Accepted...... Processing complete
# id: fe4249d2-c3f7-428e-8bcd-8af665e57189
# status: Accepted
$output =~ m{id: ([A-Za-z0-9\-]+)};
if (not defined $1) { if (not defined $1) {
print(STDERR "error: uuid not found\n"); print(STDERR "error: uuid not found\n");
exit(1); exit(1);
@ -102,57 +114,6 @@ sub submit_package {
return $1; return $1;
} }
sub check_status {
my ($username, $password, $uuid) = @_;
my $output;
my $status;
my $exitcode;
while (1) {
print(STDOUT "notarize.pl: checking status...\n");
$output = qx(xcrun altool --notarization-info "$uuid" --username "$username" --password "$password" 2>&1);
$exitcode = $? >> 8;
if ($exitcode) {
print(STDERR "error: $exitcode\n");
print(STDERR $output);
exit(1);
}
# $output looks like the following samples:
#
# First, second, ..., (N-1)'th attempts:
#
# No errors getting notarization info.
#
# Date: 2019-11-26 21:07:46 +0000
# Hash: 4e10ebb01518de9eb007d4579006acda2d6ff773fe040d97786bcc686ec93gg1
# RequestUUID: 565a4d1b-9608-47a6-aba9-53136c991bb8
# Status: in progress
#
# N'th attempt:
#
# No errors getting notarization info.
#
# Date: 2019-11-26 21:07:46 +0000
# Hash: 4e10ebb01518de9eb007d4579006acda2d6ff773fe040d97786bcc686ec93gg1
# RequestUUID: 565a4d1b-9608-47a6-aba9-53136c991bb8
# Status: in progress
# Status Code: 0
# Status Message: Package Approved
$output =~ m{Status Code: (\d+)};
if (defined $1) {
$status = $1;
last;
}
sleep(5);
}
if ($status) {
print(STDERR "error: $status (uuid: $uuid)\n");
print(STDERR $output);
exit(1);
}
}
sub notarize_package { sub notarize_package {
my ($package, $uuid) = @_; my ($package, $uuid) = @_;
@ -172,13 +133,16 @@ sub notarize_package {
sub main { sub main {
my (@ARGS) = @_; my (@ARGS) = @_;
check_prerequisites(@ARGS); if (scalar @ARGS != 2) {
my $username = $ARGS[0]; print(STDERR "error: check arguments\n\n");
my $password = $ARGS[1]; usage();
my $package = $ARGS[2]; }
my $profile = $ARGS[0];
my $package = $ARGS[1];
my $uuid = submit_package($username, $password, $package); check_prerequisites($profile, $package);
check_status($username, $password, $uuid);
my $uuid = process_package($profile, $package);
notarize_package($package, $uuid); notarize_package($package, $uuid);
exit(0); exit(0);

26
src/packaging/MacOS/pkgbuild.sh.in
View File

@ -6,20 +6,11 @@ usage() {
exec >&2 exec >&2
echo 'Usage: pkgbuild.sh [-x] [--app-key <appkey>] [--inst-key <instkey>]' echo 'Usage: pkgbuild.sh [-x] [--app-key <appkey>] [--inst-key <instkey>]'
echo ' [--apple-id <appleid> <password>]' echo ' [--keychain-profile <profile>]'
echo ' [--pass N] [--csdb <CellServDB>] <binary-dir>' echo ' [--pass N] [--csdb <CellServDB>] <binary-dir>'
echo echo
echo '--app-key and --inst-key are for signing. -x prints all comamnds as ' echo '--app-key and --inst-key are for signing. -x prints all comamnds as '
echo 'they are run. --apple-id is for notarizing.' echo 'they are run. --keychain-profile is for notarizing.'
echo
echo 'Note: the password associated with <appleid> can be a reference to a'
echo 'keychain item. Including your password as cleartext is not'
echo 'recommended. e.g.'
echo
echo '--apple-id foo@bar.com "@keychain:PASSWORD"'
echo
echo 'In this case, keychain must hold a keychain item named PASSWORD with'
echo 'an account matching foo@bar.com.'
echo echo
echo 'By default, all passes are run. Available passes:' echo 'By default, all passes are run. Available passes:'
echo ' --pass 1: prepare pkgroot' echo ' --pass 1: prepare pkgroot'
@ -40,10 +31,9 @@ PASS2=
APP_KEY= APP_KEY=
INST_KEY= INST_KEY=
APPLE_ID=
APPLE_PW=
DEST_DIR= DEST_DIR=
CSDB= CSDB=
KEYCHAIN_PROFILE=
CODESIGN_OPTS= CODESIGN_OPTS=
@ -60,10 +50,8 @@ while [ x"$#" != x0 ] ; do
INST_KEY="$1" INST_KEY="$1"
shift shift
;; ;;
--apple-id) --keychain-profile)
APPLE_ID="$1" KEYCHAIN_PROFILE="$1"
shift
APPLE_PW="$1"
shift shift
;; ;;
--csdb) --csdb)
@ -583,8 +571,8 @@ if [ x"$PASS2" = x1 ]; then
echo echo
echo "Created $CURDIR/OpenAFS-@PACKAGE_VERSION@-$RELNAME".dmg echo "Created $CURDIR/OpenAFS-@PACKAGE_VERSION@-$RELNAME".dmg
if [ x"$APPLE_ID" != x ] ; then if [ x"$KEYCHAIN_PROFILE" != x ] ; then
echo "Notarizing package..." echo "Notarizing package..."
./notarize.pl "$APPLE_ID" "$APPLE_PW" "$CURDIR/OpenAFS-@PACKAGE_VERSION@-$RELNAME.dmg" ./notarize.pl "$KEYCHAIN_PROFILE" "$CURDIR/OpenAFS-@PACKAGE_VERSION@-$RELNAME.dmg"
fi fi
fi fi