DARWIN: Add --with-macos-* packaging options

To create the OpenAFS client for macOS, the current process involves
building the code, signing the binaries, creating the package, and
notarizing it. Each step is typically performed separately and requires
distinct parameters and credentials, making this process cumbersome and
difficult to follow.

To simplify this process, introduce the following '--with' options:

--with-macos-app-key
--with-macos-inst-key
--with-macos-keychain-profile

These options allow users to specify the credentials needed for signing
and notarizing the package upfront.

With these enhancements, users will be able to perform the entire
workflow - building, signing, creating, and notarizing the package -
with a single 'make packages' command, significantly simplifying this
process.

Change-Id: Ibf114f4f5bbe9bc72f37adc487c046e5243f5a97
Reviewed-on: https://gerrit.openafs.org/15977
Reviewed-by: Andrew Deason <adeason@sinenomine.net>
Reviewed-by: Michael Meffie <mmeffie@sinenomine.net>
Reviewed-by: Mark Vitale <mvitale@sinenomine.net>
Tested-by: Andrew Deason <adeason@sinenomine.net>

Makefile.in

@@ -878,8 +878,11 @@ distclean: clean
 	src/pam/Makefile \
 	src/platform/Makefile \
 	src/platform/${MKAFS_OSTYPE}/Makefile \
-	src/platform/DARWIN/growlagent/Makefile \
+	src/platform/DARWIN/AFSPreference/Info.plist \
 	src/platform/DARWIN/PrivilegedHelper/Makefile \
+	src/platform/DARWIN/PrivilegedHelper/privhelper-info.plist \
+	src/platform/DARWIN/PrivilegedHelper/privhelper.c \
+	src/platform/DARWIN/growlagent/Makefile \
 	src/procmgmt/Makefile \
 	src/procmgmt/test/Makefile \
 	src/ptserver/Makefile \

configure.ac

@@ -110,8 +110,11 @@ AC_CONFIG_FILES([
     src/pam/Makefile
     src/platform/Makefile
     src/platform/${MKAFS_OSTYPE}/Makefile
-    src/platform/DARWIN/growlagent/Makefile
+    src/platform/DARWIN/AFSPreference/Info.plist
     src/platform/DARWIN/PrivilegedHelper/Makefile
+    src/platform/DARWIN/PrivilegedHelper/privhelper-info.plist
+    src/platform/DARWIN/PrivilegedHelper/privhelper.c
+    src/platform/DARWIN/growlagent/Makefile
     src/procmgmt/Makefile
     src/procmgmt/test/Makefile
     src/ptserver/Makefile

src/cf/options.m4

@@ -263,6 +263,21 @@ AC_ARG_WITH([dot],
         [use graphviz dot to generate dependency graphs with doxygen (defaults to autodetect)]),
         [], [with_dot="maybe"])
 
+AC_ARG_WITH([macos-app-key],
+        AS_HELP_STRING([--with-macos-app-key=key],
+        [macOS: use the given app key to sign the code (optional, defaults to no key)]),
+        [AC_SUBST([MACOS_APP_KEY], [$withval])])
+
+AC_ARG_WITH([macos-inst-key],
+        AS_HELP_STRING([--with-macos-inst-key=key],
+        [macOS: use the given inst key to sign the installer (optional, defaults to no key)]),
+        [AC_SUBST([MACOS_INST_KEY], [$withval])])
+
+AC_ARG_WITH([macos-keychain-profile],
+        AS_HELP_STRING([--with-macos-keychain-profile=profile],
+        [macOS: use the given keychain profile to notarize the package (optional, defaults to no profile)]),
+        [AC_SUBST([MACOS_KEYCHAIN_PROFILE], [$withval])])
+
 enable_login="no"
 
 ])
@@ -312,6 +327,32 @@ else
                 VFSCK="vfsck"
         fi
 fi
+
+AS_IF([test "x$with_macos_app_key" != "x"], [
+    # Retrieve the Team ID (OU field) associated with a certificate. MACOS_TEAM_ID is extracted from the
+    # certificate subject using openssl and awk.
+    #
+    # Example subject string:
+    # subject=UID=SKMME9E2Y8, CN=Developer ID Application: Org (SKMME9E2Y8), OU=SKMME9E2Y8, O=org, C=US
+    macos_app_key="$with_macos_app_key"
+    AC_MSG_CHECKING([for macOS team ID])
+
+    macos_cert=$(security find-certificate -c "$macos_app_key" -p 2>/dev/null)
+    AS_IF([test x"$macos_cert" = x],
+	  [AC_MSG_ERROR([Failed to retrieve the certificate for app key: $macos_app_key])])
+
+    macos_subject=$(echo "$macos_cert" | openssl x509 -noout -subject 2>/dev/null)
+    AS_IF([test x"$macos_subject" = x],
+	  [AC_MSG_ERROR([Failed to process the certificate using openssl])])
+
+    MACOS_TEAM_ID=$(echo "$macos_subject" | awk 'BEGIN { FS="OU=" } {print $[]2}' | awk 'BEGIN { FS="," } {print$[]1}')
+    AS_IF([test x"$MACOS_TEAM_ID" = x],
+	  [AC_MSG_ERROR([Failed to extract the macOS Team ID])])
+
+    AC_MSG_RESULT([$MACOS_TEAM_ID])
+    AC_SUBST([MACOS_TEAM_ID])
+])
+
 ])
 
 AC_DEFUN([OPENAFS_MORE_OPTION_TESTS],[

src/packaging/MacOS/pkgbuild.sh.in

@@ -29,11 +29,11 @@ anypass=0
 PASS1=
 PASS2=
 
-APP_KEY=
-INST_KEY=
+APP_KEY="@MACOS_APP_KEY@"
+INST_KEY="@MACOS_INST_KEY@"
 DEST_DIR=
 CSDB=
-KEYCHAIN_PROFILE=
+KEYCHAIN_PROFILE="@MACOS_KEYCHAIN_PROFILE@"
 
 CODESIGN_OPTS=
 

src/platform/DARWIN/AFSPreference/.gitignore

@@ -5,3 +5,4 @@ build/*
 *.mode2v3
 *.perspectivev3
 config
+Info.plist

src/platform/DARWIN/AFSPreference/Info.plist.in

@@ -30,13 +30,10 @@
 	<string>OpenAFS</string>
 	<key>NSPrincipalClass</key>
 	<string>AFSCommanderPref</string>
-	<!-- Uncomment the following block and add your signature (XXXXXXXXXX) -->
-	<!--
 	<key>SMPrivilegedExecutables</key>
 	<dict>
 		<key>org.openafs.privhelper</key>
-		<string>identifier "org.openafs.privhelper" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = XXXXXXXXXX</string>
+		<string>identifier "org.openafs.privhelper" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = @MACOS_TEAM_ID@</string>
 	</dict>
-	-->
 </dict>
 </plist>

src/platform/DARWIN/PrivilegedHelper/.gitignore

@@ -3,3 +3,5 @@
 # to check that you haven't inadvertently ignored any tracked files.
 
 /org.openafs.privhelper
+/privhelper-info.plist
+/privhelper.c

src/platform/DARWIN/PrivilegedHelper/privhelper-info.plist.in

@@ -10,12 +10,9 @@
 	<string>privhelper</string>
 	<key>CFBundleVersion</key>
 	<string>1.0</string>
-	<!-- Uncomment the following block and add your signature (XXXXXXXXXX) -->
-	<!--
 	<key>SMAuthorizedClients</key>
 	<array>
-	    <string>identifier "it.infn.lnf.network.openafs" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = XXXXXXXXXX</string>
+	    <string>identifier "it.infn.lnf.network.openafs" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = @MACOS_TEAM_ID@</string>
 	</array>
-	-->
 </dict>
 </plist>

src/platform/DARWIN/PrivilegedHelper/privhelper.c.in

@@ -69,9 +69,6 @@
  *
  * "certificate leaf[subject.OU] = @MACOS_TEAM_ID@" means the code was signed
  * by us.
- *
- * Replace @MACOS_TEAM_ID@ by your team ID. For example:
- *     "certificate leaf[subject.OU] = SKMME9E2Y8"
  */
 #define CLI_SIGNATURES	"((identifier \"com.apple.systempreferences.legacyLoader.x86_64\" and anchor apple) or " \
 			 "(identifier \"com.apple.systempreferences.legacyLoader.arm64\" and anchor apple) or " \