#!/usr/bin/env bash
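# Shell options: -e aborts on the first failing command, -f disables pathname
# expansion (globbing), -o pipefail makes a pipeline fail when any stage fails.
# NOTE: -u is not enabled; the credential checks below rely on unset
# variables expanding to an empty string.
set -e -f -o pipefail

# notarytool, stapler and spctl are macOS tools, so refuse to run elsewhere.
if [[ $(uname) != 'Darwin' ]]; then
  echo 'This only works on macOS.' >&2
  exit 1
fi

# Exactly one argument is expected: the bundle to notarize.
if [[ $# -ne 1 ]]; then
  echo 'notarize-macos-pkg.sh <bundle_to_notarize>' >&2
  exit 1
fi

# Credentials necessary for the upload. All three must be set and non-empty.
# Only the variable NAME is printed on failure, never its value.
for required_var in MACOS_NOTARIZE_TEAM_ID MACOS_NOTARIZE_USERNAME MACOS_NOTARIZE_PASSWORD; do
  if [[ -z "${!required_var}" ]]; then
    echo -e "Missing env variable: ${required_var}" 1>&2
    exit 1
  fi
done

# Path to macOS bundle created by Xcode.
BUNDLE_PATH="${1}"
# Notarization request check timeout (handed to `notarytool submit --timeout`).
CHECK_TIMEOUT="${CHECK_TIMEOUT:-10m}"
# notarytool log file paths; both can be overridden from the environment.
# The ERR log receives notarytool's stderr and the OUT log its stdout, so the
# default file names now match the stream they hold (they were swapped).
NOTARIZATION_ERR_LOG="${NOTARIZATION_ERR_LOG:-${PWD}/notarization.err.log}"
NOTARIZATION_OUT_LOG="${NOTARIZATION_OUT_LOG:-${PWD}/notarization.out.log}"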
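#######################################
# Print both notarytool log files to stdout so a failed run can be diagnosed
# from the job output.
# Globals:   NOTARIZATION_ERR_LOG (read), NOTARIZATION_OUT_LOG (read)
# Arguments: none
# Outputs:   "FAILURE!" followed by the contents of each log
# Returns:   0; a missing or unreadable log is reported instead of failing,
#            so the second log is still shown when the handler runs under
#            `set -e`.
#######################################
function show_notarization_logs() {
  echo "FAILURE!"

  echo "STDERR:"
  if [[ -r "${NOTARIZATION_ERR_LOG}" ]]; then
    cat -- "${NOTARIZATION_ERR_LOG}"
  else
    echo "(no readable log at '${NOTARIZATION_ERR_LOG}')"
  fi

  echo "STDOUT:"
  if [[ -r "${NOTARIZATION_OUT_LOG}" ]]; then
    cat -- "${NOTARIZATION_OUT_LOG}"
  else
    echo "(no readable log at '${NOTARIZATION_OUT_LOG}')"
  fi
}

# Dump the logs whenever a command fails. Without `set -E` the ERR trap is
# not inherited by functions, command substitutions or subshells, so it
# fires only for commands failing at the top level of the script.
trap show_notarization_logs ERR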
#######################################
# Run `xcrun notarytool` with the caller's sub-command and arguments, then
# the shared credentials and JSON output format.
# Globals:   MACOS_NOTARIZE_TEAM_ID, MACOS_NOTARIZE_USERNAME,
#            MACOS_NOTARIZE_PASSWORD, NOTARIZATION_OUT_LOG,
#            NOTARIZATION_ERR_LOG (all read)
# Arguments: passed through to notarytool ahead of the credential flags
# Outputs:   notarytool's stdout (the JSON) is appended to the OUT log and
#            still reaches the caller; its stderr is appended to the ERR log
#            only, which keeps the captured output pure JSON.
# Returns:   the exit status of `xcrun notarytool`
#######################################
xcrun_notarytool() {
  # NOTE(review): --password puts the app-specific password on the process
  # argument list, where other local users can read it via `ps` while the
  # call runs. notarytool also accepts --keychain-profile (credentials saved
  # once with `notarytool store-credentials`), which keeps it off argv.
  local -a notary_args=(
    "${@}"
    --team-id "${MACOS_NOTARIZE_TEAM_ID}"
    --apple-id "${MACOS_NOTARIZE_USERNAME}"
    --password "${MACOS_NOTARIZE_PASSWORD}"
    --output-format "json"
  )

  # Both logs are opened in append mode, so entries from earlier runs in the
  # same directory remain in the files.
  xcrun notarytool "${notary_args[@]}" \
    > >(tee -a "${NOTARIZATION_OUT_LOG}") \
    2> >(tee -a "${NOTARIZATION_ERR_LOG}" >/dev/null)
}
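# Submit app for notarization. Should take 5-10 minutes.
# `--wait` keeps notarytool running until the submission has been processed
# or CHECK_TIMEOUT elapses. OUT captures notarytool's JSON stdout.
echo -e "\n### Creating Notarization Request..."
OUT=$(xcrun_notarytool submit --wait --timeout "${CHECK_TIMEOUT}" "${BUNDLE_PATH}")

# Necessary to track notarization request progress.
# jq prints the literal string "null" when the JSON has no `.id`.
REQUEST_UUID=$(jq -r '.id' <<<"${OUT}")
if [[ -z "${REQUEST_UUID}" ]] || [[ "${REQUEST_UUID}" == "null" ]]; then
  # The whole failure report goes to stderr; -e is needed for the "\n".
  {
    echo -e "\n!!! FAILURE: No notarization request UUID found."
    echo "Full output:"
    echo "${OUT}"
  } >&2
  exit 1
fi
echo -e "\n### Request ID: ${REQUEST_UUID}"

# Check notarization ticket status.
# `jq -e` sets the exit status from the comparison result, so the status is
# tested directly rather than by executing jq's printed "true"/"false" as a
# command. Anything other than "Accepted" (including unparsable output) is
# treated as a failure.
echo -e "\n### Checking Notarization Status..."
if jq -e '.status == "Accepted"' <<<"${OUT}" >/dev/null; then
  echo -e "\n### Successful Notarization"
else
  {
    echo -e "\n!!! Notariztion Error"
    echo "${OUT}"
  } >&2
  exit 1
fi

# Optional but preferable to attach the ticket to the bundle.
echo -e "\n### Stapling Notarization Ticket..."
xcrun stapler staple "${BUNDLE_PATH}"

# Final gate: ask Gatekeeper (spctl) to assess the stapled bundle. Under
# `set -e` a rejection ends the script at this command with spctl's status,
# so the `exit $?` below is only reached after a successful assessment.
echo -e "\n### Validating Signature and Notarization..."
spctl --verbose=2 \
  --assess --type open \
  --context context:primary-signature \
  "${BUNDLE_PATH}"

exit $?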