Merge pull request OpenShot#5336 from OpenShot/new-mac-notarytool

Migrate from altool to notarytool (for Mac Notarization)

.gitlab-ci.yml

@@ -28,7 +28,7 @@ linux-builder:
     - ~/auto-update-sphinx "$CI_PROJECT_DIR/build" "$CI_COMMIT_REF_NAME"
     - python3 -u freeze.py build --git-branch=$CI_COMMIT_REF_NAME
     - for dir in "build/*/"; do /bin/sh ./installer/mangle-hw-libs.sh $(realpath "${dir}"); done 
-    - python3 -u installer/build_server.py "$SLACK_TOKEN" "$WINDOWS_KEY" "$WINDOWS_PASSWORD" "$GITHUB_USER" "$GITHUB_PASS" "False" "$CI_COMMIT_REF_NAME"
+    - python3 -u installer/build_server.py "$SLACK_TOKEN" "$WINDOWS_KEY" "$WINDOWS_PASSWORD" "$GITHUB_USER" "$GITHUB_PASS" "False" "$CI_COMMIT_REF_NAME" "$MAC_PASSWORD"
   when: always
   except:
   - tags
@@ -70,7 +70,7 @@ mac-builder:
     - echo -e "CI_PROJECT_NAME:$CI_PROJECT_NAME\nCI_COMMIT_REF_NAME:$CI_COMMIT_REF_NAME\nCI_COMMIT_SHA:$CI_COMMIT_SHA\nCI_JOB_ID:$CI_JOB_ID\nCI_PIPELINE_ID:$CI_PIPELINE_ID\nVERSION:$VERSION" > "build/install-x64/share/$CI_PROJECT_NAME.env"
     - git log $(git describe --tags --abbrev=0 @^)..@ --oneline --pretty=format:"- %C(auto,yellow)%h%C(auto,magenta)% %C(auto,blue)%>(12,trunc)%ad %C(auto,green)%<(25,trunc)%aN%C(auto,reset)%s%C(auto,red)% gD% D" --date=short > "build/install-x64/share/$CI_PROJECT_NAME.log"
     - python3 -u freeze.py bdist_mac --git-branch=$CI_COMMIT_REF_NAME --iconfile=installer/openshot.icns --custom-info-plist=installer/Info.plist --bundle-name="OpenShot Video Editor"
-    - python3 -u installer/build_server.py "$SLACK_TOKEN" "$WINDOWS_KEY" "$WINDOWS_PASSWORD" "$GITHUB_USER" "$GITHUB_PASS" "False" "$CI_COMMIT_REF_NAME"
+    - python3 -u installer/build_server.py "$SLACK_TOKEN" "$WINDOWS_KEY" "$WINDOWS_PASSWORD" "$GITHUB_USER" "$GITHUB_PASS" "False" "$CI_COMMIT_REF_NAME" "$MAC_PASSWORD"
   when: always
   except:
   - tags
@@ -107,7 +107,7 @@ windows-builder-x64:
     - $PREV_GIT_LABEL=(git describe --tags --abbrev=0 '@^')
     - git log "$PREV_GIT_LABEL..@" --oneline --pretty=format:"- %C(auto,yellow)%h%C(auto,magenta)% %C(auto,blue)%>(12,trunc)%ad %C(auto,green)%<(25,trunc)%aN%C(auto,reset)%s%C(auto,red)% gD% D" --date=short > "build/install-x64/share/$CI_PROJECT_NAME.log"
     - python3 -u freeze.py build --git-branch=$CI_COMMIT_REF_NAME
-    - python3 -u installer/build_server.py "$SLACK_TOKEN" "$WINDOWS_KEY" "$WINDOWS_PASSWORD" "$GITHUB_USER" "$GITHUB_PASS" "False" "$CI_COMMIT_REF_NAME"
+    - python3 -u installer/build_server.py "$SLACK_TOKEN" "$WINDOWS_KEY" "$WINDOWS_PASSWORD" "$GITHUB_USER" "$GITHUB_PASS" "False" "$CI_COMMIT_REF_NAME" "$MAC_PASSWORD"
   when: always
   except:
   - tags
@@ -146,7 +146,7 @@ windows-builder-x86:
     - python3 -u freeze.py build --git-branch=$CI_COMMIT_REF_NAME
     - $EXE_PATH = "$CI_PROJECT_DIR\build\exe.mingw-" + $PY_ABI + "\openshot-qt.exe"
     - editbin /LARGEADDRESSAWARE "$EXE_PATH"
-    - python3 -u installer/build_server.py "$SLACK_TOKEN" "$WINDOWS_KEY" "$WINDOWS_PASSWORD" "$GITHUB_USER" "$GITHUB_PASS" "True" "$CI_COMMIT_REF_NAME"
+    - python3 -u installer/build_server.py "$SLACK_TOKEN" "$WINDOWS_KEY" "$WINDOWS_PASSWORD" "$GITHUB_USER" "$GITHUB_PASS" "True" "$CI_COMMIT_REF_NAME" "$MAC_PASSWORD"
   when: always
   except:
   - tags

installer/build-mac-dmg.sh

@@ -3,6 +3,7 @@
 # XXX: These paths should be set using `brew prefix` commands,
 #      for future-proofing against upgrades
 PATH=/usr/local/Cellar/python@3.7/3.7.9_2/Frameworks/Python.framework/Versions/3.7/bin:/opt/local/bin:/opt/local/sbin:/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/qt5/5.5/clang_64/bin:/opt/X11/bin
+MAC_NOTARIZE_PASSWORD=$1
 
 # Get Version
 VERSION=$(grep -E '^VERSION = "(.*)"' src/classes/info.py | awk '{print $3}' | tr -d '"')
@@ -64,54 +65,31 @@ appdmg "installer/dmg-template.json" "build/$OS_DMG_NAME"
 echo "Code Sign DMG"
 codesign -s "OpenShot Studios, LLC" --force --entitlements "installer/openshot.entitlements" --timestamp=http://timestamp.apple.com/ts01 "build/$OS_DMG_NAME"
 
-echo "Notarize DMG file (send to apple)"
+echo "Notarize DMG file (submit to Apple)"
 # No errors uploading '/Users/jonathan/builds/7d5103a1/0/OpenShot/openshot-qt/build/test.zip'.
 # RequestUUID = cc285719-823f-4f0b-8e71-2df4bbbdaf72
-notarize_output=$(xcrun altool --notarize-app --primary-bundle-id "org.openshot.openshot-qt.zip" --username "jonathan@openshot.org" --password "@keychain:NOTARIZE_AUTH" --file "build/$OS_DMG_NAME")
+notarize_output=$(xcrun notarytool submit --apple-id "jonathan@openshot.org" --password "$MAC_NOTARIZE_PASSWORD" --team-id "C94ZNQ5JF3" --wait "build/$OS_DMG_NAME")
 echo "$notarize_output"
 
-echo "Parse Notarize Output and get Notarization RequestUUID"
-pat='RequestUUID = (.*)'
+echo "Parse Notarize Output and get Notarization ID & Status"
+pat='.*id: (.*)\n.*status: ([^'$'\n'']*)'
 [[ "$notarize_output" =~ $pat ]]
 REQUEST_UUID="${BASH_REMATCH[1]}"
-echo " RequestUUID Found: $REQUEST_UUID"
+echo " Notarization ID: $REQUEST_UUID"
+REQUEST_STATUS="${BASH_REMATCH[2]}"
+echo " Notarization Status: $REQUEST_STATUS"
 
 if [ "$REQUEST_UUID" == "" ]; then
-    echo "Failed to locate REQUEST_UUID, exiting with error."
+    echo "Failed to locate Notarization ID, exiting with error."
+    exit 1
+fi
+if [ "$REQUEST_STATUS" != "Accepted" ]; then
+    echo "Failed to locate Notarization Status of Accepted, exiting with error."
     exit 1
 fi
-
-echo "Check Notarization Progress... (list recent notarization records)"
-xcrun altool --notarization-history 0 -u "jonathan@openshot.org" -p "@keychain:NOTARIZE_AUTH" | head -n 10
-
-echo "Check Notarization Info (loop until status detected)"
-# Wait up to 60 minutes for notarization status to change
-START=$(date +%s)
-while [ "$(( $(date +%s) - 3600 ))" -lt "$START" ]; do
-    notarize_info=$(xcrun altool --notarization-info "$REQUEST_UUID" -u "jonathan@openshot.org" -p "@keychain:NOTARIZE_AUTH")
-    echo "$notarize_info"
-
-    # Match status (stop at newline)
-    pat='Status: ([^'$'\n'']*)'
-    [[ "$notarize_info" =~ $pat ]]
-    notarize_status="${BASH_REMATCH[1]}"
-    echo "Notarization Status Found: $notarize_status"
-
-    if [ "$notarize_status" != "in progress" ] && [ "$notarize_status" != "" ]; then
-      echo "Wait for notarization to appear in --notarization-history/"
-      verify_output=$(xcrun altool --notarization-history 0 -u "jonathan@openshot.org" -p "@keychain:NOTARIZE_AUTH" | grep "$REQUEST_UUID")
-      if [ "$verify_output" != "" ]; then
-        echo "Notarization record found, and ready for stapling!"
-        break
-      fi
-    fi
-
-    # Wait a few seconds (so we don't spam the API)
-    sleep 60
-done
 
 # Wait a few more seconds (otherwise the stapler can sometimes fail to find the ticket)
-sleep 180
+sleep 120
 
 echo "Staple Notarization Ticket to DMG"
 xcrun stapler staple "build/$OS_DMG_NAME"

installer/build_server.py

@@ -234,6 +234,10 @@ def main():
         if len(sys.argv) >= 8:
             git_branch_name = sys.argv[7]
 
+        mac_password = ""
+        if len(sys.argv) >= 9:
+            mac_password = sys.argv[8]
+
         # Start log
         output(
             "%s Build Log for %s (branch: %s)" % (
@@ -405,7 +409,7 @@ def main():
             app_image_success = False
 
             # Build app.bundle and create DMG
-            for line in run_command("bash installer/build-mac-dmg.sh"):
+            for line in run_command(f'bash installer/build-mac-dmg.sh "{mac_password}"'):
                 output(line)
                 if (
                         ("error".encode("UTF-8") in line