tools: added support for notarytool for osx notarization

[UlisesGascon]

Main Changes

• Encapsulated gon to be used only when notarytool is not available (Xcode version < 13.0)
• Added notarytool pkg submission by using user, pass, teamId combination.

How to test this code?

There is a cloned job in the ci-release named testing-new-osx-notarization-ojs+release where you can build with parameters as always. Please always use disttype: test.

As an example:

The Build 14 is passing. see. The pkg files are working fine

The output from the Jenkins process is the expected:

Notes

In order to properly work is required to include a new environmental variable NOTARIZATION_TEAM_ID in the Jenkins job, this data is not sensitive information.

I am a bit rusty in bash, so feel free to improve the script. Only the linter steps are relevant in the CI validation for this PR.

This is working with the existing credentials (NOTARIZATION_PASSWORD and NOTARIZATION_ID) so there is no breaking changes in the credentials for gon

Context

TL;DR:

By November 1, 2023, we should be able to use notarytool to notarize Node.js. Currently, we use gon, but there is no support for notarytool yet. Additionally, we want to replace gon as notarytool currently provides the option to wait for the notarization to be completed with the argument --wait.

• Fix Action required by Apple: Transition to the notarytool command-line utility build#3385.
• CC: @nodejs/build

[UlisesGascon]

We have a new job in the release CI to test this script: https://ci-release.nodejs.org/job/testing-new-osx-notarization-ojs+release/.

Next steps:

• Consolidate the script
• Check the binaries generated
• remove the temporary job and merge this PR (after review)
• Try the standard job with the new script and validate the binaries in a canary build

Thanks for the great pairing session @mhdawson!

[mhdawson]

LGTM, @UlisesGascon thanks for putting this together

[mhdawson]

To clarify for readers in terms of

By November 1, 2023, we should be able to use notarytool to notarize Node.js.

It is really By November 1, 2023 we must use notarytool so we need this PR landed and backported to all release lines before then.

[UlisesGascon]

To clarify for readers in terms of

By November 1, 2023, we should be able to use notarytool to notarize Node.js.

It is really By November 1, 2023 we must use notarytool so we need this PR landed and backported to all release lines before then.

I think that this will make imposible to notarize releases with macos10.15 since Nov, so we can repurpose/upgrade the hardware (release-nearform-macos10.15-x64-1 and release-orka-macos10.15-x64-1) and reconfigure the Jenkins jobs in separate PRs.

Based on xcodereleases

Important: Node.js should/can be tested in macos 10.15, this only affect the release process

[mhdawson]

landed in e97d256

[richardlau]

Maybe someone with a mac can verify if the https://nodejs.org/download/nightly/v21.0.0-nightly202309295570c29780/node-v21.0.0-nightly202309295570c29780.pkg macOS build was notarized? We didn't get a "Your Mac software was successfully notarized." email from Apple for v21.0.0-nightly202309295570c29780 but maybe that's a change with the use of the new tool?

FWIW https://ci-release.nodejs.org/job/iojs+release/9667/nodes=osx11-release-pkg/console succeeded but the parsed operation_id was empty:

08:08:23 sh tools/osx-notarize.sh v21.0.0-nightly202309295570c29780
08:08:23 objc[10383]: Class AMSupportURLConnectionDelegate is implemented in both /usr/lib/libauthinstall.dylib (0x202f4f490) and /System/Library/PrivateFrameworks/MobileDevice.framework/Versions/A/MobileDevice (0x10f3942b8). One of the two will be used. Which one is undefined.
08:08:23 objc[10383]: Class AMSupportURLSession is implemented in both /usr/lib/libauthinstall.dylib (0x202f4f4e0) and /System/Library/PrivateFrameworks/MobileDevice.framework/Versions/A/MobileDevice (0x10f394308). One of the two will be used. Which one is undefined.
08:08:23 Notarization process is done with Notarytool.
08:10:23 Notarization submitted. Operation ID: 
08:10:23 ssh node-www "mkdir -p nodejs/nightly/v21.0.0-nightly202309295570c29780"

node/tools/osx-notarize.sh

Lines 69 to 83 in 6aa7101

	notarization_output=$(
	xcrun notarytool submit \
	--apple-id "$NOTARIZATION_ID" \
	--password "$NOTARIZATION_PASSWORD" \
	--team-id "$NOTARIZATION_TEAM_ID" \
	--wait \
	"node-$pkgid.pkg" 2>&1
	)
	if [ $? -eq 0 ]; then
	# Extract the operation ID from the output
	operation_id=$(echo "$notarization_output" | awk '/RequestUUID/ {print $NF}')
	echo "Notarization submitted. Operation ID: $operation_id"
	exit 0
	else

[mhdawson]

I was able to install the sep 29th on my mac without any messages/complaints so looks to me like it worked. Would be good to get other people to install/test as well to be double sure.

[BethGriggs]

Looks good to me:

$ /usr/local/bin/node --version                
v21.0.0-nightly202309295570c29780
$ spctl -a -vvv -t install /usr/local/bin/node
/usr/local/bin/node: accepted
source=Notarized Developer ID
origin=Developer ID Application: Node.js Foundation (HX7739G8FX)

[mhdawson]

Looks good in terms of nightlies, removed the don't land tags