forked from influxdata/telegraf
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
fix: mac signing issue with arm64 (influxdata#10293)
Co-authored-by: Joshua Powers <powersj@influxdata.com>
- Loading branch information
Showing
1 changed file
with
74 additions
and
52 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,79 +1,101 @@ | ||
| #!/bin/bash | ||
|
|
||
| function cleanup () { | ||
| echo "Cleaning up any existing Telegraf or Telegraf.app" | ||
| printf "\n" | ||
| rm -rf Telegraf | ||
| rm -rf Telegraf.app | ||
| } | ||
|
|
||
| # Acquire the necessary certificates. | ||
| base64 -D -o MacCertificate.p12 <<< $MacCertificate | ||
| sudo security import MacCertificate.p12 -k /Library/Keychains/System.keychain -P $MacCertificatePassword -A | ||
| base64 -D -o AppleSigningAuthorityCertificate.cer <<< $AppleSigningAuthorityCertificate | ||
| # MacCertificate, MacCertificatePassword, AppleSigningAuthorityCertificate are environment variables, to follow convention they should have been all caps. | ||
| # shellcheck disable=SC2154 | ||
| base64 -D -o MacCertificate.p12 <<< "$MacCertificate" | ||
| # shellcheck disable=SC2154 | ||
| sudo security import MacCertificate.p12 -k /Library/Keychains/System.keychain -P "$MacCertificatePassword" -A | ||
| # shellcheck disable=SC2154 | ||
| base64 -D -o AppleSigningAuthorityCertificate.cer <<< "$AppleSigningAuthorityCertificate" | ||
| sudo security import AppleSigningAuthorityCertificate.cer -k '/Library/Keychains/System.keychain' -A | ||
|
|
||
| cd dist | ||
| amdFile=$(find . -name "*darwin_amd64.tar*") | ||
| armFile=$(find . -name "*darwin_arm64.tar*") | ||
| macFiles=(${amdFile} ${armFile}) | ||
|
|
||
|
|
||
| for tarFile in ${macFiles[@]}; | ||
| do | ||
| # Extract the built mac binary and sign it. | ||
| tar -xzvf $tarFile | ||
| baseName=$(basename $tarFile .tar.gz) | ||
| cd $(find . -name "*telegraf-*" -type d) | ||
| cd usr/bin | ||
| codesign -s "Developer ID Application: InfluxData Inc. (M7DN9H35QT)" --timestamp --options=runtime telegraf | ||
| codesign -v telegraf | ||
|
|
||
| # Reset back out to the main directory. | ||
| cd | ||
| cd project/dist | ||
| extractedFolder=$(find . -name "*telegraf-*" -type d) | ||
|
|
||
| # Sign the 'telegraf entry' script, which is required to open Telegraf upon opening the .app bundle. | ||
| codesign -s "Developer ID Application: InfluxData Inc. (M7DN9H35QT)" --timestamp --options=runtime ../scripts/telegraf_entry_mac | ||
| codesign -v ../scripts/telegraf_entry_mac | ||
|
|
||
| # Create the .app bundle. | ||
| mkdir Telegraf | ||
| cd Telegraf | ||
| mkdir Contents | ||
| cd Contents | ||
| mkdir MacOS | ||
| mkdir Resources | ||
| cd ../.. | ||
| cp ../info.plist Telegraf/Contents | ||
| cp -R "$extractedFolder"/ Telegraf/Contents/Resources | ||
| cp ../scripts/telegraf_entry_mac Telegraf/Contents/MacOS | ||
| cp ../assets/icon.icns Telegraf/Contents/Resources | ||
| chmod +x Telegraf/Contents/MacOS/telegraf_entry_mac | ||
| mv Telegraf Telegraf.app | ||
| amdFile=$(find "$HOME/project/dist" -name "*darwin_amd64.tar*") | ||
| armFile=$(find "$HOME/project/dist" -name "*darwin_arm64.tar*") | ||
| macFiles=("${amdFile}" "${armFile}") | ||
|
|
||
| for tarFile in "${macFiles[@]}"; | ||
| do | ||
| cleanup | ||
|
|
||
| # Create the .app bundle directory structure | ||
| RootAppDir="Telegraf.app/Contents" | ||
| mkdir -p "$RootAppDir" | ||
| mkdir -p "$RootAppDir/MacOS" | ||
| mkdir -p "$RootAppDir/Resources" | ||
|
|
||
| DeveloperID="Developer ID Application: InfluxData Inc. (M7DN9H35QT)" | ||
|
|
||
| # Sign telegraf binary and the telegraf_entry_mac script | ||
| echo "Extract $tarFile to $RootAppDir/Resources" | ||
| tar -xzvf "$tarFile" --strip-components=2 -C "$RootAppDir/Resources" | ||
| printf "\n" | ||
| TelegrafBinPath="$RootAppDir/Resources/usr/bin/telegraf" | ||
| codesign --force -s "$DeveloperID" --timestamp --options=runtime "$TelegrafBinPath" | ||
| echo "Verify if $TelegrafBinPath was signed" | ||
| codesign -dvv "$TelegrafBinPath" | ||
|
|
||
| printf "\n" | ||
|
|
||
| cp ~/project/scripts/telegraf_entry_mac "$RootAppDir"/MacOS | ||
| EntryMacPath="$RootAppDir/MacOS/telegraf_entry_mac" | ||
| codesign -s "$DeveloperID" --timestamp --options=runtime "$EntryMacPath" | ||
| echo "Verify if $EntryMacPath was signed" | ||
| codesign -dvv "$EntryMacPath" | ||
|
|
||
| printf "\n" | ||
|
|
||
| cp ~/project/info.plist "$RootAppDir" | ||
| cp ~/project/assets/icon.icns "$RootAppDir/Resources" | ||
|
|
||
| chmod +x "$RootAppDir/MacOS/telegraf_entry_mac" | ||
|
|
||
| # Sign the entire .app bundle, and wrap it in a DMG. | ||
| codesign -s "Developer ID Application: InfluxData Inc. (M7DN9H35QT)" --timestamp --options=runtime --deep --force Telegraf.app | ||
| codesign -s "$DeveloperID" --timestamp --options=runtime --deep --force Telegraf.app | ||
| baseName=$(basename "$tarFile" .tar.gz) | ||
| echo "$baseName" | ||
| hdiutil create -size 500m -volname Telegraf -srcfolder Telegraf.app "$baseName".dmg | ||
| codesign -s "Developer ID Application: InfluxData Inc. (M7DN9H35QT)" --timestamp --options=runtime "$baseName".dmg | ||
| codesign -s "$DeveloperID" --timestamp --options=runtime "$baseName".dmg | ||
|
|
||
| # Send the DMG to be notarized. | ||
| # AppleUsername and ApplePassword are environment variables, to follow convention they should have been all caps. | ||
| # shellcheck disable=SC2154 | ||
| uuid=$(xcrun altool --notarize-app --primary-bundle-id "com.influxdata.telegraf" --username "$AppleUsername" --password "$ApplePassword" --file "$baseName".dmg | awk '/RequestUUID/ { print $NF; }') | ||
| echo $uuid | ||
| if [[ $uuid == "" ]]; then | ||
| echo "UUID: $uuid" | ||
| if [[ $uuid == "" ]]; then | ||
| echo "Could not upload for notarization." | ||
| exit 1 | ||
| fi | ||
|
|
||
| printf "\n" | ||
|
|
||
| # Wait until the status returns something other than 'in progress'. | ||
| request_status="in progress" | ||
| while [[ "$request_status" == "in progress" ]]; do | ||
| sleep 10 | ||
| request_status=$(xcrun altool --notarization-info $uuid --username "$AppleUsername" --password "$ApplePassword" 2>&1 | awk -F ': ' '/Status:/ { print $2; }' ) | ||
| request_response=$(xcrun altool --notarization-info "$uuid" --username "$AppleUsername" --password "$ApplePassword" 2>&1) | ||
| request_status=$(echo "$request_response" | awk -F ': ' '/Status:/ { print $2; }' ) | ||
| done | ||
|
|
||
| if [[ $request_status != "success" ]]; then | ||
| echo "Failed to notarize." | ||
| echo "$request_response" | ||
| cleanup | ||
| exit 1 | ||
| fi | ||
|
|
||
| # Attach the notarization to the DMG. | ||
| xcrun stapler staple "$baseName".dmg | ||
| rm -rf Telegraf.app | ||
| rm -rf $extractedFolder | ||
| ls | ||
| cleanup | ||
|
|
||
| mv "$baseName".dmg ~/project/dist | ||
|
|
||
| echo "$tarFile Signed and notarized!" | ||
| done | ||
| echo "$baseName.dmg signed and notarized!" | ||
| done |