Merge pull request #5404 from snyk/hotfix/CLI-465_sign_innercli_macos…

…_e2e

fix: sign macos TS CLI binaries

.circleci/config.yml

@@ -485,6 +485,7 @@ workflows:
           go_download_base_url: << pipeline.parameters.go_download_base_url >>
           executor: macos-arm64
           install_deps_extension: macos-build
+          context: snyk-macos-signing
           requires:
             - prepare-build
 
@@ -496,6 +497,7 @@ workflows:
           go_download_base_url: << pipeline.parameters.go_download_base_url >>
           executor: macos-arm64
           install_deps_extension: macos-build
+          context: snyk-macos-signing
           requires:
             - prepare-build
 

Makefile

@@ -133,10 +133,12 @@ $(BINARY_RELEASES_FOLDER_TS_CLI)/snyk-linux-arm64: prepack | $(BINARY_RELEASES_F
 
 $(BINARY_RELEASES_FOLDER_TS_CLI)/snyk-macos: prepack | $(BINARY_RELEASES_FOLDER_TS_CLI)
 	$(PKG) -t node$(PKG_NODE_VERSION)-macos-x64 -o $(BINARY_RELEASES_FOLDER_TS_CLI)/snyk-macos
+	$(SHELL) $(WORKING_DIR)/cliv2/scripts/sign_darwin.sh $(BINARY_RELEASES_FOLDER_TS_CLI) snyk-macos skip-notarize
 	$(MAKE) $(BINARY_RELEASES_FOLDER_TS_CLI)/snyk-macos.sha256
 
 $(BINARY_RELEASES_FOLDER_TS_CLI)/snyk-macos-arm64: prepack | $(BINARY_RELEASES_FOLDER_TS_CLI)
 	$(PKG) -t node$(PKG_NODE_VERSION)-macos-arm64 -o $(BINARY_RELEASES_FOLDER_TS_CLI)/snyk-macos-arm64 --no-bytecode
+	$(SHELL) $(WORKING_DIR)/cliv2/scripts/sign_darwin.sh $(BINARY_RELEASES_FOLDER_TS_CLI) snyk-macos-arm64 skip-notarize
 	$(MAKE) $(BINARY_RELEASES_FOLDER_TS_CLI)/snyk-macos-arm64.sha256
 
 $(BINARY_RELEASES_FOLDER_TS_CLI)/snyk-win.exe: prepack | $(BINARY_RELEASES_FOLDER_TS_CLI)

binary-releases/RELEASE_NOTES.md

@@ -1,11 +1,10 @@
-## [1.1292.2](https://github.com/snyk/snyk/compare/v1.1292.1...v1.1292.2) (2024-08-01)
+## [1.1292.3](https://github.com/snyk/snyk/compare/v1.1292.2...v1.1292.3) (2024-08-12)
 
 The Snyk CLI is being deployed to different deployment channels, users can select the stability level according to their needs. For details please see [this documentation](https://docs.snyk.io/snyk-cli/releases-and-channels-for-the-snyk-cli)
 
 ## Complete changelog
 
 ### Bug Fixes
 
-- **container test:** Improve the accuracy of identifying npm projects within docker images by removing the explicit folder ignore rules
-  ([#5384](https://github.com/snyk/snyk/issues/5384))
-- **container test:** Pass platform parameter when pulling an image from a container registry ([#5360](https://github.com/snyk/snyk/issues/5360))
+- **deployment:** Add digital signature for the bundled macOS binary
+  ([#5404](https://github.com/snyk/cli/pull/5404))

cliv2/scripts/sign_darwin.sh

@@ -11,6 +11,7 @@ set -euo pipefail
 
 EXPORT_PATH=${1:-./bin}
 PRODUCT_NAME=${2:-snyk_darwin_amd64}
+SKIP_NOTARIZE=${3:-0}
 KEYCHAIN_PROFILE=AC_PASSWORD
 APP_PATH="$EXPORT_PATH/$PRODUCT_NAME"
 ZIP_PATH="$EXPORT_PATH/$PRODUCT_NAME.zip"
@@ -30,6 +31,12 @@ if [[ "$OSTYPE" != *"darwin"* ]]; then
   exit 1
 fi
 
+# if the required secrets are not available we skip signing completely without an error to enable local builds on windows. A later issigned check will catch this error in the build pipeline
+if [ -z "${APPLE_ID+x}" ]; then
+  echo "$LOG_PREFIX Skipping signing, since the required secrets are not available."
+  exit 0
+fi
+
 #
 # signing
 #
@@ -51,12 +58,16 @@ security set-key-partition-list -S apple-tool:,apple: -s -k "$KEYCHAIN_PASSWORD"
 sleep 10
 
 echo "$LOG_PREFIX Signing binary $APP_PATH"
-codesign -s "$APPLE_SIGNING_IDENTITY" -v "$APP_PATH" --timestamp --options runtime 
+codesign -f -s "$APPLE_SIGNING_IDENTITY" -v "$APP_PATH" --timestamp --options runtime
 
 #
 # notarization
 #
 
+if [[ "$SKIP_NOTARIZE" = "skip-notarize" ]]; then
+  exit 0
+fi
+
 # create a zip file
 echo "$LOG_PREFIX Creating zip file $ZIP_PATH"
 /usr/bin/ditto -c -k --keepParent "$APP_PATH" "$ZIP_PATH"