Merge branch 'rel-macos-sign-notarize' into release-3.22

Merge-request: !7463

Merge branch 'rel-macos-sign-notarize' into release-3.22
d4762d46 · Brad King · 7cc61ff9 · 432ae514 · d4762d46
Commit d4762d46 authored 2 years ago by Brad King
--- a/Utilities/Release/macos/sign-notarize.bash
+++ b/Utilities/Release/macos/sign-notarize.bash
 #!/usr/bin/env bash
 set -e
-readonly usage='usage: sign-notarize.bash -i <id> -d <dev-acct> -k <key-item> [-p <provider>] [--] <package>.dmg
+readonly usage='usage: sign-notarize.bash -i <id> -k <keychain-profile> [--] <package>.dmg

 Sign and notarize the "CMake.app" bundle inside the given "<package>.dmg" disk image.
 Also produce a "<package>.tar.gz" tarball containing the same "CMake.app".
@@ -8,9 +8,22 @@ Also produce a "<package>.tar.gz" tarball containing the same "CMake.app".
 Options:

    -i <id>                Signing Identity
-    -d <dev-acct>          Developer account name
-    -k <key-item>          Keychain item containing account credentials
-    -p <provider>          Provider short name
+    -k <keychain-profile>  Keychain profile containing stored credentials
+
+Create the keychain profile ahead of time using
+
+    xcrun notarytool store-credentials <keychain-profile> \
+      --apple-id <dev-acct> --team-id <team-id> [--password <app-specific-password>]
+
+where:
+
+    <dev-acct>              is an Apple ID of a developer account
+    <team-id>               is from https://developer.apple.com/account/#!/membership
+    <app-specific-password> is generated via https://support.apple.com/en-us/HT204397
+                            If --password is omitted, notarytool will prompt for it.
+
+This creates a keychain item called "com.apple.gke.notary.tool" with an
+account name "com.apple.gke.notary.tool.saved-creds.<keychain-profile>".
 '

 cleanup() {
@@ -29,15 +42,11 @@ die() {
 }

 id=''
-dev_acct=''
-key_item=''
-provider=''
+keychain_profile=''
 while test "$#" != 0; do
    case "$1" in
    -i) shift; id="$1" ;;
-    -d) shift; dev_acct="$1" ;;
-    -k) shift; key_item="$1" ;;
-    -p) shift; provider="$1" ;;
+    -k) shift; keychain_profile="$1" ;;
    --) shift ; break ;;
    -*) die "$usage" ;;
    *) break ;;
@@ -51,18 +60,14 @@ esac
 test "$#" = 0 || die "$usage"

 # Verify arguments.
-if test -z "$id" -o -z "$dev_acct" -o -z "$key_item"; then
+if test -z "$id" -o -z "$keychain_profile"; then
    die "$usage"
 fi
-if test -n "$provider"; then
-    provider="--provider $provider"
-fi

 # Verify environment.
-if ! xcnotary="$(type -p xcnotary)"; then
-    die "'xcnotary' not found in PATH"
+if ! xcrun --find notarytool 2>/dev/null; then
+    die "'xcrun notarytool' not found"
 fi
-readonly xcnotary

 readonly tmpdir="$(mktemp -d)"

@@ -102,7 +107,9 @@ codesign --verify --timestamp --options=runtime --verbose --deep \
  "$vol_path/CMake.app/Contents/share/cmake"*"/Modules/Internal/CPack/CPack.OSXScriptLauncher.in" \
  "$vol_path/CMake.app"

-xcnotary notarize "$vol_path/CMake.app" -d "$dev_acct" -k "$key_item" $provider
+ditto -c -k --keepParent "$vol_path/CMake.app" "$tmpdir/CMake.app.zip"
+xcrun notarytool submit "$tmpdir/CMake.app.zip" --keychain-profile "$keychain_profile" --wait
+xcrun stapler staple "$vol_path/CMake.app"

 # Create a tarball of the volume next to the original disk image.
 readonly tar_gz="${dmg/%.dmg/.tar.gz}"