From 28c4c947c00a7397ffb52b5b243153b3af280f07 Mon Sep 17 00:00:00 2001 From: Gerald Combs Date: Tue, 24 Aug 2021 16:24:59 -0700 Subject: [PATCH] GitLab CI: Enable macOS Arm notarization. Enable code signing & notarization in the macOS Arm Package job. Add "needs: []". Verify the .dmg after notarizing it. --- .gitlab-ci.yml | 16 +++++++++------- packaging/macosx/notarize-dmg.sh | 4 ++++ packaging/macosx/osx-dmg.sh.in | 1 - 3 files changed, 13 insertions(+), 8 deletions(-) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index c332d0ffc9..dd10357287 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -407,10 +407,9 @@ Win32 Package: # - Notarization macOS Arm Package: stage: build - # Production builds rules: !reference [.if-w-w-only-merged] - # Testing builds - # rules: !reference [.if-w-w-only-merge-request] + variables: + CODE_SIGN_IDENTITY: "Wireshark Foundation, Inc." tags: - wireshark-macos-arm-package retry: 1 @@ -432,15 +431,18 @@ macOS Arm Package: - arch -arch arm64 cmake -DENABLE_CCACHE=ON -DCMAKE_APPLE_SILICON_PROCESSOR=arm64 -DCMAKE_OSX_DEPLOYMENT_TARGET=11.0 -DCMAKE_OSX_SYSROOT=macosx11.3 -DCMAKE_OSX_ARCHITECTURES=arm64 -DTEST_EXTRA_ARGS=--enable-release -G Ninja .. - printf "\e[0Ksection_end:%s:cmake_section\r\e[0K" "$( date +%s)" - arch -arch arm64 ninja - # - package-prep + - package-prep - arch -arch arm64 ninja dmg_package - # - notarize-build + - cd run + - notarize-build - | - if [ -n "$AWS_ACCESS_KEY_ID" ] && [ -n "$AWS_SECRET_ACCESS_KEY" ] && [ -n "$S3_DESTINATION_MACOS" ] ; then - aws s3 cp run/Wireshark-*.dmg "$S3_DESTINATION_MACOS/" + if [ -n "$AWS_ACCESS_KEY_ID" ] && [ -n "$AWS_SECRET_ACCESS_KEY" ] && [ -n "$S3_DESTINATION_MACOS_ARM64" ] ; then + aws s3 cp run/Wireshark-*.dmg "$S3_DESTINATION_MACOS_ARM64/" fi + - cd .. - arch -arch arm64 ninja test-programs - arch -arch arm64 ctest --parallel 4 --output-on-failure + needs: [] # Build the User's Guide and Developer's Guide Documentation: 
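Review bot: With `CODE_SIGN_IDENTITY` now set, the `rules:` line in the first .gitlab-ci.yml hunk is the only visible gate on which pipelines sign with the Foundation identity, and the comments that marked it as the production rule are removed. A short comment above `rules:` would keep that visible, for example `# Signs and notarizes release packages; keep restricted to merged commits.` The definition of `.if-w-w-only-merged` is outside the hunk, so its exact conditions are assumed from its name.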
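Review bot: The upload path in the second .gitlab-ci.yml hunk looks wrong after the new `- cd run` step: `aws s3 cp run/Wireshark-*.dmg` now runs from inside `run`, so the glob presumably resolves under `run/run/` and would not match the notarized image. Dropping the prefix, `aws s3 cp Wireshark-*.dmg "$S3_DESTINATION_MACOS_ARM64/"`, keeps the upload in the directory where `notarize-build` ran. This assumes the earlier steps run from the build directory, as the old `run/` path implies. `package-prep` and `notarize-build` are defined outside the hunk.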
diff --git a/packaging/macosx/notarize-dmg.sh b/packaging/macosx/notarize-dmg.sh index 0c9b2074d4..683ea29862 100755 --- a/packaging/macosx/notarize-dmg.sh +++ b/packaging/macosx/notarize-dmg.sh @@ -116,3 +116,7 @@ echo -e "\\nStapling $dmg_file" "${staple_cmd[@]}" echo -e "\\nSHA256 post: $(shasum -a 256 "$dmg_file" | awk '{print $1}' )" + +# macOS 10.14.5+ requires notarization in order for this to pass? +# https://wiki.lazarus.freepascal.org/Notarization_for_macOS_10.14.5%2B +spctl --assess --type open --context context:primary-signature --verbose=2 "$dmg_file" || exit 1 diff --git a/packaging/macosx/osx-dmg.sh.in b/packaging/macosx/osx-dmg.sh.in index 8f8627dc63..a922e8a680 100755 --- a/packaging/macosx/osx-dmg.sh.in +++ b/packaging/macosx/osx-dmg.sh.in @@ -79,7 +79,6 @@ if [ -n "$CODE_SIGN_IDENTITY" ] ; then --timestamp \ --verbose \ "$img_name" - spctl --assess --type open --context context:primary-signature --verbose=2 "$img_name" || exit 1 fi exit 0
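Review bot: The new `spctl --assess` call in notarize-dmg.sh may not prove that the ticket was stapled, since Gatekeeper can also accept a notarized image through an online lookup on the build machine. Adding `xcrun stapler validate "$dmg_file" || exit 1` before it would check the stapled ticket itself, which is what offline users depend on. The comment above the call is phrased as a question; something like `# Gatekeeper assessment of the notarized, stapled image; fail the build if it is rejected.` states the intent. The same check is removed from osx-dmg.sh.in in the following hunk, so a signed build that never reaches this script is no longer assessed at all.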