macOS: Add a notarization script.
According to https://developer.apple.com/documentation/security/notarizing_your_app_before_distribution notarization will be required in a future release of macOS. Add a script for doing so. The process requires submitting our .dmg to Apple, waiting for it to finish, and stapling a ticket to our .dmg. Change-Id: I5b9c0c36cc2182fdd0baeada823aaacba7730a88 Reviewed-on: https://code.wireshark.org/review/32906 Reviewed-by: Anders Broman <a.broman58@gmail.com>
This commit is contained in:
parent
93b9388676
commit
c9ca78fc2b
|
@ -0,0 +1,99 @@
|
|||
#!/bin/bash
|
||||
#
|
||||
# USAGE
|
||||
# notarize-dmg -u <developer id> "/path/to/Wireshark x.y.z arch.dmg"
|
||||
|
||||
# https://developer.apple.com/documentation/security/notarizing_your_app_before_distribution
|
||||
# https://developer.apple.com/documentation/security/notarizing_your_app_before_distribution/customizing_the_notarization_workflow
|
||||
|
||||
bundle_id="org.wireshark.dmg.$( printf "%x" $RANDOM )"
|
||||
|
||||
# Parse command line arguments
|
||||
while getopts u: OPTCHAR
|
||||
do
|
||||
case $OPTCHAR in
|
||||
u)
|
||||
username="$OPTARG"
|
||||
shift 2
|
||||
;;
|
||||
*)
|
||||
echo "Invalid command line option"
|
||||
exit 2 ;;
|
||||
esac
|
||||
done
|
||||
|
||||
dmg_file="$1"
|
||||
|
||||
if [[ "$username" != *?@*? ]] ; then
|
||||
echo "Username doesn't appear to be a valid Apple developer ID."
|
||||
exit 1
|
||||
fi
|
||||
|
||||
if [ ! -r "$dmg_file" ] ; then
|
||||
echo "Can't find file: ${dmg_file:-No file specified}"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
# XXX Set account to $username instead?
|
||||
generic_pw_service="WS_DMG_NOTARIZE"
|
||||
|
||||
if ! security find-generic-password -a "$username" -s "$generic_pw_service" > /dev/null 2>&1 ; then
|
||||
echo -e "No keychain credentials found. You can add them by running\\n"
|
||||
echo -e " security add-generic-password -a $username -s $generic_pw_service -T altool -w\\n"
|
||||
exit 2
|
||||
fi
|
||||
|
||||
echo -e "Notarizing $dmg_file\\n"
|
||||
echo -e "SHA256 pre: $(shasum -a 256 "$dmg_file" | awk '{print $1}' )\\n"
|
||||
|
||||
if ! altool_out=$( mktemp /tmp/notarize-dmg.out.XXXXX ) ; then
|
||||
echo "Unable to create temp file"
|
||||
exit 1
|
||||
fi
|
||||
# trap 'rm -f "$altool_out"' EXIT
|
||||
|
||||
xcrun altool \
|
||||
--notarize-app \
|
||||
--type osx \
|
||||
--username "$username" \
|
||||
--password "@keychain:${generic_pw_service}" \
|
||||
--primary-bundle-id "$bundle_id" \
|
||||
--file "$dmg_file" \
|
||||
2>&1 | tee "$altool_out"
|
||||
|
||||
request_uuid=$( awk '/^RequestUUID/ { print $3 }' < "$altool_out")
|
||||
if [[ "$request_uuid" != *-*-*-*-* ]] ; then
|
||||
echo "Unable to fetch request UUID"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
eval_info_cmd=(xcrun altool \
|
||||
--eval-info "$request_uuid" \
|
||||
--user "$username" \
|
||||
--password "@keychain:${generic_pw_service}" \
|
||||
)
|
||||
|
||||
for try in {1..40} ; do
|
||||
printf "\\nWaiting 15s \xe2\x80\xa6 "
|
||||
sleep 15
|
||||
echo "done. Checking status ($try of 40)"
|
||||
"${eval_info_cmd[@]}" 2>&1 | tee "$altool_out"
|
||||
grep "Status: in progress" "$altool_out" > /dev/null 2>&1 || break
|
||||
done
|
||||
|
||||
staple_cmd=(xcrun stapler staple "$dmg_file")
|
||||
|
||||
if ! grep "Status: success" "$altool_out" > /dev/null 2>&1 ; then
|
||||
echo "Notarization failed or timed out:"
|
||||
cat "$altool_out"
|
||||
echo -e "\\nInfo command:"
|
||||
echo "${eval_info_cmd[@]}"
|
||||
echo -e "\\nStaple command:"
|
||||
echo "${staple_cmd[@]}"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
echo -e "\\nStapling $dmg_file"
|
||||
"${staple_cmd[@]}"
|
||||
|
||||
echo -e "\\nSHA256 post: $(shasum -a 256 "$dmg_file" | awk '{print $1}' )"
|
Loading…
Reference in New Issue