Home Explore Help
Register Sign In
Apq
/
CMake
mirror of https://github.com/Kitware/CMake.git
1
0
Fork 0
Files Issues 0 Wiki
Tree: ef23e81544
Branches Tags
CMake
/
Utilities
/
Release
/
macos
/
sign-notarize.bash

sign-notarize.bash 3.1 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117 
  1. #!/usr/bin/env bash
    2. 

  2. set -e
    3. 

  3. readonly usage='usage: sign-notarize.bash -i <id> -d <dev-acct> -k <key-item> [-p <provider>] [--] <package>.dmg
    4. 

  4. 

  5. Sign and notarize the "CMake.app" bundle inside the given "<package>.dmg" disk image.
    6. 

  6. Also produce a "<package>.tar.gz" tarball containing the same "CMake.app".
    7. 

  7. 

  8. Options:
    9. 

  9. 

  10.     -i <id>                Signing Identity
    11. 

  11.     -d <dev-acct>          Developer account name
    12. 

  12.     -k <key-item>          Keychain item containing account credentials
    13. 

  13.     -p <provider>          Provider short name
    14. 

  14. '
    15. 

  15. 

  16. cleanup() {
    17. 

  17.     if test -d "$tmpdir"; then
    18. 

  18.         rm -rf "$tmpdir"
    19. 

  19.     fi
    20. 

  20.     if test -d "$vol_path"; then
    21. 

  21.         hdiutil detach "$vol_path"
    22. 

  22.     fi
    23. 

  23. }
    24. 

  24. 

  25. trap "cleanup" EXIT
    26. 

  26. 

  27. die() {
    28. 

  28.     echo "$@" 1>&2; exit 1
    29. 

  29. }
    30. 

  30. 

  31. id=''
    32. 

  32. dev_acct=''
    33. 

  33. key_item=''
    34. 

  34. provider=''
    35. 

  35. while test "$#" != 0; do
    36. 

  36.     case "$1" in
    37. 

  37.     -i) shift; id="$1" ;;
    38. 

  38.     -d) shift; dev_acct="$1" ;;
    39. 

  39.     -k) shift; key_item="$1" ;;
    40. 

  40.     -p) shift; provider="$1" ;;
    41. 

  41.     --) shift ; break ;;
    42. 

  42.     -*) die "$usage" ;;
    43. 

  43.     *) break ;;
    44. 

  44.     esac
    45. 

  45.     shift
    46. 

  46. done
    47. 

  47. case "$1" in
    48. 

  48. *.dmg) readonly dmg="$1"; shift ;;
    49. 

  49. *) die "$usage" ;;
    50. 

  50. esac
    51. 

  51. test "$#" = 0 || die "$usage"
    52. 

  52. 

  53. # Verify arguments.
    54. 

  54. if test -z "$id" -o -z "$dev_acct" -o -z "$key_item"; then
    55. 

  55.     die "$usage"
    56. 

  56. fi
    57. 

  57. if test -n "$provider"; then
    58. 

  58.     provider="--provider $provider"
    59. 

  59. fi
    60. 

  60. 

  61. # Verify environment.
    62. 

  62. if ! xcnotary="$(type -p xcnotary)"; then
    63. 

  63.     die "'xcnotary' not found in PATH"
    64. 

  64. fi
    65. 

  65. readonly xcnotary
    66. 

  66. 

  67. readonly tmpdir="$(mktemp -d)"
    68. 

  68. 

  69. # Prepare entitlements.
    70. 

  70. readonly entitlements_xml="$tmpdir/entitlements.xml"
    71. 

  71. echo '<?xml version="1.0" encoding="UTF-8"?>
    72. 

  72. <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    73. 

  73. <plist version="1.0">
    74. 

  74. <dict>
    75. 

  75.   <key>com.apple.security.cs.allow-dyld-environment-variables</key>
    76. 

  76.   <true/>
    77. 

  77. </dict>
    78. 

  78. </plist>' > "$entitlements_xml"
    79. 

  79. 

  80. # Extract SLA
    81. 

  81. readonly sla_xml="$tmpdir/sla.xml"
    82. 

  82. hdiutil udifderez -xml "$dmg" > "$sla_xml"
    83. 

  83. plutil -remove 'blkx' "$sla_xml"
    84. 

  84. plutil -remove 'plst' "$sla_xml"
    85. 

  85. 

  86. # Convert from read-only original image to read-write.
    87. 

  87. readonly udrw_dmg="$tmpdir/udrw.dmg"
    88. 

  88. hdiutil convert "$dmg" -format UDRW -o "${udrw_dmg}"
    89. 

  89. 

  90. # Mount the temporary udrw image.
    91. 

  91. readonly vol_name="$(basename "${dmg%.dmg}")"
    92. 

  92. readonly vol_path="/Volumes/$vol_name"
    93. 

  93. hdiutil attach "${udrw_dmg}"
    94. 

  94. 

  95. codesign --verify --timestamp --options=runtime --verbose --deep \
    96. 

  96.   -s "$id" \
    97. 

  97.   --entitlements "$entitlements_xml" \
    98. 

  98.   "$vol_path/CMake.app/Contents/bin/cmake" \
    99. 

  99.   "$vol_path/CMake.app/Contents/bin/ccmake" \
    100. 

  100.   "$vol_path/CMake.app/Contents/bin/ctest" \
    101. 

  101.   "$vol_path/CMake.app/Contents/bin/cpack" \
    102. 

  102.   "$vol_path/CMake.app"
    103. 

  103. 

  104. xcnotary notarize "$vol_path/CMake.app" -d "$dev_acct" -k "$key_item" $provider
    105. 

  105. 

  106. # Create a tarball of the volume next to the original disk image.
    107. 

  107. readonly tar_gz="${dmg/%.dmg/.tar.gz}"
    108. 

  108. tar cvzf "$tar_gz" -C /Volumes "$vol_name/CMake.app"
    109. 

  109. 

  110. # Unmount the modified udrw image.
    111. 

  111. hdiutil detach "$vol_path"
    112. 

  112. 

  113. # Convert back to read-only, compressed image.
    114. 

  114. hdiutil convert "${udrw_dmg}" -format UDZO -imagekey zlib-level=9 -ov -o "$dmg"
    115. 

  115. 

  116. # Re-insert SLA.
    117. 

  117. hdiutil udifrez -xml "${sla_xml}" 'FIXME_WHY_IS_THIS_ARGUMENT_NEEDED' "$dmg"
    118.