summaryrefslogtreecommitdiffstats
path: root/Utilities/Release/macos/sign-notarize.bash
diff options
context:
space:
mode:
Diffstat (limited to 'Utilities/Release/macos/sign-notarize.bash')
-rwxr-xr-xUtilities/Release/macos/sign-notarize.bash43
1 files changed, 25 insertions, 18 deletions
diff --git a/Utilities/Release/macos/sign-notarize.bash b/Utilities/Release/macos/sign-notarize.bash
index fe27afe..55ed591 100755
--- a/Utilities/Release/macos/sign-notarize.bash
+++ b/Utilities/Release/macos/sign-notarize.bash
@@ -1,6 +1,6 @@
#!/usr/bin/env bash
set -e
-readonly usage='usage: sign-notarize.bash -i <id> -d <dev-acct> -k <key-item> [-p <provider>] [--] <package>.dmg
+readonly usage='usage: sign-notarize.bash -i <id> -k <keychain-profile> [--] <package>.dmg
Sign and notarize the "CMake.app" bundle inside the given "<package>.dmg" disk image.
Also produce a "<package>.tar.gz" tarball containing the same "CMake.app".
@@ -8,9 +8,22 @@ Also produce a "<package>.tar.gz" tarball containing the same "CMake.app".
Options:
-i <id> Signing Identity
- -d <dev-acct> Developer account name
- -k <key-item> Keychain item containing account credentials
- -p <provider> Provider short name
+ -k <keychain-profile> Keychain profile containing stored credentials
+
+Create the keychain profile ahead of time using
+
+ xcrun notarytool store-credentials <keychain-profile> \
+ --apple-id <dev-acct> --team-id <team-id> [--password <app-specific-password>]
+
+where:
+
+ <dev-acct> is an Apple ID of a developer account
+ <team-id> is from https://developer.apple.com/account/#!/membership
+ <app-specific-password> is generated via https://support.apple.com/en-us/HT204397
+ If --password is omitted, notarytool will prompt for it.
+
+This creates a keychain item called "com.apple.gke.notary.tool" with an
+account name "com.apple.gke.notary.tool.saved-creds.<keychain-profile>".
'
cleanup() {
@@ -29,15 +42,11 @@ die() {
}
id=''
-dev_acct=''
-key_item=''
-provider=''
+keychain_profile=''
while test "$#" != 0; do
case "$1" in
-i) shift; id="$1" ;;
- -d) shift; dev_acct="$1" ;;
- -k) shift; key_item="$1" ;;
- -p) shift; provider="$1" ;;
+ -k) shift; keychain_profile="$1" ;;
--) shift ; break ;;
-*) die "$usage" ;;
*) break ;;
@@ -51,18 +60,14 @@ esac
test "$#" = 0 || die "$usage"
# Verify arguments.
-if test -z "$id" -o -z "$dev_acct" -o -z "$key_item"; then
+if test -z "$id" -o -z "$keychain_profile"; then
die "$usage"
fi
-if test -n "$provider"; then
- provider="--provider $provider"
-fi
# Verify environment.
-if ! xcnotary="$(type -p xcnotary)"; then
- die "'xcnotary' not found in PATH"
+if ! xcrun --find notarytool 2>/dev/null; then
+ die "'xcrun notarytool' not found"
fi
-readonly xcnotary
readonly tmpdir="$(mktemp -d)"
@@ -95,7 +100,9 @@ codesign --verify --timestamp --options=runtime --verbose --deep \
"$vol_path/CMake.app/Contents/bin/cpack" \
"$vol_path/CMake.app"
-xcnotary notarize "$vol_path/CMake.app" -d "$dev_acct" -k "$key_item" $provider
+ditto -c -k --keepParent "$vol_path/CMake.app" "$tmpdir/CMake.app.zip"
+xcrun notarytool submit "$tmpdir/CMake.app.zip" --keychain-profile "$keychain_profile" --wait
+xcrun stapler staple "$vol_path/CMake.app"
# Create a tarball of the volume next to the original disk image.
readonly tar_gz="${dmg/%.dmg/.tar.gz}"