Move the macOS notarization into the build system and out of Jenkins.

2025-02-25 18:55:31 -06:00 · 2021-02-02 11:20:18 +00:00 · 2021-02-02 11:20:18 +00:00 · 0ca4426dd0
commit 0ca4426dd0
parent bc3c857b35
4 changed files with 96 additions and 4 deletions
--- a/pkg/mac/.gitignore
+++ b/pkg/mac/.gitignore
@ -1,2 +1,3 @@
-# Global excludes across all subdirectories
+# Ignore config files
 codesign.conf
+notarization.conf
--- a/pkg/mac/build-functions.sh
+++ b/pkg/mac/build-functions.sh
@ -9,6 +9,7 @@ _setup_env() {
        APP_LONG_VERSION=${APP_LONG_VERSION}-${APP_SUFFIX}
    fi
    BUNDLE_DIR="${BUILD_ROOT}/${APP_NAME}.app"
+    DMG_NAME="${DIST_ROOT}/$(echo ${APP_NAME} | sed 's/ //g' | awk '{print tolower($0)}')-${APP_LONG_VERSION}.dmg"
 }

 _cleanup() {
@ -317,7 +318,7 @@ _create_dmg() {
        --format UDBZ \
        --skip-jenkins \
        --no-internet-enable \
-        "${DIST_ROOT}/$(echo ${APP_NAME} | sed 's/ //g' | awk '{print tolower($0)}')-${APP_LONG_VERSION}.dmg" \
+        "${DMG_NAME}" \
        "${BUNDLE_DIR}"
 }

@ -328,5 +329,69 @@ _codesign_dmg() {

    # Sign the .app
    echo Signing disk image...
-    codesign --force --verify --verbose --timestamp --options runtime -i org.pgadmin.pgadmin4 --sign "${DEVELOPER_ID}" "${DIST_ROOT}/$(echo ${APP_NAME} | sed 's/ //g' | awk '{print tolower($0)}')-${APP_LONG_VERSION}.dmg"
+    codesign --force --verify --verbose --timestamp --options runtime -i org.pgadmin.pgadmin4 --sign "${DEVELOPER_ID}" "${DMG_NAME}"
 }
+
+
+_notarize_pkg() {
+    if [ ${CODESIGN} -eq 0 ]; then
+        return
+    fi
+
+    # Notarize the package. Try three times, to allow for upload issues
+    cmd_status=0
+    for i in {1..3}; do
+        echo "Uploading DMG for notarisation (attempt ${i} of 3)..."
+        STATUS=$(xcrun altool --notarize-app -f "${DMG_NAME}" --asc-provider ${DEVELOPER_NAME} --primary-bundle-id org.pgadmin.pgadmin4 -u ${DEVELOPER_USER} -p ${DEVELOPER_ASP} 2>&1)
+        RETVAL=$?
+
+        if [ ${RETVAL} != 0 ]; then
+            echo "Attempt ${i} failure: ${STATUS}"
+        else
+            # Success!
+            break;
+        fi
+    done
+
+    # print error if above command fails
+    if [ ${RETVAL} != 0 ]; then
+        echo "Notarization failed."
+        exit 1
+    fi
+
+    # Get the request ID
+    REQUEST_UUID=$(echo ${STATUS} | awk '/RequestUUID/ { print $NF; }')
+    echo "Notarization request ID: ${REQUEST_UUID}"
+
+    # Now we need to wait for the results. Try 10 times.
+    for i in {1..10}; do
+        echo "Waiting 30 seconds..."
+        sleep 30
+
+        echo "Requesting notarisation result (attempt ${i} of 10)..."
+        REQUEST_STATUS=$(xcrun altool --notarization-info ${REQUEST_UUID} --username ${DEVELOPER_USER} --password ${DEVELOPER_ASP} 2>&1 | awk -F ': ' '/Status:/ { print $2; }' )
+
+        if [[ "${REQUEST_STATUS}" == "success" ]]; then
+            break
+        fi
+    done
+
+    # Print status information
+    xcrun altool --notarization-info ${REQUEST_UUID} --username ${DEVELOPER_USER} --password ${DEVELOPER_ASP}
+
+    if [[ "${REQUEST_STATUS}" != "success" ]]; then
+	      echo "Notarization failed."
+	      exit 1
+    fi
+
+    # Staple the notarization
+    echo "Stapling the notarization to the pgAdmin DMG..."
+    xcrun stapler staple "${DMG_NAME}"
+
+    if [ $? != 0 ]; then
+	      echo "Stapling failed."
+        exit 1
+    fi
+
+    echo "Notarization completed successfully."
+}
--- a/pkg/mac/build.sh
+++ b/pkg/mac/build.sh
@ -23,11 +23,24 @@ if [ ! -f ${SCRIPT_DIR}/codesign.conf ]; then
    echo "******************************************************************"
    echo
    CODESIGN=0
-    sleep 5
+    sleep 2
 else
    source ${SCRIPT_DIR}/codesign.conf
 fi

+NOTARIZE=1
+if [ ! -f ${SCRIPT_DIR}/notarization.conf ]; then
+    echo
+    echo "******************************************************************"
+    echo "* pkg/mac/notarization.conf not found. NOT notarizing the package."
+    echo "******************************************************************"
+    echo
+    NOTARIZE=0
+    sleep 2
+else
+    source ${SCRIPT_DIR}/notarization.conf
+fi
+
 if [ "x${PGADMIN_POSTGRES_DIR}" == "x" ]; then
    echo "PGADMIN_POSTGRES_DIR not set. Setting it to the default: /usr/local/pgsql"
    export PGADMIN_POSTGRES_DIR=/usr/local/pgsql
@ -50,3 +63,4 @@ _codesign_binaries
 _codesign_bundle
 _create_dmg
 _codesign_dmg
+_notarize_pkg
--- a/pkg/mac/notarization.conf.in
+++ b/pkg/mac/notarization.conf.in
@ -0,0 +1,12 @@
+# In order to enable notarization of the Mac Appbundle, copy this file to
+# notarization.conf, and edit the values below to reflect your Apple
+# Developer User ID, app-specific password and Provider Shortname.
+#
+# You can use the following command to see the available shortnames for your
+# Apple Developer ID (substituting the appropriate username/password):
+#
+# xcrun altool --list-providers -u "APPLE_DEVELOPER_USERNAME" -p "APP_SPECIFIC_PASSWORD"
+
+DEVELOPER_USER=user@example.com
+DEVELOPER_ASP=1234-abcd-5678-efgh
+DEVELOPER_NAME=MyCompany