Skip to content

release: Dont look for signing keys if not needed #23636

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
camscale merged 1 commit into from
Mar 27, 2023
Merged

release: Dont look for signing keys if not needed #23636

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
12 changes: 1 addition & 11 deletions Makefile
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -436,19 +436,9 @@ release-darwin-unsigned: RELEASE:=$(RELEASE)-unsigned
release-darwin-unsigned: clean full build-archive

.PHONY: release-darwin
# Only run signing/notarization if Apple username/pass are provided.
# Export DEVELOPER_ID_APPLICATION so it can be used by e/Makefile.
release-darwin: ABSOLUTE_BINARY_PATHS:=$(addprefix $(CURDIR)/,$(BINARIES))
release-darwin: release-darwin-unsigned
if [ -n "$$APPLE_USERNAME" -a -n "$$APPLE_PASSWORD" ]; then \
$(eval export DEVELOPER_ID_APPLICATION) \
cd ./build.assets/tooling/ && \
go run ./cmd/notarize-apple-binaries/*.go \
--developer-id=$(DEVELOPER_ID_APPLICATION) \
--bundle-id=$(TELEPORT_BUNDLEID) \
--log-level=debug \
$(ABSOLUTE_BINARY_PATHS); \
fi
$(NOTARIZE_BINARIES)
$(MAKE) build-archive
@if [ -f e/Makefile ]; then $(MAKE) -C e release; fi

Expand Down
30 changes: 30 additions & 0 deletions darwin-signing.mk
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -74,3 +74,33 @@ missing_key_error = $(error Could not find key named "$(1)" in keychain)

# Dont export missing_key_error or get_key_id as it evaluates them
unexport missing_key_error get_key_id

# SHOULD_NOTARIZE evalutes to "true" if we should sign and notarize binaries,
# and the empty string if not. We only notarize if APPLE_USERNAME and
# APPLE_PASSWORD are set in the environment.
SHOULD_NOTARIZE = $(if $(and $(APPLE_USERNAME),$(APPLE_PASSWORD)),true)

# NOTARIZE_BINARIES runs the notarize-apple-binaries tool. It is expected that
# the current working directory is the root of the OSS Teleport repo, so to call
# from the enterprise repo, invoke it as:
# cd .. && $(NOTARIZE_BINARIES)
# It will not run the command if $APPLE_USERNAME or $APPLE_PASSWORD are empty.
# It uses the make $(if ...) construct instead of doing it in the shell so as
# to not evaluate its arguments (DEVELOPER_ID_APPLICATION) if we are not
# goint to use them, preventing a missing key error defined above.
NOTARIZE_BINARIES = $(if $(SHOULD_NOTARIZE),$(notarize_binaries_cmd),$(not_notarizing_cmd))

define notarize_binaries_cmd
cd build.assets/tooling && \
go run ./cmd/notarize-apple-binaries \
--developer-id=$(DEVELOPER_ID_APPLICATION) \
--bundle-id=$(TELEPORT_BUNDLEID) \
--log-level=debug \
$(ABSOLUTE_BINARY_PATHS)
endef

not_notarizing_cmd = @echo Not notarizing binaries. APPLE_USERNAME or APPLE_PASSWORD not set.

# Dont export not_notarizing_cmd since it contains DEVELOPER_ID_APPLICATION
# and we do not want that evaluated.
unexport notarize_binaries_cmd