diff --git a/Makefile b/Makefile
index 3c9500ba15df2..e9abe2e5105de 100644
--- a/Makefile
+++ b/Makefile
@@ -1141,14 +1141,14 @@ pkg:
 	chmod +x $(BUILDDIR)/build-package.sh
 	# arch and runtime are currently ignored on OS X
 	# we pass them through for consistency - they will be dropped by the build script
-	cd $(BUILDDIR) && ./build-package.sh -t oss -v $(VERSION) -p pkg -a $(ARCH) $(RUNTIME_SECTION) $(TARBALL_PATH_SECTION)
+	cd $(BUILDDIR) && ./build-package.sh -t oss -v $(VERSION) -p pkg -b $(TELEPORT_BUNDLEID) -a $(ARCH) $(RUNTIME_SECTION) $(TARBALL_PATH_SECTION)
 	if [ -f e/Makefile ]; then $(MAKE) -C e pkg; fi
 
 # build tsh client-only .pkg
 .PHONY: pkg-tsh
 pkg-tsh:
 	$(eval export DEVELOPER_ID_APPLICATION DEVELOPER_ID_INSTALLER)
-	./build.assets/build-pkg-tsh.sh -t oss -v $(VERSION) $(TARBALL_PATH_SECTION)
+	./build.assets/build-pkg-tsh.sh -t oss -v $(VERSION) -b $(TSH_BUNDLEID) $(TARBALL_PATH_SECTION)
 	mkdir -p $(BUILDDIR)/
 	mv tsh*.pkg* $(BUILDDIR)/
 
diff --git a/build.assets/build-package.sh b/build.assets/build-package.sh
index 5e89ce80dc9ce..77d347b9518b3 100755
--- a/build.assets/build-package.sh
+++ b/build.assets/build-package.sh
@@ -2,7 +2,7 @@
 set -e
 
 usage() {
-  echo "Usage: $(basename $0) [-t ] [-v ] [-p ] <-a [amd64/x86_64]|[386/i386]|arm|arm64> <-r fips> <-s tarball source dir>" 1>&2
+  echo "Usage: $(basename $0) [-t ] [-v ] [-p ] [-b ] <-a [amd64/x86_64]|[386/i386]|arm|arm64> <-r fips> <-s tarball source dir>" 1>&2
   exit 1
 }
 
@@ -11,7 +11,7 @@ usage() {
 #shellcheck disable=SC1091
 . "$(dirname "$0")/build-common.sh"
 
-while getopts ":t:v:p:a:r:s:n" o; do
+while getopts ":t:v:p:a:r:s:b:n" o; do
   case "${o}" in
     t)
       t=${OPTARG}
@@ -35,6 +35,9 @@ while getopts ":t:v:p:a:r:s:n" o; do
     s)
       s=${OPTARG}
       ;;
+    b)
+      b=${OPTARG}
+      ;;
     n)
       # Dry-run mode.
       # Only affects parts of the script, use at your own peril!
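Review bot: Both changed recipe lines pass the bundle id unquoted (`-b $(TELEPORT_BUNDLEID)` and `-b $(TSH_BUNDLEID)`), so if either Make variable expands to nothing the `-b` is left without an argument and getopts in the called script takes the following token (`-a` in `pkg`, the first word of `$(TARBALL_PATH_SECTION)` in `pkg-tsh`) as the bundle id. Quoting keeps an empty value as an explicit empty argument, which the `${b:-com.gravitational.teleport}` default in build-package.sh and the `-z "${BUNDLEID}"` check in build-pkg-tsh.sh then handle: `-b "$(TELEPORT_BUNDLEID)"` and `-b "$(TSH_BUNDLEID)"`. Where the two variables are defined is not visible in this diff, and the `pkg` rule begins above the hunk.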
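Review bot: The new `[-b ]` in the usage line carries no argument name and gives no hint that the option is only honoured for pkg builds, which the check added in the `@@ -120,6 +123,11 @@` hunk enforces judging by its message. I would write it as `[-b bundle_id (pkg only)]`; the neighbouring `[-t ] [-v ] [-p ]` placeholders are empty in the same way, so this is an existing style the change could improve rather than a defect it introduces.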
@@ -120,6 +123,11 @@ else
   usage
 fi
 
+if [[ -n "${b:-}" ]]; then
+  echo "bundle ID parameter can only be used for OS X packages"
+  exit 6
+fi
+
 # set docker image appropriately
 if [[ "${PACKAGE_TYPE}" == "deb" ]]; then
   DOCKER_IMAGE="public.ecr.aws/gravitational/fpm:debian8"
@@ -197,7 +205,7 @@ fi
 if [[ "${PACKAGE_TYPE}" == "pkg" ]]; then
   SIGN_PKG="true"
   FILE_LIST="${TAR_PATH}/tsh ${TAR_PATH}/tctl ${TAR_PATH}/teleport ${TAR_PATH}/tbot"
-  BUNDLE_ID="com.gravitational.teleport"
+  BUNDLE_ID="${b:-com.gravitational.teleport}"
   if [[ "${TELEPORT_TYPE}" == "ent" ]]; then
     PKG_FILENAME="teleport-ent-${TELEPORT_VERSION}.${PACKAGE_TYPE}"
   else
diff --git a/build.assets/build-pkg-tsh.sh b/build.assets/build-pkg-tsh.sh
index 3704a276980f3..125ca4080ebd0 100755
--- a/build.assets/build-pkg-tsh.sh
+++ b/build.assets/build-pkg-tsh.sh
@@ -5,9 +5,10 @@ set -eu
 TELEPORT_TYPE='' # -t, oss or ent
 TELEPORT_VERSION='' # -v, version, without leading 'v'
 TARBALL_DIRECTORY='' # -s
+BUNDLEID="${TSH_BUNDLEID}"
 
 usage() {
-  log "Usage: $0 -t oss|eng -v version [-s tarball_directory] [-n]"
+  log "Usage: $0 -t oss|eng -v version [-s tarball_directory] [-b bundle_id] [-n]"
 }
 
 # make_non_relocatable_plist changes the default component plist of the $root
@@ -34,7 +35,7 @@ main() {
   . "$buildassets/build-common.sh"
 
   local opt=''
-  while getopts "t:v:s:n" opt; do
+  while getopts "t:v:s:b:n" opt; do
     case "$opt" in
       t)
         if [[ "$OPTARG" != "oss" && "$OPTARG" != "ent" ]]; then
@@ -54,6 +55,9 @@ main() {
         fi
         TARBALL_DIRECTORY="$OPTARG"
         ;;
+      b)
+        BUNDLEID="$OPTARG"
+        ;;
       n)
         DRY_RUN_PREFIX='echo + ' # declared by build-common.sh
         ;;
@@ -75,6 +79,12 @@ main() {
     exit 1
   fi
 
+  if [[ -z "${BUNDLEID}" ]]; then
+    echo "No bundle ID specified. Either set TSH_BUNDLEID or use -b bundle_id"
+    usage
+    exit 1
+  fi
+
   # Verify environment varibles.
   if [[ "${APPLE_USERNAME:-}" == "" ]]; then
     echo "\
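Review bot: The rejection added after `fi` reports with a bare `echo`, so the reason goes to stdout while `usage()` in this script writes its diagnostics to stderr with `1>&2`; a build log that keeps the streams apart shows only a silent failure with status 6. `echo "bundle ID parameter can only be used for OS X packages" 1>&2` keeps the two consistent, and a one-line comment on `exit 6` saying why it is distinct from the `exit 1` used by `usage` would help the next reader. The `if`/`else` this check follows begins above the hunk, so whether it is only reached for non-pkg package types cannot be confirmed from here.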
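Review bot: `BUNDLEID="${TSH_BUNDLEID}"` is evaluated at file scope under the `set -eu` shown in the hunk header, so when TSH_BUNDLEID is not in the environment bash aborts with its own unbound-variable error before `main` runs, and the `No bundle ID specified. Either set TSH_BUNDLEID or use -b bundle_id` check added in the `@@ -75,6 +79,12 @@` hunk never gets to print. `BUNDLEID="${TSH_BUNDLEID:-}"` lets an absent variable fall through to that check and to `-b`. The same `set -u` trap applies to the new `"${DEVELOPER_ID_APPLICATION}"` and `"${DEVELOPER_ID_INSTALLER}"` tests in the `@@ -89,6 +99,20 @@` hunk, where the existing `"${APPLE_USERNAME:-}"` check just above them shows the intended form. While the usage line is being edited, `-t oss|eng` should read `-t oss|ent`, matching the `t)` case in the `@@ -34,7 +35,7 @@` hunk that accepts only `oss` or `ent`.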
@@ -89,6 +99,20 @@ password created by APPLE_USERNAME"
     exit 1
   fi
 
+  if [[ -z "${DEVELOPER_ID_APPLICATION}" ]]; then
+    echo "\
+The DEVELOPER_ID_APPLICATION environment variable needs to be set to the hash\
+of the key to sign applications"
+    exit 1
+  fi
+
+  if [[ -z "${DEVELOPER_ID_INSTALLER}" ]]; then
+    echo "\
+The DEVELOPER_ID_INSTALLER environment variable needs to be set to the hash\
+of the key to sign packages"
+    exit 1
+  fi
+
   # Use similar find-or-download logic as build-package.sh for compatibility
   # purposes.
   local ent=''
@@ -134,7 +158,7 @@ password created by APPLE_USERNAME"
   $DRY_RUN_PREFIX codesign -f \
     -o kill,hard,runtime \
     -s "$DEVELOPER_ID_APPLICATION" \
-    -i "$TSH_BUNDLEID" \
+    -i "$BUNDLEID" \
     --entitlements "$skel"/tsh*.entitlements \
     --timestamp \
     "$target"
@@ -149,7 +173,7 @@ password created by APPLE_USERNAME"
   pkgbuild \
     --root "$pkg_root" \
     --component-plist "$pkg_component_plist" \
-    --identifier "$TSH_BUNDLEID" \
+    --identifier "$BUNDLEID" \
     --version "v$TELEPORT_VERSION" \
     --install-location /Applications \
     --scripts "$pkg_scripts" \
@@ -166,7 +190,7 @@ password created by APPLE_USERNAME"
   fi
 
   # Notarize.
-  notarize "$target" "$TEAMID" "$TSH_BUNDLEID"
+  notarize "$target" "$TEAMID" "$BUNDLEID"
 
   # Copy resulting package to $PWD, generate hashes.
   mv "$target" .
diff --git a/build.assets/keychain-setup.sh b/build.assets/keychain-setup.sh
index d3f0ae440f67a..6e7962d9799dd 100755
--- a/build.assets/keychain-setup.sh
+++ b/build.assets/keychain-setup.sh
@@ -75,14 +75,18 @@ create_keychain() {
 }
 
 # Add a key from a file ($1) protected with a passphrase ($2) to a keychain ($3)
-# protected with a password ($4). This is to allow `/usr/bin/codesign` to access
-# the key. If the key file name is empty, add_key returns without doing anything.
+# protected with a password ($4). This is to allow `/usr/bin/codesign` and
+# `/usr/bin/productsign` to access the key.
+# If the key file name is empty, add_key returns without doing anything.
 add_key() {
   local keyfile="$1" passphrase="$2" keychain="$3" keychain_password="$4"
   if [[ -z "${keyfile}" ]]; then
     return 0
   fi
-  run security import "${keyfile}" -k "${keychain}" -P "${passphrase}" -T /usr/bin/codesign
+  run security import "${keyfile}" \
+    -k "${keychain}" -P "${passphrase}" \
+    -T /usr/bin/codesign \
+    -T /usr/bin/productsign
   # Set ACLs so the key can be used for code signing.
   # Note: This selects all the signing keys (-s) in the keychain to be usable
   # for code signing. Not a problem because the keychain is just for that only
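Review bot: The added `-T /usr/bin/productsign` widens the imported key's application ACL to a second tool, yet the only explanation is the comment block's "to allow … to access the key", and the `# Set ACLs so the key can be used for code signing.` comment below still describes code signing alone. A short note on the new line would tell the next person what adding an entry to this list grants: `-T /usr/bin/productsign  # signs the .pkg; each -T entry is an app allowed to use the imported key`. Whether the partition-list step those comments refer to also covers productsign lies outside this hunk; `add_key` continues past the last line shown.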