release: Update build for product signing

Makefile

@@ -1141,14 +1141,14 @@ pkg:
 	chmod +x $(BUILDDIR)/build-package.sh
 	# arch and runtime are currently ignored on OS X
 	# we pass them through for consistency - they will be dropped by the build script
-	cd $(BUILDDIR) && ./build-package.sh -t oss -v $(VERSION) -p pkg -a $(ARCH) $(RUNTIME_SECTION) $(TARBALL_PATH_SECTION)
+	cd $(BUILDDIR) && ./build-package.sh -t oss -v $(VERSION) -p pkg -b $(TELEPORT_BUNDLEID) -a $(ARCH) $(RUNTIME_SECTION) $(TARBALL_PATH_SECTION)
 	if [ -f e/Makefile ]; then $(MAKE) -C e pkg; fi
 
 # build tsh client-only .pkg
 .PHONY: pkg-tsh
 pkg-tsh:
 	$(eval export DEVELOPER_ID_APPLICATION DEVELOPER_ID_INSTALLER)
-	./build.assets/build-pkg-tsh.sh -t oss -v $(VERSION) $(TARBALL_PATH_SECTION)
+	./build.assets/build-pkg-tsh.sh -t oss -v $(VERSION) -b $(TSH_BUNDLEID) $(TARBALL_PATH_SECTION)
 	mkdir -p $(BUILDDIR)/
 	mv tsh*.pkg* $(BUILDDIR)/
 

build.assets/build-package.sh

@@ -2,7 +2,7 @@
 set -e
 
 usage() {
-  echo "Usage: $(basename $0) [-t <oss/ent>] [-v <version>] [-p <package type>] <-a [amd64/x86_64]|[386/i386]|arm|arm64> <-r fips> <-s tarball source dir>" 1>&2
+  echo "Usage: $(basename $0) [-t <oss/ent>] [-v <version>] [-p <package type>] [-b <bundle id>] <-a [amd64/x86_64]|[386/i386]|arm|arm64> <-r fips> <-s tarball source dir>" 1>&2
   exit 1
 }
 
@@ -11,7 +11,7 @@ usage() {
 #shellcheck disable=SC1091
 . "$(dirname "$0")/build-common.sh"
 
-while getopts ":t:v:p:a:r:s:n" o; do
+while getopts ":t:v:p:a:r:s:b:n" o; do
     case "${o}" in
         t)
             t=${OPTARG}
@@ -35,6 +35,9 @@ while getopts ":t:v:p:a:r:s:n" o; do
         s)
             s=${OPTARG}
             ;;
+	b)
+	    b=${OPTARG}
+	    ;;
         n)
             # Dry-run mode.
             # Only affects parts of the script, use at your own peril!
@@ -120,6 +123,11 @@ else
         usage
     fi
 
+    if [[ -n "${b:-}" ]]; then
+        echo "bundle ID parameter can only be used for OS X packages"
+        exit 6
+    fi
+
     # set docker image appropriately
     if [[ "${PACKAGE_TYPE}" == "deb" ]]; then
         DOCKER_IMAGE="public.ecr.aws/gravitational/fpm:debian8"
@@ -197,7 +205,7 @@ fi
 if [[ "${PACKAGE_TYPE}" == "pkg" ]]; then
     SIGN_PKG="true"
     FILE_LIST="${TAR_PATH}/tsh ${TAR_PATH}/tctl ${TAR_PATH}/teleport ${TAR_PATH}/tbot"
-    BUNDLE_ID="com.gravitational.teleport"
+    BUNDLE_ID="${b:-com.gravitational.teleport}"
     if [[ "${TELEPORT_TYPE}" == "ent" ]]; then
         PKG_FILENAME="teleport-ent-${TELEPORT_VERSION}.${PACKAGE_TYPE}"
     else

build.assets/build-pkg-tsh.sh

@@ -5,9 +5,10 @@ set -eu
 TELEPORT_TYPE=''     # -t, oss or ent
 TELEPORT_VERSION=''  # -v, version, without leading 'v'
 TARBALL_DIRECTORY='' # -s
+BUNDLEID="${TSH_BUNDLEID}"
 
 usage() {
-  log "Usage: $0 -t oss|eng -v version [-s tarball_directory] [-n]"
+  log "Usage: $0 -t oss|eng -v version [-s tarball_directory] [-b bundle_id] [-n]"
 }
 
 # make_non_relocatable_plist changes the default component plist of the $root
@@ -34,7 +35,7 @@ main() {
   . "$buildassets/build-common.sh"
 
   local opt=''
-  while getopts "t:v:s:n" opt; do
+  while getopts "t:v:s:b:n" opt; do
     case "$opt" in
       t)
         if [[ "$OPTARG" != "oss" && "$OPTARG" != "ent" ]]; then
@@ -54,6 +55,9 @@ main() {
         fi
         TARBALL_DIRECTORY="$OPTARG"
         ;;
+      b)
+        BUNDLEID="$OPTARG"
+        ;;
       n)
         DRY_RUN_PREFIX='echo + '  # declared by build-common.sh
         ;;
@@ -75,6 +79,12 @@ main() {
     exit 1
   fi
 
+  if [[ -z "${BUNDLEID}" ]]; then
+    echo "No bundle ID specified. Either set TSH_BUNDLEID or use -b bundle_id"
+    usage
+    exit 1
+  fi
+
   # Verify environment varibles.
   if [[ "${APPLE_USERNAME:-}" == "" ]]; then
     echo "\
@@ -89,6 +99,20 @@ password created by APPLE_USERNAME"
     exit 1
   fi
 
+  if [[ -z "${DEVELOPER_ID_APPLICATION}" ]]; then
+    echo "\
+The DEVELOPER_ID_APPLICATION environment variable needs to be set to the hash\
+of the key to sign applications"
+    exit 1
+  fi
+
+  if [[ -z "${DEVELOPER_ID_INSTALLER}" ]]; then
+    echo "\
+The DEVELOPER_ID_INSTALLER environment variable needs to be set to the hash\
+of the key to sign packages"
+    exit 1
+  fi
+
   # Use similar find-or-download logic as build-package.sh for compatibility
   # purposes.
   local ent=''
@@ -134,7 +158,7 @@ password created by APPLE_USERNAME"
   $DRY_RUN_PREFIX codesign -f \
     -o kill,hard,runtime \
     -s "$DEVELOPER_ID_APPLICATION" \
-    -i "$TSH_BUNDLEID" \
+    -i "$BUNDLEID" \
     --entitlements "$skel"/tsh*.entitlements \
     --timestamp \
     "$target"
@@ -149,7 +173,7 @@ password created by APPLE_USERNAME"
   pkgbuild \
     --root "$pkg_root" \
     --component-plist "$pkg_component_plist" \
-    --identifier "$TSH_BUNDLEID" \
+    --identifier "$BUNDLEID" \
     --version "v$TELEPORT_VERSION" \
     --install-location /Applications \
     --scripts "$pkg_scripts" \
@@ -166,7 +190,7 @@ password created by APPLE_USERNAME"
   fi
 
   # Notarize.
-  notarize "$target" "$TEAMID" "$TSH_BUNDLEID"
+  notarize "$target" "$TEAMID" "$BUNDLEID"
 
   # Copy resulting package to $PWD, generate hashes.
   mv "$target" .

build.assets/keychain-setup.sh

@@ -75,14 +75,18 @@ create_keychain() {
 }
 
 # Add a key from a file ($1) protected with a passphrase ($2) to a keychain ($3)
-# protected with a password ($4). This is to allow `/usr/bin/codesign` to access
-# the key. If the key file name is empty, add_key returns without doing anything.
+# protected with a password ($4). This is to allow `/usr/bin/codesign` and
+# `/usr/bin/productsign` to access the key.
+# If the key file name is empty, add_key returns without doing anything.
 add_key() {
 	local keyfile="$1" passphrase="$2" keychain="$3" keychain_password="$4"
 	if [[ -z "${keyfile}" ]]; then
 		return 0
 	fi
-	run security import "${keyfile}" -k "${keychain}" -P "${passphrase}" -T /usr/bin/codesign
+	run security import "${keyfile}" \
+		-k "${keychain}" -P "${passphrase}" \
+		-T /usr/bin/codesign \
+		-T /usr/bin/productsign
 	# Set ACLs so the key can be used for code signing.
 	# Note: This selects all the signing keys (-s) in the keychain to be usable
 	# for code signing. Not a problem because the keychain is just for that only