[v12] Backport Mac build GitHub Actions support

Makefile

@@ -429,19 +429,16 @@ build-archive:
 release-unix: clean full build-archive
 	@if [ -f e/Makefile ]; then $(MAKE) -C e release; fi
 
+include darwin-signing.mk
+
 .PHONY: release-darwin-unsigned
 release-darwin-unsigned: RELEASE:=$(RELEASE)-unsigned
 release-darwin-unsigned: clean full build-archive
 
 .PHONY: release-darwin
 release-darwin: ABSOLUTE_BINARY_PATHS:=$(addprefix $(CURDIR)/,$(BINARIES))
 release-darwin: release-darwin-unsigned
-	# Only run if Apple username/pass for notarization are provided
-	if [ -n "$$APPLE_USERNAME" -a -n "$$APPLE_PASSWORD" ]; then \
-		cd ./build.assets/tooling/ && \
-		go run ./cmd/notarize-apple-binaries/*.go \
-			--log-level=debug $(ABSOLUTE_BINARY_PATHS); \
-	fi
+	$(NOTARIZE_BINARIES)
 	$(MAKE) build-archive
 	@if [ -f e/Makefile ]; then $(MAKE) -C e release; fi
 
@@ -505,6 +502,28 @@ release-windows: release-windows-unsigned
 	rm -rf teleport/
 	@echo "---> Created $(RELEASE).zip."
 
+#
+# make release-connect produces a release package of Teleport Connect.
+# It is used only for MacOS releases. Windows releases do not use this
+# Makefile. Linux uses the `teleterm` target in build.assets/Makefile.
+#
+# Only export the CSC_NAME (developer key ID) when the recipe is run, so
+# that we do not shell out and run the `security` command if not necessary.
+#
+# Either CONNECT_TSH_BIN_PATH or CONNECT_TSH_APP_PATH environment variable
+# should be defined for the `yarn package-term` command to succeed. CI sets
+# this appropriately depending on whether a push build is running, or a
+# proper release (a proper release needs the APP_PATH as that points to
+# the complete signed package). See web/packages/teleterm/README.md for
+# details.
+#
+.PHONY: release-connect
+release-connect:
+	$(eval export CSC_NAME)
+	yarn install --frozen-lockfile
+	yarn build-term
+	yarn package-term -c.extraMetadata.version=$(VERSION)
+
 #
 # Remove trailing whitespace in all markdown files under docs/.
 #
@@ -1068,18 +1087,20 @@ endif
 # build .pkg
 .PHONY: pkg
 pkg:
+	$(eval export DEVELOPER_ID_APPLICATION DEVELOPER_ID_INSTALLER)
 	mkdir -p $(BUILDDIR)/
 	cp ./build.assets/build-package.sh ./build.assets/build-common.sh $(BUILDDIR)/
 	chmod +x $(BUILDDIR)/build-package.sh
 	# arch and runtime are currently ignored on OS X
 	# we pass them through for consistency - they will be dropped by the build script
-	cd $(BUILDDIR) && ./build-package.sh -t oss -v $(VERSION) -p pkg -a $(ARCH) $(RUNTIME_SECTION) $(TARBALL_PATH_SECTION)
+	cd $(BUILDDIR) && ./build-package.sh -t oss -v $(VERSION) -p pkg -b $(TELEPORT_BUNDLEID) -a $(ARCH) $(RUNTIME_SECTION) $(TARBALL_PATH_SECTION)
 	if [ -f e/Makefile ]; then $(MAKE) -C e pkg; fi
 
 # build tsh client-only .pkg
 .PHONY: pkg-tsh
 pkg-tsh:
-	./build.assets/build-pkg-tsh.sh -t oss -v $(VERSION) $(TARBALL_PATH_SECTION)
+	$(eval export DEVELOPER_ID_APPLICATION DEVELOPER_ID_INSTALLER)
+	./build.assets/build-pkg-tsh.sh -t oss -v $(VERSION) -b $(TSH_BUNDLEID) $(TARBALL_PATH_SECTION)
 	mkdir -p $(BUILDDIR)/
 	mv tsh*.pkg* $(BUILDDIR)/
 

build.assets/build-common.sh

@@ -6,25 +6,6 @@
 # Toggle this via flags in your main script.
 DRY_RUN_PREFIX=''
 
-# Teleport / tsh certificates/info.
-# Used by other scripts.
-#shellcheck disable=SC2034
-readonly DEVELOPER_ID_APPLICATION='0FFD3E3413AB4C599C53FBB1D8CA690915E33D83'
-#shellcheck disable=SC2034
-readonly DEVELOPER_ID_INSTALLER='82B625AD327C241B378A54B4B254BB08CE71B5DF'
-readonly TEAMID='QH8AA5B8UP'
-#shellcheck disable=SC2034
-readonly TSH_BUNDLEID="$TEAMID.com.gravitational.teleport.tsh"
-#shellcheck disable=SC2034
-readonly TSH_SKELETON='tsh' # relative to build.assets/macos/
-
-# tshdev certs/info.
-#readonly DEVELOPER_ID_APPLICATION='A5604F285B0957134EA099AC515BD9E0787228AC'
-#readonly DEVELOPER_ID_INSTALLER='C1A831A974DF69563432C87A4979F7982DD91FBE'
-#readonly TEAMID='K497G57PDJ'
-#readonly TSH_BUNDLEID="$TEAMID.com.goteleport.tshdev"
-#readonly TSH_SKELETON='tshdev' # relative to build.assets/macos/
-
 # TARBALL_CACHE is used by find_or_fetch_tarball.
 readonly TARBALL_CACHE=/tmp/teleport-tarballs
 

build.assets/build-package.sh

@@ -2,7 +2,7 @@
 set -e
 
 usage() {
-  echo "Usage: $(basename $0) [-t <oss/ent>] [-v <version>] [-p <package type>] <-a [amd64/x86_64]|[386/i386]|arm|arm64> <-r fips> <-s tarball source dir>" 1>&2
+  echo "Usage: $(basename $0) [-t <oss/ent>] [-v <version>] [-p <package type>] [-b <bundle id>] <-a [amd64/x86_64]|[386/i386]|arm|arm64> <-r fips> <-s tarball source dir>" 1>&2
   exit 1
 }
 
@@ -11,7 +11,7 @@ usage() {
 #shellcheck disable=SC1091
 . "$(dirname "$0")/build-common.sh"
 
-while getopts ":t:v:p:a:r:s:n" o; do
+while getopts ":t:v:p:a:r:s:b:n" o; do
     case "${o}" in
         t)
             t=${OPTARG}
@@ -35,6 +35,9 @@ while getopts ":t:v:p:a:r:s:n" o; do
         s)
             s=${OPTARG}
             ;;
+	b)
+	    b=${OPTARG}
+	    ;;
         n)
             # Dry-run mode.
             # Only affects parts of the script, use at your own peril!
@@ -120,6 +123,11 @@ else
         usage
     fi
 
+    if [[ -n "${b:-}" ]]; then
+        echo "bundle ID parameter can only be used for OS X packages"
+        exit 6
+    fi
+
     # set docker image appropriately
     if [[ "${PACKAGE_TYPE}" == "deb" ]]; then
         DOCKER_IMAGE="public.ecr.aws/gravitational/fpm:debian8"
@@ -197,7 +205,7 @@ fi
 if [[ "${PACKAGE_TYPE}" == "pkg" ]]; then
     SIGN_PKG="true"
     FILE_LIST="${TAR_PATH}/tsh ${TAR_PATH}/tctl ${TAR_PATH}/teleport ${TAR_PATH}/tbot"
-    BUNDLE_ID="com.gravitational.teleport"
+    BUNDLE_ID="${b:-com.gravitational.teleport}"
     if [[ "${TELEPORT_TYPE}" == "ent" ]]; then
         PKG_FILENAME="teleport-ent-${TELEPORT_VERSION}.${PACKAGE_TYPE}"
     else

build.assets/build-pkg-tsh.sh

@@ -5,9 +5,10 @@ set -eu
 TELEPORT_TYPE=''     # -t, oss or ent
 TELEPORT_VERSION=''  # -v, version, without leading 'v'
 TARBALL_DIRECTORY='' # -s
+BUNDLEID="${TSH_BUNDLEID}"
 
 usage() {
-  log "Usage: $0 -t oss|eng -v version [-s tarball_directory] [-n]"
+  log "Usage: $0 -t oss|eng -v version [-s tarball_directory] [-b bundle_id] [-n]"
 }
 
 # make_non_relocatable_plist changes the default component plist of the $root
@@ -34,7 +35,7 @@ main() {
   . "$buildassets/build-common.sh"
 
   local opt=''
-  while getopts "t:v:s:n" opt; do
+  while getopts "t:v:s:b:n" opt; do
     case "$opt" in
       t)
         if [[ "$OPTARG" != "oss" && "$OPTARG" != "ent" ]]; then
@@ -54,6 +55,9 @@ main() {
         fi
         TARBALL_DIRECTORY="$OPTARG"
         ;;
+      b)
+        BUNDLEID="$OPTARG"
+        ;;
       n)
         DRY_RUN_PREFIX='echo + '  # declared by build-common.sh
         ;;
@@ -75,6 +79,12 @@ main() {
     exit 1
   fi
 
+  if [[ -z "${BUNDLEID}" ]]; then
+    echo "No bundle ID specified. Either set TSH_BUNDLEID or use -b bundle_id"
+    usage
+    exit 1
+  fi
+
   # Verify environment varibles.
   if [[ "${APPLE_USERNAME:-}" == "" ]]; then
     echo "\
@@ -89,6 +99,20 @@ password created by APPLE_USERNAME"
     exit 1
   fi
 
+  if [[ -z "${DEVELOPER_ID_APPLICATION}" ]]; then
+    echo "\
+The DEVELOPER_ID_APPLICATION environment variable needs to be set to the hash\
+of the key to sign applications"
+    exit 1
+  fi
+
+  if [[ -z "${DEVELOPER_ID_INSTALLER}" ]]; then
+    echo "\
+The DEVELOPER_ID_INSTALLER environment variable needs to be set to the hash\
+of the key to sign packages"
+    exit 1
+  fi
+
   # Use similar find-or-download logic as build-package.sh for compatibility
   # purposes.
   local ent=''
@@ -134,7 +158,7 @@ password created by APPLE_USERNAME"
   $DRY_RUN_PREFIX codesign -f \
     -o kill,hard,runtime \
     -s "$DEVELOPER_ID_APPLICATION" \
-    -i "$TSH_BUNDLEID" \
+    -i "$BUNDLEID" \
     --entitlements "$skel"/tsh*.entitlements \
     --timestamp \
     "$target"
@@ -149,7 +173,7 @@ password created by APPLE_USERNAME"
   pkgbuild \
     --root "$pkg_root" \
     --component-plist "$pkg_component_plist" \
-    --identifier "$TSH_BUNDLEID" \
+    --identifier "$BUNDLEID" \
     --version "v$TELEPORT_VERSION" \
     --install-location /Applications \
     --scripts "$pkg_scripts" \
@@ -166,7 +190,7 @@ password created by APPLE_USERNAME"
   fi
 
   # Notarize.
-  notarize "$target" "$TEAMID" "$TSH_BUNDLEID"
+  notarize "$target" "$TEAMID" "$BUNDLEID"
 
   # Copy resulting package to $PWD, generate hashes.
   mv "$target" .