diff --git a/darwin-signing.mk b/darwin-signing.mk
index face602bfd746..b68fc8783256c 100644
--- a/darwin-signing.mk
+++ b/darwin-signing.mk
@@ -41,7 +41,8 @@ CSC_NAME = $(DEVELOPER_ID_APPLICATION)
 # Don't export DEVELOPER_ID_APPLICATION, DEVELOPER_ID_INSTALLER or CSC_NAME as
 # it causes them to be evaluated, which shells out to the `security` command.
-# They should only be evaluated if used.
+# They should only be evaluated if used. Any variables below that reference
+# these are also unexported for the same reason.
 unexport CSC_NAME DEVELOPER_ID_APPLICATION DEVELOPER_ID_INSTALLER
 # Bundle IDs identify packages/images. We use different bundle IDs for
@@ -94,18 +95,33 @@ SHOULD_NOTARIZE = $(if $(and $(APPLE_USERNAME),$(APPLE_PASSWORD)),true)
 # to not evaluate its arguments (DEVELOPER_ID_APPLICATION) if we are not
 # goint to use them, preventing a missing key error defined above.
 NOTARIZE_BINARIES = $(if $(SHOULD_NOTARIZE),$(notarize_binaries_cmd),$(not_notarizing_cmd))
-
-define notarize_binaries_cmd
- cd build.assets/tooling && \
- go run ./cmd/notarize-apple-binaries \
- --developer-id=$(DEVELOPER_ID_APPLICATION) \
- --bundle-id=$(TELEPORT_BUNDLEID) \
- --log-level=debug \
- $(ABSOLUTE_BINARY_PATHS)
-endef
+unexport NOTARIZE_BINARIES
 not_notarizing_cmd = echo Not notarizing binaries. APPLE_USERNAME or APPLE_PASSWORD not set.
-# Dont export not_notarizing_cmd since it contains DEVELOPER_ID_APPLICATION
-# and we do not want that evaluated.
+notary_dir = $(BUILDDIR)/notarize
+notary_file = $(BUILDDIR)/notarize.zip
+
+# notarize_binaries_cmd must be a single command - multiple commands must be
+# joined with "&& \". This is so the command can be prefixed with "cd .. &&"
+# for the enterprise invocation.
+define notarize_binaries_cmd
+ codesign \
+ --sign $(DEVELOPER_ID_APPLICATION) \
+ --force \
+ --verbose \
+ --timestamp \
+ --options runtime \
+ $(ABSOLUTE_BINARY_PATHS) && \
+ rm -rf $(notary_dir) && \
+ mkdir $(notary_dir) && \
+ ditto $(ABSOLUTE_BINARY_PATHS) $(notary_dir) && \
+ ditto -c -k $(notary_dir) $(notary_file) && \
+ xcrun notarytool submit $(notary_file) \
+ --team-id="$(TEAMID)" \
+ --apple-id="$(APPLE_USERNAME)" \
+ --password="$(APPLE_PASSWORD)" \
+ --wait && \
+ rm -rf $(notary_dir) $(notary_file)
+endef
 unexport notarize_binaries_cmd
diff --git a/web/packages/teleterm/README.md b/web/packages/teleterm/README.md
index a36700e887bdd..0649aa3f44999 100644
--- a/web/packages/teleterm/README.md
+++ b/web/packages/teleterm/README.md
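Review bot: `--password="$(APPLE_PASSWORD)"` in the new notarize_binaries_cmd places the app-specific password on the notarytool command line, so it is readable in the process table for the whole `--wait` and, unless the recipe line that expands NOTARIZE_BINARIES (outside this hunk) is `@`-prefixed, it is echoed by make into every build log; the replaced `go run ./cmd/notarize-apple-binaries` invocation did not take the password as an argument. Prefer credentials stored once with `xcrun notarytool store-credentials` and referenced via `--keychain-profile`, or at minimum make sure that recipe line is silenced. Separately, `notary_dir` and `notary_file` are derived from `$(BUILDDIR)` while the comment says the command gets prefixed with `cd .. &&` for enterprise; if BUILDDIR is relative the `rm -rf`, `mkdir` and `ditto` steps then resolve against the parent directory, unlike the already-absolute `$(ABSOLUTE_BINARY_PATHS)`, so `notary_dir = $(abspath $(BUILDDIR))/notarize` (and likewise for notary_file) is safer. A guard such as `$(if $(strip $(BUILDDIR)),,$(error BUILDDIR is empty))` ahead of the `rm -rf $(notary_dir)` would also stop an unset BUILDDIR from turning that into `rm -rf /notarize`.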
@@ -115,6 +115,7 @@ When running `yarn package-term`, you need to provide these environment variable
 - `APPLE_PASSWORD`
 - `CONNECT_TSH_APP_PATH`
 - `CSC_NAME` (optional, developer certificate ID)
+- `TEAMID`
 The details behind those vars are described below.
@@ -151,6 +152,11 @@ On top of that, you must provide env vars that will be used for notarization. `A
 be set to the account email address associated with the developer ID. `APPLE_PASSWORD` must be
 [an app-specific password](https://support.apple.com/en-us/HT204397), not the account password.
+The Team ID needed as an input for notarization must be provided via the `TEAMID` environment
+variable. The top-level `Makefile` exports this when `yarm package-term` is called from `make
+release-connect` with either the developer or production Team ID depending on the `ENVIRONMENT_NAME`
+environment variable. See the top-level `darwin-signing.mk` for details.
+
 ## Architecture
 ### Resource lifecycle
diff --git a/web/packages/teleterm/notarize.js b/web/packages/teleterm/notarize.js
index 8296f4da6b394..2c0bd10e53fd9 100644
--- a/web/packages/teleterm/notarize.js
+++ b/web/packages/teleterm/notarize.js
@@ -13,6 +13,13 @@ exports.default = async function notarizing(context) {
 return;
 }
+ if (!process.env.TEAMID) {
+ console.warn(
+ 'missing $TEAMID: notarization will be skipped. Run `make release-connect` instead'
+ );
+ return;
+ }
+
 const appName = context.packager.appInfo.productFilename;
 const appBundleId = context.packager.appInfo.macBundleIdentifier;
@@ -21,5 +28,7 @@ exports.default = async function notarizing(context) {
 appPath: `${appOutDir}/${appName}.app`,
 appleId: process.env.APPLE_USERNAME,
 appleIdPassword: process.env.APPLE_PASSWORD,
+ tool: 'notarytool',
+ teamId: process.env.TEAMID,
 });
 };
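Review bot: The added `if (!process.env.TEAMID)` guard turns a missing Team ID into a warning plus early return, so `yarn package-term` still exits successfully while producing an unnotarized `.app`; that mirrors the existing early return just above it, but nothing in the code says whether silently skipping is intended only for local developer packaging. If that is the intent, a comment such as `// Local packaging may skip notarization; release builds go through make release-connect, which exports TEAMID.` above the check would make it explicit, and a release pipeline would be safer failing hard here rather than relying on someone reading the warning. The enclosing `notarizing` function starts outside this hunk; the second hunk in this file (`tool: 'notarytool'`, `teamId: process.env.TEAMID`) is consistent with the guard and needs no separate change.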