
Adds support for client-only builds for Mac, plus signing/notarization/stapling #3159

Merged
merged 7 commits into from
Dec 20, 2019

Conversation

webvictim
Contributor

@webvictim webvictim commented Nov 14, 2019

Updates package build script to support tsh-only builds on Mac. Also adds support for signing, notarization and stapling.

For now, we will only sign/notarize client-only builds. There is an issue currently which means that we can't sign the teleport binary on MacOS (#3158). Once this is fixed, signing/notarization can be expanded to all Teleport packages on Mac.

Requirements for the build host to support signing and notarization:

  • Xcode 11 must be installed, which has a minimum requirement of MacOS 10.14.3
  • gon (https://github.com/mitchellh/gon) must be installed
  • codesign/productsign commands must be available (these are installed by xcode-select --install)
  • The two certificates for signing need to be present in the system keychain (get them from 1Password)
    • "Developer ID Application: Gravitational Inc."
    • "Developer ID Installer: Gravitational Inc."
    • You can check that these are present using security find-identity -v
  • The environment variables APPLE_USERNAME and APPLE_PASSWORD must be set to an Apple ID email and password for a developer account that has permission to notarize files
    • I recommend the use of an app-specific password

Other notes:

  • You need to run this script interactively once on the host (with something like ./build-package.sh -t oss -v 4.1.4 -p pkg -m tsh) - this is because it will pop up password input dialogs on the screen which will make you enter the system password on first run.
    • Alternatively, you can open the Keychain Access app and allow permissions for codesign and productsign to always use both private keys. This part can be tricky to get right.
  • This is what gets the keychain to allow codesign/productsign access to the signing certificates
    • For each dialog, enter the system password and then click "Always Allow" in the dialog box. This will mean that future signings don't need the password to be entered
    • This is a hard requirement for now as Apple doesn't allow this step to be automated
    • (you can actually work around this entirely by allowing everyone access to the private keys via Keychain Access, but this is insecure)

To make a client-only build, add -m tsh to the command line. Omitting this parameter will fall back to the standard behaviour of creating an unsigned full Teleport package.

This script should still work for creating unsigned packages on older versions of MacOS/Xcode without errors. Attempting to sign/notarize packages on older versions will fail.

@webvictim webvictim self-assigned this Nov 14, 2019
@webvictim webvictim changed the title Adds support for client-only builds for Mac, plus signing/notarization/stapling [WIP] Adds support for client-only builds for Mac, plus signing/notarization/stapling Nov 15, 2019
@webvictim
Contributor Author

Don't merge.

@webvictim
Contributor Author

webvictim commented Nov 20, 2019

There are some extra steps involved with this:

  • You must also import the private keys associated with each signing certificate
  • The keychain needs to be unlocked inside an SSH session to allow signing to work (security unlock-keychain -p <password> login.keychain)
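As an added example (not Teleport's own build-package.sh), the following preflight script checks the build-host requirements listed in the PR description (codesign/productsign/gon on PATH, the two "Developer ID" identities in the keychain, APPLE_USERNAME and APPLE_PASSWORD set) together with the extra SSH-session keychain unlock from the comment above. The KEYCHAIN_PASSWORD variable, the --check flag and the hashes in the sample `security find-identity -v` output are assumptions for the example:

```shell
#!/bin/sh
# Preflight check for a Mac signing/notarization build host.
# Added example, not Teleport's build-package.sh. Assumed names: KEYCHAIN_PASSWORD
# (env var), the --check flag, and the constructed sample identity hashes.

# identities_present OUTPUT
# OUTPUT is the text printed by `security find-identity -v` (valid identities only).
# Returns 0 when both "Developer ID" identities are listed, 1 otherwise,
# naming the missing ones on stderr.
identities_present() {
    missing=0
    for kind in Application Installer; do
        name="Developer ID $kind: Gravitational Inc."
        if ! printf '%s\n' "$1" | grep -qF "\"$name\""; then
            echo "missing signing identity: $name" >&2
            missing=1
        fi
    done
    return $missing
}

# notarization_env_ok
# Returns 0 when APPLE_USERNAME and APPLE_PASSWORD are both set and non-empty.
notarization_env_ok() {
    missing=0
    for var in APPLE_USERNAME APPLE_PASSWORD; do
        eval "value=\${$var:-}"
        if [ -z "$value" ]; then
            echo "$var is not set (use an Apple ID and an app-specific password)" >&2
            missing=1
        fi
    done
    return $missing
}

# tools_present
# Returns 0 when codesign, productsign (from xcode-select --install) and gon are on PATH.
tools_present() {
    missing=0
    for tool in codesign productsign gon; do
        if ! command -v "$tool" >/dev/null 2>&1; then
            echo "missing tool: $tool" >&2
            missing=1
        fi
    done
    return $missing
}

# unlock_keychain_for_ssh
# Over SSH the login keychain is locked, so codesign cannot reach the private keys.
# Unlocks it with KEYCHAIN_PASSWORD (assumed variable name); a no-op outside SSH.
unlock_keychain_for_ssh() {
    [ -n "${SSH_CONNECTION:-}" ] || return 0
    if [ -z "${KEYCHAIN_PASSWORD:-}" ]; then
        echo "KEYCHAIN_PASSWORD must be set to unlock login.keychain over SSH" >&2
        return 1
    fi
    security unlock-keychain -p "$KEYCHAIN_PASSWORD" login.keychain
}

# preflight
# Runs every check; returns 0 only if this host can sign and notarize a tsh package.
preflight() {
    ok=0
    tools_present || ok=1
    notarization_env_ok || ok=1
    unlock_keychain_for_ssh || ok=1
    if command -v security >/dev/null 2>&1; then
        identities_present "$(security find-identity -v)" || ok=1
    else
        echo "security(1) not found: not a macOS host" >&2
        ok=1
    fi
    return $ok
}

# Constructed sample in the shape `security find-identity -v` prints; hashes are fake.
SAMPLE_IDENTITIES='  1) 0000000000000000000000000000000000000000 "Developer ID Application: Gravitational Inc."
  2) 1111111111111111111111111111111111111111 "Developer ID Installer: Gravitational Inc."
     2 valid identities found'

# Usage on the build host, before running build-package.sh ... -m tsh:
#   ./preflight.sh --check
if [ "${1:-}" = "--check" ]; then
    preflight && echo "host is ready to sign and notarize"
fi
```

The script only reports; the one-time "Always Allow" step in the keychain dialogs still has to be done interactively, as the PR description notes. Passing the keychain password with `-p` mirrors the comment above but places it in the process argument list, so on a shared build host the interactive `security unlock-keychain` prompt is the safer choice.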

Contributor

@benarent benarent left a comment


I was trying out our 'unsigned' Mac builds this week and Catalina makes it pretty horrible. I wonder if, as a stopgap and to not have to worry about the upstream GoLang packaging issue, we could just sign and release tsh and label it MacOS (tsh client only), as most team members who have to adopt Teleport will end up using `tsh`.

@webvictim
Contributor Author

Yeah - I might see if I can backport this stuff to work with our current release process rather than needing to wait for Force.

@webvictim webvictim changed the title [WIP] Adds support for client-only builds for Mac, plus signing/notarization/stapling Adds support for client-only builds for Mac, plus signing/notarization/stapling Dec 20, 2019
@webvictim webvictim merged commit a679d3e into master Dec 20, 2019
webvictim added a commit that referenced this pull request Dec 20, 2019
@webvictim webvictim deleted the gus/sign-mac-packages branch April 15, 2020 18:17