tools: added support for notarytool for osx notarization #48701

87 changes: 68 additions & 19 deletions tools/osx-notarize.sh
@@ -1,34 +1,83 @@
#!/bin/sh

# Uses gon, from https://github.com/mitchellh/gon, to notarize a generated node-<version>.pkg file
# with Apple for installation on macOS Catalina and later as validated by Gatekeeper.
# Notarize a generated node-<version>.pkg file as an Apple requirement for installation on macOS Catalina and later, as validated by Gatekeeper.
# Uses gon (Xcode version < 13.0) or notarytool (Xcode >= 13.0).

set -e

gon_version="0.2.2"
gon_exe="${HOME}/.gon/gon_${gon_version}"
version() {
echo "$@" | awk -F. '{ printf("%d%03d%03d%03d\n", $1,$2,$3,$4); }' || echo "0"
}

xcode_version=$(xcodebuild -version | awk '/Xcode/ {print $2}')
xcode_version_result=$(version "$xcode_version")
xcode_version_threshold=$(version "13.0")
pkgid="$1"

[ -z "$pkgid" ] && \
echo "Usage: $0 <pkgid>" \
if [ -z "$pkgid" ]; then
echo "Usage: $0 <pkgid>"
exit 1
fi

# shellcheck disable=SC2154
[ -z "$NOTARIZATION_ID" ] && \
echo "No NOTARIZATION_ID environment var. Skipping notarization." \
if [ -z "$NOTARIZATION_ID" ]; then
echo "No NOTARIZATION_ID environment variable. Skipping notarization."
exit 0
fi

set -x

mkdir -p "${HOME}/.gon/"
if [ -z "$NOTARIZATION_PASSWORD" ]; then
echo "No NOTARIZATION_PASSWORD environment variable. Skipping notarization."
exit 0
fi

if [ ! -f "${gon_exe}" ]; then
curl -sL "https://github.com/mitchellh/gon/releases/download/v${gon_version}/gon_${gon_version}_macos.zip" -o "${gon_exe}.zip"
(cd "${HOME}/.gon/" && rm -f gon && unzip "${gon_exe}.zip" && mv gon "${gon_exe}")
if [ -z "$NOTARIZATION_TEAM_ID" ]; then
echo "No NOTARIZATION_TEAM_ID environment variable. Skipping notarization."
exit 0
fi

sed -e "s/{{appleid}}/${NOTARIZATION_ID}/" -e "s/{{pkgid}}/${pkgid}/" tools/osx-gon-config.json.tmpl \
> gon-config.json
if [ "$xcode_version_result" -lt "$xcode_version_threshold" ]; then
echo "Notarization process is done with gon."
set -x

gon_version="0.2.2"
gon_exe="${HOME}/.gon/gon_${gon_version}"

"${gon_exe}" -log-level=info gon-config.json
mkdir -p "${HOME}/.gon/"

if [ ! -f "${gon_exe}" ]; then
curl -sL "https://github.com/mitchellh/gon/releases/download/v${gon_version}/gon_${gon_version}_macos.zip" -o "${gon_exe}.zip"
(cd "${HOME}/.gon/" && rm -f gon && unzip "${gon_exe}.zip" && mv gon "${gon_exe}")
fi

sed -e "s/{{appleid}}/${NOTARIZATION_ID}/" -e "s/{{pkgid}}/${pkgid}/" tools/osx-gon-config.json.tmpl \
> gon-config.json

"${gon_exe}" -log-level=info gon-config.json

else
echo "Notarization process is done with Notarytool."

if ! command -v xcrun notarytool > /dev/null
then
echo "Notarytool is not present in the system. Notarization has failed."
exit 1
fi

# Submit the package for notarization
notarization_output=$(
xcrun notarytool submit \
--apple-id "$NOTARIZATION_ID" \
--password "$NOTARIZATION_PASSWORD" \
--team-id "$NOTARIZATION_TEAM_ID" \
--wait \
"node-$pkgid.pkg" 2>&1
)

if [ $? -eq 0 ]; then
# Extract the operation ID from the output
operation_id=$(echo "$notarization_output" | awk '/RequestUUID/ {print $NF}')
echo "Notarization submitted. Operation ID: $operation_id"
exit 0
else
echo "Notarization failed. Error: $notarization_output"
exit 1
fi
fi
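Review bot: The app-specific password goes onto the command line at `--password "$NOTARIZATION_PASSWORD"`, where it is readable in `ps` output by any other process on the build host for the whole `--wait` duration and would be printed verbatim if the `set -x` that currently sits only in the gon branch were ever enabled here too. notarytool can take its credentials from a keychain profile created once on the host with `xcrun notarytool store-credentials`, so `--keychain-profile "$NOTARIZATION_PROFILE"` would keep the secret out of argv; if the env-var contract has to stay, a comment above the call should at least record the exposure and that tracing must never be turned on in this branch. Separately, assuming the `set -e` at the top of the file is still in effect, a non-zero exit from the command substitution aborts the script before `if [ $? -eq 0 ]` is reached, so the `"Notarization failed. Error: ..."` branch looks unreachable; `if notarization_output=$(xcrun notarytool submit ... --wait "node-$pkgid.pkg" 2>&1); then` keeps the status inside the conditional. The presence check `command -v xcrun notarytool` looks each name up in PATH, and notarytool is normally only reachable through xcrun, so it may fail on every host; `xcrun --find notarytool >/dev/null 2>&1` tests the tool the way it is actually invoked. I also don't believe notarytool's `--wait` output contains `RequestUUID` (it reports `id:` and a final `status:` line), so `operation_id` is probably always empty — worth checking against a real run, and matching on the `status` line would also guard against a submission that completes as Invalid.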