SNOW-1694005: MacOS binary signing #1640

Merged
merged 37 commits into from
Oct 3, 2024
e08ea67
SNOW-1694005: fix executable path
sfc-gh-mraba Sep 30, 2024
764611a
SNOW-1694005: fix executable path
sfc-gh-mraba Sep 30, 2024
e02a366
SNOW-1694005: organize signign funcs
sfc-gh-mraba Sep 30, 2024
1fb17ff
SNOW-1694005: organize signign funcs fix typo
sfc-gh-mraba Sep 30, 2024
16a753e
SNOW-1694005: organize signign funcs fix typo 2
sfc-gh-mraba Sep 30, 2024
4ddb7e8
SNOW-1694005: organize signign funcs fix typo 3
sfc-gh-mraba Sep 30, 2024
4b80857
SNOW-1694005: organize signign funcs fix typo 4
sfc-gh-mraba Sep 30, 2024
8faebca
SNOW-1694005: organize signign funcs fix typo 5
sfc-gh-mraba Sep 30, 2024
89771d0
SNOW-1694005: organize signign funcs fix typo 6
sfc-gh-mraba Sep 30, 2024
e7c3189
SNOW-1694005: organize signign funcs fix typo 7
sfc-gh-mraba Sep 30, 2024
132b2f2
SNOW-1694005: organize signign funcs fix typo 8
sfc-gh-mraba Sep 30, 2024
2b86d33
SNOW-1694005: organize signign funcs fix typo 9
sfc-gh-mraba Sep 30, 2024
0f5bb99
SNOW-1694005: organize signign funcs fix typo 10
sfc-gh-mraba Sep 30, 2024
20104e6
SNOW-1694005: organize signign funcs fix typo 11
sfc-gh-mraba Sep 30, 2024
2ba40bd
SNOW-1694005: organize signign funcs fix typo 12
sfc-gh-mraba Oct 1, 2024
ea5e46d
SNOW-1694005: organize signign funcs fix typo 13
sfc-gh-mraba Oct 1, 2024
0ac6156
SNOW-1694005: organize signign funcs fix typo 14
sfc-gh-mraba Oct 1, 2024
81a15d0
SNOW-1694005: organize signign funcs fix typo 15
sfc-gh-mraba Oct 1, 2024
6f514bb
SNOW-1694005: organize signign funcs fix typo 16
sfc-gh-mraba Oct 1, 2024
d6ae21d
SNOW-1694005: organize signign funcs fix typo 17
sfc-gh-mraba Oct 1, 2024
13dfabb
SNOW-1694005: organize signign funcs fix typo 18
sfc-gh-mraba Oct 1, 2024
6e8623d
SNOW-1694005: organize signign funcs fix typo 19
sfc-gh-mraba Oct 1, 2024
321ca02
SNOW-1694005: organize signign funcs fix typo 20
sfc-gh-mraba Oct 1, 2024
dcf282c
SNOW-1694005: organize signign funcs fix typo 21
sfc-gh-mraba Oct 1, 2024
025a585
SNOW-1694005: organize signign funcs fix typo 22
sfc-gh-mraba Oct 1, 2024
21a3f33
SNOW-1694005: organize signign funcs fix typo 23
sfc-gh-mraba Oct 1, 2024
a8f5191
SNOW-1694005: organize signign funcs fix typo 24
sfc-gh-mraba Oct 1, 2024
eb09c9c
SNOW-1694005: organize signign funcs fix typo 25
sfc-gh-mraba Oct 1, 2024
df0a1a3
SNOW-1694005: organize signign funcs fix typo 26
sfc-gh-mraba Oct 1, 2024
f5ffa70
SNOW-1694005: organize signign funcs fix typo 27
sfc-gh-mraba Oct 1, 2024
6d7b337
SNOW-1694005: organize signign funcs fix typo 28
sfc-gh-mraba Oct 1, 2024
80d379a
SNOW-1694005: organize signign funcs fix typo 29
sfc-gh-mraba Oct 1, 2024
32d2f79
SNOW-1694005: organize signign funcs fix typo 30
sfc-gh-mraba Oct 1, 2024
163d075
SNOW-1694005: organize signign funcs fix typo 31
sfc-gh-mraba Oct 1, 2024
9c052e4
SNOW-1694005: organize signign funcs fix typo 32
sfc-gh-mraba Oct 1, 2024
758e609
SNOW-1694005: organize signign funcs fix typo 33
sfc-gh-mraba Oct 1, 2024
c888e09
SNOW-1694005: organize signign funcs fix typo 34
sfc-gh-mraba Oct 2, 2024
43 changes: 33 additions & 10 deletions scripts/packaging/build_binaries.sh
@@ -4,24 +4,47 @@ set -oeux pipefail
git config --global --add safe.directory /snowflake-cli

MACHINE=$(uname -m | tr '[:upper:]' '[:lower:]')
SYSTEM=$(uname -s | tr '[:upper:]' '[:lower:]')
ROOT_DIR="$(git rev-parse --show-toplevel)"
BUILD_DIR="${ROOT_DIR}/build"
DIST_DIR="${ROOT_DIR}/dist"

VERSION=$(hatch version)
ENTRY_POINT="src/snowflake/cli/_app/__main__.py"

hatch -e packaging run pyinstaller \
--name=snow \
--target-architecture=$MACHINE \
--onedir \
--clean \
--noconfirm \
--contents-directory=snowflake-cli-${VERSION} \
${ENTRY_POINT}
clean_build_workspace() {
rm -rf $DIST_DIR $BUILD_DIR || true
}

build_binaries() {
if [[ ${SYSTEM} == "darwin" ]]; then
echo "Building for Darwin moved to build_darwin_package.sh"
exit 0
elif [[ ${SYSTEM} == "linux" ]]; then
hatch -e packaging run pyinstaller \
--name=snow \
--target-architecture=$MACHINE \
--onedir \
--clean \
--noconfirm \
--contents-directory=snowflake-cli-${VERSION} \
${ENTRY_POINT}
else
echo "Unsupported platform: ${SYSTEM}"
exit 1
fi
}

execute_build() {
cd $DIST_DIR/snow && ./snow
cd -
echo "Executing build"
if [[ ${SYSTEM} == "linux" ]]; then
$DIST_DIR/snow/snow --help
else
echo "Unsupported platform: ${SYSTEM}"
exit 1
fi
}

clean_build_workspace
build_binaries
execute_build
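Review bot: `clean_build_workspace` runs `rm -rf $DIST_DIR $BUILD_DIR || true` with unquoted paths derived from `git rev-parse --show-toplevel`, so a checkout path containing whitespace would be word-split and `rm -rf` would act on the pieces instead of the intended directories. I would write it as `rm -rf -- "${DIST_DIR:?}" "${BUILD_DIR:?}"`, which also aborts if either variable is ever empty. The same line appears in `clean_build_workspace` in build_darwin_package.sh. Note also that the `exit 0` in the darwin branch of `build_binaries` ends the whole script, so a macOS run reports success without producing an artifact and the `else` branch of `execute_build` is never reached for darwin.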
162 changes: 66 additions & 96 deletions scripts/packaging/build_darwin_package.sh
@@ -9,32 +9,55 @@ PACKAGING_DIR=$ROOT_DIR/scripts/packaging

SYSTEM=$(uname -s | tr '[:upper:]' '[:lower:]')
MACHINE=$(uname -m | tr '[:upper:]' '[:lower:]')
PLATFORM="${SYSTEM}-${MACHINE}"

CLI_VERSION=$(hatch version)

ENTRY_POINT="src/snowflake/cli/_app/__main__.py"
BUILD_DIR="${ROOT_DIR}/build"
DIST_DIR=$ROOT_DIR/dist
APP_NAME=SnowflakeCLI.app
BINARY_NAME="snow"
APP_NAME="SnowflakeCLI.app"
APP_DIR=$DIST_DIR/app
APP_SCRIPTS=$DIST_DIR/scripts
APP_SCRIPTS=$APP_DIR/scripts
CODESIGN_IDENTITY="Developer ID Application: Snowflake Computing INC. (W4NT6CRQ7U)"
PRODUCTSIGN_IDENTITY="Developer ID Installer: Snowflake Computing INC. (W4NT6CRQ7U)"

loginfo() {
logger -s -p INFO -- $1
}

$DIST_DIR/snow/snow --help
clean_build_workspace() {
rm -rf $DIST_DIR $BUILD_DIR || true
}

loginfo "Building darwin package for version ${CLI_VERSION}"
clean_build_workspace

setup_app_dir() {
rm -rf $APP_DIR || true
mkdir -p $APP_DIR/$APP_NAME/Contents/{MacOS,Resources} || true
tree $APP_DIR
}
security -v unlock-keychain -p $MAC_USERNAME_PASSWORD login.keychain-db

loginfo "---------------------------------"
security find-identity -v -p codesigning
loginfo "---------------------------------"

setup_app_dir
cd $APP_DIR
hatch -e packaging run pyinstaller \
--name=${BINARY_NAME} \
--target-architecture=$MACHINE \
--onedir \
--clean \
--noconfirm \
--windowed \
--osx-bundle-identifier=com.snowflake.snowflake-cli \
--osx-entitlements-file=scripts/packaging/macos/SnowflakeCLI_entitlements.plist \
--codesign-identity="${CODESIGN_IDENTITY}" \
--icon=scripts/packaging/macos/snowflake_darwin.icns \
${ENTRY_POINT}

cat >$APP_NAME/Contents/Info.plist <<INFO_PLIST
ls -l $DIST_DIR
mkdir $APP_DIR || true
mv $DIST_DIR/${BINARY_NAME}.app ${APP_DIR}/${APP_NAME}
${APP_DIR}/${APP_NAME}/Contents/MacOS/snow --help

cat >${APP_DIR}/${APP_NAME}/Contents/Info.plist <<INFO_PLIST
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
@@ -69,71 +92,9 @@ cat >$APP_NAME/Contents/Info.plist <<INFO_PLIST
</plist>
INFO_PLIST

cp -r $DIST_DIR/snow $APP_NAME/Contents/MacOS/
cp -r $PACKAGING_DIR/macos/snowflake_darwin.icns $APP_NAME/Contents/Resources/SnowflakeCLI.icns
cp -r $PACKAGING_DIR/macos/SnowflakeCLI.bash $APP_NAME/Contents/MacOS/SnowflakeCLI.bash
chmod +x $APP_NAME/Contents/MacOS/SnowflakeCLI.bash

tree -d $DIST_DIR

security -v unlock-keychain -p $MAC_USERNAME_PASSWORD login.keychain-db

loginfo "---------------------------------"
security find-identity -v -p codesigning
loginfo "---------------------------------"

code_sign() {
ENTITLEMENTS=$PACKAGING_DIR/macos/SnowflakeCLI_entitlements.plist
loginfo "---------------------------------"
loginfo "Code signing $1"
loginfo "---------------------------------"
ls -l $1
codesign \
--timestamp \
--deep \
--force \
--entitlements $ENTITLEMENTS \
--options=runtime \
--sign "Developer ID Application: Snowflake Computing INC. (W4NT6CRQ7U)" \
$1
}

code_sign_no_runtime() {
ENTITLEMENTS=$PACKAGING_DIR/macos/SnowflakeCLI_entitlements.plist
loginfo "---------------------------------"
loginfo "Code signing $1 no runtime"
loginfo "---------------------------------"
codesign \
--timestamp \
--deep \
--force \
--entitlements $ENTITLEMENTS \
--sign "Developer ID Application: Snowflake Computing INC. (W4NT6CRQ7U)" \
$1
}

code_sign_validate() {
loginfo "---------------------------------"
loginfo "Validating code signing for $1"
loginfo "---------------------------------"
codesign -dvvv --force $1
}

APP_CONTENTS=$APP_NAME/Contents/MacOS/snow
ENTITLEMENTS=$PACKAGING_DIR/macos/SnowflakeCLI_entitlements.plist

code_sign $APP_CONTENTS/snow
code_sign_validate $APP_CONTENTS/snow

for l in $(find . -name '*.so'); do
code_sign_no_runtime $l
code_sign_validate $l
done

for l in $(find . -name '*.dylib'); do
code_sign_no_runtime $l
code_sign_validate $l
done
cp -r $PACKAGING_DIR/macos/snowflake_darwin.icns ${APP_DIR}/${APP_NAME}/Contents/Resources/SnowflakeCLI.icns
cp -r $PACKAGING_DIR/macos/SnowflakeCLI.bash ${APP_DIR}/${APP_NAME}/Contents/MacOS/SnowflakeCLI.bash
chmod +x $APP_DIR/${APP_NAME}/Contents/MacOS/SnowflakeCLI.bash

# POSTINSTALL SCRIPT
prepare_postinstall_script() {
@@ -145,55 +106,64 @@ prepare_postinstall_script() {
prepare_postinstall_script

ls -l $DIST_DIR
tree -d $DIST_DIR

chmod +x $APP_SCRIPTS/postinstall

# codesign after changes
codesign --timestamp --deep --force --verify --verbose --sign "${CODESIGN_IDENTITY}" ${APP_DIR}/${APP_NAME}

PKG_UNSIGNED_NAME="snowflake-cli-${SYSTEM}.unsigned.pkg"
loginfo "---------------------------------"
loginfo "Package build $DIST_DIR/snowflake-cli-${SYSTEM}.unsigned.pkg "
loginfo "Package build ${DIST_DIR}/${PKG_UNSIGNED_NAME}"
loginfo "---------------------------------"
pkgbuild \
--identifier com.snowflake.snowflake-cli \
--install-location '/Applications' \
--version $CLI_VERSION \
--scripts $APP_SCRIPTS \
--root $APP_DIR \
--component-plist $PACKAGING_DIR/macos/SnowflakeCLI.plist \
$DIST_DIR/snowflake-cli-${SYSTEM}.unsigned.pkg
--component-plist ${PACKAGING_DIR}/macos/SnowflakeCLI.plist \
${DIST_DIR}/${PKG_UNSIGNED_NAME}

ls -l $DIST_DIR

PRODUCT_UNSIGNED_NAME="snowflake-cli-${SYSTEM}.unsigned.pkg"
PRODUCT_SIGNED_NAME="snowflake-cli-${SYSTEM}.pkg"
loginfo "---------------------------------"
loginfo "Procuct sign $DIST_DIR/snowflake-cli-${SYSTEM}.unsigned.pkg -> $DIST_DIR/snowflake-cli-${SYSTEM}.pkg"
loginfo "Procuct sign ${DIST_DIR}/${PRODUCT_UNSIGNED_NAME} -> ${DIST_DIR}/${PRODUCT_SIGNED_NAME}"
loginfo "---------------------------------"
productsign \
--sign "Developer ID Installer: Snowflake Computing INC. (W4NT6CRQ7U)" \
$DIST_DIR/snowflake-cli-${SYSTEM}.unsigned.pkg \
$DIST_DIR/snowflake-cli-${SYSTEM}.pkg
--sign "${PRODUCTSIGN_IDENTITY}" \
${DIST_DIR}/${PRODUCT_UNSIGNED_NAME} \
${DIST_DIR}/${PRODUCT_SIGNED_NAME}

ls -l $DIST_DIR

PRODUCT_BUILD_UNSIGNED_NAME="snowflake-cli-${PLATFORM}.unsigned.pkg"
loginfo "---------------------------------"
loginfo "Procuct build $DIST_DIR/snowflake-cli-${SYSTEM}-${MACHINE}.unsigned.pkg <- $DIST_DIR/snowflake-cli-${SYSTEM}.pkg"
loginfo "Procuct build ${DIST_DIR}/${PRODUCT_BUILD_UNSIGNED_NAME} <- ${DIST_DIR}/${PRODUCT_SIGNED_NAME}"
loginfo "---------------------------------"
productbuild \
--distribution $PACKAGING_DIR/macos/Distribution.xml \
--version $CLI_VERSION \
--resources $PACKAGING_DIR/macos/Resources \
--package-path $DIST_DIR \
$DIST_DIR/snowflake-cli-${SYSTEM}-${MACHINE}.unsigned.pkg
${DIST_DIR}/${PRODUCT_BUILD_UNSIGNED_NAME}

ls -l $DIST_DIR

PRODUCT_BUILD_SIGNED_NAME="snowflake-cli-${PLATFORM}.pkg"
loginfo "---------------------------------"
loginfo "Procuct sign $DIST_DIR/snowflake-cli-${SYSTEM}-${MACHINE}.unsigned.pkg -> $DIST_DIR/snowflake-cli-${SYSTEM}-${MACHINE}.pkg"
loginfo "Procuct sign ${DIST_DIR}${PRODUCT_BUILD_UNSIGNED_NAME} -> ${DIST_DIR}/${PRODUCT_BUILD_SIGNED_NAME}"
loginfo "---------------------------------"
productsign \
--sign "Developer ID Installer: Snowflake Computing INC. (W4NT6CRQ7U)" \
$DIST_DIR/snowflake-cli-${SYSTEM}-${MACHINE}.unsigned.pkg \
$DIST_DIR/snowflake-cli-${SYSTEM}-${MACHINE}.pkg
--sign "${PRODUCTSIGN_IDENTITY}" \
${DIST_DIR}/${PRODUCT_BUILD_UNSIGNED_NAME} \
${DIST_DIR}/${PRODUCT_BUILD_SIGNED_NAME}

cp -p \
$DIST_DIR/snowflake-cli-${SYSTEM}-${MACHINE}.pkg \
$DIST_DIR/snowflake-cli-${CLI_VERSION}-${SYSTEM}-${MACHINE}.pkg
FINAL_PKG_NAME="snowflake-cli-${CLI_VERSION}-${PLATFORM}.pkg"
cp -p ${DIST_DIR}/${PRODUCT_BUILD_SIGNED_NAME} ${DIST_DIR}/${FINAL_PKG_NAME}

ls -l $DIST_DIR

@@ -208,10 +178,10 @@ validate_installation() {

export SUDO_ASKPASS=./asker.sh
sudo -A installer -pkg $pkg_name -target /
[ -f /Applications/SnowflakeCLI.app/Contents/MacOS/snow/snow ]
PATH=/Applications/SnowflakeCLI.app/Contents/MacOS/snow:$PATH snow
[ -f /Applications/${APP_NAME}/Contents/MacOS/snow ]
PATH=/Applications/${APP_NAME}/Contents/MacOS:$PATH snow

sudo rm -rf /Applications/SnowflakeCLI.app || true
sudo rm -rf /Applications/${APP_NAME} || true
}

validate_installation $DIST_DIR/snowflake-cli-${CLI_VERSION}-${SYSTEM}-${MACHINE}.pkg
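Review bot: The final `codesign --timestamp --deep --force --verify --verbose --sign "${CODESIGN_IDENTITY}" ${APP_DIR}/${APP_NAME}` under `# codesign after changes` omits the `--options=runtime` and `--entitlements` that the removed `code_sign` helper passed. Since `--force` replaces the signatures already on the bundle, the hardened-runtime flag and entitlements requested in the pyinstaller step are probably not carried into the shipped app, and nothing checks the result now that `code_sign_validate` is gone. I would add `--options=runtime --entitlements "${PACKAGING_DIR}/macos/SnowflakeCLI_entitlements.plist"` to that command and follow it with `codesign --verify --deep --strict "${APP_DIR}/${APP_NAME}"`. Separately, `security -v unlock-keychain -p $MAC_USERNAME_PASSWORD login.keychain-db` puts the keychain password on the command line, and it would also land in the build log if this script runs with `set -x` as build_binaries.sh does (the script header is outside the hunk); quoting the variable and wrapping the call in `set +x` / `set -x` would limit that exposure.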
2 changes: 1 addition & 1 deletion scripts/packaging/macos/SnowflakeCLI.bash
@@ -4,7 +4,7 @@ BASEDIR=$(dirname $0)
osascript <<APPL_SCRIPT
tell application "Terminal"
if not (exists window 1) then reopen
do script "$BASEDIR/snow/snow" in the last window
do script "$BASEDIR/snow" in the last window
set the bounds of the last window to {0, 0, 1400, 800}
activate
end tell
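Review bot: The changed line `do script "$BASEDIR/snow" in the last window` hands the path to Terminal's shell unquoted, so the launcher breaks, or runs something other than the intended binary, if the app bundle sits under a path containing spaces or shell metacharacters. `BASEDIR=$(dirname $0)`, visible in the hunk header, has the same unquoted `$0`. I would use `BASEDIR=$(dirname "$0")` and `do script (quoted form of "$BASEDIR/snow") in the last window`. The rest of the script lies outside the hunk.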
2 changes: 1 addition & 1 deletion scripts/packaging/macos/postinstall
@@ -16,7 +16,7 @@ export PATH=$dest:\$PATH" >>$profile
}

echo "[DEBUG] Parameters: $1 $2"
SNOWFLAKE_CLI_DEST=$2/SnowflakeCLI.app/Contents/MacOS/snow/
SNOWFLAKE_CLI_DEST=$2/SnowflakeCLI.app/Contents/MacOS/

SNOWFLAKE_CLI_LOGIN_SHELL=~/.profile
if [[ -e ~/.zprofile ]]; then