
Commit d627d34

committed
Makefile: add notarization step for MacOS
Add a 'notarize.sh' script to notarize the generated package with the environment-specified credential profile. The script is only run if the signing build variables and 'APPLE_KEYCHAIN_PROFILE' are set, since Apple notarization can only succeed if the package contents *and* the resulting package are properly signed. Signed-off-by: Victoria Dye <[email protected]>
1 parent f779fea commit d627d34


2 files changed

+52
-0
lines changed


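--- a/Makefile
+++ b/Makefile
@@ -25,6 +25,7 @@ PACKAGE_ARCH := $(GOARCH)
 # Guard against environment variables
 APPLE_APP_IDENTITY =
 APPLE_INST_IDENTITY =
+APPLE_KEYCHAIN_PROFILE =
 
 # Build targets
 .PHONY: build
@@ -135,6 +136,22 @@ $(PKG_FILENAME): check-version $(PKGDIR)/payload
 --identity="$(APPLE_INST_IDENTITY)" \
 --output="$(PKG_FILENAME)"
 
+# Notarization can only happen if the package is fully signed
+ifdef APPLE_APP_IDENTITY
+ifdef APPLE_INST_IDENTITY
+ifdef APPLE_KEYCHAIN_PROFILE
+.PHONY: notarize
+notarize: $(PKG_FILENAME)
+@echo
+@echo "======== Notarizing package ========"
+@build/package/pkg/notarize.sh --package="$(PKG_FILENAME)" \
+--keychain-profile="$(APPLE_KEYCHAIN_PROFILE)"
+
+package: notarize
+endif
+endif
+endif
+
 .PHONY: package
 package: $(PKG_FILENAME)
 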
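Review bot: `notarize` is declared `.PHONY` and hooked into `package` via `package: notarize`, so every `make package` run with the three variables set re-submits the package to Apple's notarization service and re-staples it even when `$(PKG_FILENAME)` has not changed; a stamp file keyed to the package would make the step incremental. Whether the package itself is rebuilt on every run depends on the `check-version` prerequisite of the `$(PKG_FILENAME)` rule, whose recipe starts outside this hunk. Dropping the `@` from the `notarize.sh` recipe line would also keep the failing command visible in the log when notarization or stapling fails. The script is invoked directly, which relies on its execute bit being committed — the file mode is not shown on this page; `bash build/package/pkg/notarize.sh …` would not depend on it. A sketch of the stamp-file form:
```make
NOTARIZE_STAMP := $(PKG_FILENAME).notarized
$(NOTARIZE_STAMP): $(PKG_FILENAME)
	@echo
	@echo "======== Notarizing package ========"
	build/package/pkg/notarize.sh --package="$<" \
		--keychain-profile="$(APPLE_KEYCHAIN_PROFILE)"
	@touch $@

.PHONY: notarize
notarize: $(NOTARIZE_STAMP)
# … unchanged: package: notarize, endif lines …
```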
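--- /dev/null
+++ b/build/package/pkg/notarize.sh
@@ -0,0 +1,35 @@
+#!/bin/bash
+
+for i in "$@"
+do
+case "$i" in
+--package=*)
+PACKAGE="${i#*=}"
+shift # past argument=value
+;;
+--keychain-profile=*)
+KEYCHAIN_PROFILE="${i#*=}"
+shift # past argument=value
+;;
+*)
+die "unknown option '$i'"
+;;
+esac
+done
+
+if [ -z "$PACKAGE" ]; then
+echo "error: missing package argument"
+exit 1
+elif [ -z "$KEYCHAIN_PROFILE" ]; then
+echo "error: missing keychain profile argument"
+exit 1
+fi
+
+# Exit as soon as any line fails
+set -e
+
+# Send the notarization request
+xcrun notarytool submit -v "$PACKAGE" -p "$KEYCHAIN_PROFILE" --wait
+
+# Staple the notarization ticket (to allow offline installation)
+xcrun stapler staple -v "$PACKAGE"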
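Review bot: The `*)` branch of the `case` calls `die`, which this script never defines, so an unrecognised option yields `die: command not found` and, because `set -e` is only enabled after the loop, parsing carries on with the bad argument silently ignored. Define the helper before the loop, `die() { echo "error: $*" >&2; exit 1; }`, and consider moving `set -e` above the argument parsing so the early checks benefit from it too. The `shift` inside `for i in "$@"` has no effect, since the loop iterates over a copy of the argument list, and can be dropped. The two missing-argument errors on lines 21 and 24 go to stdout; routing them through the same `die` helper puts them on stderr with the same non-zero exit.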