Makefile: add notarization step for MacOS

Add a 'notarize.sh' script to notarize the generated package with the
environment-specified credential profile. The script is only run if the
signing build variables and 'APPLE_KEYCHAIN_PROFILE' are set, since Apple
notarization can only succeed if the package contents *and* the resulting
package are properly signed.

Signed-off-by: Victoria Dye <[email protected]>

Author: vdye

Makefile

@@ -25,6 +25,7 @@ PACKAGE_ARCH := $(GOARCH)
 # Guard against environment variables
 APPLE_APP_IDENTITY =
 APPLE_INST_IDENTITY =
+APPLE_KEYCHAIN_PROFILE =
 
 # Build targets
 .PHONY: build
@@ -135,6 +136,22 @@ $(PKG_FILENAME): check-version $(PKGDIR)/payload
 				   --identity="$(APPLE_INST_IDENTITY)" \
 				   --output="$(PKG_FILENAME)"
 
+# Notarization can only happen if the package is fully signed
+ifdef APPLE_APP_IDENTITY
+ifdef APPLE_INST_IDENTITY
+ifdef APPLE_KEYCHAIN_PROFILE
+.PHONY: notarize
+notarize: $(PKG_FILENAME)
+	@echo
+	@echo "======== Notarizing package ========"
+	@build/package/pkg/notarize.sh --package="$(PKG_FILENAME)" \
+				       --keychain-profile="$(APPLE_KEYCHAIN_PROFILE)"
+
+package: notarize
+endif
+endif
+endif
+
 .PHONY: package
 package: $(PKG_FILENAME)
 

build/package/pkg/notarize.sh

@@ -0,0 +1,35 @@
+#!/bin/bash
+
+for i in "$@"
+do
+case "$i" in
+	--package=*)
+	PACKAGE="${i#*=}"
+	shift # past argument=value
+	;;
+	--keychain-profile=*)
+	KEYCHAIN_PROFILE="${i#*=}"
+	shift # past argument=value
+	;;
+	*)
+	die "unknown option '$i'"
+	;;
+esac
+done
+
+if [ -z "$PACKAGE" ]; then
+    echo "error: missing package argument"
+    exit 1
+elif [ -z "$KEYCHAIN_PROFILE" ]; then
+    echo "error: missing keychain profile argument"
+    exit 1
+fi
+
+# Exit as soon as any line fails
+set -e
+
+# Send the notarization request
+xcrun notarytool submit -v "$PACKAGE" -p "$KEYCHAIN_PROFILE" --wait
+
+# Staple the notarization ticket (to allow offline installation)
+xcrun stapler staple -v "$PACKAGE"