improved code signing & implemented notarization for macOS

fixes #50

Author: pinhead84

release/.env.example

@@ -0,0 +1,21 @@
+#!/usr/bin/env bash
+#
+# Environment variables for build scripts.
+# Copy this file to ".env" and enter your environment variables.
+#
+
+# In order to sign the application for yourself, you need to obtain a Developer ID from Apple and set the
+# name of your signature key in the APPLE_CODESIGN_KEY variable.
+APPLE_CODESIGN_KEY=""
+
+# In order to notarize the application, you need to obtain a Developer ID from Apple and set its email address in the
+# APPLE_DEVELOPER_MAIL variable.
+APPLE_DEVELOPER_MAIL=""
+
+# In order to notarize the application, you need to obtain a Developer ID from Apple and set its password in the
+# APPLE_DEVELOPER_PASSWORD variable. If no password is provided, you need to enter it manually during the notification
+# process.
+#
+# Notice: You can't use the global password. Instead you need to login at https://appleid.apple.com/ with your account
+# and create an application specific password.
+APPLE_DEVELOPER_PASSWORD=""

release/.gitignore

@@ -1,3 +1,5 @@
-signed
-target
-website
+/.env
+/signed
+/notarized
+/target
+/website

release/codesign-macos.sh

@@ -19,59 +19,99 @@
 # ----------------------------------------------------------------------------
 # NOTICE: This script has to be executed on a macOS system with the
 # required certificate available. In order to sign the application for
-# yourself, you need to obtain a Developer ID from Apple and set the
-# KEY variable accordingly.
+# yourself, you need to obtain a Developer ID from Apple and set some
+# environment variables in the ".env" file. If it is not available, create a
+# copy from ".env.example".
 # ----------------------------------------------------------------------------
 
-KEY="Developer ID Application: Andreas Rudolph (H48THMS543)"
-DIR=$( cd $( dirname ${BASH_SOURCE[0]} ) && pwd )
-TARGET_DIR="$DIR/target"
-SIGNED_DIR="$DIR/signed"
-TEMP_DIR="$TARGET_DIR/codesign"
+DIR=$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)
+TARGET_DIR="${DIR}/target"
+SIGNED_DIR="${DIR}/signed"
 FOUND="0"
 set -e
 
-mkdir -p "$SIGNED_DIR"
-export LANG="en_US.UTF-8"
+APPLE_CODESIGN_KEY=""
+if [[ -f "${DIR}/.env" ]]; then
+ source "${DIR}/.env"
+fi
 
-for f in ${TARGET_DIR}/*.macos-*.tar.gz; do
+if [[ -z "${APPLE_CODESIGN_KEY}" ]]; then
+ echo "ERROR: No signature key was specified!"
+ exit 1
+fi
+
+mkdir -p "${SIGNED_DIR}"
+export LANG="en_US.UTF-8"
 
- if [[ "$FOUND" == "0" ]]; then
- echo ""
- printf "\e[1m\e[92m=======================================================================\e[0m\n"
- printf "\e[1m\e[92m Unlocking keychain...\e[0m\n"
- printf "\e[1m\e[92m=======================================================================\e[0m\n"
- echo ""
- security unlock-keychain
- fi
+for f in "${TARGET_DIR}"/*.macos-*.tar.gz; do
 
-  FOUND="1"
+ if [[ "${FOUND}" == "0" ]]; then
  echo ""
  printf "\e[1m\e[92m=======================================================================\e[0m\n"
- printf "\e[1m\e[92m Processing $(basename "$f")...\e[0m\n"
+ printf "\e[1m\e[92m Unlocking keychain...\e[0m\n"
  printf "\e[1m\e[92m=======================================================================\e[0m\n"
  echo ""
- rm -Rf "$TEMP_DIR"
- mkdir -p "$TEMP_DIR"
- tar xfz "$f" -C "$TEMP_DIR"
- pkg="$(ls -1 "$TEMP_DIR")"
- codesign --deep -s "$KEY" "$TEMP_DIR/$pkg"
- echo "Verifying signature:"
- codesign -d --verbose=4 "$TEMP_DIR/$pkg"
- echo ""
- echo "Verifying access for Gatekeeper:"
- spctl --assess --verbose=4 --type execute "$TEMP_DIR/$pkg"
- echo ""
- echo "Storing signed application bundle at:"
- echo "$SIGNED_DIR/$(basename "$f")"
- rm -f "$SIGNED_DIR/$(basename "$f")"
- cd "$TEMP_DIR"
- tar cfz "$SIGNED_DIR/$(basename "$f")" "$pkg"
+ security unlock-keychain
+ fi
+
+ FOUND="1"
+ archive="$(basename "${f}")"
+ archive_name="$(basename "${archive}" ".tar.gz")"
+ signed_dir="${SIGNED_DIR}/${archive_name}"
+ rm -Rf "${signed_dir}"
+ mkdir -p "${signed_dir}"
+
+ echo ""
+ printf "\e[1m\e[92m=======================================================================\e[0m\n"
+ printf "\e[1m\e[92m Processing %s...\e[0m\n" "${archive}"
+ printf "\e[1m\e[92m=======================================================================\e[0m\n"
+
+ echo ""
+ echo "Extracting application bundle."
+ tar xfz "${f}" -C "${signed_dir}"
+ pkg="$(ls -1 "${signed_dir}")"
+ signed_bundle="${signed_dir}/${pkg}"
+
+ echo ""
+ echo "Signing application bundle at:"
+ echo ""
+ echo "${signed_bundle}"
+ codesign --deep --force --verify --sign "${APPLE_CODESIGN_KEY}" --options runtime "${signed_bundle}"
+
+ echo ""
+ echo "Verifying signature:"
+ codesign --verify --verbose=4 "${signed_bundle}"
+ #codesign --display --verbose=4 "${signed_bundle}"
+
+ echo ""
+ echo "Verifying access for Gatekeeper:"
+ spctl --assess --verbose=4 --type execute "${signed_dir}/${pkg}"
+
+ echo ""
+ echo "Compressing application bundle to:"
+ signed_tar="${signed_dir}/${archive_name}.tar.gz"
+ echo "${signed_tar}"
+ cd "${signed_dir}"
+ rm -f "${signed_tar}"
+ tar cfz "${signed_tar}" "$(basename "${signed_bundle}")"
+
+ echo ""
+ echo "Compressing application bundle to:"
+ signed_zip="${signed_dir}/${archive_name}.zip"
+ echo "${signed_zip}"
+ cd "${signed_dir}"
+ rm -f "${signed_zip}"
+ # According to Apples documentation "Customizing the Notarization Workflow" at
+ # https://developer.apple.com/documentation/xcode/notarizing_macos_software_before_distribution/customizing_the_notarization_workflow
+ # we can't use the ZIP command, as it leads to problems in the notarization process.
+ # Therefore we're using ditto instead.
+ #zip -r -q "${signed_zip}" "$(basename "${signed_bundle}")"
+ ditto -c -k --keepParent "$(basename "${signed_bundle}")" "${signed_zip}"
+
 done
 
-if [[ "$FOUND" == "0" ]]; then
- echo "ERROR: No macOS packages were found at:"
- echo "$TARGET_DIR"
+if [[ "${FOUND}" == "0" ]]; then
+ echo "ERROR: No macOS packages were found at:"
+ echo "${TARGET_DIR}"
+ exit 1
 fi
-
-rm -Rf "$TEMP_DIR"

release/notarize-macos-finish.sh

@@ -0,0 +1,114 @@
+#!/usr/bin/env bash
+#
+# Creates a notarized application bundle after upload and approval.
+# Copyright 2015-2021 OpenIndex.de
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+# ----------------------------------------------------------------------------
+# NOTICE: This script has to be executed on a macOS system with the
+# required certificate available. In order to sign the application for
+# yourself, you need to obtain a Developer ID from Apple and set some
+# environment variables in the ".env" file. If it is not available, create a
+# copy from ".env.example".
+# ----------------------------------------------------------------------------
+
+# ----------------------------------------------------------------------------
+# Further information about notarization:
+# https://successfulsoftware.net/2018/11/16/how-to-notarize-your-software-on-macos/
+# https://developer.apple.com/documentation/xcode/notarizing_macos_software_before_distribution/customizing_the_notarization_workflow
+# ----------------------------------------------------------------------------
+
+DIR=$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)
+SIGNED_DIR="${DIR}/signed"
+NOTARIZED_DIR="${DIR}/notarized"
+FOUND="0"
+set -e
+
+if [[ -n "${1}" ]]; then
+ # Using application bundle, provided as first command line argument.
+ PKG_DIR="${SIGNED_DIR}/$(basename "$1")"
+else
+ # Otherwise, showing available application bundles and let the user select.
+ for f in "${SIGNED_DIR}"/*; do
+ if [[ -d "${f}" ]]; then
+ n=$(basename "${f}")
+ if [[ -f "${f}/${n}.zip" ]]; then
+ if [[ "${FOUND}" == "0" ]]; then
+ echo ""
+ printf "\e[1m\e[92m=======================================================================\e[0m\n"
+ printf "\e[1m\e[92m Available signed macOS application bundles:\e[0m\n"
+ printf "\e[1m\e[92m=======================================================================\e[0m\n"
+ echo ""
+ fi
+ FOUND="1"
+ echo "${n}"
+ fi
+ fi
+ done
+
+ if [[ "${FOUND}" == "0" ]]; then
+ echo "ERROR: No signed macOS packages were found at:"
+ echo "${SIGNED_DIR}"
+ exit 1
+ fi
+
+ echo ""
+ echo "Which of these bundles were successfully notarized and are ready for release?"
+ read -r -p "Enter one of the packages names listed above: " pkg
+
+ PKG_DIR="${SIGNED_DIR}/${pkg}"
+fi
+
+if [[ ! -d "${PKG_DIR}" ]]; then
+ echo ""
+ echo "ERROR: The application bundle does not exist in \"${SIGNED_DIR}\"!"
+ exit 1
+fi
+
+PKG_NAME="$(basename "${PKG_DIR}")"
+
+PKG_BUNDLE=$(find "${PKG_DIR}" -maxdepth 1 -type d -name "*.app" | head -1)
+if [[ ! -d "${PKG_BUNDLE}" ]]; then
+ echo ""
+ echo "ERROR: Na application bundle found within \"${SIGNED_DIR}\"!"
+ exit 1
+fi
+
+echo ""
+printf "\e[1m\e[92m=======================================================================\e[0m\n"
+printf "\e[1m\e[92m Finishing notarization for %s...\e[0m\n" "${PKG_NAME}"
+printf "\e[1m\e[92m=======================================================================\e[0m\n"
+echo ""
+
+xcrun stapler staple -v "${PKG_BUNDLE}"
+
+mkdir -p "${NOTARIZED_DIR}"
+NOTARIZED_ARCHIVE="${NOTARIZED_DIR}/${PKG_NAME}.tar.gz"
+
+echo ""
+printf "\e[1m\e[92m=======================================================================\e[0m\n"
+printf "\e[1m\e[92m Archiving notarized application bundle...\e[0m\n"
+printf "\e[1m\e[92m=======================================================================\e[0m\n"
+echo ""
+echo "Archiving notarized application bundle to:"
+echo "${NOTARIZED_ARCHIVE}"
+cd "${PKG_DIR}"
+tar cfz "${NOTARIZED_ARCHIVE}" "$(basename "${PKG_BUNDLE}")"
+
+echo ""
+echo "It seems, that the notarization process finished successfully!"
+echo "Please check the output above for the message:"
+echo " \"The staple and validate action worked!\""
+echo ""