fix: mac signing issue with arm64 (#10293)

Co-authored-by: Joshua Powers <powersj@influxdata.com>

scripts/mac-signing.sh

@@ -1,79 +1,101 @@
+#!/bin/bash
+
+function cleanup () {
+  echo "Cleaning up any existing Telegraf or Telegraf.app"
+  printf "\n"
+  rm -rf Telegraf
+  rm -rf Telegraf.app
+}
+
 # Acquire the necessary certificates.
-base64 -D -o MacCertificate.p12 <<< $MacCertificate
+# MacCertificate, MacCertificatePassword, AppleSigningAuthorityCertificate are environment variables, to follow convention they should have been all caps.
-sudo security import MacCertificate.p12 -k /Library/Keychains/System.keychain -P $MacCertificatePassword -A
+# shellcheck disable=SC2154
-base64 -D -o AppleSigningAuthorityCertificate.cer <<< $AppleSigningAuthorityCertificate
+base64 -D -o MacCertificate.p12 <<< "$MacCertificate"
+# shellcheck disable=SC2154
+sudo security import MacCertificate.p12 -k /Library/Keychains/System.keychain -P "$MacCertificatePassword" -A
+# shellcheck disable=SC2154
+base64 -D -o AppleSigningAuthorityCertificate.cer <<< "$AppleSigningAuthorityCertificate"
 sudo security import AppleSigningAuthorityCertificate.cer -k '/Library/Keychains/System.keychain' -A
 
-cd dist
+amdFile=$(find "$HOME/project/dist" -name "*darwin_amd64.tar*")
-amdFile=$(find . -name "*darwin_amd64.tar*")
+armFile=$(find "$HOME/project/dist" -name "*darwin_arm64.tar*")
-armFile=$(find . -name "*darwin_arm64.tar*")
+macFiles=("${amdFile}" "${armFile}")
-macFiles=(${amdFile} ${armFile})
 
+for tarFile in "${macFiles[@]}";
+do
+  cleanup
 
-for tarFile in ${macFiles[@]};
+  # Create the .app bundle directory structure
-do 
+  RootAppDir="Telegraf.app/Contents"
-  # Extract the built mac binary and sign it.
+  mkdir -p "$RootAppDir"
-  tar -xzvf $tarFile
+  mkdir -p "$RootAppDir/MacOS"
-  baseName=$(basename $tarFile .tar.gz)
+  mkdir -p "$RootAppDir/Resources"
-  cd $(find . -name "*telegraf-*" -type d)
-  cd usr/bin
-  codesign -s "Developer ID Application: InfluxData Inc. (M7DN9H35QT)" --timestamp --options=runtime telegraf
-  codesign -v telegraf
 
-  # Reset back out to the main directory.
+  DeveloperID="Developer ID Application: InfluxData Inc. (M7DN9H35QT)"
-  cd
-  cd project/dist
-  extractedFolder=$(find . -name "*telegraf-*" -type d)
 
-  # Sign the 'telegraf entry' script, which is required to open Telegraf upon opening the .app bundle.
+  # Sign telegraf binary and the telegraf_entry_mac script
-  codesign -s "Developer ID Application: InfluxData Inc. (M7DN9H35QT)" --timestamp --options=runtime ../scripts/telegraf_entry_mac
+  echo "Extract $tarFile to $RootAppDir/Resources"
-  codesign -v ../scripts/telegraf_entry_mac
+  tar -xzvf "$tarFile" --strip-components=2 -C "$RootAppDir/Resources"
+  printf "\n"
+  TelegrafBinPath="$RootAppDir/Resources/usr/bin/telegraf"
+  codesign --force -s "$DeveloperID" --timestamp --options=runtime "$TelegrafBinPath"
+  echo "Verify if $TelegrafBinPath was signed"
+  codesign -dvv "$TelegrafBinPath"
 
-  # Create the .app bundle.
+  printf "\n"
-  mkdir Telegraf
+
-  cd Telegraf
+  cp ~/project/scripts/telegraf_entry_mac "$RootAppDir"/MacOS
-  mkdir Contents
+  EntryMacPath="$RootAppDir/MacOS/telegraf_entry_mac"
-  cd Contents
+  codesign -s "$DeveloperID" --timestamp --options=runtime "$EntryMacPath"
-  mkdir MacOS
+  echo "Verify if $EntryMacPath was signed"
-  mkdir Resources
+  codesign -dvv "$EntryMacPath"
-  cd ../..
+
-  cp ../info.plist Telegraf/Contents
+  printf "\n"
-  cp -R "$extractedFolder"/ Telegraf/Contents/Resources
+
-  cp ../scripts/telegraf_entry_mac Telegraf/Contents/MacOS
+  cp ~/project/info.plist "$RootAppDir"
-  cp ../assets/icon.icns Telegraf/Contents/Resources
+  cp  ~/project/assets/icon.icns "$RootAppDir/Resources"
-  chmod +x Telegraf/Contents/MacOS/telegraf_entry_mac
+
-  mv Telegraf Telegraf.app
+  chmod +x "$RootAppDir/MacOS/telegraf_entry_mac"
 
   # Sign the entire .app bundle, and wrap it in a DMG.
-  codesign -s "Developer ID Application: InfluxData Inc. (M7DN9H35QT)" --timestamp --options=runtime --deep --force Telegraf.app
+  codesign -s "$DeveloperID" --timestamp --options=runtime --deep --force Telegraf.app
+  baseName=$(basename "$tarFile" .tar.gz)
+  echo "$baseName"
   hdiutil create -size 500m -volname Telegraf -srcfolder Telegraf.app "$baseName".dmg
-  codesign -s "Developer ID Application: InfluxData Inc. (M7DN9H35QT)" --timestamp --options=runtime "$baseName".dmg
+  codesign -s "$DeveloperID" --timestamp --options=runtime "$baseName".dmg
 
   # Send the DMG to be notarized.
+  # AppleUsername and ApplePassword are environment variables, to follow convention they should have been all caps.
+  # shellcheck disable=SC2154
   uuid=$(xcrun altool --notarize-app --primary-bundle-id "com.influxdata.telegraf" --username "$AppleUsername" --password "$ApplePassword" --file "$baseName".dmg | awk '/RequestUUID/ { print $NF; }')
-  echo $uuid
+  echo "UUID: $uuid"
-  if [[ $uuid == "" ]]; then 
+  if [[ $uuid == "" ]]; then
     echo "Could not upload for notarization."
     exit 1
   fi
 
+  printf "\n"
+
   # Wait until the status returns something other than 'in progress'.
   request_status="in progress"
   while [[ "$request_status" == "in progress" ]]; do
     sleep 10
-    request_status=$(xcrun altool --notarization-info $uuid --username "$AppleUsername" --password "$ApplePassword" 2>&1 | awk -F ': ' '/Status:/ { print $2; }' )
+    request_response=$(xcrun altool --notarization-info "$uuid" --username "$AppleUsername" --password "$ApplePassword" 2>&1)
+    request_status=$(echo "$request_response" | awk -F ': ' '/Status:/ { print $2; }' )
   done
 
   if [[ $request_status != "success" ]]; then
     echo "Failed to notarize."
+    echo "$request_response"
+    cleanup
     exit 1
   fi
 
   # Attach the notarization to the DMG.
   xcrun stapler staple "$baseName".dmg
-  rm -rf Telegraf.app
+  cleanup
-  rm -rf $extractedFolder
-  ls
 
-  echo "$tarFile Signed and notarized!"
+  mv "$baseName".dmg ~/project/dist
-done
+
+  echo "$baseName.dmg signed and notarized!"
+done