Mac Packaging / Notarization (#8878)

* initial commit * Updated config.yml * Update mac-signing.sh * Updated config.yml * Updated config.yml * Keep the .tar.gz artifact along with the signed and notarized DMG * change to test temporarily * for testing * Updated config.yml * Update config.yml * Update config.yml
2021-03-05 10:14:01 -05:00 · 2021-03-05 10:14:01 -05:00 · b6f043c0ee
parent 74d4836c25
commit b6f043c0ee
5 changed files with 133 additions and 1 deletions
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@ -179,9 +179,31 @@ jobs:
          shell: powershell.exe
          command: |
            ./scripts/windows-signing.ps1
      - persist_to_workspace:
          root: './build'
          paths:
            - 'dist'
      - store_artifacts:
          path: './build/dist'
          destination: 'build/dist'
  package-sign-mac:
    macos:
      xcode: "11.3"
    working_directory: /Users/distiller/project
    environment:
      FL_OUTPUT_DIR: output
      FASTLANE_LANE: test
    shell: /bin/bash --login -o pipefail
    steps:
      - checkout
      - attach_workspace:
          at: '.'
      - run:
          command: |
            sh ./scripts/mac-signing.sh
      - store_artifacts:
          path: './dist'
          destination: 'build/dist'
 workflows:
  version: 2
  check:
@ -253,6 +275,15 @@ workflows:
      - 'package-sign-windows':
          requires:
            - 'release'
          filters:
              tags:
                only: /.*/
      - 'package-sign-mac':
           requires:
             - 'package-sign-windows' 
           filters:
              tags:
                only: /.*/
  nightly:
    jobs:
      - 'linter'
--- a/assets/icon.icns
+++ b/assets/icon.icns
--- a/info.plist
+++ b/info.plist
@ -0,0 +1,16 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
 <plist version="1.0">
 <dict>
 	<key>CFBundleExecutable</key>
 	<string>telegraf_entry_mac</string>
 	<key>CFBundleIconFile</key>
 	<string>icon.icns</string>
 	<key>CFBundleIdentifier</key>
 	<string>com.influxdata.telegraf</string>
 	<key>NSHighResolutionCapable</key>
 	<true/>
 	<key>LSUIElement</key>
 	<true/>
 </dict>
 </plist>
--- a/scripts/mac-signing.sh
+++ b/scripts/mac-signing.sh
@ -0,0 +1,72 @@
 # Acquire the necessary certificates.
 base64 -D -o MacCertificate.p12 <<< $MacCertificate
 sudo security import MacCertificate.p12 -k /Library/Keychains/System.keychain -P $MacCertificatePassword -A
 base64 -D -o AppleSigningAuthorityCertificate.cer <<< $AppleSigningAuthorityCertificate
 sudo security import AppleSigningAuthorityCertificate.cer -k '/Library/Keychains/System.keychain' -A
 # Extract the built mac binary and sign it.
 cd dist
 tarFile=$(find . -name "*darwin_amd64.tar*")
 tar -xzvf $tarFile
 baseName=$(basename $tarFile .tar.gz)
 cd $(find . -name "*telegraf-*" -type d)
 cd usr/bin
 codesign -s "Developer ID Application: InfluxData Inc. (M7DN9H35QT)" --timestamp --options=runtime telegraf
 codesign -v telegraf
 # Reset back out to the main directory.
 cd
 cd project/dist
 extractedFolder=$(find . -name "*telegraf-*" -type d)
 # Sign the 'telegraf entry' script, which is required to open Telegraf upon opening the .app bundle.
 codesign -s "Developer ID Application: InfluxData Inc. (M7DN9H35QT)" --timestamp --options=runtime ../scripts/telegraf_entry_mac
 codesign -v ../scripts/telegraf_entry_mac
 # Create the .app bundle.
 mkdir Telegraf
 cd Telegraf
 mkdir Contents
 cd Contents
 mkdir MacOS
 mkdir Resources
 cd ../..
 cp ../info.plist Telegraf/Contents
 cp -R "$extractedFolder"/ Telegraf/Contents/Resources
 cp ../scripts/telegraf_entry_mac Telegraf/Contents/MacOS
 cp ../assets/icon.icns Telegraf/Contents/Resources
 chmod +x Telegraf/Contents/MacOS/telegraf_entry_mac
 mv Telegraf Telegraf.app
 # Sign the entire .app bundle, and wrap it in a DMG.
 codesign -s "Developer ID Application: InfluxData Inc. (M7DN9H35QT)" --timestamp --options=runtime --deep --force Telegraf.app
 hdiutil create -size 500m -volname Telegraf -srcfolder Telegraf.app "$baseName".dmg
 codesign -s "Developer ID Application: InfluxData Inc. (M7DN9H35QT)" --timestamp --options=runtime "$baseName".dmg
 # Send the DMG to be notarized.
 uuid=$(xcrun altool --notarize-app --primary-bundle-id "com.influxdata.telegraf" --username "$AppleUsername" --password "$ApplePassword" --file "$baseName".dmg | awk '/RequestUUID/ { print $NF; }')
 echo $uuid
 if [[ $uuid == "" ]]; then 
  echo "Could not upload for notarization."
  exit 1
 fi
 # Wait until the status returns something other than 'in progress'.
 request_status="in progress"
 while [[ "$request_status" == "in progress" ]]; do
  sleep 10
  request_status=$(xcrun altool --notarization-info $uuid --username "$AppleUsername" --password "$ApplePassword" 2>&1 | awk -F ': ' '/Status:/ { print $2; }' )
 done
 if [[ $request_status != "success" ]]; then
  echo "Failed to notarize."
  exit 1
 fi
 # Attach the notarization to the DMG.
 xcrun stapler staple "$baseName".dmg
 rm -rf Telegraf.app
 rm -rf $extractedFolder
 ls
 echo "Signed and notarized!"
--- a/scripts/telegraf_entry_mac
+++ b/scripts/telegraf_entry_mac
@ -0,0 +1,13 @@
 #!/bin/bash
 currentDir="$( cd "$(dirname "$0")" ; pwd -P )"
 if [[ $currentDir == *"AppTranslocation"* || $currentDir == *"Volumes"* ]]; then
  osascript -e "display alert \"Please copy Telegraf to somewhere on your machine. It can't be run from the image.\" as critical"
 else
  cd $currentDir
  osascript<<EOF
  tell application "Terminal"
      do script "$currentDir/../Resources/usr/bin/telegraf $@"
  end tell
 EOF
 fi