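#!/usr/bin/env bash

# This script notarizes the provided zip file using an Apple Developer account.
#
# Usage: ./notarize_darwin.sh path/to/zipfile.zip
#
# The provided zip file must contain a coder binary that has already been signed
# using ./sign_darwin.sh.
#
# On success, all of the contained binaries inside the input zip file will be
# notarized. This does not make any changes to the zip or the contained files
# themselves, but GateKeeper checks will pass for the binaries inside the zip
# file as long as the device is connected to the internet to download the
# notarization ticket from Apple.
#
# You can check if a binary is notarized by running the following command on a
# Mac:
# spctl --assess -vvv -t install path/to/binary
#
# Depends on the rcodesign utility. Requires the following environment variables
# to be set:
# - $AC_APIKEY_ISSUER_ID: The issuer UUID of the Apple App Store Connect API
# key.
# - $AC_APIKEY_ID: The key ID of the Apple App Store Connect API key.
# - $AC_APIKEY_FILE: The path to the private key P8 file of the Apple App Store
# Connect API key.

set -euo pipefail
# shellcheck source=scripts/lib.sh
source "$(dirname "${BASH_SOURCE[0]}")/lib.sh"

# Check dependencies
dependencies rcodesign
requiredenvs AC_APIKEY_ISSUER_ID AC_APIKEY_ID AC_APIKEY_FILE

# rcodesign needs at least one file to submit; fail early with a usage hint
# rather than encoding the API key and letting the submit step error out.
if (( $# < 1 )); then
  log "Usage: $0 path/to/zipfile.zip"
  exit 1
fi

# Encode the notarization key components into a JSON file for easily calling
# `rcodesign notary-submit`. The encoded file contains the private key, so it
# is created with mktemp, restricted to the current user, and removed on every
# exit path (including failures under `set -e`).
key_file="$(mktemp)"
chmod 600 "$key_file"
trap 'rm -f "$key_file"' EXIT
rcodesign encode-app-store-connect-api-key \
  "$AC_APIKEY_ISSUER_ID" \
  "$AC_APIKEY_ID" \
  "$AC_APIKEY_FILE" \
  >"$key_file"

# The notarization process is very fragile and heavily dependent on Apple's
# notarization server not returning server errors, so we retry this step
# NOTARY_SUBMIT_ATTEMPTS times with a delay of NOTARY_SUBMIT_RETRY_DELAY seconds
# between attempts.
readonly NOTARY_SUBMIT_ATTEMPTS=2
readonly NOTARY_SUBMIT_RETRY_DELAY=30

rc=0
for ((i = 1; i <= NOTARY_SUBMIT_ATTEMPTS; i++)); do
  # -v is quite verbose, the default output is pretty good on its own. Adding
  # -v makes it dump the credentials used for uploading to Apple's S3 bucket.
  #
  # Output is sent to stderr so stdout stays clean for callers. The exit
  # status is captured with `|| rc=$?` so a failed attempt does not trip
  # `set -e` before the retry logic below runs.
  rc=0
  rcodesign notary-submit \
    --api-key-path "$key_file" \
    --wait \
    "$@" \
    1>&2 || rc=$?
  if (( rc == 0 )); then
    break
  fi

  log "rcodesign exit code: $rc"
  if (( i < NOTARY_SUBMIT_ATTEMPTS )); then
    log
    log "Retrying notarization in $NOTARY_SUBMIT_RETRY_DELAY seconds"
    log
    sleep "$NOTARY_SUBMIT_RETRY_DELAY"
  else
    log
    log "Giving up :("
  fi
done

# Propagate the status of the last notary-submit attempt (0 on success).
exit "$rc"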