From 4eb8a5b9beaaa636481c885a49a932c92eec384e Mon Sep 17 00:00:00 2001
From: Jamil
Date: Thu, 9 Jan 2025 15:24:25 -0800
Subject: [PATCH] ci: Notarize disk image instead of .zip (#7718)

Rather than notarizing the embedded app, the `notarytool` supports notarizing the entire disk image instead which will recursively notarize relevant binaries inside.
---
 scripts/build/macos-standalone.sh | 48 ++++++++++++++++---------------
 1 file changed, 25 insertions(+), 23 deletions(-)

diff --git a/scripts/build/macos-standalone.sh b/scripts/build/macos-standalone.sh
index b245d0844..d4ece0ff7 100755
--- a/scripts/build/macos-standalone.sh
+++ b/scripts/build/macos-standalone.sh
@@ -49,29 +49,6 @@ xcodebuild build \
 -sdk macosx \
 -destination 'platform=macOS'
 
-# Notarize app before embedding within disk image
-if [ "$notarize" = "true" ]; then
- # Notary service expects a single file, not app bundle
- ditto -c -k "$temp_dir/Firezone.app" "$temp_dir/Firezone.zip"
-
- private_key_path="$temp_dir/firezone-api-key.p8"
- base64_decode "$API_KEY" "$private_key_path"
-
- # Submit app bundle to be notarized. Can take a few minutes.
- # Notarizes embedded app bundle as well.
- xcrun notarytool submit "$temp_dir/Firezone.zip" \
- --key "$private_key_path" \
- --key-id "$API_KEY_ID" \
- --issuer "$ISSUER_ID" \
- --wait
-
- # Clean up private key
- rm "$private_key_path"
-
- # Staple notarization ticket to app bundle
- xcrun stapler staple "$temp_dir/Firezone.app"
-fi
-
 # Create disk image
 mkdir -p "$dmg_dir/.background"
 mv "$temp_dir/Firezone.app" "$dmg_dir/Firezone.app"
@@ -121,6 +98,31 @@ codesign --force --sign "$codesign_identity" "$dmg_path"
 
 echo "Disk image created at $dmg_path"
 
+# Notarize disk image; notarizes embedded app bundle as well
+if [ "$notarize" = "true" ]; then
+ private_key_path="$temp_dir/firezone-api-key.p8"
+ base64_decode "$API_KEY" "$private_key_path"
+
+ # Submit app bundle to be notarized. Can take a few minutes.
+ # Notarizes embedded app bundle as well.
+ xcrun notarytool submit "$dmg_path" \
+ --key "$private_key_path" \
+ --key-id "$API_KEY_ID" \
+ --issuer "$ISSUER_ID" \
+ --wait
+
+ # Clean up private key
+ rm "$private_key_path"
+
+ # Staple notarization ticket to app bundle
+ xcrun stapler staple "$dmg_path"
+
+ # Verify notarization
+ xcrun stapler validate "$dmg_path"
+
+ echo "Disk image notarized!"
+fi
+
 # Move to final location the uploader expects
 if [[ -n "${ARTIFACT_PATH:-}" ]]; then
 mv "$dmg_path" "$ARTIFACT_PATH"
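Review bot: The decoded API private key written to `private_key_path` is only removed on the success path — if `xcrun notarytool submit ... --wait` exits non-zero (and the script aborts there under `set -e`, which is not visible in this hunk), the `.p8` file is left behind in `$temp_dir`. Registering the removal before the submit, e.g. `trap 'rm -f -- "$private_key_path"' EXIT` (merged with whatever EXIT trap the script may already install), makes the cleanup independent of how that step fails; the explicit `rm` afterwards can stay. The comments carried over from the removed block are now stale: `# Submit app bundle to be notarized. Can take a few minutes.` and `# Staple notarization ticket to app bundle` both act on the disk image here, and the second `# Notarizes embedded app bundle as well.` repeats the header comment on the `if`. Reword them as `# Submit disk image to be notarized. Can take a few minutes.` and `# Staple notarization ticket to disk image`, dropping the duplicate line.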