Mac Packaging / Notarization (influxdata#8878)

* initial commit * Updated config.yml * Update mac-signing.sh * Updated config.yml * Updated config.yml * Keep the .tar.gz artifact along with the signed and notarized DMG * change to test temporarily * for testing * Updated config.yml * Update config.yml * Update config.yml
arstercz · Mar 5, 2021 · b6f043c · b6f043c
1 parent 74d4836
commit b6f043c
Show file tree

Hide file tree

Showing 5 changed files with 133 additions and 1 deletion.
diff --git a/.circleci/config.yml b/.circleci/config.yml
@@ -179,9 +179,31 @@ jobs:
           shell: powershell.exe
           command: |
             ./scripts/windows-signing.ps1
+      - persist_to_workspace:
+          root: './build'
+          paths:
+            - 'dist'
       - store_artifacts:
           path: './build/dist'
           destination: 'build/dist'
+  package-sign-mac:
+    macos:
+      xcode: "11.3"
+    working_directory: /Users/distiller/project
+    environment:
+      FL_OUTPUT_DIR: output
+      FASTLANE_LANE: test
+    shell: /bin/bash --login -o pipefail
+    steps:
+      - checkout
+      - attach_workspace:
+          at: '.'
+      - run:
+          command: |
+            sh ./scripts/mac-signing.sh
+      - store_artifacts:
+          path: './dist'
+          destination: 'build/dist'
 workflows:
   version: 2
   check:
@@ -253,6 +275,15 @@ workflows:
       - 'package-sign-windows':
           requires:
             - 'release'
+          filters:
+              tags:
+                only: /.*/
+      - 'package-sign-mac':
+           requires:
+             - 'package-sign-windows' 
+           filters:
+              tags:
+                only: /.*/
   nightly:
     jobs:
       - 'linter'
@@ -288,4 +319,4 @@ workflows:
           filters:
             branches:
               only:
-                - master
+                - master
diff --git a/assets/icon.icns b/assets/icon.icns
diff --git a/info.plist b/info.plist
@@ -0,0 +1,16 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+	<key>CFBundleExecutable</key>
+	<string>telegraf_entry_mac</string>
+	<key>CFBundleIconFile</key>
+	<string>icon.icns</string>
+	<key>CFBundleIdentifier</key>
+	<string>com.influxdata.telegraf</string>
+	<key>NSHighResolutionCapable</key>
+	<true/>
+	<key>LSUIElement</key>
+	<true/>
+</dict>
+</plist>
diff --git a/scripts/mac-signing.sh b/scripts/mac-signing.sh
@@ -0,0 +1,72 @@
+# Acquire the necessary certificates.
+base64 -D -o MacCertificate.p12 <<< $MacCertificate
+sudo security import MacCertificate.p12 -k /Library/Keychains/System.keychain -P $MacCertificatePassword -A
+base64 -D -o AppleSigningAuthorityCertificate.cer <<< $AppleSigningAuthorityCertificate
+sudo security import AppleSigningAuthorityCertificate.cer -k '/Library/Keychains/System.keychain' -A
+
+# Extract the built mac binary and sign it.
+cd dist
+tarFile=$(find . -name "*darwin_amd64.tar*")
+tar -xzvf $tarFile
+baseName=$(basename $tarFile .tar.gz)
+cd $(find . -name "*telegraf-*" -type d)
+cd usr/bin
+codesign -s "Developer ID Application: InfluxData Inc. (M7DN9H35QT)" --timestamp --options=runtime telegraf
+codesign -v telegraf
+
+# Reset back out to the main directory.
+cd
+cd project/dist
+extractedFolder=$(find . -name "*telegraf-*" -type d)
+
+# Sign the 'telegraf entry' script, which is required to open Telegraf upon opening the .app bundle.
+codesign -s "Developer ID Application: InfluxData Inc. (M7DN9H35QT)" --timestamp --options=runtime ../scripts/telegraf_entry_mac
+codesign -v ../scripts/telegraf_entry_mac
+
+# Create the .app bundle.
+mkdir Telegraf
+cd Telegraf
+mkdir Contents
+cd Contents
+mkdir MacOS
+mkdir Resources
+cd ../..
+cp ../info.plist Telegraf/Contents
+cp -R "$extractedFolder"/ Telegraf/Contents/Resources
+cp ../scripts/telegraf_entry_mac Telegraf/Contents/MacOS
+cp ../assets/icon.icns Telegraf/Contents/Resources
+chmod +x Telegraf/Contents/MacOS/telegraf_entry_mac
+mv Telegraf Telegraf.app
+
+# Sign the entire .app bundle, and wrap it in a DMG.
+codesign -s "Developer ID Application: InfluxData Inc. (M7DN9H35QT)" --timestamp --options=runtime --deep --force Telegraf.app
+hdiutil create -size 500m -volname Telegraf -srcfolder Telegraf.app "$baseName".dmg
+codesign -s "Developer ID Application: InfluxData Inc. (M7DN9H35QT)" --timestamp --options=runtime "$baseName".dmg
+
+# Send the DMG to be notarized.
+uuid=$(xcrun altool --notarize-app --primary-bundle-id "com.influxdata.telegraf" --username "$AppleUsername" --password "$ApplePassword" --file "$baseName".dmg | awk '/RequestUUID/ { print $NF; }')
+echo $uuid
+if [[ $uuid == "" ]]; then 
+  echo "Could not upload for notarization."
+  exit 1
+fi
+
+# Wait until the status returns something other than 'in progress'.
+request_status="in progress"
+while [[ "$request_status" == "in progress" ]]; do
+  sleep 10
+  request_status=$(xcrun altool --notarization-info $uuid --username "$AppleUsername" --password "$ApplePassword" 2>&1 | awk -F ': ' '/Status:/ { print $2; }' )
+done
+
+if [[ $request_status != "success" ]]; then
+  echo "Failed to notarize."
+  exit 1
+fi
+
+# Attach the notarization to the DMG.
+xcrun stapler staple "$baseName".dmg
+rm -rf Telegraf.app
+rm -rf $extractedFolder
+ls
+
+echo "Signed and notarized!"
diff --git a/scripts/telegraf_entry_mac b/scripts/telegraf_entry_mac
@@ -0,0 +1,13 @@
+#!/bin/bash
+currentDir="$( cd "$(dirname "$0")" ; pwd -P )"
+
+if [[ $currentDir == *"AppTranslocation"* || $currentDir == *"Volumes"* ]]; then
+  osascript -e "display alert \"Please copy Telegraf to somewhere on your machine. It can't be run from the image.\" as critical"
+else
+  cd $currentDir
+  osascript<<EOF
+  tell application "Terminal"
+      do script "$currentDir/../Resources/usr/bin/telegraf $@"
+  end tell
+EOF
+fi