Sign MacOS Binaries with JFrog Certificate #2563

Open. Wants to merge 197 commits into base: dev. Changes from 190 commits.

Commits (197):
c55e8a6
Test sign
EyalDelarea Jun 3, 2024
75b2099
Test sign
EyalDelarea Jun 3, 2024
47d17ec
Test
EyalDelarea Jun 3, 2024
719a144
permissions
EyalDelarea Jun 3, 2024
0f2a042
Test
EyalDelarea Jun 3, 2024
d69ea64
Test
EyalDelarea Jun 3, 2024
18cf657
Test
EyalDelarea Jun 3, 2024
a14f1b7
Test
EyalDelarea Jun 3, 2024
bd27d32
Test
EyalDelarea Jun 3, 2024
63c076f
Test
EyalDelarea Jun 3, 2024
780fba2
Test
EyalDelarea Jun 3, 2024
bdd0b11
Test
EyalDelarea Jun 3, 2024
69c3d24
Test
EyalDelarea Jun 3, 2024
a07db27
Test
EyalDelarea Jun 3, 2024
0d1d6fb
Test
EyalDelarea Jun 3, 2024
450eead
Test
EyalDelarea Jun 3, 2024
5913396
Test
EyalDelarea Jun 3, 2024
677133f
Test
EyalDelarea Jun 3, 2024
161e1d6
Test
EyalDelarea Jun 3, 2024
10952e8
Add comments
EyalDelarea Jun 3, 2024
cc97c00
TEST
EyalDelarea Jun 3, 2024
ca25bef
TEST
EyalDelarea Jun 3, 2024
b6415a3
Update script
EyalDelarea Jun 3, 2024
0a9a365
Merge branch 'dev' of https://github.com/jfrog/jfrog-cli into sign_ap…
EyalDelarea Jun 3, 2024
4d3e17d
Update script path
EyalDelarea Jun 3, 2024
cc5d979
Update
EyalDelarea Jun 3, 2024
7a41d74
Update
EyalDelarea Jun 3, 2024
6c0d359
Update
EyalDelarea Jun 3, 2024
8fee265
Refactor
EyalDelarea Jun 3, 2024
ed30c5d
Change to manual trigger
EyalDelarea Jun 3, 2024
f4f78e1
Upload artifact
EyalDelarea Jun 3, 2024
8e3c73b
Fix syntax
EyalDelarea Jun 3, 2024
52700fa
Use build script
EyalDelarea Jun 3, 2024
8b091d8
Update builders
EyalDelarea Jun 3, 2024
456d5d3
Add commit constraint
EyalDelarea Jun 3, 2024
235cf3c
Add commit constraint
EyalDelarea Jun 3, 2024
94ad9cd
Fix
EyalDelarea Jun 3, 2024
f3b46d6
update github script
EyalDelarea Jun 3, 2024
14dac7e
Bump version from 1.0.0 to 2.0.0
EyalDelarea Jun 3, 2024
eb7e99b
Debug
EyalDelarea Jun 3, 2024
4165736
Bump version from 1.0.0 to 2.0.0
EyalDelarea Jun 3, 2024
f3d3d9c
Bump version 1.0.0 to 2.0.0
EyalDelarea Jun 3, 2024
1fec8ad
Bump version from 1.0.0 to 2.0.0
EyalDelarea Jun 3, 2024
d7a965a
Bump version from 1.0.0 to 2.0.0
EyalDelarea Jun 3, 2024
df84972
test commit
EyalDelarea Jun 3, 2024
d4c1bf3
Bump version from 1.0.0 to 2.0.0
EyalDelarea Jun 3, 2024
f57d392
Bump version from 1.0.0 to 2.0.0
EyalDelarea Jun 3, 2024
bdf0e3c
Bump version from 1.0.0 to 2.0.0
EyalDelarea Jun 3, 2024
819e49c
Bump version from 1.0.0 to 2.0.0
EyalDelarea Jun 3, 2024
81bc53a
Test
EyalDelarea Jun 3, 2024
f6165e6
Test vars
EyalDelarea Jun 3, 2024
e1fe670
Simplify
EyalDelarea Jun 3, 2024
2d14065
Update signMacOsBinaries.yml
EyalDelarea Jun 4, 2024
c874f15
Export env
EyalDelarea Jun 4, 2024
089e03a
Test Delete old artifacts
EyalDelarea Jun 4, 2024
85cb329
Test Delete old artifacts
EyalDelarea Jun 4, 2024
9f3b55c
Fix syntax
EyalDelarea Jun 4, 2024
42a3494
Fix syntax
EyalDelarea Jun 4, 2024
a219287
Refactor
EyalDelarea Jun 4, 2024
852b7bf
Refactor
EyalDelarea Jun 4, 2024
0ba3e2d
Refactor
EyalDelarea Jun 4, 2024
4c40e2e
Test
EyalDelarea Jun 4, 2024
7cc9cfd
Test
EyalDelarea Jun 4, 2024
6ab6ffd
bump version from 1.2.3 to 4.5.6
EyalDelarea Jun 4, 2024
d9772f8
bump version from 1.2.3 to 4.5.7
EyalDelarea Jun 4, 2024
0f42530
Bump version from 0.0.0 to 1.2.2
EyalDelarea Jun 4, 2024
6c0cb07
Bump version from 0.0.0 to 1.2.3
EyalDelarea Jun 4, 2024
d3bbcf7
Bump version from 0.0.0 to 1.5.3
EyalDelarea Jun 4, 2024
efabc1c
Bump version from 0.0.0 to 1.5.3
EyalDelarea Jun 4, 2024
56f11a3
Bump version from 1.0.0 to 1.5.3
EyalDelarea Jun 4, 2024
e9b1163
Bump version from 1.4.0 to 1.5.3
EyalDelarea Jun 4, 2024
ce65eb8
Bump version from 1.4.0 to 1.5.3
EyalDelarea Jun 4, 2024
7df4d90
Bump version from 1.4.0 to 1.5.3
EyalDelarea Jun 4, 2024
42664c0
Bump version from 1.4.0 to 1.5.3
EyalDelarea Jun 4, 2024
cb8e65f
Bump version from 0.0.0 to 5.5.5
EyalDelarea Jun 4, 2024
01e882a
Bump version from 0.0.0 to 5.5.5
EyalDelarea Jun 4, 2024
7c9650f
Bump version from 0.0.0 to 5.54.5
EyalDelarea Jun 4, 2024
51bcf47
Bump version from 0.0.0 to 5.54.5
EyalDelarea Jun 4, 2024
de619ff
Add jenkinsfile
EyalDelarea Jun 4, 2024
6c57c90
Add comments
EyalDelarea Jun 4, 2024
a96e5e1
Add a warning message
EyalDelarea Jun 4, 2024
bc5c49e
filter on v2 branch
EyalDelarea Jun 4, 2024
905937c
add v2 ref
EyalDelarea Jun 4, 2024
669f447
Merge branch 'dev' of https://github.com/jfrog/jfrog-cli into sign_ap…
EyalDelarea Jun 5, 2024
af07521
Merge branch 'dev' of https://github.com/jfrog/jfrog-cli into sign_ap…
EyalDelarea Jul 2, 2024
dbdd2e6
Extract signed binary to var
EyalDelarea Jul 2, 2024
8377e15
Extract binary name
EyalDelarea Jul 2, 2024
d4a00d0
Bump version from 1.0.0 to 2.0.0
EyalDelarea Jul 2, 2024
3f136c7
Enable debugging workflow
EyalDelarea Jul 2, 2024
37946da
Enable debugging workflow
EyalDelarea Jul 2, 2024
f4cb601
Test
EyalDelarea Jul 2, 2024
66182f2
Bump version from 1.0.0 to 2.0.0
EyalDelarea Jul 2, 2024
ccb6dbf
Bump version from 1.0.0 to 2.0.0
EyalDelarea Jul 2, 2024
29706fb
Bump version from 1.0.0 to 2.0.0
EyalDelarea Jul 2, 2024
d6955c1
Bump version from 1.0.0 to 2.0.0
EyalDelarea Jul 2, 2024
feb77c5
Bump version from 1.0.0 to 2.1.2
EyalDelarea Jul 2, 2024
b213b8e
Bump version from 1.0.0 to 2.1.3
EyalDelarea Jul 2, 2024
e48ede3
Bump version from 1.0.0 to 3.1.3
EyalDelarea Jul 4, 2024
eaf0878
add bundle template
EyalDelarea Jul 4, 2024
0721add
Bump version from 1.0.0 to 2.0.0
EyalDelarea Jul 4, 2024
e81dd61
Bump version from 1.0.0 to 5.1.3
EyalDelarea Jul 4, 2024
25151e0
Bump version from 1.0.0 to 4.1.3
EyalDelarea Jul 4, 2024
7ba8d63
Bump version from 1.0.0 to 3.1.3
EyalDelarea Jul 4, 2024
ff3aad1
Bump version from 1.0.0 to 1.1.3
EyalDelarea Jul 4, 2024
97bd158
Bump version from 1.0.0 to 1.1.5
EyalDelarea Jul 4, 2024
61e31bf
Bump version from 1.0.0 to 1.1.8
EyalDelarea Jul 4, 2024
1862e9d
Bump version from 1.0.0 to 2.60.0
EyalDelarea Jul 4, 2024
9f727c1
Bump version from 1.0.0 to 2.61.0
EyalDelarea Jul 4, 2024
6389c2a
Bump version from 1.0.0 to 2.63.0
EyalDelarea Jul 4, 2024
3ca8070
Bump version from 1.0.0 to 2.64.0
EyalDelarea Jul 4, 2024
083d6a1
Bump version from 1.0.0 to 2.64.0
EyalDelarea Jul 4, 2024
49f92a1
Bump version from 1.0.0 to 2.64.0
EyalDelarea Jul 4, 2024
11f1765
Bump version from 1.0.0 to 2.64.0
EyalDelarea Jul 4, 2024
a498b9a
Bump version from 1.0.0 to 2.64.0
EyalDelarea Jul 4, 2024
b100e98
Add comments
EyalDelarea Jul 4, 2024
70d3801
Bump version from 1.0.0 to 1.0.1
EyalDelarea Jul 4, 2024
8ce0d2e
Bump version from 1.0.0 to 1.0.2
EyalDelarea Jul 4, 2024
ead16c0
Bump version from 1.0.0 to 1.0.3
EyalDelarea Jul 4, 2024
706cd5f
Bump version from 1.0.0 to 1.0.3
EyalDelarea Jul 4, 2024
3f5cec0
Bump version from 1.0.0 to 1.0.3
EyalDelarea Jul 4, 2024
8d56246
Bump version from 1.0.0 to 1.0.3
EyalDelarea Jul 4, 2024
1484404
Bump version from 1.0.0 to 1.0.3
EyalDelarea Jul 4, 2024
52e3b20
Remove deletion of old artifacts
EyalDelarea Jul 7, 2024
83284ea
Bump version from 1.0.0 to 2.0.0
EyalDelarea Jul 7, 2024
d5a6101
Change to workflow dispatch
EyalDelarea Jul 7, 2024
24bc798
Change name
EyalDelarea Jul 7, 2024
bd3bc8f
Validate Script
EyalDelarea Jul 7, 2024
51318d4
Test init
EyalDelarea Jul 7, 2024
9334e4d
fix workflow
EyalDelarea Jul 7, 2024
5a3bef3
fix workflow
EyalDelarea Jul 7, 2024
92d878b
fix workflow
EyalDelarea Jul 7, 2024
4fd11a9
fix workflow
EyalDelarea Jul 7, 2024
3723ab7
fix workflow
EyalDelarea Jul 7, 2024
bb743b2
Fix binary file name
EyalDelarea Jul 7, 2024
ad98ce0
Fix jenkins file
EyalDelarea Jul 7, 2024
cfbe901
Split by binary name
EyalDelarea Jul 7, 2024
e5ab4ba
Add binary name to build
EyalDelarea Jul 7, 2024
27fac9e
Add binary name to build
EyalDelarea Jul 7, 2024
182c4b1
Fail if no artifacts were uploaded
EyalDelarea Jul 7, 2024
91c4c20
Merge remote-tracking branch 'origin/dev' into dev
EyalDelarea Jul 7, 2024
688b696
Fix name
EyalDelarea Jul 7, 2024
887d372
Test
EyalDelarea Jul 7, 2024
ace821f
Fix app name
EyalDelarea Jul 7, 2024
1c50c2f
add sign macos binaries to Jenkinsfile
EyalDelarea Jul 7, 2024
22a7aca
Fix upload path
EyalDelarea Jul 7, 2024
0874203
Move the stage to start of release
EyalDelarea Jul 7, 2024
a941b6f
Fix executable name
EyalDelarea Jul 7, 2024
a7c9bff
Download by executable name as well
EyalDelarea Jul 7, 2024
546c44a
Rename
EyalDelarea Jul 8, 2024
e3667a0
Fix var name
EyalDelarea Jul 8, 2024
adfef6e
Don't modify app_template path & remove binary_name var
EyalDelarea Jul 9, 2024
fd39bdb
Move binary to template
EyalDelarea Jul 9, 2024
063ef54
Remove Binary file name input
EyalDelarea Jul 10, 2024
b4f52ca
Make use of temp dir
EyalDelarea Jul 10, 2024
bbf165a
Move binary to template
EyalDelarea Jul 10, 2024
9ec0abc
Remove echos
EyalDelarea Jul 10, 2024
91965ba
Setup
EyalDelarea Jul 10, 2024
303d604
Fix copy signed binary
EyalDelarea Jul 10, 2024
9805f64
prepare
EyalDelarea Jul 10, 2024
090016a
extract binary
EyalDelarea Jul 10, 2024
27df1cf
Update prepareDarwinBinariesForRelease.yml
EyalDelarea Jul 10, 2024
c83b416
logs
EyalDelarea Jul 10, 2024
350894d
Merge remote-tracking branch 'origin/dev' into dev
EyalDelarea Jul 10, 2024
e0c15c1
test
EyalDelarea Jul 10, 2024
bafd3b8
test
EyalDelarea Jul 10, 2024
13fdd11
Refactor
EyalDelarea Jul 10, 2024
9917c58
Refactor
EyalDelarea Jul 10, 2024
5d092cb
Checkout branch
EyalDelarea Jul 10, 2024
313c288
Checkout branch
EyalDelarea Jul 10, 2024
628cb1e
Remove git ignores
EyalDelarea Jul 10, 2024
fb7aaa1
Fix function call
EyalDelarea Jul 10, 2024
bb98ee6
Add README.md files
EyalDelarea Jul 10, 2024
72376ce
Refactor
EyalDelarea Jul 10, 2024
92c9431
Matrix
EyalDelarea Jul 10, 2024
c34f055
Move script
EyalDelarea Jul 10, 2024
e8c32ad
Extract scripts and refactor
EyalDelarea Jul 10, 2024
ab4231c
Fix script path calling
EyalDelarea Jul 10, 2024
727a8c6
Refactor
EyalDelarea Jul 11, 2024
3557968
CR
EyalDelarea Jul 14, 2024
48f1f0c
Renames
EyalDelarea Jul 14, 2024
dbed479
Refactor script
EyalDelarea Jul 14, 2024
24f4838
Rename folder
EyalDelarea Jul 14, 2024
b16d2ec
Refactor script
EyalDelarea Jul 14, 2024
c4cb494
CR
EyalDelarea Jul 14, 2024
b0d4ea1
test script
EyalDelarea Jul 14, 2024
b50bef1
test script
EyalDelarea Jul 14, 2024
d616c5f
Refactor functions
EyalDelarea Jul 14, 2024
4342c49
Remove token unused
EyalDelarea Jul 14, 2024
4ae3ad3
Test script
EyalDelarea Jul 14, 2024
f108e00
test
EyalDelarea Jul 14, 2024
1c9a20d
Update Jenkinsfile
EyalDelarea Jul 14, 2024
3316d00
Update Jenkinsfile
EyalDelarea Jul 14, 2024
e431c4e
Merge branch 'dev' of https://github.com/jfrog/jfrog-cli into sign_ap…
EyalDelarea Jul 21, 2024
58dca07
Merge branch 'dev' of https://github.com/jfrog/jfrog-cli into sign_ap…
EyalDelarea Nov 6, 2024
5af95fe
CR
EyalDelarea Nov 20, 2024
680420e
Merge branch 'dev' of https://github.com/jfrog/jfrog-cli into sign_ap…
EyalDelarea Nov 20, 2024
fae2078
CR
EyalDelarea Nov 20, 2024
57 changes: 57 additions & 0 deletions .github/workflows/prepareDarwinBinariesForRelease.yml
@@ -0,0 +1,57 @@
name: Sign Dawrin Binaries for Release
on:
workflow_dispatch:
inputs:
releaseVersion:
description: "Release version"
required: true
binaryFileName:
description: 'Binary file name'
required: true
env:
binaryFileName: ${{ github.event.inputs.binaryFileName }}
releaseVersion: ${{ github.event.inputs.releaseVersion }}
jobs:
# Builds, signs, notarize and uploads the macOS binaries
prepareBinary:
name: Prepare-Binary
runs-on: macos-latest
strategy:
matrix:
goarch: [ arm64, amd64 ]
steps:
# Setup
- name: Setup Go
uses: actions/setup-go@v5
with:
go-version: 1.22.x
cache: false

- name: Checkout Source
uses: actions/checkout@v4
with:
ref: sign_apple_binary
Member commented:

Suggested change
ref: sign_apple_binary
ref: dev

Contributor Author commented:

This is listed under the TODO before merge, as it can't run on the dev branch as it is missing the apple_release folder


# Builds the executable and moves it inside the app template
- name: Build and Move Executable
run: |
./build/build.sh ${{ env.binaryFileName }}
mv ${{ env.binaryFileName }} ./build/apple_release/${{ env.binaryFileName }}.app/Contents/MacOS

- name: Sign & Notarize
env:
APPLE_CERT_DATA: ${{ secrets.APPLE_CERT_DATA }}
APPLE_CERT_PASSWORD: ${{ secrets.APPLE_CERT_PASSWORD }}
APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
APPLE_ACCOUNT_ID: ${{ secrets.APPLE_ACCOUNT_ID }}
APPLE_APP_SPECIFIC_PASSWORD: ${{ secrets.APPLE_APP_SPECIFIC_PASSWORD }}
APP_TEMPLATE_PATH: ./build/apple_release/${{ env.binaryFileName }}.app
run: ./build/apple_release/scripts/darwin-sign-and-notarize.sh

- name: Upload Artifact
uses: actions/upload-artifact@v4
with:
name: ${{ env.binaryFileName }}-darwin-v${{ env.releaseVersion }}-${{ matrix.goarch }}
path: ./${{ env.binaryFileName }}
retention-days: 1
if-no-files-found: error
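
Review bot: The `Build and Move Executable` step expands `${{ env.binaryFileName }}` directly inside `run:`, so the `workflow_dispatch` input is pasted into the script text before bash parses it, in the job that goes on to sign whatever was built. `binaryFileName` is already exported through the top-level `env:` block, so reference it as a quoted shell variable instead, e.g. `./build/build.sh "$binaryFileName"` and `mv "$binaryFileName" "./build/apple_release/$binaryFileName.app/Contents/MacOS"`. Separately, `matrix.goarch` is used only in the artifact name; none of the visible steps passes it to `build.sh` or sets `GOARCH`, so unless the build script picks the architecture up some other way, both matrix legs upload the same binary under different names. The workflow name also reads "Dawrin".
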
42 changes: 41 additions & 1 deletion Jenkinsfile
Expand Up @@ -105,6 +105,14 @@ def runRelease(architectures) {
version = getCliVersion(builderPath)
print "CLI version: $version"
}
/**
* Prepare Signed MacOS binaries
* This happens at the start of the release process, so the binaries will be ready
* for the release process later on.
*/
stage('Sign MacOS binaries') {
triggerDarwinBinariesSigningWorkflow()
}
configRepo21()

try {
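
Review bot: `stage('Sign MacOS binaries')` here wraps `triggerDarwinBinariesSigningWorkflow()`, and that function, added at the end of this file, opens its own `stage("Sign MacOS binaries")`, so the pipeline ends up with the same stage nested inside itself. Keep the stage in one place, either at this call site or inside the helper.
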
Expand Down Expand Up @@ -314,7 +322,12 @@ def uploadCli(architectures) {
for (int i = 0; i < architectures.size(); i++) {
def currentBuild = architectures[i]
stage("Build and upload ${currentBuild.pkg}") {
buildAndUpload(currentBuild.goos, currentBuild.goarch, currentBuild.pkg, currentBuild.fileExtension)
// MacOS binaries should be downloaded from GitHub packages, as they are signed there.
if (currentBuild.goos == 'darwin') {
downloadDarwinSignedBinaries(currentBuild.goarch,currentBuild.fileExtension)()
} else {
buildAndUpload(currentBuild.goos, currentBuild.goarch, currentBuild.pkg, currentBuild.fileExtension)
}
}
}
}
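
Review bot: The darwin branch calls `downloadDarwinSignedBinaries(currentBuild.goarch,currentBuild.fileExtension)()`: the trailing `()` invokes whatever the function returns, and two arguments are passed while the definition added further down is `downloadDarwinSignedBinaries(goarch)`. Groovy cannot resolve that call at runtime, so every darwin release stage would abort here. Drop the trailing `()` and make the call and the definition agree on the parameter list; the helper's body also needs `pkg`, so that is a natural second parameter.
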
Expand Down Expand Up @@ -511,3 +524,30 @@ def dockerLogin(){
sh "echo $REPO21_PASSWORD | docker login $REPO_NAME_21 -u=$REPO21_USER --password-stdin"
}
}

/**
* This will trigger the Github action that will sign and notarize the MacOS binaries.
* The artifacts will be uploaded to Github artifacts
*/
def triggerDarwinBinariesSigningWorkflow(){
withCredentials([string(credentialsId: 'github-access-token',variable: "GITHUB_ACCESS_TOKEN")]) {
stage("Sign MacOS binaries"){
sh """
./build/apple_release/scripts/trigger-sign-mac-OS-workflow.sh $cliExecutableName $releaseVersion $GITHUB_ACCESS_TOKEN
"""
}
}
}

/**
* The Darwin binaries are signed in GitHub actions.
* This function will make sure to download the specific artifact according to
* executable name and release version.
* As the GitHub action may take some time, we will retry to download the artifact with timeout.
*/
def downloadDarwinSignedBinaries(goarch) {
sh """#!/bin/bash
./build/apple_release/scripts/download-signed-mac-OS-binaries.sh $cliExecutableName $releaseVersion $goarch
"""
uploadBinaryToJfrogRepo21(currentBuild.pkg, $cliExecutableName)
}
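
Review bot: In `triggerDarwinBinariesSigningWorkflow`, `$GITHUB_ACCESS_TOKEN` sits inside a Groovy double-quoted `sh """..."""` string, so Groovy interpolates the secret into the command text and it is then handed to the script as a positional argument, where it shows up in the agent's process list. Use a single-quoted `sh '...'` so the shell reads the variable from the environment that `withCredentials` sets, and have the script take the token from the environment rather than from its arguments. `downloadDarwinSignedBinaries` has the opposite problem: the download script reads the token from `$4`, but this call passes three arguments and is not wrapped in `withCredentials`, so the artifact requests go out with an empty bearer token. The last line needs attention too: `$cliExecutableName` outside a string is not the `cliExecutableName` variable, and `currentBuild` in this scope is not the loop variable from `uploadCli`, so `pkg` should come in as a parameter.
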
14 changes: 14 additions & 0 deletions build/apple_release/jf.app/Contents/Info.plist
@@ -0,0 +1,14 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>CFBundleDevelopmentRegion</key>
<string>en-US</string>
<key>CFBundleName</key>
<string>JFrog-CLI</string>
<key>CFBundleDisplayName</key>
<string>JFrog-CLI</string>
<key>CFBundleIdentifier</key>
<string>com.jfrog.jfrog-cli</string>
</dict>
</plist>
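
Review bot: The `<dict>` has no `CFBundleExecutable` entry, so nothing in the plist names `Contents/MacOS/jf` as the bundle's executable; the link rests only on the naming convention the README in this PR describes. Add `CFBundleExecutable` explicitly, and consider `CFBundleShortVersionString` and `CFBundleVersion` filled from `releaseVersion`, since the README says the plist carries the app version and this template has none.
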
32 changes: 32 additions & 0 deletions build/apple_release/jf.app/Contents/MacOs/README.md
@@ -0,0 +1,32 @@
# Apple Bundle Structure README

This README file serves as a guide to maintaining the integrity of the Apple bundle structure required for macOS applications. It is crucial to keep this file and adhere to the outlined structure to ensure the application functions correctly on macOS.

## Structure Overview

The Apple bundle for a macOS application typically has the following directory structure:### Key Components
```
YOUR_APP.app
├── Contents
├── MacOS
│ └── YOUR_APP (executable file)
└── Info.plist

```
- **YOUR_APP.app**: This is the root directory of your application bundle. Replace `YOUR_APP` with the name of your application.

- **Contents**: A mandatory directory that contains all the files needed by the application.

- **MacOS**: This directory should contain the executable file for your application. The name of the executable should match the `YOUR_APP` part of your application bundle's name.

- **Info.plist**: A required file that contains configuration and permissions for your application. It informs the macOS about how your app should be treated and what capabilities it has.

### Important Notes

- **Do Not Delete**: This README file and the structure it describes are essential for the application's deployment and functionality on macOS. Removing or altering the structure may result in application failures.

- **Executable File**: Ensure your application's executable file is placed inside the `MacOS` directory. The executable's name must match the `YOUR_APP` portion of your application bundle's name for macOS to recognize and launch it correctly.

- **Info.plist Configuration**: Properly configure the `Info.plist` file according to your application's needs. This file includes critical information such as the app version, display name, permissions, and more.

By adhering to this structure and guidelines, you ensure that your macOS application is packaged correctly for distribution and use.
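
Review bot: This file is added under `Contents/MacOs/` (lower-case `s`), while the workflow's `mv` target and the sign script both use `Contents/MacOS`. On a case-sensitive checkout those are two different directories and `Contents/MacOS` would not exist, so rename the directory to `MacOS`. Keeping the README inside `Contents/MacOS` also means it is zipped and submitted for notarization together with the executable; a README next to the `.app` directory would keep the template clean. In the text, `### Key Components` is fused onto the end of the "directory structure:" sentence and should start its own line.
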
14 changes: 14 additions & 0 deletions build/apple_release/jfrog.app/Contents/Info.plist
@@ -0,0 +1,14 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>CFBundleDevelopmentRegion</key>
<string>en-US</string>
<key>CFBundleName</key>
<string>JFrog-CLI</string>
<key>CFBundleDisplayName</key>
<string>JFrog-CLI</string>
<key>CFBundleIdentifier</key>
<string>com.jfrog.jfrog-cli</string>
</dict>
</plist>
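
Review bot: `CFBundleIdentifier` here is `com.jfrog.jfrog-cli`, the same value as in `jf.app/Contents/Info.plist`, and the remaining keys are the same as well. If `jf` and `jfrog` are meant to be notarized as separate bundles, give each its own identifier; if they are the same product, generate the bundle from one template at build time instead of maintaining two copies.
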
32 changes: 32 additions & 0 deletions build/apple_release/jfrog.app/Contents/MacOs/README.md
@@ -0,0 +1,32 @@
# Apple Bundle Structure README

This README file serves as a guide to maintaining the integrity of the Apple bundle structure required for macOS applications. It is crucial to keep this file and adhere to the outlined structure to ensure the application functions correctly on macOS.

## Structure Overview

The Apple bundle for a macOS application typically has the following directory structure:### Key Components
```
YOUR_APP.app
├── Contents
├── MacOS
│ └── YOUR_APP (executable file)
└── Info.plist

```
- **YOUR_APP.app**: This is the root directory of your application bundle. Replace `YOUR_APP` with the name of your application.

- **Contents**: A mandatory directory that contains all the files needed by the application.

- **MacOS**: This directory should contain the executable file for your application. The name of the executable should match the `YOUR_APP` part of your application bundle's name.

- **Info.plist**: A required file that contains configuration and permissions for your application. It informs the macOS about how your app should be treated and what capabilities it has.

### Important Notes

- **Do Not Delete**: This README file and the structure it describes are essential for the application's deployment and functionality on macOS. Removing or altering the structure may result in application failures.

- **Executable File**: Ensure your application's executable file is placed inside the `MacOS` directory. The executable's name must match the `YOUR_APP` portion of your application bundle's name for macOS to recognize and launch it correctly.

- **Info.plist Configuration**: Properly configure the `Info.plist` file according to your application's needs. This file includes critical information such as the app version, display name, permissions, and more.

By adhering to this structure and guidelines, you ensure that your macOS application is packaged correctly for distribution and use.
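
Review bot: This README repeats the one added under `jf.app` word for word, including the `Contents/MacOs` path. A single copy at `build/apple_release/` covering both templates would keep the two from drifting apart.
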
99 changes: 99 additions & 0 deletions build/apple_release/scripts/darwin-sign-and-notarize.sh
@@ -0,0 +1,99 @@
#!/bin/bash

# Script Purpose: Automate the process of signing and notarizing a macOS binary.

# Input:
# - APPLE_CERT_DATA: Base64 encoded data of the Apple Developer certificate.
# - APPLE_CERT_PASSWORD: Password for the Apple Developer certificate.
# - APPLE_TEAM_ID: Identifier for the Apple Developer Team.
# - APPLE_ACCOUNT_ID: Apple Developer Account ID.
# - APPLE_APP_SPECIFIC_PASSWORD: Password for app-specific services on the Apple Developer Account.
# - APP_TEMPLATE_PATH: Path to the .app bundle template.

# Output:
# A signed and notarized binary file in the current directory, ready for distribution.

validate_app_template_structure() {
[ ! -d "$APP_TEMPLATE_PATH" ] && { echo "Error: $APP_TEMPLATE_PATH directory does not exist."; exit 1; }
[ ! -d "$APP_TEMPLATE_PATH/Contents" ] && { echo "Error: Contents directory does not exist in $APP_TEMPLATE_PATH."; exit 1; }
[ ! -d "$APP_TEMPLATE_PATH/Contents/MacOS" ] && { echo "Error: MacOS directory does not exist in $APP_TEMPLATE_PATH/Contents."; exit 1; }
[ ! -f "$APP_TEMPLATE_PATH/Contents/Info.plist" ] && { echo "Error: Info.plist file does not exist in $APP_TEMPLATE_PATH/Contents."; exit 1; }

local app_name_without_extension
app_name_without_extension=$(basename "$APP_TEMPLATE_PATH" .app)
export BINARY_FILE_NAME=$app_name_without_extension

[ ! -f "$APP_TEMPLATE_PATH/Contents/MacOS/$BINARY_FILE_NAME" ] && { echo "Error: $BINARY_FILE_NAME executable not found inside the MacOS folder."; exit 1; }
}

validate_inputs() {
[ -z "$APPLE_CERT_DATA" ] && { echo "Error: Missing APPLE_CERT_DATA environment variable."; exit 1; }
[ -z "$APPLE_CERT_PASSWORD" ] && { echo "Error: Missing APPLE_CERT_PASSWORD environment variable."; exit 1; }
[ -z "$APPLE_TEAM_ID" ] && { echo "Error: Missing APPLE_TEAM_ID environment variable."; exit 1; }

validate_app_template_structure
}

prepare_keychain_and_certificate() {
local temp_dir
temp_dir=$(mktemp -d)
local keychain_name="macos-build.keychain"

echo "$APPLE_CERT_DATA" | base64 --decode > "$temp_dir/certs.p12"

security create-keychain -p "$APPLE_CERT_PASSWORD" $keychain_name
security default-keychain -s $keychain_name
security unlock-keychain -p "$APPLE_CERT_PASSWORD" $keychain_name
security set-keychain-settings -t 3600 -u $keychain_name

security import "$temp_dir/certs.p12" -k ~/Library/Keychains/$keychain_name -P "$APPLE_CERT_PASSWORD" -T /usr/bin/codesign || { echo "Error: Failed to import certificate into keychain."; exit 1; }

security set-key-partition-list -S apple-tool:,apple: -s -k "$APPLE_CERT_PASSWORD" -D "$APPLE_TEAM_ID" -t private $keychain_name
}

sign_binary() {
codesign -s "$APPLE_TEAM_ID" --timestamp --deep --options runtime --force "$APP_TEMPLATE_PATH/Contents/MacOS/$BINARY_FILE_NAME" || { echo "Error: Failed to sign the binary."; exit 1; }
echo "Successfully signed the binary."
}

notarize_app() {
local temp_dir
temp_dir=$(mktemp -d)
local current_dir
current_dir=$(pwd)

cp -r "$APP_TEMPLATE_PATH" "$temp_dir"
cd "$temp_dir" || exit

local temp_zipped_name="${BINARY_FILE_NAME}-zipped.zip"
ditto -c -k --keepParent "$BINARY_FILE_NAME.app" "./$temp_zipped_name" || { echo "Error: Failed to zip the app."; exit 1; }

xcrun notarytool submit "$temp_zipped_name" --apple-id "$APPLE_ACCOUNT_ID" --team-id "$APPLE_TEAM_ID" --password "$APPLE_APP_SPECIFIC_PASSWORD" --wait || { echo "Error: Failed to notarize the app."; exit 1; }
echo "Notarization successful."

unzip -o "$temp_zipped_name"
xcrun stapler staple "$BINARY_FILE_NAME.app" || { echo "Error: Failed to staple the ticket to the app."; exit 1; }
echo "Stapling successful."

cp "./$BINARY_FILE_NAME.app/Contents/MacOS/$BINARY_FILE_NAME" "$current_dir"
cd "$current_dir" || exit
rm -rf "$temp_dir"
}

# Cleans up resources used during the process.
cleanup() {
echo "Deleting keychain..."
security delete-keychain "macos-build.keychain"
echo "Deleting temporary certificate files..."
rm -rf "$temp_dir/certs.p12"
}

main() {
validate_inputs
prepare_keychain_and_certificate
sign_binary
notarize_app
cleanup
}

main
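
Review bot: `cleanup` removes `"$temp_dir/certs.p12"`, but `temp_dir` is declared `local` inside `prepare_keychain_and_certificate`, so it is empty here and the decoded `.p12` is left behind in the `mktemp` directory. `cleanup` is also the last call in `main`, and every failure path uses `exit 1`, so a failed sign or notarize step leaves both the keychain and the certificate file on the runner. Keep the path in a script-level variable and register `trap cleanup EXIT` before the certificate is written. Two smaller points: `validate_inputs` does not check `APPLE_ACCOUNT_ID` or `APPLE_APP_SPECIFIC_PASSWORD`, which `notarize_app` needs, and `notarize_app` staples the ticket to the `.app` and then copies only the inner executable out, so please confirm the stapled ticket is expected to matter for the bare binary that gets uploaded.
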
75 changes: 75 additions & 0 deletions build/apple_release/scripts/download-signed-mac-OS-binaries.sh
@@ -0,0 +1,75 @@
#!/bin/bash

cliExecutableName=$1
releaseVersion=$2
goarch=$3
GITHUB_ACCESS_TOKEN=$4

# This script downloads signed macOS binaries for a specific version and architecture.

# Function to retrieve the specific artifact URL with retries
get_specific_artifact_url_with_retries() {
local max_retries=4
local cooldown=15 # Cooldown in seconds between retries
local retry_count=0

while [ $retry_count -lt $max_retries ]; do
Contributor Author commented:

@yahavi,
In here we can't use curl --retry, because the curl execution will be okay as it queries all the artifacts from the repo.
The retry is when the query doesn't return the specific version and release version executable, which we try to filter from the response.

# Fetch the list of artifacts from GitHub
response=$(curl -L \
-H "Accept: application/vnd.github+json" \
-H "Authorization: Bearer $GITHUB_ACCESS_TOKEN" \
-H "X-GitHub-Api-Version: 2022-11-28" \
Member commented:

According to the documentation:

When a new REST API version is released, the previous API version will be supported for at least 24 more months following the release of the new API version.

Let's use the latest API

-s https://api.github.com/repos/eyaldelarea/jfrog-cli/actions/artifacts)
Member commented:

Suggested change
-s https://api.github.com/repos/eyaldelarea/jfrog-cli/actions/artifacts)
-s https://api.github.com/repos/jfrog/jfrog-cli/actions/artifacts)


# Parse the response to find the URL of the desired artifact
artifactUrl=$(echo "$response" | jq -r ".artifacts[] | select(.name | contains(\"$cliExecutableName-darwin-v$releaseVersion-$goarch\")) | .archive_download_url")

# If a valid URL is found, return it
if [[ "$artifactUrl" =~ ^https?://.+ ]]; then
echo "$artifactUrl"
return 0
else
# If not found, retry after a cooldown period
retry_count=$((retry_count+1))
sleep $cooldown
fi
done

# If the maximum number of retries is exceeded, report failure
echo "Curl request failed after $max_retries attempts."
return 1
}

# Function to download and extract the signed macOS binaries
downloadSignedMacOSBinaries() {
echo "Downloading Signed macOS Binaries for goarch: $goarch, release version: $releaseVersion"

# Attempt to get the specific artifact URL
artifactUrl=$(get_specific_artifact_url_with_retries)

# Validate the URL
if [[ -z "$artifactUrl" || ! "$artifactUrl" =~ ^https?://.+ ]]; then
echo "$artifactUrl Failed to find download artifact for version: $releaseVersion and goarch: $goarch. Please validate the artifacts were successfully uploaded."
exit 1
fi

# Download the artifact
curl -L \
-H "Accept: application/vnd.github+json" \
-H "Authorization: Bearer $GITHUB_ACCESS_TOKEN" \
-H "X-GitHub-Api-Version: 2022-11-28" \
"$artifactUrl" -o artifact.zip

# Extract the artifact and clean up
tar -xvf artifact.zip
rm -rf artifact.zip

# Make the binary executable
chmod +x "$cliExecutableName"

# Validate the binary by checking its version
./"$cliExecutableName" --version
}

# Start the process
downloadSignedMacOSBinaries
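
Review bot: The jq filter selects artifacts with `contains("$cliExecutableName-darwin-v$releaseVersion-$goarch")`, a substring match with shell variables spliced into the jq program. A re-run for the same version, or any artifact whose name merely contains this string, also matches; the result can then hold several URLs, and the `^https?://.+` check still passes because it is not anchored at the end. Pass the expected name with `jq --arg`, compare with `==`, and take a single result. The downloaded binary is then made executable and run with `--version` without any check that it is the signed build; verify the code signature, or a checksum published by the signing job, before executing or uploading it. Also: `max_retries=4` with `cooldown=15` gives up after about a minute, which is short for a job that builds and waits on notarization; `tar -xvf artifact.zip` depends on a tar that can read zip archives, so `unzip` is the safer choice; and the not-found message says "Curl request failed" although the request itself succeeded.
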