From 32f93dd12f28d6b37f9baef2bc0f8c45d83e73ef Mon Sep 17 00:00:00 2001
From: sam-butcher
Date: Fri, 22 Nov 2024 13:48:31 +0000
Subject: [PATCH 1/3] Improve code signing
---
 common/shell/Shell.kt | 4 ++--
 platform/jvm/AppleCodeSigner.kt | 20 ++----------------
 platform/jvm/JVMPlatformAssembler.kt | 6 ++++--
 platform/jvm/MacAppNotarizer.kt | 31 ++++++++++++++++------------
 4 files changed, 26 insertions(+), 35 deletions(-)
diff --git a/common/shell/Shell.kt b/common/shell/Shell.kt
index 982c6c5..b0f2e11 100644
--- a/common/shell/Shell.kt
+++ b/common/shell/Shell.kt
@@ -38,8 +38,8 @@ class Shell(private val logger: Logger, private val verbose: Boolean = false, pr
 return verbose && (!sensitive || printSensitiveData)
 }
- class Command(vararg args: Argument) {
- val args = args.toList()
+ class Command(val args: List) {
+ constructor(vararg args: Argument): this(args.toList())
 override fun toString(): String {
 return args.toString()
diff --git a/platform/jvm/AppleCodeSigner.kt b/platform/jvm/AppleCodeSigner.kt
index 05e1440..11be6b9 100644
--- a/platform/jvm/AppleCodeSigner.kt
+++ b/platform/jvm/AppleCodeSigner.kt
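Review bot: `constructor(vararg args: Argument): this(args.toList())` lacks the space before the colon that Kotlin's style guide requires for constructor delegation; it should read `constructor(vararg args: Argument) : this(args.toList())`. The new primary constructor (presumably `List<Argument>`; the type argument is not visible in this rendering) also keeps the caller's list by reference, whereas the old vararg form always copied it with `toList()`, so a `MutableList` the caller keeps mutating now changes the command after construction. If that aliasing is unwanted, keep the copy in the primary constructor, `class Command(args: List<Argument>) { val args = args.toList() … }`, and let the vararg constructor delegate to it. The `Command` class body continues outside the hunk.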
@@ -7,12 +7,7 @@ import com.typedb.bazel.distribution.platform.jvm.AppleCodeSigner.Codesign.Args.
 import com.typedb.bazel.distribution.platform.jvm.AppleCodeSigner.Codesign.Args.KEYCHAIN
 import com.typedb.bazel.distribution.platform.jvm.AppleCodeSigner.Codesign.Args.OPTIONS
 import com.typedb.bazel.distribution.platform.jvm.AppleCodeSigner.Codesign.Args.SIGN
-import com.typedb.bazel.distribution.platform.jvm.AppleCodeSigner.Codesign.Args.STRICT
 import com.typedb.bazel.distribution.platform.jvm.AppleCodeSigner.Codesign.Args.TIMESTAMP
-import com.typedb.bazel.distribution.platform.jvm.AppleCodeSigner.Codesign.Args.VERIFY
-import com.typedb.bazel.distribution.platform.jvm.AppleCodeSigner.Paths.CONTENTS
-import com.typedb.bazel.distribution.platform.jvm.AppleCodeSigner.Paths.MAC_OS
-import com.typedb.bazel.distribution.platform.jvm.AppleCodeSigner.Paths.RUNTIME
 import com.typedb.bazel.distribution.platform.jvm.AppleCodeSigner.Paths.TMP
 import com.typedb.bazel.distribution.platform.jvm.AppleCodeSigner.Security.CN
 import com.typedb.bazel.distribution.platform.jvm.AppleCodeSigner.Security.CREATE_KEYCHAIN
@@ -140,7 +135,7 @@ class AppleCodeSigner(private val shell: Shell, private val macEntitlements: Fil
 val nativeLibs = tmpDir.listFilesRecursively().filter { it.extension in listOf(JNILIB, DYLIB) }
 if (nativeLibs.isNotEmpty()) {
- nativeLibs.forEach { signFile(file = it, skipIfSigned = true) }
+ nativeLibs.forEach { signFile(file = it) }
 jar.setWritable(true)
 jar.delete()
 shell.execute(listOf(ShellArgs.Programs.JAR, "cMf", "../${jar.path}", "."), baseDir = tmpPath)
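Review bot: `signFile(file = it)` now re-signs every native library found in the jar, including ones that already carry a vendor or ad-hoc signature, which is what Developer ID notarization expects (all Mach-O files signed with the same identity and options), but it only works if the `codesign` sign command passes `--force`; I cannot confirm that from here because the `Codesign.Args` import in the first hunk header is truncated and `signCommand`'s argument list continues past the next hunk. Without `--force`, `codesign` refuses to overwrite an existing signature and the build fails on the first pre-signed `.dylib`, so it is worth checking that the flag is present. A comment on the new line recording the intent, e.g. `// always re-sign: vendored libs may carry foreign signatures that notarization rejects`, would stop the skip from being reintroduced later. The enclosing function starts and ends outside the hunk.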
@@ -150,18 +145,7 @@ class AppleCodeSigner(private val shell: Shell, private val macEntitlements: Fil
 }
 }
- fun signFile(file: File, skipIfSigned: Boolean = false) {
- if (skipIfSigned) {
- val verifySignatureResult = VerifySignatureResult(
- shell.execute(listOf(CODESIGN, VERIFY, STRICT, file.path), throwOnError = false)
- )
- if (verifySignatureResult.status == VerifySignatureResult.Status.SIGNED) return
- else if (verifySignatureResult.status == VerifySignatureResult.Status.ERROR) {
- throw IllegalStateException("Command '${CODESIGN}' failed with exit code " +
- "${verifySignatureResult.exitValue} and output: ${verifySignatureResult.outputString()}")
- }
- }
-
+ fun signFile(file: File) {
 file.setWritable(true)
 val signCommand: MutableList = mutableListOf(
 CODESIGN, SIGN, certSubject,
diff --git a/platform/jvm/JVMPlatformAssembler.kt b/platform/jvm/JVMPlatformAssembler.kt
index cb33fc5..4b99429 100644
--- a/platform/jvm/JVMPlatformAssembler.kt
+++ b/platform/jvm/JVMPlatformAssembler.kt
@@ -230,8 +230,10 @@ object JVMPlatformAssembler {
 null -> logger.debug { "Skipping notarizing step: Apple code signing is not enabled" }
 else -> {
 MacAppNotarizer(
- dmgPath = Path.of(distDir.path, "${options.image.filename}-$version.dmg")
- ).notarize(codeSigningOptions)
+ dmgPath = Path.of(distDir.path, "${options.image.filename}-$version.dmg"),
+ appleCodeSigning = codeSigningOptions,
+ logging = options.logging,
+ ).notarize()
 appleCodeSigner!!.deleteKeychain()
 }
 }
diff --git a/platform/jvm/MacAppNotarizer.kt b/platform/jvm/MacAppNotarizer.kt
index badb4e3..6aa7386 100644
--- a/platform/jvm/MacAppNotarizer.kt
+++ b/platform/jvm/MacAppNotarizer.kt
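Review bot: With the `skipIfSigned` branch removed, `signFile` no longer runs `codesign --verify --strict` at all, and `VerifySignatureResult` together with the `VERIFY`/`STRICT` constants now look like dead code (their imports are dropped in this file's first hunk; I cannot see whether anything else still uses them). Instead of deleting them, consider reusing them as a post-signing check at the end of `signFile`, `shell.execute(listOf(CODESIGN, VERIFY, STRICT, file.path))`, so a signature that fails strict validation is reported by the signer rather than later by notarization. The remainder of `signFile`, including where `signCommand` is executed, lies outside the hunk.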
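Review bot: `appleCodeSigner!!.deleteKeychain()` only runs if `notarize()` returns normally, so a failed notarization (`Shell.execute` appears to throw on a non-zero exit by default, given the `throwOnError = false` override in the AppleCodeSigner hunk) leaves the temporary keychain holding the signing identity on the build host, unless a handler outside this hunk already cleans it up. Since the hunk rewrites this call anyway, `try { MacAppNotarizer(…).notarize() } finally { appleCodeSigner!!.deleteKeychain() }` makes the cleanup independent of the outcome; this is pre-existing behaviour, not something the patch introduced. `checkNotNull(appleCodeSigner) { "code signer not initialised" }` would also read better than `!!` in a branch where `codeSigningOptions` is known to be non-null. The enclosing `when` and its function start and end outside the hunk.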
@@ -11,29 +11,33 @@ import com.typedb.bazel.distribution.platform.jvm.MacAppNotarizer.Args.STAPLER
 import com.typedb.bazel.distribution.platform.jvm.MacAppNotarizer.Args.SUBMIT
 import com.typedb.bazel.distribution.platform.jvm.MacAppNotarizer.Args.TEAM_ID
 import com.typedb.bazel.distribution.platform.jvm.MacAppNotarizer.Args.TIMEOUT
+import com.typedb.bazel.distribution.platform.jvm.MacAppNotarizer.Args.VERBOSE
 import com.typedb.bazel.distribution.platform.jvm.MacAppNotarizer.Args.WAIT
 import com.typedb.bazel.distribution.platform.jvm.ShellArgs.Programs.XCRUN
 import java.nio.file.Path
-class MacAppNotarizer(private val dmgPath: Path) {
- fun notarize(appleCodeSigning: Options.AppleCodeSigning) {
- shell.execute(notarizeCommand(appleCodeSigning)).outputString()
+class MacAppNotarizer(
+ private val dmgPath: Path, appleCodeSigning: Options.AppleCodeSigning, private val logging: Options.Logging
+) {
+ fun notarize() {
+ shell.execute(notarizeCommand).outputString()
 markPackageAsApproved()
 }
- private fun notarizeCommand(appleCodeSigning: Options.AppleCodeSigning): Shell.Command {
- return Shell.Command(
- Shell.Command.arg(XCRUN), Shell.Command.arg(NOTARYTOOL), Shell.Command.arg(SUBMIT),
- Shell.Command.arg(APPLE_ID), Shell.Command.arg(appleCodeSigning.appleID),
- Shell.Command.arg(PASSWORD), Shell.Command.arg(appleCodeSigning.appleIDPassword, printable = false),
- Shell.Command.arg(TEAM_ID), Shell.Command.arg(appleCodeSigning.appleTeamID, printable = false),
- Shell.Command.arg(WAIT), Shell.Command.arg(TIMEOUT), Shell.Command.arg(ONE_HOUR),
- Shell.Command.arg(dmgPath.toString()),
+ private val notarizeCommand = Shell.Command(
+ listOfNotNull(
+ Shell.Command.arg(XCRUN), Shell.Command.arg(NOTARYTOOL), Shell.Command.arg(SUBMIT),
+ if (logging.verbose) Shell.Command.arg(VERBOSE) else null,
+ Shell.Command.arg(APPLE_ID), Shell.Command.arg(appleCodeSigning.appleID),
+ Shell.Command.arg(PASSWORD), Shell.Command.arg(appleCodeSigning.appleIDPassword, printable = false),
+ 
Shell.Command.arg(TEAM_ID), Shell.Command.arg(appleCodeSigning.appleTeamID, printable = false),
+ Shell.Command.arg(WAIT), Shell.Command.arg(TIMEOUT), Shell.Command.arg(ONE_HOUR),
+ Shell.Command.arg(dmgPath.toString()),
 )
- }
+ )
 private fun markPackageAsApproved() {
- shell.execute(listOf(XCRUN, STAPLER, STAPLE, dmgPath.toString()))
+ shell.execute(listOfNotNull(XCRUN, STAPLER, STAPLE, if (logging.verbose) VERBOSE else null, dmgPath.toString()))
 }
 private object Args {
@@ -46,6 +50,7 @@ class MacAppNotarizer(private val dmgPath: Path) {
 const val SUBMIT = "submit"
 const val TIMEOUT = "--timeout"
 const val TEAM_ID = "--team-id"
+ const val VERBOSE = "-v"
 const val WAIT = "--wait"
 }
 }
From 531b079f85f103f5a41007fd304aaf393759a8d8 Mon Sep 17 00:00:00 2001
From: sam-butcher
Date: Fri, 22 Nov 2024 14:20:12 +0000
Subject: [PATCH 2/3] log info about notarytool
---
 platform/jvm/MacAppNotarizer.kt | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/platform/jvm/MacAppNotarizer.kt b/platform/jvm/MacAppNotarizer.kt
index 6aa7386..7d79bda 100644
--- a/platform/jvm/MacAppNotarizer.kt
+++ b/platform/jvm/MacAppNotarizer.kt
@@ -1,5 +1,9 @@
 package com.typedb.bazel.distribution.platform.jvm
+import com.typedb.bazel.distribution.common.Logging.LogLevel
+import com.typedb.bazel.distribution.common.Logging.LogLevel.DEBUG
+import com.typedb.bazel.distribution.common.Logging.LogLevel.ERROR
+import com.typedb.bazel.distribution.common.Logging.Logger
 import com.typedb.bazel.distribution.common.shell.Shell
 import com.typedb.bazel.distribution.platform.jvm.JVMPlatformAssembler.shell
 import com.typedb.bazel.distribution.platform.jvm.MacAppNotarizer.Args.APPLE_ID
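Review bot: `shell.execute(notarizeCommand).outputString()` in `notarize()` throws away the notarytool output, so neither the submission id nor the final status is looked at before `markPackageAsApproved()` staples the DMG; unless `Shell.execute` fails on a non-zero exit (the `throwOnError = false` override in the AppleCodeSigner hunk suggests that is the default), an `Invalid` submission is only caught indirectly when stapling fails. Capture it, `val output = shell.execute(notarizeCommand).outputString()`, and at least log it at debug level after confirming it does not echo the credentials; the `notarytool log` hint that patch 2 adds right below this line would be far more useful with the submission id from that output. The same applies to patch 3's hunk, which only restyles the command. `notarize()` is fully visible here, but the class body continues outside the hunk.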
@@ -19,8 +23,11 @@ import java.nio.file.Path
 class MacAppNotarizer(
 private val dmgPath: Path, appleCodeSigning: Options.AppleCodeSigning, private val logging: Options.Logging
 ) {
+ private val logger = Logger(logLevel = if (logging.verbose) DEBUG else ERROR)
+
 fun notarize() {
 shell.execute(notarizeCommand).outputString()
+ logger.debug { "\nUse `xcrun notarytool log ` to view further information about this notarization\n" }
 markPackageAsApproved()
 }
From ca485fc3410d7275798360a329934c88a8cd1e29 Mon Sep 17 00:00:00 2001
From: sam-butcher
Date: Fri, 22 Nov 2024 14:28:47 +0000
Subject: [PATCH 3/3] Cleanup code style
---
 platform/jvm/MacAppNotarizer.kt | 21 ++++++++++-----------
 1 file changed, 10 insertions(+), 11 deletions(-)
diff --git a/platform/jvm/MacAppNotarizer.kt b/platform/jvm/MacAppNotarizer.kt
index 7d79bda..b3210e9 100644
--- a/platform/jvm/MacAppNotarizer.kt
+++ b/platform/jvm/MacAppNotarizer.kt
@@ -5,6 +5,7 @@ import com.typedb.bazel.distribution.common.Logging.LogLevel.DEBUG
 import com.typedb.bazel.distribution.common.Logging.LogLevel.ERROR
 import com.typedb.bazel.distribution.common.Logging.Logger
 import com.typedb.bazel.distribution.common.shell.Shell
+import com.typedb.bazel.distribution.common.shell.Shell.Command.Companion.arg
 import com.typedb.bazel.distribution.platform.jvm.JVMPlatformAssembler.shell
 import com.typedb.bazel.distribution.platform.jvm.MacAppNotarizer.Args.APPLE_ID
 import com.typedb.bazel.distribution.platform.jvm.MacAppNotarizer.Args.NOTARYTOOL
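Review bot: The `LogLevel` import added in this patch's first hunk appears to be unused — the new code references only `DEBUG`, `ERROR` and `Logger` in `Logger(logLevel = if (logging.verbose) DEBUG else ERROR)` — unless something elsewhere in the file needs it. Building a second `Logger` with its own verbose-to-level mapping also duplicates whatever logger `JVMPlatformAssembler` already holds (this file already borrows `shell` from it via `JVMPlatformAssembler.shell`); if it exposes its logger the same way, reuse it so both components log at one level. The hint would also be more actionable if it said where the submission id comes from, since that id is only in the `notarytool submit` output discarded on the line above. The rest of the class lies outside the hunk.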
@@ -31,17 +32,15 @@ class MacAppNotarizer(
 markPackageAsApproved()
 }
- private val notarizeCommand = Shell.Command(
- listOfNotNull(
- Shell.Command.arg(XCRUN), Shell.Command.arg(NOTARYTOOL), Shell.Command.arg(SUBMIT),
- if (logging.verbose) Shell.Command.arg(VERBOSE) else null,
- Shell.Command.arg(APPLE_ID), Shell.Command.arg(appleCodeSigning.appleID),
- Shell.Command.arg(PASSWORD), Shell.Command.arg(appleCodeSigning.appleIDPassword, printable = false),
- Shell.Command.arg(TEAM_ID), Shell.Command.arg(appleCodeSigning.appleTeamID, printable = false),
- Shell.Command.arg(WAIT), Shell.Command.arg(TIMEOUT), Shell.Command.arg(ONE_HOUR),
- Shell.Command.arg(dmgPath.toString()),
- )
- )
+ private val notarizeCommand = Shell.Command(listOfNotNull(
+ arg(XCRUN), arg(NOTARYTOOL), arg(SUBMIT),
+ if (logging.verbose) arg(VERBOSE) else null,
+ arg(APPLE_ID), arg(appleCodeSigning.appleID),
+ arg(PASSWORD), arg(appleCodeSigning.appleIDPassword, printable = false),
+ arg(TEAM_ID), arg(appleCodeSigning.appleTeamID, printable = false),
+ arg(WAIT), arg(TIMEOUT), arg(ONE_HOUR),
+ arg(dmgPath.toString()),
+ ))
 private fun markPackageAsApproved() {
 shell.execute(listOfNotNull(XCRUN, STAPLER, STAPLE, if (logging.verbose) VERBOSE else null, dmgPath.toString()))
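Review bot: `private val notarizeCommand` is declared below the `notarize()` function that reads it, while `logger` sits at the top of the class; Kotlin's class-layout convention (properties and initializers before functions) and consistency with `logger` both argue for moving this initializer up next to it. There is no ordering bug today, because `notarize()` is only invoked after construction and property initializers run in declaration order, but a reader has to work that out. The `))` closing `Shell.Command(listOfNotNull(` on its own line is a nit; most formatters would put the inner call on its own line as patch 1 had it. The start of `notarize()` and the rest of the class lie outside the hunk.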