#!/bin/bash
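# Tracing is intentionally NOT enabled unconditionally here: `set -x` prints
# every expanded command line, which copies the keychain password
# (`security unlock-keychain -p ...`) and the notarization password
# (`notarytool --password ...`) into stderr and CI logs. Opt in with
# -v/--verbose (`set -exf`) only on a host where that is acceptable.
# Program to build and package OSX wazuh-agent
# Wazuh package generator
# Copyright (C) 2015, Wazuh Inc.
#
# This program is a free software; you can redistribute it
# and/or modify it under the terms of the GNU General Public
# License (version 2) as published by the FSF - Free Software
# Foundation.

# Directory that holds this script (physical path, symlinks resolved). Abort
# instead of continuing with an empty path: SOURCES_DIRECTORY derived from it
# is removed with rm -rf on every exit path.
CURRENT_PATH="$( cd "$(dirname "${0}")" && pwd -P )" || exit 1
SOURCES_DIRECTORY="${CURRENT_PATH}/repository" # Scratch clone, deleted by clean_and_exit.
WAZUH_PATH="${SOURCES_DIRECTORY}/wazuh"
WAZUH_SOURCE_REPOSITORY="https://github.com/wazuh/wazuh"
export CONFIG="${WAZUH_PATH}/etc/preloaded-vars.conf" # Exported for the build scripts; not read here.
ENTITLEMENTS_PATH="${CURRENT_PATH}/entitlements.plist"
ARCH="intel64"
INSTALLATION_PATH="/Library/Ossec" # Installation path
VERSION="" # Default VERSION (branch/tag)
REVISION="1" # Package revision.
BRANCH_TAG="master" # Branch that will be downloaded to build package.
DESTINATION="${CURRENT_PATH}/output/" # Where package will be stored.
JOBS="2" # Compilation jobs.
DEBUG="no" # Enables the full log by using `set -exf`.
CHECKSUMDIR="" # Directory to store the checksum of the package.
CHECKSUM="no" # Enables the checksum generation.
CERT_APPLICATION_ID="" # Apple Developer ID certificate to sign Apps and binaries.
CERT_INSTALLER_ID="" # Apple Developer ID certificate to sign pkg.
KEYCHAIN="" # Keychain where the Apple Developer ID certificate is.
KC_PASS="" # Password of the keychain (handed to `security` on its command line).
NOTARIZE="no" # Notarize the package for macOS Catalina.
DEVELOPER_ID="" # Apple Developer ID.
ALTOOL_PASS="" # Temporary Application password for altool (handed to notarytool on its command line).
TEAM_ID="" # Team ID of the Apple Developer ID.
pkg_name="" # Set by build_package; read by sign_pkg and main.
notarization_path="" # Set by --notarize-path, or by main after a build.
# Tear the scratch state down if the operator interrupts the build.
trap ctrl_c INT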
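# Remove the build scratch state, uninstall the agent built on this host and exit.
#   $1 - exit status to terminate with (defaults to 1 when omitted)
# Globals (read): CURRENT_PATH. Globals (deleted): SOURCES_DIRECTORY.
function clean_and_exit() {
  local exit_code="${1:-1}"
  # Never let an empty variable turn this into `rm -rf ""`/root-level damage.
  if [ -n "${SOURCES_DIRECTORY}" ]; then
    rm -rf -- "${SOURCES_DIRECTORY}"
  fi
  # BSD `sed -i -e` (see get_pkgproj_specs) leaves a "<spec>-e" backup next to
  # the per-architecture spec. The previous cleanup named the file without the
  # architecture suffix and therefore never matched it; -f keeps this quiet
  # when there is nothing to remove.
  rm -f -- "${CURRENT_PATH}"/specs/wazuh-agent*.pkgproj-e
  "${CURRENT_PATH}/uninstall.sh"
  exit "${exit_code}"
}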
# SIGINT handler installed by `trap ctrl_c INT`: tear everything down and fail.
ctrl_c() {
  clean_and_exit 1
}
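# Submit a .pkg to Apple's notarization service, staple the ticket and place
# the result in DESTINATION.
#   $1 - path of the package to notarize
# Globals (read): NOTARIZE, DEVELOPER_ID, TEAM_ID, ALTOOL_PASS, DESTINATION.
# Returns 0 when NOTARIZE != "yes" (nothing to do) or on success; every
# failure goes through clean_and_exit 1 and does not return.
function notarize_pkg() {
  local pkg="${1}"
  if [ "${NOTARIZE}" != "yes" ]; then
    return 0
  fi
  # NOTE(review): the app-specific password is passed on the notarytool command
  # line, so it is visible in `ps` and in any `set -x` trace (-v/--verbose).
  if ! sudo xcrun notarytool submit "${pkg}" --apple-id "${DEVELOPER_ID}" --team-id "${TEAM_ID}" --password "${ALTOOL_PASS}" --wait ; then
    echo "Error notarizing the package."
    clean_and_exit 1
  fi
  echo "Package is notarized and ready to go."
  echo "Adding the ticket to the package."
  if ! xcrun stapler staple -v "${pkg}" ; then
    echo "Something went wrong while adding the package."
    clean_and_exit 1
  fi
  echo "Ticket added. Ready to release the package."
  # After a build the package already lives in DESTINATION (main points
  # notarization_path there); copying a file onto itself only yields a cp
  # error, so skip the copy when source and target are the same file.
  if mkdir -p "${DESTINATION}" && [ ! "${pkg}" -ef "${DESTINATION}/$(basename "${pkg}")" ]; then
    cp "${pkg}" "${DESTINATION}/"
  fi
  return 0
}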
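# Code-sign every Mach-O file (executables and libraries) below
# INSTALLATION_PATH with the Developer ID application certificate.
# No-op unless both KEYCHAIN and CERT_APPLICATION_ID are set.
# Globals (read): KEYCHAIN, KC_PASS, CERT_APPLICATION_ID, ENTITLEMENTS_PATH,
#                 INSTALLATION_PATH.
# The keychain is unlocked only for the duration of the loop and locked again
# on every path. A codesign failure aborts via clean_and_exit 1 instead of
# silently packaging an unsigned binary (the old loop ignored the exit code).
function sign_binaries() {
  local bin failed=0
  if [ -z "${KEYCHAIN}" ] || [ -z "${CERT_APPLICATION_ID}" ]; then
    return 0
  fi
  # NOTE(review): the keychain password travels on the command line and is
  # visible in `ps` and in any `set -x` trace.
  security -v unlock-keychain -p "${KC_PASS}" "${KEYCHAIN}" > /dev/null
  # NUL-delimited so paths with spaces survive. Only regular files are inspected
  # and only those `file` describes as Mach-O are signed; the previous
  # `grep bit` could also match unrelated descriptions (e.g. "8-bit" image data).
  while IFS= read -r -d '' bin; do
    if file -b "${bin}" | grep -q 'Mach-O'; then
      if ! codesign -f --sign "${CERT_APPLICATION_ID}" --entitlements "${ENTITLEMENTS_PATH}" --deep --timestamp --options=runtime --verbose=4 "${bin}"; then
        echo "Error: codesign failed for ${bin}" >&2
        failed=1
      fi
    fi
  done < <(find "${INSTALLATION_PATH}" -type f -print0)
  security -v lock-keychain "${KEYCHAIN}" > /dev/null
  if [ "${failed}" -ne 0 ]; then
    clean_and_exit 1
  fi
  return 0
}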
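# Sign the built installer package with the Developer ID installer certificate.
# No-op unless both KEYCHAIN and CERT_INSTALLER_ID are set.
# Globals (read): KEYCHAIN, KC_PASS, CERT_INSTALLER_ID, DESTINATION, pkg_name.
# The unsigned .pkg is replaced only after productsign succeeds. A signing
# failure locks the keychain again and aborts via clean_and_exit 1; the old
# code ignored it and then tried to mv a file that did not exist, leaving the
# unsigned package under the final name.
function sign_pkg() {
  local unsigned signed
  if [ -z "${KEYCHAIN}" ] || [ -z "${CERT_INSTALLER_ID}" ]; then
    return 0
  fi
  unsigned="${DESTINATION}/${pkg_name}"
  signed="${unsigned}.signed"
  # NOTE(review): keychain password on the command line — visible in ps / set -x.
  security -v unlock-keychain -p "${KC_PASS}" "${KEYCHAIN}" > /dev/null
  if productsign --sign "${CERT_INSTALLER_ID}" --timestamp "${unsigned}" "${signed}"; then
    mv -- "${signed}" "${unsigned}"
    security -v lock-keychain "${KEYCHAIN}" > /dev/null
    return 0
  fi
  echo "Error: productsign failed for ${unsigned}" >&2
  rm -f -- "${signed}"
  security -v lock-keychain "${KEYCHAIN}" > /dev/null
  clean_and_exit 1
}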
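# Clone the requested branch/tag, build the agent into INSTALLATION_PATH, sign
# it, produce the .pkg in DESTINATION and (optionally) a sha512 checksum.
# Globals (read): BRANCH_TAG, WAZUH_SOURCE_REPOSITORY, WAZUH_PATH,
#   SOURCES_DIRECTORY, CURRENT_PATH, INSTALLATION_PATH, JOBS, AGENT_PKG_FILE,
#   DESTINATION, REVISION, ARCH, CHECKSUM, CHECKSUMDIR.
# Globals (written): VERSION, pkg_name (main reuses both for notarization).
# Returns 0 on success so that main can run its post-build steps (uninstall.sh
# and --notarize). The previous version called clean_and_exit 0 here, which
# exited the script before main reached the notarization block, so
# `-b <branch> --notarize` never notarized the freshly built package.
# Every failure goes through clean_and_exit 1.
function build_package() {
  local packages_script_path="package_files"
  # Download source code. A failed clone was previously ignored and the build
  # carried on with an empty tree and an empty VERSION.
  if ! git clone --depth=1 -b "${BRANCH_TAG}" "${WAZUH_SOURCE_REPOSITORY}" "${WAZUH_PATH}"; then
    echo "ERROR: could not clone ${WAZUH_SOURCE_REPOSITORY} (${BRANCH_TAG})." >&2
    clean_and_exit 1
  fi
  get_pkgproj_specs
  # "v4.5.0-1" -> "4.5.0"
  VERSION=$(cut -d "-" -f1 < "${WAZUH_PATH}/src/VERSION" | cut -c 2-)
  if [ -d "${INSTALLATION_PATH}" ]; then
    # bash's echo does not interpret "\n"; printf does.
    printf '\n%s\n' "The wazuh agent is already installed on this machine."
    echo "Removing it from the system."
    "${CURRENT_PATH}/uninstall.sh"
  fi
  cp "${packages_script_path}"/*.sh "${CURRENT_PATH}/package_files/"
  if ! "${CURRENT_PATH}/package_files/build.sh" "${INSTALLATION_PATH}" "${WAZUH_PATH}" "${JOBS}"; then
    echo "ERROR: build.sh failed." >&2
    clean_and_exit 1
  fi
  # sign the binaries and the libraries
  sign_binaries
  # create package
  if ! packagesbuild "${AGENT_PKG_FILE}" --build-folder "${DESTINATION}"; then
    echo "ERROR: something went wrong while building the package."
    clean_and_exit 1
  fi
  echo "The wazuh agent package for macOS has been successfully built."
  pkg_name="wazuh-agent-${VERSION}-${REVISION}.${ARCH}.pkg"
  sign_pkg
  if [[ "${CHECKSUM}" == "yes" ]]; then
    mkdir -p "${CHECKSUMDIR}"
    # Subshell: the cd must not change the cwd for the rest of the script.
    ( cd "${DESTINATION}" && shasum -a512 "${pkg_name}" > "${CHECKSUMDIR}/${pkg_name}.sha512" )
  fi
  # Drop the scratch checkout and the sed backup here; main runs uninstall.sh
  # and the notarization step after we return.
  rm -rf -- "${SOURCES_DIRECTORY:?}"
  rm -f -- "${CURRENT_PATH}"/specs/wazuh-agent*.pkgproj-e
  return 0
}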
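# Print usage to stdout and exit.
#   $1 - exit status (0 for -h/--help, 1 for a usage error)
# Globals (read): BRANCH_TAG, shown as the example branch. The old text
# expanded the undefined $BRANCH and printed "e.g." with nothing after it.
function help() {
  cat <<EOF
Usage: $0 [OPTIONS]

 Build options:
 -a, --architecture <arch> [Optional] Target architecture of the package [intel64/arm64]. By Default: intel64.
 -b, --branch <branch> [Required] Select Git branch or tag e.g. ${BRANCH_TAG}
 -s, --store-path <path> [Optional] Set the destination absolute path of package.
 -j, --jobs <number> [Optional] Number of parallel jobs when compiling.
 -r, --revision <rev> [Optional] Package revision that append to version e.g. x.x.x-rev
 -c, --checksum <path> [Optional] Generate checksum on the desired path (by default, if no path is specified it will be generated on the same directory than the package).
 -h, --help [ Util ] Show this help.
 -i, --install-deps [ Util ] Install build dependencies (Packages).
 -x, --install-xcode [ Util ] Install X-Code and brew. Can't be executed as root.
 -v, --verbose [ Util ] Show additional information during the package generation.

 Signing options:
 --keychain [Optional] Keychain where the Certificates are installed.
 --keychain-password [Optional] Password of the keychain.
 --application-certificate [Optional] Apple Developer ID certificate name to sign Apps and binaries.
 --installer-certificate [Optional] Apple Developer ID certificate name to sign pkg.
 --notarize [Optional] Notarize the package for its distribution on macOS.
 --notarize-path <path> [Optional] Path of the package to be notarized.
 --developer-id [Optional] Your Apple Developer ID.
 --team-id [Optional] Your Apple Team ID.
 --altool-password [Optional] Temporary password to use altool from Xcode.

EOF
  exit "$1"
}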
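# Derive VERSION from the checked-out tree and patch the per-architecture
# Packages project so its version string reads "<VERSION>-<REVISION>.<ARCH>".
# Globals (read): WAZUH_PATH, ARCH, REVISION, AGENT_PKG_FILE (set by main).
# Globals (written): VERSION.
# The spec path is relative to the current working directory, as before.
# A missing spec aborts via clean_and_exit 1 (previously a bare exit 1 that
# left the fresh clone behind).
function get_pkgproj_specs() {
  local pkg_file tmp_file
  # "v4.5.0-1" -> "4.5.0"
  VERSION=$(cut -d "-" -f1 < "${WAZUH_PATH}/src/VERSION" | cut -c 2-)
  pkg_file="specs/wazuh-agent-${ARCH}.pkgproj"
  if [ ! -f "${pkg_file}" ]; then
    echo "Warning: the file ${pkg_file} does not exists. Check the version selected."
    clean_and_exit 1
  fi
  echo "Modifiying ${pkg_file} to match revision."
  # Rewrite through a temp file instead of `sed -i -e`: BSD sed takes "-e" as
  # the backup suffix and leaves "<spec>-e" behind, GNU sed does not; this form
  # behaves identically on both. VERSION/REVISION/ARCH are interpolated into
  # the sed expression and must not contain ':' (they come from the VERSION
  # file and the -r/-a options, not from untrusted input).
  tmp_file="${pkg_file}.tmp.$$"
  if sed -e "s:${VERSION}-.*<:${VERSION}-${REVISION}.${ARCH}<:g" "${pkg_file}" > "${tmp_file}"; then
    mv -- "${tmp_file}" "${pkg_file}"
  else
    rm -f -- "${tmp_file}"
    clean_and_exit 1
  fi
  cp "${pkg_file}" "${AGENT_PKG_FILE}"
  return 0
}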
# Verify that the Packages tool (packagesbuild) is on PATH; otherwise print a
# hint pointing at -i and exit 1. `command -v` echoes the resolved path.
testdep() {
  if ! command -v packagesbuild ; then
    echo "Error: packagesbuild not found. Download and install dependencies."
    echo "Use $0 -i for install it."
    exit 1
  fi
  return 0
}
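# Install the build dependencies: the Packages tool (packagesbuild) from its
# upstream .dmg and, on arm64, the Homebrew toolchain. Always exits: 0 on
# success, 1 when any step fails (the old code exited 0 even after printing
# "Something went wrong", so a caller could not tell).
# Must run as root (installer -target /); main calls check_root first.
function install_deps() {
  local dmg_url="http://s.sudre.free.fr/Software/files/Packages.dmg"
  # NOTE(review): the image is fetched over plain HTTP and installed as root
  # with no checksum or signature verification, so an on-path attacker can
  # substitute the installer. Pin a known hash (and use https if the host
  # offers it) before relying on this in CI. -f stops curl from saving an
  # HTTP error page under the .dmg name.
  if ! curl -fsSL -o Packages.dmg "${dmg_url}"; then
    echo "Error: could not download ${dmg_url}." >&2
    exit 1
  fi
  if ! hdiutil attach Packages.dmg; then
    echo "Error: could not attach Packages.dmg." >&2
    exit 1
  fi
  # The mount point name comes from the image; the glob is intentional.
  if ! cd /Volumes/Packages*/packages/ ; then
    echo "Error: Packages.dmg did not mount where expected." >&2
    exit 1
  fi
  if installer -package Packages.pkg -target / ; then
    echo "Packagesbuild was correctly installed."
  else
    echo "Something went wrong installing packagesbuild."
    exit 1
  fi
  if [ "$(uname -m)" = "arm64" ]; then
    echo "Installing build dependencies for arm64 architecture"
    # NOTE(review): this runs under check_root, while Homebrew normally refuses
    # to run as root — confirm on an arm64 host.
    brew install gcc binutils autoconf automake libtool cmake || exit 1
  fi
  exit 0
}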
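# Install Homebrew (which pulls in the Xcode Command Line Tools when missing).
# Always exits: 0 after the installer ran, 1 if it could not be fetched. The
# old form ran `bash -c ""` and exited 0 when curl failed.
# NOTE(review): this executes a script fetched over the network as the current
# user — the standard Homebrew install method, but remote code execution by
# design; review install.sh or pin a commit if that matters in your pipeline.
function install_xcode() {
  local installer_url="https://raw.githubusercontent.com/Homebrew/install/master/install.sh"
  local installer_script
  if ! installer_script="$(curl -fsSL "${installer_url}")"; then
    echo "Error: could not download ${installer_url}." >&2
    exit 1
  fi
  /bin/bash -c "${installer_script}"
  exit 0
}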
# Return 0 when the effective user is root; otherwise complain and exit 1.
check_root() {
  [[ $EUID -eq 0 ]] && return 0
  echo "This script must be run as root"
  echo
  exit 1
}
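# Entry point: parse the command line, then run the selected actions in order:
# dependency check, architecture validation, build (as root), post-build
# uninstall, notarization.
# NOTE(review): --keychain-password and --altool-password arrive on argv, so
# they are visible to every local user through `ps` while the script runs, and
# -v/--verbose (`set -exf`) prints them in the trace. Avoid -v on signing runs
# and keep signing to a dedicated build host.
function main() {
  BUILD="no"
  while [ -n "$1" ]; do
    case "$1" in
      "-a"|"--architecture")
        [ -n "$2" ] || help 1
        ARCH="$2"
        shift 2
        ;;
      "-b"|"--branch")
        [ -n "$2" ] || help 1
        BRANCH_TAG="$2"
        BUILD=yes
        shift 2
        ;;
      "-s"|"--store-path")
        [ -n "$2" ] || help 1
        DESTINATION="$2"
        shift 2
        ;;
      "-j"|"--jobs")
        [ -n "$2" ] || help 1
        JOBS="$2"
        shift 2
        ;;
      "-r"|"--revision")
        [ -n "$2" ] || help 1
        REVISION="$2"
        shift 2
        ;;
      "-h"|"--help")
        help 0
        ;;
      "-i"|"--install-deps")
        # install_deps exits; no shift needed.
        check_root
        install_deps
        ;;
      "-x"|"--install-xcode")
        # install_xcode exits; no shift needed.
        install_xcode
        ;;
      "-v"|"--verbose")
        DEBUG="yes"
        shift 1
        ;;
      "-c"|"--checksum")
        # The path is optional; without it the checksum lands next to the package.
        CHECKSUM="yes"
        if [ -n "$2" ]; then
          CHECKSUMDIR="$2"
          shift 2
        else
          shift 1
        fi
        ;;
      "--keychain")
        [ -n "$2" ] || help 1
        KEYCHAIN="$2"
        shift 2
        ;;
      "--keychain-password")
        [ -n "$2" ] || help 1
        KC_PASS="$2"
        shift 2
        ;;
      "--application-certificate")
        [ -n "$2" ] || help 1
        CERT_APPLICATION_ID="$2"
        shift 2
        ;;
      "--installer-certificate")
        [ -n "$2" ] || help 1
        CERT_INSTALLER_ID="$2"
        shift 2
        ;;
      "--notarize")
        NOTARIZE="yes"
        shift 1
        ;;
      "--notarize-path")
        [ -n "$2" ] || help 1
        notarization_path="$2"
        shift 2
        ;;
      "--developer-id")
        [ -n "$2" ] || help 1
        DEVELOPER_ID="$2"
        shift 2
        ;;
      "--team-id")
        [ -n "$2" ] || help 1
        TEAM_ID="$2"
        shift 2
        ;;
      "--altool-password")
        [ -n "$2" ] || help 1
        ALTOOL_PASS="$2"
        shift 2
        ;;
      *)
        help 1
        ;;
    esac
  done

  # -v: full trace (-e, -x, -f). The trace includes the passwords given above.
  if [ "${DEBUG}" = "yes" ]; then
    set -exf
  fi
  testdep
  if [ "${ARCH}" != "intel64" ] && [ "${ARCH}" != "arm64" ]; then
    echo "Error: architecture not supported."
    echo "Supported architectures: intel64, arm64"
    exit 1
  fi
  if [ -z "${CHECKSUMDIR}" ]; then
    CHECKSUMDIR="${DESTINATION}"
  fi
  if [[ "${BUILD}" != "no" ]]; then
    check_root
    AGENT_PKG_FILE="${CURRENT_PATH}/package_files/wazuh-agent-${ARCH}.pkgproj"
    build_package
    "${CURRENT_PATH}/uninstall.sh"
  fi
  if [ "${NOTARIZE}" = "yes" ]; then
    if [ "${BUILD}" = "yes" ]; then
      # Notarize the package just built; VERSION is set by build_package.
      pkg_name="wazuh-agent-${VERSION}-${REVISION}.${ARCH}.pkg"
      notarization_path="${DESTINATION}/${pkg_name}"
    fi
    if [ -z "${notarization_path}" ]; then
      echo "The path of the package to be notarized has not been specified."
      help 1
    fi
    notarize_pkg "${notarization_path}"
  fi
  if [ "${BUILD}" = "no" ] && [ "${NOTARIZE}" = "no" ]; then
    echo "The branch has not been specified and notarization has not been selected."
    help 1
  fi
  return 0
}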
main "$@"