fix: sign macos TS CLI binaries
PeterSchafer committed Aug 9, 2024
1 parent c8fa39f commit fb10b13
Showing 3 changed files with 16 additions and 1 deletion.
2 changes: 2 additions & 0 deletions .circleci/config.yml
Expand Up @@ -485,6 +485,7 @@ workflows:
go_download_base_url: << pipeline.parameters.go_download_base_url >>
executor: macos-arm64
install_deps_extension: macos-build
context: snyk-macos-signing
requires:
- prepare-build

Expand All @@ -496,6 +497,7 @@ workflows:
go_download_base_url: << pipeline.parameters.go_download_base_url >>
executor: macos-arm64
install_deps_extension: macos-build
context: snyk-macos-signing
requires:
- prepare-build

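Review bot: Attaching `context: snyk-macos-signing` to these two workflow entries exposes the signing secrets to every step of the job, not only to the signing step. Both entries also set `install_deps_extension: macos-build`, so the job presumably installs dependencies and runs the full build with those secrets in its environment; the job definition is outside these hunks, so that part is inferred. Consider signing in a dedicated job that only attaches the built binaries from the workspace and carries the context, or at least restricting the context (security group or project restriction) and documenting it with a comment such as `# signing secrets: keep this context off jobs that run third-party install or build scripts`.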
2 changes: 2 additions & 0 deletions Makefile
Expand Up @@ -133,10 +133,12 @@ $(BINARY_RELEASES_FOLDER_TS_CLI)/snyk-linux-arm64: prepack | $(BINARY_RELEASES_F

$(BINARY_RELEASES_FOLDER_TS_CLI)/snyk-macos: prepack | $(BINARY_RELEASES_FOLDER_TS_CLI)
$(PKG) -t node$(PKG_NODE_VERSION)-macos-x64 -o $(BINARY_RELEASES_FOLDER_TS_CLI)/snyk-macos
$(SHELL) $(WORKING_DIR)/cliv2/scripts/sign_darwin.sh $(BINARY_RELEASES_FOLDER_TS_CLI) snyk-macos skip-notarize
$(MAKE) $(BINARY_RELEASES_FOLDER_TS_CLI)/snyk-macos.sha256

$(BINARY_RELEASES_FOLDER_TS_CLI)/snyk-macos-arm64: prepack | $(BINARY_RELEASES_FOLDER_TS_CLI)
$(PKG) -t node$(PKG_NODE_VERSION)-macos-arm64 -o $(BINARY_RELEASES_FOLDER_TS_CLI)/snyk-macos-arm64 --no-bytecode
$(SHELL) $(WORKING_DIR)/cliv2/scripts/sign_darwin.sh $(BINARY_RELEASES_FOLDER_TS_CLI) snyk-macos-arm64 skip-notarize
$(MAKE) $(BINARY_RELEASES_FOLDER_TS_CLI)/snyk-macos-arm64.sha256

$(BINARY_RELEASES_FOLDER_TS_CLI)/snyk-win.exe: prepack | $(BINARY_RELEASES_FOLDER_TS_CLI)
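Review bot: The new `sign_darwin.sh` recipe line in the `snyk-macos` and `snyk-macos-arm64` rules can exit 0 without signing, and the following `$(MAKE) $(BINARY_RELEASES_FOLDER_TS_CLI)/snyk-macos.sha256` step then records a checksum for an unsigned binary with no visible failure. The script change in this same commit skips signing when `APPLE_ID` is unset and relies on a later is-signed check that is not visible here, so it is worth confirming that check covers the TS CLI binaries these rules produce. The script also exits 1 when `$OSTYPE` is not darwin, and that guard appears to run before the no-secrets skip, so these targets would now fail on a non-macOS host. A comment above each rule would make both constraints explicit, e.g. `# needs a macOS host; signing is skipped when APPLE_ID is unset, so verify the signature before release`.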
13 changes: 12 additions & 1 deletion cliv2/scripts/sign_darwin.sh
Expand Up @@ -11,6 +11,7 @@ set -euo pipefail

EXPORT_PATH=${1:-./bin}
PRODUCT_NAME=${2:-snyk_darwin_amd64}
SKIP_NOTARIZE=${3:-0}
KEYCHAIN_PROFILE=AC_PASSWORD
APP_PATH="$EXPORT_PATH/$PRODUCT_NAME"
ZIP_PATH="$EXPORT_PATH/$PRODUCT_NAME.zip"
Expand All @@ -30,6 +31,12 @@ if [[ "$OSTYPE" != *"darwin"* ]]; then
exit 1
fi

# if the required secrets are not available we skip signing completely without an error to enable local builds on windows. A later issigned check will catch this error in the build pipeline
if [ -z "${APPLE_ID+x}" ]; then
echo "$LOG_PREFIX Skipping signing, since the required secrets are not available."
exit 0
fi

#
# signing
#
Expand All @@ -51,12 +58,16 @@ security set-key-partition-list -S apple-tool:,apple: -s -k "$KEYCHAIN_PASSWORD"
sleep 10

echo "$LOG_PREFIX Signing binary $APP_PATH"
codesign -s "$APPLE_SIGNING_IDENTITY" -v "$APP_PATH" --timestamp --options runtime
codesign -f -s "$APPLE_SIGNING_IDENTITY" -v "$APP_PATH" --timestamp --options runtime

#
# notarization
#

if [[ "$SKIP_NOTARIZE" = "skip-notarize" ]]; then
exit 0
fi

# create a zip file
echo "$LOG_PREFIX Creating zip file $ZIP_PATH"
/usr/bin/ditto -c -k --keepParent "$APP_PATH" "$ZIP_PATH"
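Review bot: The new guard `if [ -z "${APPLE_ID+x}" ]` fails open: a missing context makes the script exit 0 and leave the binary unsigned. It also only tests whether `APPLE_ID` is set, so a variable that is present but empty passes the check and the script goes on to the signing steps. `[ -z "${APPLE_ID:-}" ]` treats empty and unset the same way. Since the skip is meant for local builds, consider exiting 1 instead when `CI` is set and the secret is missing, so a misconfigured release job cannot silently produce an unsigned artifact; the is-signed check the comment relies on is outside this page. The early `exit 0` in the `skip-notarize` branch also bypasses everything after notarization, so if keychain cleanup lives there (not visible in this hunk) it would be skipped too.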
