Merge pull request #2749 from chef/jm/backport_entitlements_to_dk3
Adding notarization and entitlements for unsigned memory execution (backport from master)
tas50 authored Feb 3, 2020
2 parents fb2c8cb + e379571 commit 76443bc
Showing 7 changed files with 87 additions and 10 deletions.
20 changes: 11 additions & 9 deletions omnibus/Gemfile.lock
@@ -8,10 +8,10 @@ GIT

GIT
remote: https://github.com/chef/omnibus.git
revision: d642ae6fd57f4a74846e325fecadebb132069894
revision: 5baaf7a1d4ee66a9273e127c7e09ce0bb3b33d90
branch: master
specs:
omnibus (7.0.1)
omnibus (7.0.2)
aws-sdk-s3 (~> 1)
chef-cleanroom (~> 1.0)
chef-sugar (>= 3.3)
@@ -32,7 +32,7 @@ GEM
artifactory (3.0.12)
awesome_print (1.8.0)
aws-eventstream (1.0.3)
aws-partitions (1.268.0)
aws-partitions (1.269.0)
aws-sdk-core (3.89.1)
aws-eventstream (~> 1.0, >= 1.0.2)
aws-partitions (~> 1, >= 1.239.0)
@@ -166,9 +166,9 @@ GEM
erubis (2.7.0)
faraday (1.0.0)
multipart-post (>= 1.2, < 3)
ffi (1.12.1)
ffi (1.12.1-x64-mingw32)
ffi (1.12.1-x86-mingw32)
ffi (1.12.2)
ffi (1.12.2-x64-mingw32)
ffi (1.12.2-x86-mingw32)
ffi-libarchive (1.0.0)
ffi (~> 1.0)
ffi-win32-extensions (1.0.3)
@@ -226,7 +226,7 @@ GEM
mixlib-versioning (1.2.12)
molinillo (0.6.6)
multi_json (1.14.1)
multipart-post (2.0.0)
multipart-post (2.1.1)
necromancer (0.5.1)
net-scp (2.0.0)
net-ssh (>= 2.6.5, < 6.0.0)
@@ -257,17 +257,19 @@ GEM
pastel (0.7.3)
equatable (~> 0.6)
tty-color (~> 0.5)
pedump (0.5.2)
pedump (0.5.4)
awesome_print
iostruct (>= 0.0.4)
multipart-post (~> 2.0.0)
multipart-post (>= 2.0.0)
progressbar
rainbow
zhexdump (>= 0.0.2)
plist (3.5.0)
progressbar (1.10.1)
proxifier (1.0.3)
public_suffix (4.0.3)
rack (2.1.1)
rainbow (3.0.0)
retryable (3.0.5)
ruby-progressbar (1.10.1)
rubyntlm (0.6.2)
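--- a/omnibus/config/patches/rb-fsevent-gem.patch
+++ b/omnibus/config/patches/rb-fsevent-gem.patch
@@ -0,0 +1,24 @@
+diff --git a/bin/fsevent_watch b/bin/fsevent_watch
+index 889204f..17b894b 100755
+Binary files a/bin/fsevent_watch and b/bin/fsevent_watch differ
+diff --git a/ext/rakefile.rb b/ext/rakefile.rb
+index d7789bd..fd8ec36 100644
+--- a/ext/rakefile.rb
++++ b/ext/rakefile.rb
+@@ -48,13 +48,13 @@ CLOBBER.include $final_exe.to_s
+task :sw_vers do
+$mac_product_version = `sw_vers -productVersion`.strip
+$mac_build_version = `sw_vers -buildVersion`.strip
+- $MACOSX_DEPLOYMENT_TARGET = ENV["MACOSX_DEPLOYMENT_TARGET"] || $mac_product_version.sub(/\.\d*$/, '')
+- $CFLAGS = "#{$CFLAGS} -mmacosx-version-min=#{$MACOSX_DEPLOYMENT_TARGET}"
++ $MACOSX_MIN_TARGET = $mac_product_version.sub(/\.\d*$/, '')
++ $CFLAGS = "#{$CFLAGS} -mmacosx-version-min=#{$MACOSX_MIN_TARGET}"
+end
+
+task :get_sdk_info => :sw_vers do
+$SDK_INFO = {}
+- version_info = `xcodebuild -version -sdk macosx#{$MACOSX_DEPLOYMENT_TARGET}`
++ version_info = `xcodebuild -version -sdk macosx`
+raise "invalid SDK" unless !!$?.exitstatus
+version_info.strip.each_line do |line|
+next if line.strip.empty?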
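Review bot: This patch file looks unused and partly unappliable: the `build` block of the new `rb-fsevent-gem.rb` definition in this commit contains no `patch` step, and the first stanza is only a `Binary files ... differ` marker that carries no content to apply. If the `ext/rakefile.rb` change is meant to take effect, add `patch source: "rb-fsevent-gem.patch", plevel: 1, env: env` before `bundle "install"` and drop the binary stanza (the `rake replace_exe` step presumably rebuilds `bin/fsevent_watch` anyway); otherwise remove the file so nobody assumes the SDK lookup is patched. Because the definition tracks `master`, a header comment naming the upstream revision the hunk was cut against would also help when the context lines drift.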
2 changes: 1 addition & 1 deletion omnibus/config/projects/chefdk.rb
@@ -98,7 +98,7 @@

package :pkg do
identifier "com.getchef.pkg.chefdk"
signing_identity "Developer ID Installer: Chef Software, Inc. (EU3VF8YLX2)"
signing_identity "Chef Software, Inc. (EU3VF8YLX2)"
end

package :msi do
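Review bot: The shortened `signing_identity "Chef Software, Inc. (EU3VF8YLX2)"` (taking the second of the two printed lines as the new value) no longer names the certificate type, and nothing in the `package :pkg` block explains why. Presumably the updated omnibus adds the `Developer ID Installer:` / `Developer ID Application:` prefix itself; a comment such as `# omnibus prepends the "Developer ID Installer:/Application:" prefix; both certificates must be present in the build keychain` would make that dependency visible. A post-build `pkgutil --check-signature` on the produced .pkg would catch a keychain that resolves the name to a missing or unintended certificate. The rest of the project file is outside this section.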
5 changes: 5 additions & 0 deletions omnibus/config/software/chef-dk.rb
@@ -74,6 +74,11 @@
# for train
dependency "google-protobuf"

# This is a transative dep but we need to build from source so binaries are built on current sdk.
# Only matters on mac.
# TODO: Contact gem mainter about getting new release.
dependency "rb-fsevent-gem" if mac_os_x?

build do
env = with_standard_compiler_flags(with_embedded_path)

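Review bot: The comment above `dependency "rb-fsevent-gem" if mac_os_x?` does not say why the SDK matters and has two typos (`transative`, `mainter`). Suggested wording: `# Transitive dep; built from source so its helper binary is linked against the current SDK` / `# (presumably needed for notarization; confirm). macOS only.` / `# TODO: ask the gem maintainer for a release with a rebuilt binary, then drop this.` Linking the upstream issue in the TODO would let the source build be removed once such a release exists. The `build do` block that follows continues outside this section.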
2 changes: 2 additions & 0 deletions omnibus/config/software/git-custom-bindir.rb
@@ -41,6 +41,8 @@

source url: "https://www.kernel.org/pub/software/scm/git/git-#{version}.tar.gz"

bin_dirs ["#{install_dir}/gitbin", "#{install_dir}/embedded/libexec/git-core"]

build do
env = with_standard_compiler_flags(with_embedded_path)

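Review bot: `bin_dirs [...]` is added without a comment, so the file does not show that the list exists for code signing. A line such as `# directories whose executables omnibus signs for notarization (assumed; confirm against the omnibus bump in Gemfile.lock)` above it would help. Any git executable installed outside these two paths would presumably stay unsigned, so it is worth running `codesign --verify` over the built tree before packaging rather than learning it from a notarization rejection.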
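--- a/omnibus/config/software/rb-fsevent-gem.rb
+++ b/omnibus/config/software/rb-fsevent-gem.rb
@@ -0,0 +1,36 @@
+#
+# Copyright 2012-2014 Chef Software, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+name "rb-fsevent-gem"
+default_version "master"
+
+source git: "https://github.com/thibaudgg/rb-fsevent.git"
+
+license "Apache-2.0"
+license_file "https://raw.githubusercontent.com/thibaudgg/rb-fsevent/master/LICENSE.txt"
+
+dependency "ruby"
+
+build do
+env = with_standard_compiler_flags(with_embedded_path)
+# Look up active sdk version.
+sdk_ver = `xcrun --sdk macosx --show-sdk-version`.strip
+env["MACOSX_DEPLOYMENT_TARGET"] = sdk_ver
+
+bundle "install", env: env
+bundle "exec rake replace_exe", env: env, cwd: "#{project_dir}/ext"
+bundle "exec rake install:local", env: env
+end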
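Review bot: `default_version "master"` combined with `source git:` means every build compiles whatever the third-party branch holds at that moment, and the result goes into the signed package. Pin it to a reviewed commit, e.g. `default_version "<full-commit-sha>"` (placeholder), and point `license_file` at the same revision instead of `master`. Separately, the `xcrun` backtick result is used unchecked, so a failed lookup sets `MACOSX_DEPLOYMENT_TARGET` to an empty string. Adding `raise "could not determine macOS SDK version" if sdk_ver.empty?` right after the lookup would fail the build early.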
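--- a/omnibus/resources/chefdk/pkg/entitlements.plist
+++ b/omnibus/resources/chefdk/pkg/entitlements.plist
@@ -0,0 +1,8 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+<key>com.apple.security.cs.allow-unsigned-executable-memory</key>
+<true/>
+</dict>
+</plist>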
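Review bot: `com.apple.security.cs.allow-unsigned-executable-memory` switches off one of the hardened-runtime protections for every binary signed with this plist, and the file does not say which component needs it. Add an XML comment naming the consumer (presumably the embedded Ruby or FFI; to be confirmed), e.g. `<!-- required by <component>: maps writable and executable memory; revisit once it supports MAP_JIT -->`, so the exception can be removed later. If that component can allocate with `MAP_JIT`, the narrower `com.apple.security.cs.allow-jit` entitlement is preferable. It is also worth applying the entitlement only to the executables that need it rather than to everything under the signed directories.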
