This repository has been archived by the owner on Jul 14, 2021. It is now read-only.

Fixes all notarization issues
    This change makes the necessary changes to enable the pkg to pass Apple's notarization requirements.

    1. Update omnibus and omnibus-software to versions that support deep signing
    2. Drop 'Developer ID Installer:' from signing key. This lets signing pick up the correct key for what is being signed.
    3. Add bin_dirs and lib_dirs to chefdk and git-custom-bindir software definitions so signing can find their binaries and libraries.
    4. Add software definition for rb-fsevent-gem so we build the gem. This resolves an issue where the shipped binary is built on too old an SDK.
    5. Patch rb-fsevent-gem build to work in our environment. Set minimum target to current os and discover the sdk version.

Signed-off-by: Jon Morrow <jmorrow@chef.io>
Jon Morrow committed Jan 23, 2020
1 parent b5a615c commit c96c4bb
Showing 7 changed files with 112 additions and 53 deletions.
2 changes: 1 addition & 1 deletion omnibus/Gemfile
Expand Up @@ -15,7 +15,7 @@ group :development do
gem "berkshelf", ">= 7.0"

# Use Test Kitchen with Vagrant for converging the build environment
gem "test-kitchen", ">= 2"
gem "test-kitchen", ">= 1.23"
gem "kitchen-vagrant"
gem "winrm-elevated"
end
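Review bot: The `test-kitchen` constraint in the development group is loosened from `>= 2` to `>= 1.23`, which none of the five items in the commit message covers. If the lower floor is needed so the resolver can satisfy the new omnibus, say so in a comment above the line; otherwise keep `>= 2` so this change stays limited to signing.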
94 changes: 43 additions & 51 deletions omnibus/Gemfile.lock
@@ -1,17 +1,17 @@
GIT
remote: https://github.com/chef/omnibus-software.git
revision: 1b2dfe467cbc22e0e2e232e2648af3482830bfd7
revision: ad7ed679f1b34c20f8be34365d38cb1c21e737cd
branch: master
specs:
omnibus-software (4.0.0)
omnibus (>= 5.6.1)

GIT
remote: https://github.com/chef/omnibus.git
revision: 70855aab656d333622c51171828b4f41d04f6ef5
revision: d642ae6fd57f4a74846e325fecadebb132069894
branch: master
specs:
omnibus (6.1.21)
omnibus (7.0.1)
aws-sdk-s3 (~> 1)
chef-cleanroom (~> 1.0)
chef-sugar (>= 3.3)
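Review bot: Both GIT sources in this hunk still follow `branch: master`, so the locked `revision` values are the only thing fixing which omnibus and omnibus-software code produces the signed package, and omnibus moves across a major version (6.1.21 to 7.0.1). Consider pinning both to a tag or an explicit ref in the Gemfile, and name in the commit message the upstream change that provides deep signing so the locked revisions can be audited later.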
Expand All @@ -29,16 +29,16 @@ GEM
specs:
addressable (2.7.0)
public_suffix (>= 2.0.2, < 5.0)
artifactory (3.0.12)
artifactory (3.0.5)
awesome_print (1.8.0)
aws-eventstream (1.0.3)
aws-partitions (1.264.0)
aws-partitions (1.267.0)
aws-sdk-core (3.89.1)
aws-eventstream (~> 1.0, >= 1.0.2)
aws-partitions (~> 1, >= 1.239.0)
aws-sigv4 (~> 1.1)
jmespath (~> 1.0)
aws-sdk-kms (1.27.0)
aws-sdk-kms (1.28.0)
aws-sdk-core (~> 3, >= 3.71.0)
aws-sigv4 (~> 1.1)
aws-sdk-s3 (1.60.1)
Expand All @@ -63,13 +63,12 @@ GEM
retryable (>= 2.0, < 4.0)
solve (~> 4.0)
thor (>= 0.20)
builder (3.2.4)
chef (15.6.10)
builder (3.2.3)
chef (15.2.20)
addressable
bcrypt_pbkdf (~> 1.0)
bundler (>= 1.10)
chef-config (= 15.6.10)
chef-utils (= 15.6.10)
chef-config (= 15.2.20)
chef-zero (>= 14.0.11)
diff-lcs (~> 1.2, >= 1.2.4)
ed25519 (~> 1.2)
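Review bot: The `chef` entry in this hunk moves backwards, from 15.6.10 to 15.2.20, with `chef-config` following it and `chef-utils` dropped, and the commit message does not mention it. That looks like a side effect of re-resolving the whole lock rather than something notarization needs; if so, regenerate the lock with only omnibus and omnibus-software updated (for example `bundle update --conservative omnibus omnibus-software`), or state why the older chef is required.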
Expand All @@ -81,27 +80,25 @@ GEM
iniparse (~> 1.4)
license-acceptance (~> 1.0, >= 1.0.5)
mixlib-archive (>= 0.4, < 2.0)
mixlib-authentication (>= 2.1, < 4)
mixlib-authentication (~> 2.1)
mixlib-cli (>= 2.1.1, < 3.0)
mixlib-log (>= 2.0.3, < 4.0)
mixlib-shellout (>= 3.0.3, < 4.0)
mixlib-shellout (>= 2.4, < 4.0)
net-sftp (~> 2.1, >= 2.1.2)
net-ssh (>= 4.2, < 6)
net-ssh-multi (~> 1.2, >= 1.2.1)
ohai (~> 15.0)
plist (~> 3.2)
proxifier (~> 1.0)
syslog-logger (~> 1.6)
train-core (~> 3.1)
train-winrm (>= 0.2.5)
train-core (~> 2.0, >= 2.0.12)
tty-screen (~> 0.6)
uuidtools (~> 2.1.5)
chef (15.6.10-universal-mingw32)
chef (15.2.20-universal-mingw32)
addressable
bcrypt_pbkdf (~> 1.0)
bundler (>= 1.10)
chef-config (= 15.6.10)
chef-utils (= 15.6.10)
chef-config (= 15.2.20)
chef-zero (>= 14.0.11)
diff-lcs (~> 1.2, >= 1.2.4)
ed25519 (~> 1.2)
Expand All @@ -114,19 +111,18 @@ GEM
iso8601 (~> 0.12.1)
license-acceptance (~> 1.0, >= 1.0.5)
mixlib-archive (>= 0.4, < 2.0)
mixlib-authentication (>= 2.1, < 4)
mixlib-authentication (~> 2.1)
mixlib-cli (>= 2.1.1, < 3.0)
mixlib-log (>= 2.0.3, < 4.0)
mixlib-shellout (>= 3.0.3, < 4.0)
mixlib-shellout (>= 2.4, < 4.0)
net-sftp (~> 2.1, >= 2.1.2)
net-ssh (>= 4.2, < 6)
net-ssh-multi (~> 1.2, >= 1.2.1)
ohai (~> 15.0)
plist (~> 3.2)
proxifier (~> 1.0)
syslog-logger (~> 1.6)
train-core (~> 3.1)
train-winrm (>= 0.2.5)
train-core (~> 2.0, >= 2.0.12)
tty-screen (~> 0.6)
uuidtools (~> 2.1.5)
win32-api (~> 1.5.3)
Expand All @@ -141,16 +137,14 @@ GEM
win32-taskscheduler (~> 2.0)
wmi-lite (~> 1.0)
chef-cleanroom (1.0.2)
chef-config (15.6.10)
chef-config (15.2.20)
addressable
chef-utils (= 15.6.10)
fuzzyurl
mixlib-config (>= 2.2.12, < 4.0)
mixlib-shellout (>= 2.0, < 4.0)
tomlrb (~> 1.2)
chef-sugar (5.1.9)
chef-utils (15.6.10)
chef-zero (14.0.17)
chef-zero (14.0.13)
ffi-yajl (~> 2.2)
hashie (>= 2.0, < 4.0)
mixlib-log (>= 2.0, < 4.0)
Expand All @@ -164,12 +158,12 @@ GEM
equatable (0.6.1)
erubi (1.9.0)
erubis (2.7.0)
faraday (1.0.0)
faraday (0.17.0)
multipart-post (>= 1.2, < 3)
ffi (1.12.1)
ffi (1.12.1-x64-mingw32)
ffi (1.12.1-x86-mingw32)
ffi-libarchive (1.0.0)
ffi-libarchive (0.4.10)
ffi (~> 1.0)
ffi-win32-extensions (1.0.3)
ffi
Expand All @@ -188,8 +182,8 @@ GEM
ipaddress (0.8.3)
iso8601 (0.12.1)
jmespath (1.4.0)
json (2.3.0)
kitchen-vagrant (1.6.1)
json (2.2.0)
kitchen-vagrant (1.6.0)
test-kitchen (>= 1.4, < 3)
libyajl2 (1.2.0)
license-acceptance (1.0.13)
Expand All @@ -206,15 +200,15 @@ GEM
little-plugger (~> 1.1)
multi_json (~> 1.10)
minitar (0.9)
mixlib-archive (1.0.5)
mixlib-archive (1.0.1)
mixlib-log
mixlib-archive (1.0.5-universal-mingw32)
mixlib-archive (1.0.1-universal-mingw32)
mixlib-log
mixlib-authentication (3.0.6)
mixlib-authentication (2.1.1)
mixlib-cli (2.1.5)
mixlib-config (3.0.6)
tomlrb
mixlib-install (3.11.26)
mixlib-install (3.11.21)
mixlib-shellout
mixlib-versioning
thor
Expand All @@ -227,7 +221,7 @@ GEM
molinillo (0.6.6)
multi_json (1.14.1)
multipart-post (2.0.0)
necromancer (0.5.1)
necromancer (0.5.0)
net-scp (2.0.0)
net-ssh (>= 2.6.5, < 6.0.0)
net-sftp (2.1.2)
Expand All @@ -239,10 +233,9 @@ GEM
net-ssh (>= 2.6.5)
net-ssh-gateway (>= 1.2.0)
nori (2.6.0)
octokit (4.15.0)
faraday (>= 0.9)
octokit (4.14.0)
sawyer (~> 0.8.0, >= 0.5.3)
ohai (15.6.3)
ohai (15.7.4)
chef-config (>= 12.8, < 16)
ffi (~> 1.9)
ffi-yajl (~> 2.2)
Expand All @@ -267,19 +260,19 @@ GEM
progressbar (1.10.1)
proxifier (1.0.3)
public_suffix (4.0.3)
rack (2.1.1)
rack (2.0.7)
retryable (3.0.5)
ruby-progressbar (1.10.1)
rubyntlm (0.6.2)
rubyzip (2.0.0)
rubyzip (1.3.0)
sawyer (0.8.2)
addressable (>= 2.3.5)
faraday (> 0.8, < 2.0)
semverse (3.0.0)
solve (4.0.3)
solve (4.0.2)
molinillo (~> 0.6)
semverse (>= 1.1, < 4.0)
strings (0.1.8)
strings (0.1.6)
strings-ansi (~> 0.1)
unicode-display_width (~> 1.5)
unicode_utils (~> 1.4)
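Review bot: `rack` (2.1.1 to 2.0.7) and `rubyzip` (2.0.0 to 1.3.0) are both downgraded in this hunk, alongside `solve` and `strings`. Downgrades of an HTTP library and an archive-handling library in the build toolchain deserve an explicit check against their changelogs and advisories before merge; prefer keeping the previously locked versions unless the new omnibus constraints rule them out.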
Expand All @@ -304,12 +297,11 @@ GEM
toml-rb (2.0.1)
citrus (~> 3.0, > 3.0)
tomlrb (1.2.9)
train-core (3.2.5)
train-core (2.1.19)
json (>= 1.8, < 3.0)
mixlib-shellout (>= 2.0, < 4.0)
net-scp (>= 1.2, < 3.0)
net-ssh (>= 2.9, < 6.0)
train-winrm (0.2.6)
winrm (~> 2.0)
winrm-fs (~> 1.0)
tty-box (0.5.0)
Expand All @@ -318,11 +310,11 @@ GEM
tty-cursor (~> 0.7)
tty-color (0.5.0)
tty-cursor (0.7.0)
tty-prompt (0.20.0)
tty-prompt (0.19.0)
necromancer (~> 0.5.0)
pastel (~> 0.7.0)
tty-reader (~> 0.7.0)
tty-reader (0.7.0)
tty-reader (~> 0.6.0)
tty-reader (0.6.0)
tty-cursor (~> 0.7)
tty-screen (~> 0.7)
wisper (~> 2.0.0)
Expand All @@ -331,7 +323,7 @@ GEM
unicode_utils (1.4.0)
uuidtools (2.1.5)
win32-api (1.5.3-universal-mingw32)
win32-certstore (0.4.0)
win32-certstore (0.3.0)
ffi
mixlib-shellout
win32-dir (0.5.1)
Expand All @@ -354,7 +346,7 @@ GEM
win32-taskscheduler (2.0.4)
ffi
structured_warnings
winrm (2.3.4)
winrm (2.3.3)
builder (>= 2.1.2)
erubi (~> 1.8)
gssapi (~> 1.2)
Expand All @@ -367,10 +359,10 @@ GEM
erubi (~> 1.8)
winrm (~> 2.0)
winrm-fs (~> 1.0)
winrm-fs (1.3.4)
winrm-fs (1.3.3)
erubi (~> 1.8)
logging (>= 1.6.1, < 3.0)
rubyzip (~> 2.0)
rubyzip (~> 1.1)
winrm (~> 2.0)
wisper (2.0.1)
wmi-lite (1.0.5)
Expand All @@ -388,7 +380,7 @@ DEPENDENCIES
omnibus!
omnibus-software!
pedump
test-kitchen (>= 2)
test-kitchen (>= 1.23)
winrm-elevated

BUNDLED WITH
24 changes: 24 additions & 0 deletions omnibus/config/patches/rb-fsevent-gem.patch
@@ -0,0 +1,24 @@
diff --git a/bin/fsevent_watch b/bin/fsevent_watch
index 889204f..17b894b 100755
Binary files a/bin/fsevent_watch and b/bin/fsevent_watch differ
diff --git a/ext/rakefile.rb b/ext/rakefile.rb
index d7789bd..fd8ec36 100644
--- a/ext/rakefile.rb
+++ b/ext/rakefile.rb
@@ -48,13 +48,13 @@ CLOBBER.include $final_exe.to_s
task :sw_vers do
$mac_product_version = `sw_vers -productVersion`.strip
$mac_build_version = `sw_vers -buildVersion`.strip
- $MACOSX_DEPLOYMENT_TARGET = ENV["MACOSX_DEPLOYMENT_TARGET"] || $mac_product_version.sub(/\.\d*$/, '')
- $CFLAGS = "#{$CFLAGS} -mmacosx-version-min=#{$MACOSX_DEPLOYMENT_TARGET}"
+ $MACOSX_MIN_TARGET = $mac_product_version.sub(/\.\d*$/, '')
+ $CFLAGS = "#{$CFLAGS} -mmacosx-version-min=#{$MACOSX_MIN_TARGET}"
end

task :get_sdk_info => :sw_vers do
$SDK_INFO = {}
- version_info = `xcodebuild -version -sdk macosx#{$MACOSX_DEPLOYMENT_TARGET}`
+ version_info = `xcodebuild -version -sdk macosx`
raise "invalid SDK" unless !!$?.exitstatus
version_info.strip.each_line do |line|
next if line.strip.empty?
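Review bot: The patch opens with a `Binary files a/bin/fsevent_watch and b/bin/fsevent_watch differ` stanza, which carries no content and only records that the binary had been rebuilt in the tree the patch was generated from; drop it so the patch contains just the `ext/rakefile.rb` change. In that change the `ENV["MACOSX_DEPLOYMENT_TARGET"]` override is removed, so the `-mmacosx-version-min` value always comes from the build host's `sw_vers` output; confirm that this floor is intended for the shipped package. The context line `raise "invalid SDK" unless !!$?.exitstatus` can also never raise, because an integer exit status is always truthy in Ruby; `unless $?.success?` would make the check real.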
2 changes: 1 addition & 1 deletion omnibus/config/projects/chefdk.rb
Expand Up @@ -98,7 +98,7 @@

package :pkg do
identifier "com.getchef.pkg.chefdk"
signing_identity "Developer ID Installer: Chef Software, Inc. (EU3VF8YLX2)"
signing_identity "Chef Software, Inc. (EU3VF8YLX2)"
end

package :msi do
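Review bot: With the `Developer ID Installer:` prefix removed, `signing_identity` is now a partial name, so which certificate gets used depends on what else in the build keychain matches `Chef Software, Inc. (EU3VF8YLX2)`. Add a comment in the `package :pkg` block explaining that the prefix is omitted on purpose so application and installer signing can each resolve their own certificate, and document that the signing keychain should hold only the Developer ID certificates for this team so the match is unambiguous.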
5 changes: 5 additions & 0 deletions omnibus/config/software/chef-dk.rb
Expand Up @@ -74,6 +74,11 @@
# for train
dependency "google-protobuf"

# This is a transative dep but we need to build from source so binaries are built on current sdk.
# Only matters on mac.
# TODO: Contact gem mainter about getting new release.
dependency "rb-fsevent-gem" if mac_os_x?

build do
env = with_standard_compiler_flags(with_embedded_path)

Expand Down
2 changes: 2 additions & 0 deletions omnibus/config/software/git-custom-bindir.rb
Expand Up @@ -41,6 +41,8 @@

source url: "https://www.kernel.org/pub/software/scm/git/git-#{version}.tar.gz"

bin_dirs ["#{install_dir}/gitbin", "#{install_dir}/embedded/libexec/git-core"]

build do
env = with_standard_compiler_flags(with_embedded_path)

36 changes: 36 additions & 0 deletions omnibus/config/software/rb-fsevent-gem.rb
@@ -0,0 +1,36 @@
#
# Copyright 2012-2014 Chef Software, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#

name "rb-fsevent-gem"
default_version "master"

source git: "https://github.com/thibaudgg/rb-fsevent.git"

license "Apache-2.0"
license_file "https://raw.githubusercontent.com/thibaudgg/rb-fsevent/master/LICENSE.txt"

dependency "ruby"

build do
env = with_standard_compiler_flags(with_embedded_path)
# Look up active sdk version.
sdk_ver = `xcrun --sdk macosx --show-sdk-version`.strip
env["MACOSX_DEPLOYMENT_TARGET"] = sdk_ver

bundle "install", env: env
bundle "exec rake replace_exe", env: env, cwd: "#{project_dir}/ext"
bundle "exec rake install:local", env: env
end
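Review bot: `default_version "master"` with `source git:` means every build compiles whatever is at the head of a third-party repository and ships the result inside a signed, notarized package; pin `default_version` to a release tag or a commit SHA so the signed contents are reproducible and reviewable. Separately, the `build` block never applies `rb-fsevent-gem.patch` (there is no `patch source:` step), and it sets `MACOSX_DEPLOYMENT_TARGET` to the SDK version although the patched rakefile no longer reads that variable when building its `-mmacosx-version-min` flag. Apply the patch before `rake replace_exe` and drop or reconcile the environment variable.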
