This repository has been archived by the owner on Jul 14, 2021. It is now read-only.

Adding notarization and entitlements for unsigned memory execution (backport from master) #2749

Merged
merged 2 commits into from
Feb 3, 2020
20 changes: 11 additions & 9 deletions omnibus/Gemfile.lock
Expand Up @@ -8,10 +8,10 @@ GIT

GIT
remote: https://github.com/chef/omnibus.git
revision: d642ae6fd57f4a74846e325fecadebb132069894
revision: 5baaf7a1d4ee66a9273e127c7e09ce0bb3b33d90
branch: master
specs:
omnibus (7.0.1)
omnibus (7.0.2)
aws-sdk-s3 (~> 1)
chef-cleanroom (~> 1.0)
chef-sugar (>= 3.3)
Expand All @@ -32,7 +32,7 @@ GEM
artifactory (3.0.12)
awesome_print (1.8.0)
aws-eventstream (1.0.3)
aws-partitions (1.268.0)
aws-partitions (1.269.0)
aws-sdk-core (3.89.1)
aws-eventstream (~> 1.0, >= 1.0.2)
aws-partitions (~> 1, >= 1.239.0)
Expand Down Expand Up @@ -166,9 +166,9 @@ GEM
erubis (2.7.0)
faraday (1.0.0)
multipart-post (>= 1.2, < 3)
ffi (1.12.1)
ffi (1.12.1-x64-mingw32)
ffi (1.12.1-x86-mingw32)
ffi (1.12.2)
ffi (1.12.2-x64-mingw32)
ffi (1.12.2-x86-mingw32)
ffi-libarchive (1.0.0)
ffi (~> 1.0)
ffi-win32-extensions (1.0.3)
Expand Down Expand Up @@ -226,7 +226,7 @@ GEM
mixlib-versioning (1.2.12)
molinillo (0.6.6)
multi_json (1.14.1)
multipart-post (2.0.0)
multipart-post (2.1.1)
necromancer (0.5.1)
net-scp (2.0.0)
net-ssh (>= 2.6.5, < 6.0.0)
Expand Down Expand Up @@ -257,17 +257,19 @@ GEM
pastel (0.7.3)
equatable (~> 0.6)
tty-color (~> 0.5)
pedump (0.5.2)
pedump (0.5.4)
awesome_print
iostruct (>= 0.0.4)
multipart-post (~> 2.0.0)
multipart-post (>= 2.0.0)
progressbar
rainbow
zhexdump (>= 0.0.2)
plist (3.5.0)
progressbar (1.10.1)
proxifier (1.0.3)
public_suffix (4.0.3)
rack (2.1.1)
rainbow (3.0.0)
retryable (3.0.5)
ruby-progressbar (1.10.1)
rubyntlm (0.6.2)
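--- a/omnibus/config/patches/rb-fsevent-gem.patch
+++ b/omnibus/config/patches/rb-fsevent-gem.patch
@@ -0,0 +1,24 @@
+diff --git a/bin/fsevent_watch b/bin/fsevent_watch
+index 889204f..17b894b 100755
+Binary files a/bin/fsevent_watch and b/bin/fsevent_watch differ
+diff --git a/ext/rakefile.rb b/ext/rakefile.rb
+index d7789bd..fd8ec36 100644
+--- a/ext/rakefile.rb
++++ b/ext/rakefile.rb
+@@ -48,13 +48,13 @@ CLOBBER.include $final_exe.to_s
+task :sw_vers do
+$mac_product_version = `sw_vers -productVersion`.strip
+$mac_build_version = `sw_vers -buildVersion`.strip
+- $MACOSX_DEPLOYMENT_TARGET = ENV["MACOSX_DEPLOYMENT_TARGET"] || $mac_product_version.sub(/\.\d*$/, '')
+- $CFLAGS = "#{$CFLAGS} -mmacosx-version-min=#{$MACOSX_DEPLOYMENT_TARGET}"
++ $MACOSX_MIN_TARGET = $mac_product_version.sub(/\.\d*$/, '')
++ $CFLAGS = "#{$CFLAGS} -mmacosx-version-min=#{$MACOSX_MIN_TARGET}"
+end
+
+task :get_sdk_info => :sw_vers do
+$SDK_INFO = {}
+- version_info = `xcodebuild -version -sdk macosx#{$MACOSX_DEPLOYMENT_TARGET}`
++ version_info = `xcodebuild -version -sdk macosx`
+raise "invalid SDK" unless !!$?.exitstatus
+version_info.strip.each_line do |line|
+next if line.strip.empty?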
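Review bot: Nothing visible on this page applies this patch: the `build` block in `omnibus/config/software/rb-fsevent-gem.rb` has no `patch source: "rb-fsevent-gem.patch"` step, and the file sits directly in `config/patches/` rather than in a per-software subdirectory, which is where omnibus looks as far as I know. If the rakefile change is meant to take effect, add the `patch` call before `bundle "exec rake replace_exe"` and move the file accordingly. The `Binary files ... differ` stanza for `bin/fsevent_watch` carries no content and is better dropped, since the binary is rebuilt by rake anyway. The patched rakefile also keeps `raise "invalid SDK" unless !!$?.exitstatus`, which can never raise because every Integer is truthy in Ruby; `unless $?.success?` looks like the intended check.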
2 changes: 1 addition & 1 deletion omnibus/config/projects/chefdk.rb
Expand Up @@ -98,7 +98,7 @@

package :pkg do
identifier "com.getchef.pkg.chefdk"
signing_identity "Developer ID Installer: Chef Software, Inc. (EU3VF8YLX2)"
signing_identity "Chef Software, Inc. (EU3VF8YLX2)"
end

package :msi do
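Review bot: The two `signing_identity` lines in `package :pkg` differ only in the `Developer ID Installer:` prefix, and the page does not mark which one is new. Assuming the bare `"Chef Software, Inc. (EU3VF8YLX2)"` is the new value, the string no longer names a certificate type, so which certificate signs the installer presumably depends on how the omnibus revision pinned in Gemfile.lock expands it. A comment on the line would record that coupling, e.g. `# Bare identity: omnibus selects the Developer ID Installer/Application certificate; keep in sync with the pinned omnibus revision`. It is also worth confirming in the build output that the package is still signed with the Installer certificate.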
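--- a/omnibus/config/software/chef-dk.rb
+++ b/omnibus/config/software/chef-dk.rb
@@ -74,6 +74,11 @@
 # for train
 dependency "google-protobuf"
 
+# This is a transative dep but we need to build from source so binaries are built on current sdk.
+# Only matters on mac.
+# TODO: Contact gem mainter about getting new release.
+dependency "rb-fsevent-gem" if mac_os_x?
+
 build do
 env = with_standard_compiler_flags(with_embedded_path)
 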
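Review bot: The added `dependency "rb-fsevent-gem" if mac_os_x?` only helps if the later bundle install reuses the locally built gem. If the version built from upstream differs from the rb-fsevent version in chef-dk's lockfile, Bundler would presumably install the released gem with its prebuilt `fsevent_watch`, and the rebuilt binary would not ship. The `build` block continues outside the hunk, so I cannot see whether this is handled; a post-install check that the embedded `fsevent_watch` is the rebuilt one would settle it. The comment also has typos: suggest `# This is a transitive dep, but we build it from source so its binaries are built against the current SDK.` and `# TODO: Contact the gem maintainer about getting a new release.`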
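--- a/omnibus/config/software/git-custom-bindir.rb
+++ b/omnibus/config/software/git-custom-bindir.rb
@@ -41,6 +41,8 @@
 
 source url: "https://www.kernel.org/pub/software/scm/git/git-#{version}.tar.gz"
 
+bin_dirs ["#{install_dir}/gitbin", "#{install_dir}/embedded/libexec/git-core"]
+
 build do
 env = with_standard_compiler_flags(with_embedded_path)
 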
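Review bot: `bin_dirs` is added with no comment saying why these two directories are listed; presumably they are the locations omnibus must scan for executables to code-sign for notarization. Suggest a comment above the line, e.g. `# Directories holding git executables that must be code-signed for macOS notarization`. The setting is unconditional, whereas the related rb-fsevent dependency is guarded by `mac_os_x?`, so it is worth confirming it has no effect on other platforms.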
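--- a/omnibus/config/software/rb-fsevent-gem.rb
+++ b/omnibus/config/software/rb-fsevent-gem.rb
@@ -0,0 +1,36 @@
+#
+# Copyright 2012-2014 Chef Software, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+name "rb-fsevent-gem"
+default_version "master"
+
+source git: "https://github.com/thibaudgg/rb-fsevent.git"
+
+license "Apache-2.0"
+license_file "https://raw.githubusercontent.com/thibaudgg/rb-fsevent/master/LICENSE.txt"
+
+dependency "ruby"
+
+build do
+env = with_standard_compiler_flags(with_embedded_path)
+# Look up active sdk version.
+sdk_ver = `xcrun --sdk macosx --show-sdk-version`.strip
+env["MACOSX_DEPLOYMENT_TARGET"] = sdk_ver
+
+bundle "install", env: env
+bundle "exec rake replace_exe", env: env, cwd: "#{project_dir}/ext"
+bundle "exec rake install:local", env: env
+end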
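Review bot: `default_version "master"` builds whatever the upstream branch tip is at build time, so unreviewed future commits in a third-party repository get compiled, signed and notarized under the Chef identity, and builds are not reproducible. Pin the source to a reviewed commit, e.g. `default_version "<reviewed-commit-sha>"` (placeholder), and point `license_file` at the same revision rather than `master`. The build block also sets `MACOSX_DEPLOYMENT_TARGET` to the SDK version reported by `xcrun`, which ties the minimum supported macOS to whatever SDK the build host has; a comment stating the intended minimum would help. Please also check that `license "Apache-2.0"` matches the upstream `LICENSE.txt`.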
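--- a/omnibus/resources/chefdk/pkg/entitlements.plist
+++ b/omnibus/resources/chefdk/pkg/entitlements.plist
@@ -0,0 +1,8 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+<key>com.apple.security.cs.allow-unsigned-executable-memory</key>
+<true/>
+</dict>
+</plist>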
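Review bot: `com.apple.security.cs.allow-unsigned-executable-memory` switches off a hardened-runtime protection, and nothing in this file records which component needs it or limits it to that component. If this entitlements file is applied to every signed binary in the package, all of them lose the protection. Prefer signing only the binaries that need writable-executable memory with it, and check whether the narrower `com.apple.security.cs.allow-jit` is sufficient. Add an XML comment at the top of the `<dict>`, e.g. `<!-- Required by <component>: <reason>; remove once no longer needed -->` (placeholders).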