Skip to content

Commit

Permalink
tools: add osx notarization support for tarballs
Browse files Browse the repository at this point in the history
  • Loading branch information
UlisesGascon committed Apr 21, 2024
1 parent d545984 commit c281a1e
Showing 1 changed file with 51 additions and 22 deletions.
73 changes: 51 additions & 22 deletions tools/osx-notarize.sh
Original file line number Diff line number Diff line change
@@ -1,8 +1,5 @@
#!/bin/sh

# Notarize a generated node-<version>.pkg file as an Apple requirement for installation on macOS Catalina and later, as validated by Gatekeeper.
# Uses notarytool and requires Xcode >= 13.0.

pkgid="$1"

if [ -z "$pkgid" ]; then
Expand Down Expand Up @@ -34,26 +31,58 @@ then
exit 1
fi

echo "Submitting node-$pkgid.pkg for notarization..."
# heck each file type
for filetype in pkg tar.gz tar.xz; do
for filename in node-"$pkgid"*."$filetype"; do
# Check if the file exists
if [ -f "$filename" ]; then
echo "Found $filename. Submitting for notarization..."

xcrun notarytool submit \
--keychain-profile "NODE_RELEASE_PROFILE" \
--wait \
"node-$pkgid.pkg"
if [ $filetype = "pkg" ]; then
if xcrun notarytool submit \
--keychain-profile "NODE_RELEASE_PROFILE" \
--wait \
"$filename"
then
echo "Notarization $filename submitted successfully."
else
echo "Notarization $filename failed."
exit 1
fi

if [ $? -eq 0 ]; then
echo "Notarization node-$pkgid.pkg submitted successfully."
else
echo "Notarization node-$pkgid.pkg failed."
exit 1
fi
if ! xcrun spctl --assess --type install --context context:primary-signature --ignore-cache --verbose=2 "$filename"; then
echo "error: Signature will not be accepted by Gatekeeper!" 1>&2
exit 1
else
echo "Verification was successful."
fi

if ! xcrun spctl --assess --type install --context context:primary-signature --ignore-cache --verbose=2 "node-$pkgid.pkg"; then
echo "error: Signature will not be accepted by Gatekeeper!" 1>&2
exit 1
else
echo "Verification was successful."
fi
xcrun stapler staple "$filename"
echo "Stapler was successful."

elif [ $filetype = "tar.gz" ] || [ $filetype = "tar.xz" ]; then
echo "Converting tarball to zip for notarization..."

tar -xf "$filename" -C "${filename%.*}"
zip -r "${filename%.*}.zip" "${filename%.*}"

if xcrun notarytool submit \
--keychain-profile "NODE_RELEASE_PROFILE" \
--wait \
"${filename%.*}.zip"
then
echo "Notarization ${filename%.*}.zip submitted successfully."
else
echo "Notarization ${filename%.*}.zip failed."
exit 1
fi

echo "Converting zip back to tarball..."

xcrun stapler staple "node-$pkgid.pkg"
echo "Stapler was successful."
rm -rf "${filename%.*}"
tar -czf "$filename" "${filename%.*}"
rm "${filename%.*}.zip"
fi
fi
done
done

0 comments on commit c281a1e

Please sign in to comment.