Updates for macOS release process

.goreleaser.yaml

@@ -51,7 +51,7 @@ builds:
       -X github.com/anchore/syft/internal/version.buildDate={{.Date}}
       -X github.com/anchore/syft/internal/version.gitTreeState={{.Env.BUILD_GIT_TREE_STATE}}
     hooks:
-      post: ./.github/scripts/mac-sign-and-notarize.sh "{{.IsSnapshot}}" "gon.hcl" "./dist/syft_{{.Tag}}_{{.Target}}.dmg"
+      post: ./.github/scripts/mac-sign-and-notarize.sh "{{.IsSnapshot}}" "gon.hcl" "./dist/syft_{{.Version}}_{{.Target}}.dmg"
 
 signs:
   - artifacts: checksum

README.md

@@ -54,7 +54,7 @@ Where the `format`s available are:
 
 ## Installation
 
-**Recommended**
+**Recommended (macOS and Linux)**
 ```bash
 # install the latest version to /usr/local/bin
 curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin
@@ -63,17 +63,12 @@ curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -
 curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b <SOME_BIN_PATH> <RELEASE_VERSION>
 ```
 
-**macOS**
+**Homebrew (macOS)**
 ```bash
 brew tap anchore/syft
 brew install syft
 ```
 
-You may experience a "macOS cannot verify app is free from malware" error upon running Syft because it is not yet signed and notarized. You can override this using `xattr`.
-```bash
-xattr -rd com.apple.quarantine syft
-```
-
 ## Configuration
 
 Configuration search paths:

install.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 set -e
-# Code generated by godownloader on 2020-08-10T20:55:46Z. DO NOT EDIT.
+# Code generated by godownloader on 2020-08-10T20:55:46Z.
 #
 
 usage() {
@@ -45,11 +45,16 @@ parse_args() {
 execute() {
   tmpdir=$(mktemp -d)
   log_debug "downloading files into ${tmpdir}"
-  http_download "${tmpdir}/${TARBALL}" "${TARBALL_URL}"
+  http_download "${tmpdir}/${ARCHIVE}" "${ARCHIVE_URL}"
   http_download "${tmpdir}/${CHECKSUM}" "${CHECKSUM_URL}"
-  hash_sha256_verify "${tmpdir}/${TARBALL}" "${tmpdir}/${CHECKSUM}"
+
+  # macOS has its own secure verification mechanism, and checksums.txt is not used.
+  if [ "$OS" != "darwin" ]; then
+    hash_sha256_verify "${tmpdir}/${ARCHIVE}" "${tmpdir}/${CHECKSUM}"
+  fi
+
   srcdir="${tmpdir}"
-  (cd "${tmpdir}" && untar "${TARBALL}")
+  (cd "${tmpdir}" && unpack "${ARCHIVE}")
   test ! -d "${BINDIR}" && install -d "${BINDIR}"
   for binexe in $BINARIES; do
     if [ "$OS" = "windows" ]; then
@@ -89,6 +94,7 @@ tag_to_version() {
 adjust_format() {
   # change format (tar.gz or zip) based on OS
   case ${OS} in
+    darwin) FORMAT=dmg ;;
     windows) FORMAT=zip ;;
   esac
   true
@@ -221,18 +227,26 @@ uname_arch_check() {
   log_crit "uname_arch_check '$(uname -m)' got converted to '$arch' which is not a GOARCH value.  Please file bug report at https://github.com/client9/shlib"
   return 1
 }
-untar() {
-  tarball=$1
-  case "${tarball}" in
-    *.tar.gz | *.tgz) tar --no-same-owner -xzf "${tarball}" ;;
-    *.tar) tar --no-same-owner -xf "${tarball}" ;;
-    *.zip) unzip "${tarball}" ;;
+unpack() {
+  archive=$1
+  case "${archive}" in
+    *.tar.gz | *.tgz) tar --no-same-owner -xzf "${archive}" ;;
+    *.tar) tar --no-same-owner -xf "${archive}" ;;
+    *.zip) unzip "${archive}" ;;
+    *.dmg) extract_from_dmg "${archive}" ;;
     *)
-      log_err "untar unknown archive format for ${tarball}"
+      log_err "unpack unknown archive format for ${archive}"
       return 1
       ;;
   esac
 }
+extract_from_dmg() {
+  dmg_file=$1
+  mount_point="/Volumes/tmp-dmg"
+  hdiutil attach -quiet -mountpoint "${mount_point}" "${dmg_file}"
+  cp -fR "${mount_point}/" ./
+  hdiutil detach -quiet -force "${mount_point}"
+}
 http_download_curl() {
   local_file=$1
   source_url=$2
@@ -366,8 +380,8 @@ adjust_arch
 log_info "found version: ${VERSION} for ${TAG}/${OS}/${ARCH}"
 
 NAME=${PROJECT_NAME}_${VERSION}_${OS}_${ARCH}
-TARBALL=${NAME}.${FORMAT}
-TARBALL_URL=${GITHUB_DOWNLOAD}/${TAG}/${TARBALL}
+ARCHIVE=${NAME}.${FORMAT}
+ARCHIVE_URL=${GITHUB_DOWNLOAD}/${TAG}/${ARCHIVE}
 CHECKSUM=${PROJECT_NAME}_${VERSION}_checksums.txt
 CHECKSUM_URL=${GITHUB_DOWNLOAD}/${TAG}/${CHECKSUM}