/
notarize_dmg_pkg.py
executable file
·184 lines (149 loc) · 6.79 KB
/
notarize_dmg_pkg.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
#!/usr/bin/env python
# Copyright (c) 2019 The Brave Authors. All rights reserved.
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this file,
# You can obtain one at http://mozilla.org/MPL/2.0/. */
import argparse
import os
import subprocess
import sys
"""
The sign_chrome.py script does notarization of the app, but we don't use it to
create our .dmg and .pkg files. Instead we do our own signing and packaging,
but must perform notarization after those processes are complete. This script
performs notarizing and stapling of those files.
"""
# Our CWD is the packaging directory (i.e.
# src/out/Release/Brave_Browser_CHANNEL_Packaging), the signing directory is
# relative to that
packaging_signing_path = os.path.realpath(os.path.dirname(os.path.realpath(__file__)))
sys.path.append(packaging_signing_path)
# Import the entire module to avoid circular dependencies in the functions
from signing import config, commands, model, notarize, pipeline, signing
def run_command(args, **kwargs):
print('Running command: {}'.format(args))
subprocess.check_call(args, **kwargs)
def create_config(config_args, development, mac_provisioning_profile):
"""Creates the |model.CodeSignConfig| for the signing operations.
If |development| is True, the config will be modified to not require
restricted internal assets, nor will the products be required to match
specific certificate hashes.
Args:
config_args: List of args to expand to the config class's constructor.
development: Boolean indicating whether or not to modify the chosen
config for development testing.
Returns:
An instance of |model.CodeSignConfig|.
"""
config_class = config.CodeSignConfig
"""
try:
import signing.internal_config
config_class = signing.internal_config.InternalCodeSignConfig
except ImportError as e:
# If the build specified Google Chrome as the product, then the
# internal config has to be available.
if config_class(identity, keychain).product == 'Google Chrome':
raise e
"""
if development:
class DevelopmentCodeSignConfig(config_class):
@property
def codesign_requirements_basic(self):
return ''
@property
def provisioning_profile_basename(self):
return None
@property
def run_spctl_assess(self):
return False
config_class = DevelopmentCodeSignConfig
config_class = GetBraveSigningConfig(config_class, development, mac_provisioning_profile)
return config_class(*config_args)
def GetBraveSigningConfig(config_class, development, mac_provisioning_profile):
if development:
return config_class
if mac_provisioning_profile:
provisioning_profile = mac_provisioning_profile
assert len(provisioning_profile), 'Argument mac_provisioning_profile not provided!'
class ProvisioningProfileCodeSignConfig(config_class):
@property
def provisioning_profile_basename(self):
return os.path.splitext(os.path.basename(
provisioning_profile))[0]
@property
def run_spctl_assess(self):
return True
return ProvisioningProfileCodeSignConfig
def NotarizeBraveDmgPkg(paths, config, dmg, pkg, outdir, signed, do_notarization=True):
"""
Notarize Brave .dmg and .pkg files.
"""
if do_notarization:
uuids_to_path_map = {}
for dist in config.distributions:
dist_config = dist.to_config(config)
uuid = notarize.submit(dmg, dist_config)
uuids_to_path_map[uuid] = dmg
uuid1 = notarize.submit(pkg, dist_config)
uuids_to_path_map[uuid1] = pkg
for result in notarize.wait_for_results(
uuids_to_path_map.keys(), config):
brave_path = uuids_to_path_map[result]
notarize.staple(brave_path)
for item in uuids_to_path_map.values():
commands.copy_files(os.path.join(signed, item), outdir)
return 0
def main():
args = parse_args()
if args.mac_provisioning_profile and args.development is not True:
config = create_config((args.identity, args.keychain, args.notary_user,
args.notary_password, args.notary_asc_provider),
args.development, args.mac_provisioning_profile)
else:
config = create_config((args.identity, args.keychain, args.notary_user,
args.notary_password, args.notary_asc_provider),
args.development)
paths = model.Paths(args.pkgdir, args.outdir, None)
rc = NotarizeBraveDmgPkg(paths, config, args.dmg, args.pkg, args.outdir, args.signed)
return rc
def parse_args():
parser = argparse.ArgumentParser(description='Notarize Mac DMG and PKG')
parser.add_argument(
'--keychain', help='The keychain to load the identity from.')
parser.add_argument(
'--identity', required=True, help='The identity to sign with.')
parser.add_argument(
'--notary-user',
help='The username used to authenticate to the Apple notary service.')
parser.add_argument(
'--notary-password',
help='The password or password reference (e.g. @keychain, see '
'`xcrun altool -h`) used to authenticate to the Apple notary service.')
parser.add_argument(
'--notary-asc-provider',
help='The ASC provider string to be used as the `--asc-provider` '
'argument to `xcrun altool`, to be used when --notary-user is '
'associated with multiple Apple developer teams. See `xcrun altool -h. '
'Run `iTMSTransporter -m provider -account_type itunes_connect -v off '
'-u USERNAME -p PASSWORD` to list valid providers.')
parser.add_argument(
'--development',
action='store_true',
help='The specified identity is for development. Certain codesign '
'requirements will be omitted.')
parser.add_argument('-d', '--dmg', help='Path to the dmg to notarize',
required=True)
parser.add_argument('-o', '--outdir', help='Output directory',
required=True)
parser.add_argument('--pkgdir', help='Packaging directory',
required=True)
parser.add_argument('-s', '--signed', help='Directory with signed DMG and PKG',
required=True)
parser.add_argument('-p', '--pkg', help='Path to the pkg to notarize',
required=True)
parser.add_argument('--mac_provisioning_profile', help='Provisioning profile(optional)')
return parser.parse_args()
if __name__ == '__main__':
import sys
sys.exit(main())