Add MacOS notarization

Fixes: brave/brave-browser#5177
brave · Jul 31, 2019 · a097b30 · a097b30
1 parent 4e65b36
commit a097b30
Show file tree

Hide file tree

Showing 3 changed files with 42 additions and 3 deletions.
diff --git a/build/mac/BUILD.gn b/build/mac/BUILD.gn
@@ -10,6 +10,10 @@ declare_args() {
   mac_installer_signing_identifier = ""
   mac_signing_keychain = "login"
   mac_signing_output_prefix = "signing"
+  notary_user = ""
+  notary_password = ""
+  notarize = false
+  notarize_argument = "False"
 }
 
 group("brave") {}
@@ -129,6 +133,9 @@ if (skip_signing) {
       provisioning_profile = "//brave/build/mac/dummy.provisionprofile"
       is_development = "True"
     }
+    if (notarize) {
+      notarize_argument = "True"
+    }
 
     inputs = [
       script,
@@ -149,6 +156,9 @@ if (skip_signing) {
       rebase_path(provisioning_profile, root_out_dir),
       keychain_db,
       mac_signing_identifier,
+      notarize_argument,
+      notary_user,
+      notary_password
     ]
   }
 

diff --git a/build/mac/sign_app.sh b/build/mac/sign_app.sh
@@ -2,8 +2,12 @@
 
 set -euo pipefail
 
+usage() {
+  echo "usage: $0 <input_dir> <output_dir> <packaging_dir> <is_development> <mac_provisioning_profile> <mac_signing_keychain> <mac_signing_identifier> <notarize> <notary_user> <notary_password>"
+}
+
 if [[ ${#} -lt "7" ]]; then
-  echo "usage: $0 <input_dir> <output_dir> <packaging_dir> <is_development> <mac_provisioning_profile> <mac_signing_keychain> <mac_signing_identifier>"
+  usage
   exit 1
 fi
 
@@ -25,6 +29,24 @@ if [[ -z ${7} ]]; then
   exit 1
 fi
 
+if [[ ${#} -gt "7" ]]; then
+  NOTARIZE="${8}"
+  if [[ "${NOTARIZE}" = "True" ]]; then
+    NOTARIZE="--notarize"
+  else
+    unset NOTARIZE
+  fi
+  NOTARY_USER="${9}"
+  NOTARY_PASSWORD="${10}"
+  if [[ -n "${NOTARIZE}" ]]; then
+      if [[ ( -z "${NOTARY_USER}" ) || ( -z "${NOTARY_PASSWORD}" ) ]]; then
+          echo "Error: when <notarize> is True, both <notary_user> and <notary_password> must be provided. Cannot perform notarization."
+          usage
+          exit 1
+      fi
+  fi
+fi
+
 function check_exit() {
     return=$?;
     if [[ $return -eq 0 ]]; then
@@ -49,12 +71,19 @@ echo "Cleaning $DEST_DIR ..."
 rm -rf $DEST_DIR/*
 
 # Invoke python script to do the signing.
-PARAMS="--input $SOURCE_DIR --output $DEST_DIR --keychain $MAC_SIGNING_KEYCHAIN --identity $MAC_SIGNING_IDENTIFIER --no-dmg --no-notarize"
+PARAMS="--input $SOURCE_DIR --output $DEST_DIR --keychain $MAC_SIGNING_KEYCHAIN --identity $MAC_SIGNING_IDENTIFIER --no-dmg"
 if [[ -z "${DEVELOPMENT}" ]]; then
   # Copy mac_provisioning_profile to the packaging_dir since that's where the
   # signing scripts expects to find it.
   cp -f "$MAC_PROVISIONING_PROFILE" "$PKG_DIR"
 else
   PARAMS="$PARAMS $DEVELOPMENT"
 fi
+
+if [[ -z "${NOTARIZE}" ]]; then
+  PARAMS="$PARAMS --no-notarize"
+else
+  PARAMS="$PARAMS ${NOTARIZE} --notary-user $NOTARY_USER --notary-password $NOTARY_PASSWORD"
+fi
+
 "${PKG_DIR}/sign_chrome.py" $PARAMS
diff --git a/build/mac/sign_dmg.sh b/build/mac/sign_dmg.sh
@@ -38,7 +38,7 @@ cp "$SOURCE" "$DEST"
 
 set -v
 
-/usr/bin/codesign --force --sign "$MAC_SIGNING_IDENTIFIER" --keychain "$MAC_SIGNING_KEYCHAIN" "$DEST"  "$REQUIREMENTS"
+/usr/bin/codesign --force --options runtime --timestamp --sign "$MAC_SIGNING_IDENTIFIER" --keychain "$MAC_SIGNING_KEYCHAIN" "$DEST"  "$REQUIREMENTS"
 
 /usr/bin/codesign -vvvvd "$DEST"
 /usr/bin/codesign --verify --strict --deep -vvvv "$DEST"