diff --git a/build/mac/BUILD.gn b/build/mac/BUILD.gn
index 356771860e192..6c86c2888ed32 100644
--- a/build/mac/BUILD.gn
+++ b/build/mac/BUILD.gn
@@ -10,6 +10,10 @@ declare_args() {
 mac_installer_signing_identifier = ""
 mac_signing_keychain = "login"
 mac_signing_output_prefix = "signing"
+ notary_user = ""
+ notary_password = ""
+ notarize = false
+ notarize_argument = "False"
 }
 group("brave") {}
@@ -129,6 +133,9 @@ if (skip_signing) {
 provisioning_profile = "//brave/build/mac/dummy.provisionprofile"
 is_development = "True"
 }
+ if (notarize) {
+ notarize_argument = "True"
+ }
 inputs = [
 script,
@@ -149,6 +156,9 @@ if (skip_signing) {
 rebase_path(provisioning_profile, root_out_dir),
 keychain_db,
 mac_signing_identifier,
+ notarize_argument,
+ notary_user,
+ notary_password
 ]
 }
diff --git a/build/mac/sign_app.sh b/build/mac/sign_app.sh
index 33d7f3f9240e1..29e3a032c6b01 100755
--- a/build/mac/sign_app.sh
+++ b/build/mac/sign_app.sh
@@ -2,8 +2,12 @@
 set -euo pipefail
+usage() {
+ echo "usage: $0 "
+}
+
 if [[ ${#} -lt "7" ]]; then
- echo "usage: $0 "
+ usage
 exit 1
 fi
@@ -25,6 +29,24 @@ if [[ -z ${7} ]]; then
 exit 1
 fi
+if [[ ${#} -gt "7" ]]; then
+ NOTARIZE="${8}"
+ if [[ "${NOTARIZE}" = "True" ]]; then
+ NOTARIZE="--notarize"
+ else
+ unset NOTARIZE
+ fi
+ NOTARY_USER="${9}"
+ NOTARY_PASSWORD="${10}"
+ if [[ -n "${NOTARIZE}" ]]; then
+ if [[ ( -z "${NOTARY_USER}" ) || ( -z "${NOTARY_PASSWORD}" ) ]]; then
+ echo "Error: when is True, both and must be provided. Cannot perform notarization."
+ usage
+ exit 1
+ fi
+ fi
+fi
+
 function check_exit() {
 return=$?;
 if [[ $return -eq 0 ]]; then
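Review bot: `notary_password` is declared as an ordinary GN arg in build/mac/BUILD.gn (`declare_args()`, hunk `@@ -10,6 +10,10 @@`), so the notarization credential is stored wherever the build args are written, typically `args.gn` in the output directory. The action `args` list in `@@ -149,6 +156,9 @@` then puts it on the command line of sign_app.sh, where it can show up in the generated ninja files, the process list and build logs. sign_app.sh `@@ -57,4 +79,11 @@` forwards it again as `--notary-password`. Prefer passing only a reference and resolving the secret at signing time, for example an environment variable read inside sign_app.sh (`NOTARY_PASSWORD="${NOTARY_PASSWORD:?notary password not set}"`) or a keychain item. Apple's altool accepts `@keychain:` and `@env:` password references, though whether sign_chrome.py passes such a value through unchanged is not visible here.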
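Review bot: `notarize_argument` in build/mac/BUILD.gn `@@ -129,6 +133,9 @@` is a value derived from `notarize`, yet `@@ -10,6 +10,10 @@` declares it inside `declare_args()`, which makes it a user-settable build arg that can disagree with `notarize` (for example `notarize = false` with `notarize_argument = "True"`). Treat it like `is_development` in the same block: drop it from `declare_args()` and compute a local, `notarize_argument = "False"` followed by `if (notarize) { notarize_argument = "True" }`. The enclosing block starts and ends outside this hunk, so the exact placement needs checking against the full file.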
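Review bot: In build/mac/sign_app.sh `@@ -25,6 +29,24 @@` the `else` branch runs `unset NOTARIZE` and the script then tests `[[ -n "${NOTARIZE}" ]]`; with `set -euo pipefail` at the top of the file, expanding an unset variable aborts the script, so the non-notarizing path fails with "unbound variable" instead of continuing. The same applies to `${9}` and `${10}` when exactly eight arguments are passed, and to `[[ -z "${NOTARIZE}" ]]` in `@@ -57,4 +79,11 @@` when the script is called with the original seven arguments. Initialise `NOTARIZE=""` before the `if [[ ${#} -gt "7" ]]` block, replace `unset NOTARIZE` with `NOTARIZE=""`, and read the optional arguments as `NOTARY_USER="${9:-}"` and `NOTARY_PASSWORD="${10:-}"`.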
@@ -49,7 +71,7 @@ echo "Cleaning $DEST_DIR ..."
 rm -rf $DEST_DIR/*
 # Invoke python script to do the signing.
-PARAMS="--input $SOURCE_DIR --output $DEST_DIR --keychain $MAC_SIGNING_KEYCHAIN --identity $MAC_SIGNING_IDENTIFIER --no-dmg --no-notarize"
+PARAMS="--input $SOURCE_DIR --output $DEST_DIR --keychain $MAC_SIGNING_KEYCHAIN --identity $MAC_SIGNING_IDENTIFIER --no-dmg"
 if [[ -z "${DEVELOPMENT}" ]]; then
 # Copy mac_provisioning_profile to the packaging_dir since that's where the
 # signing scripts expects to find it.
@@ -57,4 +79,11 @@ if [[ -z "${DEVELOPMENT}" ]]; then
 else
 PARAMS="$PARAMS $DEVELOPMENT"
 fi
+
+if [[ -z "${NOTARIZE}" ]]; then
+ PARAMS="$PARAMS --no-notarize"
+else
+ PARAMS="$PARAMS ${NOTARIZE} --notary-user $NOTARY_USER --notary-password $NOTARY_PASSWORD"
+fi
+
 "${PKG_DIR}/sign_chrome.py" $PARAMS
diff --git a/build/mac/sign_dmg.sh b/build/mac/sign_dmg.sh
index aa81fa075cb40..5e7fac466967b 100755
--- a/build/mac/sign_dmg.sh
+++ b/build/mac/sign_dmg.sh
@@ -38,7 +38,7 @@ cp "$SOURCE" "$DEST"
 set -v
-/usr/bin/codesign --force --sign "$MAC_SIGNING_IDENTIFIER" --keychain "$MAC_SIGNING_KEYCHAIN" "$DEST" "$REQUIREMENTS"
+/usr/bin/codesign --force --options runtime --timestamp --sign "$MAC_SIGNING_IDENTIFIER" --keychain "$MAC_SIGNING_KEYCHAIN" "$DEST" "$REQUIREMENTS"
 /usr/bin/codesign -vvvvd "$DEST"
 /usr/bin/codesign --verify --strict --deep -vvvv "$DEST"
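Review bot: In build/mac/sign_app.sh `@@ -57,4 +79,11 @@`, `$NOTARY_USER` and `$NOTARY_PASSWORD` are interpolated into the `PARAMS` string, which is then expanded unquoted on the `sign_chrome.py` line. A password containing whitespace or glob characters is therefore split or pathname-expanded into extra arguments, and the signing script receives a different value than was configured. Keep the notarization arguments in a bash array and expand it quoted, leaving the existing `$PARAMS` expansion as it is. The `${NOTARIZE:-}` form below also keeps the test safe under `set -u` when the variable was never set.
```shell
# … unchanged: PARAMS assembly and the DEVELOPMENT branch …
NOTARY_ARGS=(--no-notarize)
if [[ -n "${NOTARIZE:-}" ]]; then
  NOTARY_ARGS=("${NOTARIZE}" --notary-user "${NOTARY_USER}" --notary-password "${NOTARY_PASSWORD}")
fi

"${PKG_DIR}/sign_chrome.py" $PARAMS "${NOTARY_ARGS[@]}"
```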