Notarization for beta builds
- Enable hardened runtime
- Add entitlements to avoid breaking stuff (tested with ffmpeg recording from mic)
- Update beta script to perform notarization
- Disable hardened runtime in debug
- Add ExportOptions.plist.
gnachman committed Sep 22, 2019
1 parent 3c855ec commit d76d28a
Showing 4 changed files with 69 additions and 7 deletions.
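--- a/iTerm2.entitlements
+++ b/iTerm2.entitlements
@@ -1,5 +1,20 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
 <plist version="1.0">
-<dict/>
+<dict>
+<key>com.apple.security.automation.apple-events</key>
+<true/>
+<key>com.apple.security.device.audio-input</key>
+<true/>
+<key>com.apple.security.device.camera</key>
+<true/>
+<key>com.apple.security.personal-information.addressbook</key>
+<true/>
+<key>com.apple.security.personal-information.calendars</key>
+<true/>
+<key>com.apple.security.personal-information.location</key>
+<true/>
+<key>com.apple.security.personal-information.photos-library</key>
+<true/>
+</dict>
 </plist>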
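Review bot: None of the seven entitlements added here is explained, and the commit message records testing only for microphone capture (ffmpeg), so a later reader cannot tell which keys are required and which are precautionary. With the hardened runtime enabled, these keys presumably exist so that programs launched inside the terminal can still reach the TCC consent prompt for camera, contacts, calendars, location and photos; that intent should be stated in the file. I would add a comment above the first key, for example `<!-- Resource entitlements for programs run inside the terminal under the hardened runtime; each access still requires user consent via TCC. -->`, and drop any key that turns out not to be needed.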
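--- a/iTerm2.xcodeproj/project.pbxproj
+++ b/iTerm2.xcodeproj/project.pbxproj
@@ -10570,7 +10570,7 @@
 ProvisioningStyle = Manual;
 SystemCapabilities = {
 com.apple.HardenedRuntime = {
-enabled = 0;
+enabled = 1;
 };
 };
 };
@@ -13208,12 +13208,13 @@
 ASSETCATALOG_COMPILER_APPICON_NAME = AppIcon;
 CLANG_ENABLE_OBJC_WEAK = YES;
 CLANG_WARN_INT_CONVERSION = YES;
+CODE_SIGN_ENTITLEMENTS = iTerm2.entitlements;
 CODE_SIGN_IDENTITY = "Developer ID Application: GEORGE NACHMAN (H7V7XYVQ7D)";
 CODE_SIGN_STYLE = Manual;
 COMBINE_HIDPI_IMAGES = YES;
 COPY_PHASE_STRIP = YES;
 DEVELOPMENT_TEAM = "";
-ENABLE_HARDENED_RUNTIME = NO;
+ENABLE_HARDENED_RUNTIME = YES;
 FRAMEWORK_SEARCH_PATHS = (
 "$(inherited)",
 "$(SRCROOT)",
@@ -13744,6 +13745,7 @@
 ONLY_ACTIVE_ARCH = YES;
 PRODUCT_NAME = "$(TARGET_NAME)";
 SDKROOT = macosx;
+SKIP_INSTALL = NO;
 };
 name = Development;
 };
@@ -13782,6 +13784,7 @@
 MACOSX_DEPLOYMENT_TARGET = 10.12;
 PRODUCT_NAME = "$(TARGET_NAME)";
 SDKROOT = macosx;
+SKIP_INSTALL = NO;
 };
 name = Deployment;
 };
@@ -13820,6 +13823,7 @@
 MACOSX_DEPLOYMENT_TARGET = 10.12;
 PRODUCT_NAME = "$(TARGET_NAME)";
 SDKROOT = macosx;
+SKIP_INSTALL = NO;
 };
 name = Nightly;
 };
@@ -13872,12 +13876,13 @@
 ASSETCATALOG_COMPILER_APPICON_NAME = AppIcon;
 CLANG_ENABLE_OBJC_WEAK = YES;
 CLANG_WARN_INT_CONVERSION = YES;
+CODE_SIGN_ENTITLEMENTS = iTerm2.entitlements;
 CODE_SIGN_IDENTITY = "Developer ID Application: GEORGE NACHMAN (H7V7XYVQ7D)";
 CODE_SIGN_STYLE = Manual;
 COMBINE_HIDPI_IMAGES = YES;
 COPY_PHASE_STRIP = YES;
 DEVELOPMENT_TEAM = "";
-ENABLE_HARDENED_RUNTIME = NO;
+ENABLE_HARDENED_RUNTIME = YES;
 FRAMEWORK_SEARCH_PATHS = (
 "$(inherited)",
 "$(SRCROOT)",
@@ -14047,6 +14052,7 @@
 MACOSX_DEPLOYMENT_TARGET = 10.12;
 PRODUCT_NAME = "$(TARGET_NAME)";
 SDKROOT = macosx;
+SKIP_INSTALL = NO;
 };
 name = Beta;
 };
@@ -14161,6 +14167,7 @@
 OTHER_LDFLAGS = "";
 PRODUCT_NAME = iTerm2Shared;
 SDKROOT = macosx;
+SKIP_INSTALL = NO;
 WARNING_CFLAGS = (
 "-Wall",
 "-Wpartial-availability",
@@ -14264,6 +14271,7 @@
 MTL_ENABLE_DEBUG_INFO = NO;
 PRODUCT_NAME = "$(TARGET_NAME)";
 SDKROOT = macosx;
+SKIP_INSTALL = YES;
 };
 name = Beta;
 };
@@ -14315,6 +14323,7 @@
 OTHER_LDFLAGS = "";
 PRODUCT_NAME = "$(TARGET_NAME)";
 SDKROOT = macosx;
+SKIP_INSTALL = NO;
 WARNING_CFLAGS = (
 "-Wall",
 "-Wno-nullability-completeness",
@@ -14378,6 +14387,7 @@
 OTHER_LDFLAGS = "";
 PRODUCT_NAME = "$(TARGET_NAME)";
 SDKROOT = macosx;
+SKIP_INSTALL = NO;
 WARNING_CFLAGS = (
 "-Wall",
 "-Wno-nullability-completeness",
@@ -14432,6 +14442,7 @@
 OTHER_LDFLAGS = "";
 PRODUCT_NAME = "$(TARGET_NAME)";
 SDKROOT = macosx;
+SKIP_INSTALL = NO;
 WARNING_CFLAGS = (
 "-Wall",
 "-Wno-nullability-completeness",
@@ -14486,6 +14497,7 @@
 OTHER_LDFLAGS = "";
 PRODUCT_NAME = "$(TARGET_NAME)";
 SDKROOT = macosx;
+SKIP_INSTALL = NO;
 WARNING_CFLAGS = (
 "-Wall",
 "-Wno-nullability-completeness",
@@ -14541,6 +14553,7 @@
 OTHER_LDFLAGS = "";
 PRODUCT_NAME = "$(TARGET_NAME)";
 SDKROOT = macosx;
+SKIP_INSTALL = YES;
 };
 name = Development;
 };
@@ -14579,6 +14592,7 @@
 MTL_ENABLE_DEBUG_INFO = NO;
 PRODUCT_NAME = "$(TARGET_NAME)";
 SDKROOT = macosx;
+SKIP_INSTALL = YES;
 };
 name = Deployment;
 };
@@ -14617,6 +14631,7 @@
 MTL_ENABLE_DEBUG_INFO = NO;
 PRODUCT_NAME = "$(TARGET_NAME)";
 SDKROOT = macosx;
+SKIP_INSTALL = YES;
 };
 name = Nightly;
 };
@@ -14673,6 +14688,7 @@
 OTHER_LDFLAGS = "";
 PRODUCT_NAME = iTerm2Shared;
 SDKROOT = macosx;
+SKIP_INSTALL = NO;
 WARNING_CFLAGS = (
 "-Wall",
 "-Wpartial-availability",
@@ -14726,6 +14742,7 @@
 OTHER_LDFLAGS = "";
 PRODUCT_NAME = iTerm2Shared;
 SDKROOT = macosx;
+SKIP_INSTALL = NO;
 WARNING_CFLAGS = (
 "-Wall",
 "-Wpartial-availability",
@@ -14779,6 +14796,7 @@
 OTHER_LDFLAGS = "";
 PRODUCT_NAME = iTerm2Shared;
 SDKROOT = macosx;
+SKIP_INSTALL = NO;
 WARNING_CFLAGS = (
 "-Wall",
 "-Wpartial-availability",
@@ -14980,6 +14998,7 @@
 ASSETCATALOG_COMPILER_APPICON_NAME = AppIcon;
 CLANG_ENABLE_OBJC_WEAK = YES;
 CLANG_WARN_INT_CONVERSION = YES;
+CODE_SIGN_ENTITLEMENTS = iTerm2.entitlements;
 CODE_SIGN_IDENTITY = "-";
 CODE_SIGN_STYLE = Manual;
 COMBINE_HIDPI_IMAGES = YES;
@@ -15063,12 +15082,13 @@
 ASSETCATALOG_COMPILER_APPICON_NAME = AppIcon;
 CLANG_ENABLE_OBJC_WEAK = YES;
 CLANG_WARN_INT_CONVERSION = YES;
+CODE_SIGN_ENTITLEMENTS = iTerm2.entitlements;
 CODE_SIGN_IDENTITY = "Developer ID Application: GEORGE NACHMAN (H7V7XYVQ7D)";
 CODE_SIGN_STYLE = Manual;
 COMBINE_HIDPI_IMAGES = YES;
 COPY_PHASE_STRIP = YES;
 DEVELOPMENT_TEAM = "";
-ENABLE_HARDENED_RUNTIME = NO;
+ENABLE_HARDENED_RUNTIME = YES;
 FRAMEWORK_SEARCH_PATHS = (
 "$(inherited)",
 "$(SRCROOT)",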
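--- a/plists/ExportOptions.plist
+++ b/plists/ExportOptions.plist
@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+<key>method</key>
+<string>developer-id</string>
+</dict>
+</plist>
+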
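--- a/tools/release_beta.sh
+++ b/tools/release_beta.sh
@@ -16,6 +16,9 @@ test -f "$PRIVKEY" || die "Set PRIVKEY environment variable to point at a valid
 echo Enter the EdDSA private key
 read -s EDPRIVKEY
 
+echo Enter the notarization password
+read -s NOTPASS
+
 # Usage: SparkleSign testing.xml template.xml
 function SparkleSign {
 LENGTH=$(ls -l iTerm2-${NAME}.zip | awk '{print $5}')
@@ -74,8 +77,23 @@ function Build {
 rm -rf iTerm.app
 mv iTerm2.app iTerm.app
 
-zip -ry iTerm2-${NAME}.zip iTerm.app
-
+# Zip it, notarize it, staple it, and re-zip it.
+PRENOTARIZED_ZIP=iTerm2-${NAME}-prenotarized.zip
+zip -ry $PRENOTARIZED_ZIP iTerm.app
+xcrun altool --notarize-app --primary-bundle-id "com.googlecode.iterm2" --username "apple@georgester.com" --password "$NOTPASS" --file $PRENOTARIZED_ZIP > /tmp/upload.out 2>&1
+UUID=$(grep RequestUUID /tmp/upload.out | sed -e 's/RequestUUID = //')
+echo "uuid is $UUID"
+xcrun altool --notarization-info $UUID -u "apple@georgester.com" -p "$NOTPASS"
+sleep 1
+while xcrun altool --notarization-info $UUID -u "apple@georgester.com" -p "$NOTPASS" 2>&1 | egrep -i "in progress|Could not find the RequestUUID":
+do
+echo "Trying again"
+sleep 1
+done
+NOTARIZED_ZIP=iTerm2-${NAME}.zip
+xcrun stapler staple iTerm.app
+zip -ry $NOTARIZED_ZIP iTerm.app
+
 # Update the list of changes
 vi $SVNDIR/source/appcasts/testing_changes3.txt
 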
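Review bot: The notarization password is passed to `xcrun altool` as a literal `--password "$NOTPASS"` argument in the second hunk, so it sits in the process arguments for every call, including each pass of the polling loop; altool also accepts `@env:NOTPASS` (with the variable exported) or an `@keychain:` item. The loop ends on any output that is not "in progress", so a rejected submission, or an empty `$UUID` after a failed upload, falls through to `stapler staple` and the re-zip with no check, as far as the visible lines show. The upload log is written to the fixed path `/tmp/upload.out`, where `mktemp` would avoid a pre-existing file or symlink, and the stray `:` after the egrep pattern becomes part of its last alternative. The sketch below assumes the info output contains a `Status: success` line; the Build function starts and ends outside the hunk.

```shell
# … unchanged: PRENOTARIZED_ZIP assignment and zip -ry …
export NOTPASS   # lets altool read the secret via @env: instead of argv
UPLOAD_LOG=$(mktemp) || die "mktemp failed"
xcrun altool --notarize-app --primary-bundle-id "com.googlecode.iterm2" --username "apple@georgester.com" --password "@env:NOTPASS" --file "$PRENOTARIZED_ZIP" > "$UPLOAD_LOG" 2>&1
UUID=$(grep RequestUUID "$UPLOAD_LOG" | sed -e 's/RequestUUID = //')
test -n "$UUID" || die "Notarization upload failed; see $UPLOAD_LOG"
# … unchanged: echo "uuid is $UUID" …
while true
do
    INFO=$(xcrun altool --notarization-info "$UUID" -u "apple@georgester.com" -p "@env:NOTPASS" 2>&1)
    echo "$INFO" | egrep -qi "in progress|Could not find the RequestUUID" || break
    echo "Trying again"
    sleep 1
done
echo "$INFO" | grep -qi "Status: success" || die "Notarization did not succeed: $INFO"
# … unchanged: NOTARIZED_ZIP assignment …
xcrun stapler staple iTerm.app || die "Stapling failed"
# … unchanged: zip -ry $NOTARIZED_ZIP iTerm.app …
```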
