Integrate notarization into the build process

haiwen · Dec 6, 2019 · 776300b · 776300b
1 parent 1021b28
commit 776300b
Show file tree

Hide file tree

Showing 2 changed files with 79 additions and 2 deletions.
diff --git a/scripts/build/build-mac.py b/scripts/build/build-mac.py
@@ -990,6 +990,16 @@ def copy_dmg():
     print '>>\t%s' % dst_dmg
     print '---------------------------------------------'
 
+def notarize_dmg():
+    pkg = os.path.join(conf[CONF_BUILDDIR], 'app-{}.dmg'.format(conf[CONF_VERSION]))
+    info('Try to notarize {}'.format(pkg))
+    notarize_script = join(Seafile().projdir, 'scripts/build/notarize.sh')
+    cmdline = '{} {}'.format(notarize_script, pkg)
+    ret = run(cmdline)
+    if ret != 0:
+        error('failed to notarize: %s' % cmdline)
+    info('Successfully notarized {}'.format(pkg))
+
 def build_and_sign_fsplugin():
     """
     Build and sign the fsplugin. The final output would be "${buildder}/Seafile FinderSync.appex"
@@ -1053,6 +1063,7 @@ def local_workflow():
 
     build_and_sign_fsplugin()
     gen_dmg()
+    notarize_dmg()
     copy_dmg()
 
 def master_workflow():
@@ -1062,6 +1073,7 @@ def master_workflow():
 
     build_and_sign_fsplugin()
     gen_dmg()
+    notarize_dmg()
     copy_dmg()
 
 def slave_workflow():
@@ -1096,8 +1108,9 @@ def main():
     if conf[CONF_LOCAL]:
         local_workflow()
     elif conf[CONF_MODE] == 'master':
-        info('entering master workflow')
-        master_workflow()
+        # info('entering master workflow')
+        # master_workflow()
+        local_workflow()
     else:
         info('entering slave workflow')
         slave_workflow()

diff --git a/scripts/build/notarize.sh b/scripts/build/notarize.sh
@@ -0,0 +1,64 @@
+#!/bin/bash
+
+set -e
+
+pkg=${1?:"You must provide the path to the dmg file"}
+if [[ ! -e $pkg ]]; then
+    echo "File $pkg does not exist"
+    exit 1
+fi
+
+security -v unlock-keychain -p vagrant || true
+sudo security -v unlock-keychain -p vagrant || true
+
+APPLE_ACCOUNT=$(security find-generic-password -s "notarize username" -w)
+APPLE_PASSWORD=$(security find-generic-password -s "notarize password" -w)
+
+BUNDLE_ID="com.seafile.seafile-client"
+altool_exe="/Applications/Xcode.app/Contents/Applications/Application Loader.app/Contents/Frameworks/ITunesSoftwareService.framework/Support/altool"
+
+_altool() {
+    "${altool_exe}" "$@"
+}
+
+cd /tmp/
+
+echo "Uploading $pkg for notarizing ..."
+
+_altool --notarize-app -t osx -f $pkg \
+       --primary-bundle-id ${BUNDLE_ID} \
+       -u ${APPLE_ACCOUNT} -p ${APPLE_PASSWORD} \
+       --output-format xml > UploadInfo.plist
+
+REQUESTID=$(xmllint --xpath "/plist/dict[key='notarization-upload']/dict/key[.='RequestUUID']/following-sibling::string[1]/node()" UploadInfo.plist)
+echo "file $pkg uploaded for notarization, waiting for apple ..."
+echo ${REQUESTID}
+sleep 60
+x=1
+while [[ $x -le 15 ]]; do
+    _altool --notarization-info ${REQUESTID} -u ${APPLE_ACCOUNT}  -p ${APPLE_PASSWORD} --output-format xml > RequestedInfo.plist
+    ANSWER=$(xmllint --xpath "/plist/dict[key='notarization-info']/dict/key[.='Status']/following-sibling::string[1]/node()" RequestedInfo.plist)
+    if [[ "$ANSWER" == "in progress" ]]; then
+        echo "notarization in progress"
+        sleep 60
+        x=$((x+1))
+    elif [[ "$ANSWER" == "success" ]]; then
+        echo "notarization success"
+        break
+    else
+        echo "notarization failed"
+        break
+        exit 1
+    fi
+done
+ANSWER=$(xmllint --xpath "/plist/dict[key='notarization-info']/dict/key[.='Status']/following-sibling::string[1]/node()" RequestedInfo.plist)
+if [[ "$ANSWER" != "success" ]]; then
+    echo "notarization failed"
+    exit 1
+fi
+
+echo "Notarization success, now stapling the installer ..."
+
+xcrun stapler staple $pkg
+
+echo "Notarization & stapling done."