author | Andrey Filipenkov <decapitator@ukr.net> | 2023-11-14 14:35:31 +0300 |
---|---|---|
committer | GitHub <noreply@github.com> | 2023-11-14 14:35:31 +0300 |
commit | 460db897107e1073ec471af1d00d071262804fd8 (patch) | |
tree | 2cf9223e3a08b419458d39b51bd262fd636b76f9 | |
parent | 894b2e058389913536365aef20c851c0449a9c8c (diff) | |
parent | 59565459672425bc2aa7ceb6d5f032cd4e58f789 (diff) |
Merge pull request #24101 from kambala-decapitator/nexus-macos-notarytool
[backport][macOS] migrate from altool to notarytool
-rw-r--r-- | cmake/scripts/osx/Install.cmake | 5 | ||||
-rwxr-xr-x | tools/buildsteps/osx-arm64/configure-xbmc | 2 | ||||
-rwxr-xr-x | tools/buildsteps/osx64/configure-xbmc | 2 | ||||
-rwxr-xr-x | tools/darwin/packaging/osx/mkdmg-osx.sh.in | 2 | ||||
-rwxr-xr-x | tools/darwin/packaging/osx/notarize.sh | 71 |
5 files changed, 17 insertions, 65 deletions
diff --git a/cmake/scripts/osx/Install.cmake b/cmake/scripts/osx/Install.cmake index 65bac0705c..b4c4cc8048 100644 --- a/cmake/scripts/osx/Install.cmake +++ b/cmake/scripts/osx/Install.cmake @@ -62,9 +62,8 @@ add_custom_target(dmg COMMAND ${CMAKE_COMMAND} -E copy ${CMAKE_SOURCE_DIR}/tools/darwin/Support/Codesign.command ${CMAKE_BINARY_DIR}/tools/darwin/packaging/osx/Codesign.command COMMAND "CODESIGNING_FOLDER_PATH=${PACKAGE_OUTPUT_DIR}/${APP_NAME}.app" - "DEV_ACCOUNT=${DEV_ACCOUNT}" - "DEV_ACCOUNT_PASSWORD=${DEV_ACCOUNT_PASSWORD}" - "DEV_TEAM=${DEV_TEAM}" + "NOTARYTOOL_KEYCHAIN_PROFILE=${NOTARYTOOL_KEYCHAIN_PROFILE}" + "NOTARYTOOL_KEYCHAIN_PATH=${NOTARYTOOL_KEYCHAIN_PATH}" "EXPANDED_CODE_SIGN_IDENTITY_NAME=${CODE_SIGN_IDENTITY}" "PLATFORM_NAME=${PLATFORM}" "XCODE_BUILDTYPE=${CMAKE_CFG_INTDIR}" diff --git a/tools/buildsteps/osx-arm64/configure-xbmc b/tools/buildsteps/osx-arm64/configure-xbmc index 2fed17071c..c8adee05d2 100755 --- a/tools/buildsteps/osx-arm64/configure-xbmc +++ b/tools/buildsteps/osx-arm64/configure-xbmc @@ -2,4 +2,4 @@ WORKSPACE=${WORKSPACE:-$( cd $(dirname $0)/../../.. ; pwd -P )} XBMC_PLATFORM_DIR=osx-arm64 . $WORKSPACE/tools/buildsteps/defaultenv -make -C $WORKSPACE/tools/depends/target/cmakebuildsys APP_WINDOW_SYSTEM=native CMAKE_EXTRA_ARGUMENTS="-D CODE_SIGN_IDENTITY='$CODE_SIGN_IDENTITY' -D DEV_ACCOUNT='$DEV_ACCOUNT' -D DEV_ACCOUNT_PASSWORD='$DEV_ACCOUNT_PASSWORD' -D DEV_TEAM='$DEV_TEAM'" +make -C $WORKSPACE/tools/depends/target/cmakebuildsys APP_WINDOW_SYSTEM=native CMAKE_EXTRA_ARGUMENTS="-D CODE_SIGN_IDENTITY='$CODE_SIGN_IDENTITY' -D NOTARYTOOL_KEYCHAIN_PROFILE='$NOTARYTOOL_KEYCHAIN_PROFILE' -D NOTARYTOOL_KEYCHAIN_PATH='$NOTARYTOOL_KEYCHAIN_PATH'" diff --git a/tools/buildsteps/osx64/configure-xbmc b/tools/buildsteps/osx64/configure-xbmc index 98736c5384..2643cc9e3f 100755 --- a/tools/buildsteps/osx64/configure-xbmc +++ b/tools/buildsteps/osx64/configure-xbmc 
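Review bot: Nothing near the two new environment entries says what `NOTARYTOOL_KEYCHAIN_PROFILE` and `NOTARYTOOL_KEYCHAIN_PATH` must contain, or that leaving the profile empty turns notarization off. I would add a comment above the `add_custom_target(dmg` call such as `# NOTARYTOOL_KEYCHAIN_PROFILE: name of a profile saved with "xcrun notarytool store-credentials"; empty skips notarization` and `# NOTARYTOOL_KEYCHAIN_PATH: optional keychain file that holds that profile`. The call starts and ends outside this hunk, so the exact placement needs checking against the full file.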
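Review bot: Build trees configured before this change still hold the Apple ID password, because the removed `-D DEV_ACCOUNT_PASSWORD='$DEV_ACCOUNT_PASSWORD'` argument created a CMake cache entry that dropping the flag does not delete; the same applies to tools/buildsteps/osx64/configure-xbmc. Assuming `CMAKE_EXTRA_ARGUMENTS` reaches cmake unchanged, existing build directories on the builders should be wiped or cleaned once, for example with `-U 'DEV_ACCOUNT*' -U DEV_TEAM`, and the old `DEV_ACCOUNT_PASSWORD` variable should be removed from the job environment. Separately, `'$NOTARYTOOL_KEYCHAIN_PATH'` is only quoted safely while the path contains no single quote, which is worth a one-line comment in both scripts.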
@@ -2,4 +2,4 @@ WORKSPACE=${WORKSPACE:-$( cd $(dirname $0)/../../.. ; pwd -P )} XBMC_PLATFORM_DIR=osx64 . $WORKSPACE/tools/buildsteps/defaultenv -make -C $WORKSPACE/tools/depends/target/cmakebuildsys CMAKE_EXTRA_ARGUMENTS="-D CODE_SIGN_IDENTITY='$CODE_SIGN_IDENTITY' -D DEV_ACCOUNT='$DEV_ACCOUNT' -D DEV_ACCOUNT_PASSWORD='$DEV_ACCOUNT_PASSWORD' -D DEV_TEAM='$DEV_TEAM'" +make -C $WORKSPACE/tools/depends/target/cmakebuildsys CMAKE_EXTRA_ARGUMENTS="-D CODE_SIGN_IDENTITY='$CODE_SIGN_IDENTITY' -D NOTARYTOOL_KEYCHAIN_PROFILE='$NOTARYTOOL_KEYCHAIN_PROFILE' -D NOTARYTOOL_KEYCHAIN_PATH='$NOTARYTOOL_KEYCHAIN_PATH'" diff --git a/tools/darwin/packaging/osx/mkdmg-osx.sh.in b/tools/darwin/packaging/osx/mkdmg-osx.sh.in index c66c5642f9..9da20f25a7 100755 --- a/tools/darwin/packaging/osx/mkdmg-osx.sh.in +++ b/tools/darwin/packaging/osx/mkdmg-osx.sh.in @@ -78,7 +78,7 @@ echo "done" # codesign and notarize dmg if [ "$EXPANDED_CODE_SIGN_IDENTITY_NAME" ]; then codesign --verbose=4 --sign "$EXPANDED_CODE_SIGN_IDENTITY_NAME" "$dmgPath" - if ! ./notarize.sh "$dmgPath" "$APP/Contents/Info.plist" && [ "$isReleaseBuild" = 1 ]; then + if ! ./notarize.sh "$dmgPath" && [ "$isReleaseBuild" = 1 ]; then exit 1 fi fi diff --git a/tools/darwin/packaging/osx/notarize.sh b/tools/darwin/packaging/osx/notarize.sh index 1c8f132258..8f6b089cf8 100755 --- a/tools/darwin/packaging/osx/notarize.sh +++ b/tools/darwin/packaging/osx/notarize.sh 
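Review bot: A release build with no `NOTARYTOOL_KEYCHAIN_PROFILE` still succeeds at the `./notarize.sh "$dmgPath"` call, because notarize.sh prints "skipping notarization" and exits 0 when the profile is empty, so the `isReleaseBuild` guard never sees a failure and the dmg ships signed but not notarized. If that is not intended, reject it before calling the script: `if [ "$isReleaseBuild" = 1 ] && [ -z "$NOTARYTOOL_KEYCHAIN_PROFILE" ]; then echo "release build needs NOTARYTOOL_KEYCHAIN_PROFILE"; exit 1; fi` (this assumes the variable reaches this script through the environment set in Install.cmake). For non-release builds a failed notarization is ignored without any message from this script; an `echo "warning: notarization failed, continuing"` branch would make that visible in the build log.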
@@ -1,67 +1,20 @@ #!/usr/bin/env bash -# credits: https://scriptingosx.com/2019/09/notarize-a-command-line-tool/ +# credits: +# https://scriptingosx.com/2019/09/notarize-a-command-line-tool/ +# https://developer.apple.com/documentation/technotes/tn3147-migrating-to-the-latest-notarization-tool -if [[ -z "$DEV_ACCOUNT" || -z "$DEV_ACCOUNT_PASSWORD" ]]; then +set -e + +if [[ -z "$NOTARYTOOL_KEYCHAIN_PROFILE" ]]; then echo "skipping notarization" exit 0 fi -notarizefile() { # $1: path to file to notarize, $2: identifier - filepath=${1:?"need a filepath"} - identifier=${2:?"need an identifier"} - - # upload file - echo "uploading $filepath for notarization" - altoolOutput=$(xcrun altool \ - --notarize-app \ - --type osx \ - --file "$filepath" \ - --primary-bundle-id "$identifier" \ - --username "$DEV_ACCOUNT" \ - --password "$DEV_ACCOUNT_PASSWORD" \ - ${DEV_TEAM:+--asc-provider "$DEV_TEAM"} 2>&1) - - requestUUID=$(echo "$altoolOutput" | awk '/RequestUUID/ { print $NF; }') - - if [[ $requestUUID == "" ]]; then - echo "Failed to upload:" - echo "$altoolOutput" - return 1 - fi - echo "requestUUID: $requestUUID, waiting..." 
- - # wait for status to be not "in progress" any more - request_status="in progress" - while [[ "$request_status" == "in progress" ]]; do - sleep 60 - altoolOutput=$(xcrun altool \ - --notarization-info "$requestUUID" \ - --username "$DEV_ACCOUNT" \ - --password "$DEV_ACCOUNT_PASSWORD" 2>&1) - request_status=$(echo "$altoolOutput" | awk -F ': ' '/Status:/ { print $2; }' ) - done - - # print status information - echo "$altoolOutput" - - if [[ $request_status != "success" ]]; then - echo "warning: could not notarize $filepath" - notarizationFailed=1 - fi - - LogFileURL=$(echo "$altoolOutput" | awk -F ': ' '/LogFileURL:/ { print $2; }') - if [[ "$LogFileURL" ]]; then - echo -e "\nnotarization details:" - curl "$LogFileURL" - echo - fi - if [[ $notarizationFailed == 1 ]]; then - return 1 - fi - return 0 -} - dmg="$1" -notarizefile "$dmg" $(/usr/libexec/PlistBuddy -c 'Print :CFBundleIdentifier' "$2") \ - && xcrun stapler staple "$dmg" +xcrun notarytool submit \ + --keychain-profile "$NOTARYTOOL_KEYCHAIN_PROFILE" \ + ${NOTARYTOOL_KEYCHAIN_PATH:+--keychain "$NOTARYTOOL_KEYCHAIN_PATH"} \ + --wait --timeout '1h' \ + "$dmg" 2>&1 +xcrun stapler staple "$dmg" |
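Review bot: When notarization is rejected the new script no longer prints why: the removed code fetched `LogFileURL` and echoed the notarization details, while the new `xcrun notarytool submit ... --wait` call is followed directly by `xcrun stapler staple`. As far as I know the submit exit status does not reliably reflect a rejected submission, so with `set -e` the failure may only surface as a stapler error; please confirm against the notarytool version on the builders. I would capture the submit output, require `status: Accepted` before stapling, and print `xcrun notarytool log` for the submission id otherwise, as sketched below (the parsing assumes notarytool's default text output). `dmg="$1"` also lost the `${1:?...}` guard that the old `notarizefile` had for a missing path.

```bash
# … unchanged: shebang, credits, set -e, empty-profile check …
dmg="${1:?need a path to the dmg}"

keychainArgs=(--keychain-profile "$NOTARYTOOL_KEYCHAIN_PROFILE")
if [[ -n "$NOTARYTOOL_KEYCHAIN_PATH" ]]; then
  keychainArgs+=(--keychain "$NOTARYTOOL_KEYCHAIN_PATH")
fi

# do not let set -e abort here: the log below is only useful after a failure
submitOutput=$(xcrun notarytool submit "${keychainArgs[@]}" --wait --timeout '1h' "$dmg" 2>&1) || true
echo "$submitOutput"

submissionId=$(awk '/^ *id:/ { print $2; exit }' <<< "$submitOutput")
submissionStatus=$(awk -F ': ' '/^ *status:/ { s = $2 } END { print s }' <<< "$submitOutput")

if [[ "$submissionStatus" != "Accepted" ]]; then
  echo "warning: could not notarize $dmg (status: ${submissionStatus:-unknown})"
  if [[ -n "$submissionId" ]]; then
    xcrun notarytool log "$submissionId" "${keychainArgs[@]}" || true
  fi
  exit 1
fi

xcrun stapler staple "$dmg"
```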