try the new notary path

RellikJaeger · Aug 18, 2021 · 597dbc4 · 597dbc4
1 parent 65e97ec
commit 597dbc4
Show file tree

Hide file tree

Showing 7 changed files with 35 additions and 11 deletions.
diff --git a/.github/workflows/build_nudge_prerelease.yml b/.github/workflows/build_nudge_prerelease.yml
@@ -1,5 +1,8 @@
 name: Build signed Nudge and upload signed package (prerelease)
 
+env:
+  NOTARY_APP_PASSWORD: ${{ secrets.NOTARY_APP_PASSWORD }}
+
 on:
   push:
     branches:
@@ -13,8 +16,7 @@ jobs:
   build:
     runs-on: macos-11
 
-    steps:
-    - name: Checkout python repo
+    - name: Checkout nudge repo
       uses: actions/checkout@v2
 
     - name: Install Apple Xcode certificates
@@ -33,7 +35,7 @@ jobs:
         p12-password: ${{ secrets.PKG_CERTIFICATES_P12_PASSWORD }}
 
     - name: Run build package script
-      run: ./build_nudge.zsh "CREATE_PKG"
+      run: ./build_nudge.zsh "CREATE_PKG" "$NOTARY_APP_PASSWORD"
 
     - name: get environment variables
       id: get_env_var

diff --git a/.github/workflows/build_nudge_prerelease_manual.yml b/.github/workflows/build_nudge_prerelease_manual.yml
@@ -1,13 +1,16 @@
 name: Manual build signed Nudge and upload signed package (prerelease)
 
+env:
+  NOTARY_APP_PASSWORD: ${{ secrets.NOTARY_APP_PASSWORD }}
+
 on: [workflow_dispatch]
 
 jobs:
   build:
     runs-on: macos-11
 
     steps:
-    - name: Checkout python repo
+    - name: Checkout nudge repo
       uses: actions/checkout@v2
 
     - name: Install Apple Xcode certificates
@@ -26,7 +29,7 @@ jobs:
         p12-password: ${{ secrets.PKG_CERTIFICATES_P12_PASSWORD }}
 
     - name: Run build package script
-      run: ./build_nudge.zsh "CREATE_PKG"
+      run: ./build_nudge.zsh "CREATE_PKG" "$NOTARY_APP_PASSWORD"
 
     - name: get environment variables
       id: get_env_var

diff --git a/.github/workflows/build_nudge_prerelease_pr.yml b/.github/workflows/build_nudge_prerelease_pr.yml
@@ -10,7 +10,7 @@ jobs:
     runs-on: macos-11
 
     steps:
-    - name: Checkout python repo
+    - name: Checkout nudge repo
       uses: actions/checkout@v2
 
     - name: Install Apple Xcode certificates

diff --git a/.github/workflows/build_nudge_release.yml b/.github/workflows/build_nudge_release.yml
@@ -1,5 +1,8 @@
 name: Build signed Nudge and upload signed package
 
+env:
+  NOTARY_APP_PASSWORD: ${{ secrets.NOTARY_APP_PASSWORD }}
+
 on:
   push:
     branches:
@@ -14,7 +17,7 @@ jobs:
     runs-on: macos-11
 
     steps:
-    - name: Checkout python repo
+    - name: Checkout nudge repo
       uses: actions/checkout@v2
 
     - name: Install Apple Xcode certificates
@@ -33,7 +36,7 @@ jobs:
         p12-password: ${{ secrets.PKG_CERTIFICATES_P12_PASSWORD }}
 
     - name: Run build package script
-      run: ./build_nudge.zsh "CREATE_PKG"
+      run: ./build_nudge.zsh "CREATE_PKG" "$NOTARY_APP_PASSWORD"
 
     - name: get environment variables
       id: get_env_var

diff --git a/.github/workflows/build_nudge_release_manual.yml b/.github/workflows/build_nudge_release_manual.yml
@@ -1,13 +1,16 @@
 name: Manual build signed Nudge and upload signed package
 
+env:
+  NOTARY_APP_PASSWORD: ${{ secrets.NOTARY_APP_PASSWORD }}
+
 on: [workflow_dispatch]
 
 jobs:
   build:
     runs-on: macos-11
 
     steps:
-    - name: Checkout python repo
+    - name: Checkout nudge repo
       uses: actions/checkout@v2
 
     - name: Install Apple Xcode certificates
@@ -26,7 +29,7 @@ jobs:
         p12-password: ${{ secrets.PKG_CERTIFICATES_P12_PASSWORD }}
 
     - name: Run build package script
-      run: ./build_nudge.zsh "CREATE_PKG"
+      run: ./build_nudge.zsh "CREATE_PKG" "$NOTARY_APP_PASSWORD"
 
     - name: get environment variables
       id: get_env_var

diff --git a/.github/workflows/build_nudge_release_pr.yml b/.github/workflows/build_nudge_release_pr.yml
@@ -10,7 +10,7 @@ jobs:
     runs-on: macos-11
 
     steps:
-    - name: Checkout python repo
+    - name: Checkout nudge repo
       uses: actions/checkout@v2
 
     - name: Install Apple Xcode certificates

diff --git a/build_nudge.zsh b/build_nudge.zsh
@@ -13,6 +13,8 @@ BUILDSDIR="$TOOLSDIR/build"
 OUTPUTSDIR="$TOOLSDIR/outputs"
 MP_ZIP="/tmp/munki-pkg.zip"
 XCODE_BUILD_PATH="/Applications/Xcode_13.0.app/Contents/Developer/usr/bin/xcodebuild"
+XCODE_NOTARY_PATH="/Applications/Xcode_13.0.app/Contents/Developer/usr/bin/notarytool"
+XCODE_STAPLER_PATH="/Applications/Xcode_13.0.app/Contents/Developer/usr/bin/stapler"
 CURRENT_NUDGE_MAIN_BUILD_VERSION=$(/usr/libexec/PlistBuddy -c Print:CFBundleVersion $TOOLSDIR/Nudge/Info.plist)
 DATE=$(/bin/date -u "+%m%d%Y%H%M%S")
 
@@ -44,6 +46,14 @@ if ! [ -n "$1" ]; then
   exit 0
 fi
 
+# Setup notary item
+$XCODE_NOTARY_PATH store-credentials --apple-id "[email protected]" --team-id "9GQZ7KUFR6" --password "$2" nudge
+
+# Zip application for notary
+/usr/bin/ditto -c -k --keepParent "${BUILDSDIR}/Release/Nudge.app" "${BUILDSDIR}/Release/Nudge.zip"
+# Notarize nudge application
+$XCODE_NOTARY_PATH submit "${BUILDSDIR}/Release/Nudge.zip" --keychain-profile "nudge" --wait
+
 # Create outputs folder
 if [ -e $OUTPUTSDIR ]; then
   /bin/rm -rf $OUTPUTSDIR
@@ -100,6 +110,9 @@ PKG_RESULT="$?"
 if [ "${PKG_RESULT}" != "0" ]; then
   echo "Could not sign package: ${PKG_RESULT}" 1>&2
 else
+  # Notarize nudge package
+  $XCODE_NOTARY_PATH submit "$NUDGE_PKG_PATH/build/Nudge-$AUTOMATED_NUDGE_BUILD.pkg" --keychain-profile "nudge" --wait
+  $XCODE_STAPLER_PATH staple "$NUDGE_PKG_PATH/build/Nudge-$AUTOMATED_NUDGE_BUILD.pkg"
   # Move the signed pkg
   /bin/mv "$NUDGE_PKG_PATH/build/Nudge-$AUTOMATED_NUDGE_BUILD.pkg" "$OUTPUTSDIR"
 fi