changeset 619:fe1a77d4aeaa
Update deployment scripts - make the copy-and-update-paths deployment a smaller unit that is run after any build, separate out signing, and add notarization script
author | Chris Cannam |
---|---|
date | Thu, 10 Oct 2019 13:17:29 +0100 |
parents | 287b7b349a8a |
children | 85ba31c30ea4 |
files | .hgignore deploy/osx/Entitlements.plist deploy/osx/deploy-and-package.sh deploy/osx/deploy.sh deploy/osx/notarize.sh deploy/osx/sign.sh tony.pro tonyapp.pro |
diffstat | 8 files changed, 174 insertions(+), 78 deletions(-) [+] |
--- a/.hgignore Wed Oct 09 15:01:41 2019 +0100 +++ b/.hgignore Thu Oct 10 13:17:29 2019 +0100 @@ -50,3 +50,4 @@ *.dylib test-svcore-* *.dmg +.notarization-uuid
--- a/deploy/osx/Entitlements.plist Wed Oct 09 15:01:41 2019 +0100 +++ b/deploy/osx/Entitlements.plist Thu Oct 10 13:17:29 2019 +0100 @@ -1,10 +1,14 @@ <?xml version="1.0" encoding="utf-8"?> <plist version="1.0"> <dict> +<!-- <key>com.apple.security.app-sandbox</key> <true/> <key>com.apple.security.files.user-selected.read-write</key> <true/> +--> + <key>com.apple.security.app-sandbox</key> + <false/> <key>com.apple.security.device.audio-input</key> <true/> </dict>
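Review bot: Setting `com.apple.security.app-sandbox` to `<false/>` is the same as omitting the key, so the new entry only records intent; a short comment such as `<!-- sandbox deliberately off; key kept to document the decision, hardened runtime is applied by sign.sh -->` would stop a later reader from assuming the sandbox is toggled here. More importantly, sign.sh in this changeset now passes `--options runtime`, and the hardened runtime enforces library validation, while this file grants only `device.audio-input`; if the app loads any code not signed with the same Team ID (plug-ins from outside the bundle, for example), that load will now be refused unless `com.apple.security.cs.disable-library-validation` is added on purpose, so this is worth confirming against the app's plug-in loading before release. If the app is built against a recent SDK, the audio-input entitlement also needs a matching `NSMicrophoneUsageDescription` in Info.plist; that file is not part of this changeset, so just check it is already present.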
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/deploy/osx/deploy-and-package.sh Thu Oct 10 13:17:29 2019 +0100
@@ -0,0 +1,65 @@
+#!/bin/bash
+
+set -eu
+
+app=Tony
+
+version=`perl -p -e 's/^[^"]*"([^"]*)".*$/$1/' version.h`
+
+source="$app.app"
+volume="$app"-"$version"
+target="$volume"/"$app".app
+dmg="$app"-"$version".dmg
+
+if [ -d "$volume" ]; then
+ echo "Target directory $volume already exists, not overwriting"
+ exit 2
+fi
+
+if [ -f "$dmg" ]; then
+ echo "Target disc image $dmg already exists, not overwriting"
+ exit 2
+fi
+
+echo
+echo "(Re-)running deploy script..."
+
+deploy/osx/deploy.sh "$app" || exit 1
+
+echo
+echo "Making target tree."
+
+mkdir "$volume" || exit 1
+
+ln -s /Applications "$volume"/Applications
+cp README.md "$volume/README.txt"
+cp COPYING "$volume/COPYING.txt"
+cp CHANGELOG "$volume/CHANGELOG.txt"
+cp CITATION "$volume/CITATION.txt"
+cp -rp "$source" "$target"
+
+echo "Done"
+
+echo
+echo "Code-signing volume..."
+
+deploy/osx/sign.sh "$volume" || exit 1
+
+echo "Done"
+
+echo
+echo "Making dmg..."
+
+rm -f "$dmg"
+
+hdiutil create -srcfolder "$volume" "$dmg" -volname "$volume" &&
+ rm -r "$volume"
+
+echo "Done"
+
+echo
+echo "Submitting dmg for notarization..."
+
+deploy/osx/notarize.sh "$dmg" || exit 1
+
+echo "Done"
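Review bot: Under `set -e` the `hdiutil create ... && rm -r "$volume"` line does not stop the script when hdiutil fails, because the failing command is the left-hand side of an `&&` list; the script then prints "Done", hands a non-existent dmg to notarize.sh, and leaves the staging directory behind so the next run trips the "already exists" guard. Replace it with `hdiutil create -srcfolder "$volume" "$dmg" -volname "$volume" || exit 1` followed by `rm -r "$volume"` on its own line. The `rm -f "$dmg"` just before it can never remove anything, since the same path was rejected at the top of the script if it existed; either drop it or comment it as a deliberate belt-and-braces step. Note also that sign.sh runs on the staged copy, not on the disc image, so the dmg itself is submitted unsigned; notarization appears to accept that, but if you want Gatekeeper to verify the container as well, sign the dmg before notarize.sh is called.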
--- a/deploy/osx/deploy.sh Wed Oct 09 15:01:41 2019 +0100 +++ b/deploy/osx/deploy.sh Thu Oct 10 13:17:29 2019 +0100 @@ -3,20 +3,23 @@ set -e # Execute this from the top-level directory of the project (the one -# that contains the .app bundle). Supply the name of the .app bundle -# as argument (the target will use $app.app regardless, but we need -# to know the source) +# that contains the .app bundle). Supply the name of the application +# as argument. +# +# This now performs *only* the app deployment step - copying in +# libraries and setting up paths etc. It does not create a +# package. Use deploy-and-package.sh for that. -source="$1" -dmg="$2" -if [ -z "$source" ] || [ ! -d "$source" ] || [ -z "$dmg" ]; then - echo "Usage: $0 <source.app> <target-dmg-basename>" - echo " e.g. $0 MyApplication.app MyApplication" - echo " Version number and .dmg will be appended automatically," - echo " but the .app name must include .app" +app="$1" +source="$app.app" + +if [ -z "$app" ] || [ ! -d "$source" ] || [ -n "$2" ]; then + echo "Usage: $0 <app>" + echo " e.g. $0 MyApplication" + echo " The app bundle must exist in ./<app>.app." + echo " Version number will be extracted from version.h." exit 2 fi -app=`basename "$source" .app` set -u @@ -58,36 +61,3 @@ > "$source"/Contents/Info.plist echo "Done: check $source/Contents/Info.plist for sanity please" - -echo -echo "Making target tree." - -volume="$app"-"$version" -target="$volume"/"$app".app -dmg="$dmg"-"$version".dmg - -mkdir "$volume" || exit 1 - -ln -s /Applications "$volume"/Applications -cp README.md "$volume/README.txt" -cp COPYING "$volume/COPYING.txt" -cp CHANGELOG "$volume/CHANGELOG.txt" -cp CITATION "$volume/CITATION.txt" -cp -rp "$source" "$target" - -echo "Done" - -echo -echo "Code-signing volume..." - -deploy/osx/sign.sh "$volume" || exit 1 - -echo "Done" - -echo -echo "Making dmg..." - -hdiutil create -srcfolder "$volume" "$dmg" -volname "$volume" && - rm -r "$volume" - -echo "Done"
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/deploy/osx/notarize.sh Thu Oct 10 13:17:29 2019 +0100
@@ -0,0 +1,77 @@
+#!/bin/bash
+
+## The following assumes we have generated an app password at
+## appleid.apple.com and then stored it to keychain id "altool" using
+## e.g.
+## security add-generic-password -a "cannam+apple@all-day-breakfast.com" \
+## -w "generated-app-password" -s "altool"
+
+## NB to verify:
+# spctl -a -v "/Applications/Application.app"
+
+user="cannam+apple@all-day-breakfast.com"
+bundleid="uk.ac.qmul.eecs.c4dm.Tony"
+
+set -e
+
+dmg="$1"
+
+if [ ! -f "$dmg" ] || [ -n "$2" ]; then
+ echo "Usage: $0 <dmg>"
+ echo " e.g. $0 MyApplication-1.0.dmg"
+ exit 2
+fi
+
+set -u
+
+echo
+echo "Uploading for notarization..."
+
+uuidfile=.notarization-uuid
+rm -f "$uuidfile"
+
+xcrun altool --notarize-app \
+ -f "$dmg" \
+ --primary-bundle-id "$bundleid" \
+ -u "$user" \
+ -p @keychain:altool 2>&1 | tee "$uuidfile"
+
+uuid=$(cat "$uuidfile" | grep RequestUUID | awk '{ print $3; }')
+
+if [ -z "$uuid" ]; then
+ echo
+ echo "Failed (no UUID returned, check output)"
+ exit 1
+fi
+
+echo "Done, UUID is $uuid"
+
+echo
+echo "Waiting and checking for completion..."
+
+while true ; do
+ sleep 30
+ status=$(xcrun altool --notarization-info "$uuid" -u "$user" -p @keychain:altool 2>&1)
+ if echo "$status" | grep -q 'Package Approved' ; then
+ echo
+ echo "Approved! Status output is:"
+ echo "$status"
+ break
+ elif echo "$status" | grep -q 'in progress' ; then
+ echo
+ echo "Still in progress... Status output is:"
+ echo "$status"
+ echo "Waiting..."
+ else
+ echo
+ echo "Failure or unknown status in output:"
+ echo "$status"
+ exit 2
+ fi
+done
+
+echo
+echo "Stapling to package..."
+
+xcrun stapler staple "$dmg" || exit 1
+
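Review bot: With `set -e` in force, `status=$(xcrun altool --notarization-info ...)` aborts the script as soon as altool exits non-zero, so the `else` branch that prints "Failure or unknown status in output" together with the captured output is unreachable for the ordinary failure modes (transient network error, rejected credentials); change the assignment to `status=$(xcrun altool --notarization-info "$uuid" -u "$user" -p @keychain:altool 2>&1) || true` so the classification below decides what to do. The upload has the mirror-image problem: the pipeline's status is tee's, so a failed upload is only caught by the empty-UUID check — that works, but a one-line comment saying the pipeline status is intentionally ignored there would save the next reader from "fixing" it. After stapling, verify the result instead of trusting the exit code, e.g. `xcrun stapler validate "$dmg" || exit 1`, and optionally `spctl -a -t open --context context:primary-signature -v "$dmg"`, which is the dmg counterpart of the spctl check the header comment gives for the app. The polling loop has no upper bound, so a request that stays "in progress" blocks forever; a retry counter around `sleep 30` with a clear message would be kinder to CI.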
--- a/deploy/osx/sign.sh Wed Oct 09 15:01:41 2019 +0100 +++ b/deploy/osx/sign.sh Thu Oct 10 13:17:29 2019 +0100 @@ -13,35 +13,13 @@ exit 2 fi -if false; then +entitlements=deploy/osx/Entitlements.plist - echo - echo "Experimentally attempting sandboxing + hardened runtime (this won't work)" - echo +for app in "$dir"/*.app; do + find "$app" -name \*.dylib -print | while read fr; do + codesign -s "Developer ID Application: Chris Cannam" -fv --deep --options runtime "$fr" + done + codesign -s "Developer ID Application: Chris Cannam" -fv --deep --options runtime --entitlements "$entitlements" "$app/Contents/MacOS/Tony" + codesign -s "Developer ID Application: Chris Cannam" -fv --deep --options runtime --entitlements "$entitlements" "$app" +done - entitlements=deploy/osx/Entitlements.plist - - for app in "$dir"/*.app; do - find "$app" -name \*.dylib -print | while read fr; do - codesign -s "Developer ID Application: Chris Cannam" -fv --deep --options runtime "$fr" - done - codesign -s "Developer ID Application: Chris Cannam" -fv --deep --options runtime --entitlements "$entitlements" "$app/Contents/MacOS/Tony" - codesign -s "Developer ID Application: Chris Cannam" -fv --deep --options runtime --entitlements "$entitlements" "$app" - done - -else - - echo - echo "Not applying sandboxing or hardened runtime" - echo - - for app in "$dir"/*.app; do - find "$app" -name \*.dylib -print | while read fr; do - codesign -s "Developer ID Application: Chris Cannam" -fv --deep "$fr" - done - codesign -s "Developer ID Application: Chris Cannam" -fv --deep "$app/Contents/MacOS/Tony" - codesign -s "Developer ID Application: Chris Cannam" -fv --deep "$app" - done - -fi -
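Review bot: The `find ... -print | while read fr` loop uses `read` without `-r` and with default IFS, so a dylib path containing a backslash or leading/trailing whitespace is altered before codesign sees it and that library ends up unsigned (or the call fails on a non-existent path); use `find "$app" -name '*.dylib' -print0 | while IFS= read -r -d '' fr; do` instead. Only `*.dylib` files are signed explicitly, so frameworks, `.so` plug-ins or helper executables elsewhere in the bundle would be left to `--deep`, and Apple's signing guidance is to sign nested code inside-out rather than rely on `--deep`; if the bundle contains such items, list them explicitly. Notarization requires a secure timestamp on every signature, so pass `--timestamp` to each codesign call rather than depending on whatever the default happens to be for this identity. The identity string is repeated four times; a single `identity="Developer ID Application: Chris Cannam"` near the top would make changing it less error-prone (the start of the script, including whether `set -e` is in effect, is outside this hunk).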