#!/bin/zsh
# encoding: utf-8
# Made by Lux
# https://github.com/lifeunexpected
# Scripts are based on code by:
# https://groups.google.com/forum/#!topic/munki-dev/FADUXPWJeds - Michal Moravec
# https://github.com/rednoah/notarize-app/blob/master/notarize-app - rednoah
# https://github.com/munki/munki/tree/master/code/tools - Greg Neagle
# https://stackoverflow.com/a/57083245 - Perry
# 1: Copy this script into the folder that holds the Munki git repo
# 2: In Terminal, cd into that folder (the munki git repo)
# 3: Run the script
# 4: Enter your password when asked for it (some build steps run under sudo)
# Tip: if you get the error “You must first sign the relevant contracts online. (1048)”,
# go to developer.apple.com, sign in with the account you are notarizing with and agree to the updated license agreement.
# Change what is needed below this line
# _____________________
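# Change DevApp to your personal/company Developer ID Application Name + ID number
DevApp="Developer ID Application: Name/Company (ID)"
# Change DevInst to your personal/company Developer ID Installer Name + ID number
DevInst="Developer ID Installer: Name/Company (ID)"
# Change Bundle_ID if you are using a custom one, default is "com.googlecode.munki"
BUNDLE_ID="com.googlecode.munki"
# Defaults do NOT Change!
MUNKIROOT="."
# Convert to absolute path (the script expects to be run from the munki repo root).
MUNKIROOT=$(cd "$MUNKIROOT" && pwd) || exit 1
OUTPUTDIR="$(pwd)"

#######################################
# Print a message to stderr and abort. Every step below that produces or signs
# an artifact is guarded with this, so a failed build or a failed codesign can
# never be followed by submitting a half-signed package for notarization.
# Arguments: $* - message
#######################################
die() {
  echo "ERROR: $*" >&2
  exit 1
}

# Update munki to latest version
# Disable with # before the command if you don't want it to update
# NOTE: the repo's own build scripts are executed further down (one of them
# under sudo), so whatever `git pull` fetches is what runs on this machine.
# On a shared or CI build host, prefer checking out a known release tag.
git pull || die "git pull failed"

# Rename existing munkitools files so the freshly built package is the only
# munkitools-* file picked up later. Iterate the glob instead of parsing `ls`;
# null_glob makes an unmatched pattern expand to nothing rather than an error.
setopt null_glob
for Old_PKG in munkitools-[0-9]*; do
  [[ -f "$Old_PKG" ]] || continue
  mv -- "$Old_PKG" "Unkown-$Old_PKG" || die "could not rename $Old_PKG"
  echo "Renamed $Old_PKG to Unkown-$Old_PKG to let the script run properly later on"
done

# Python notarization part of the script
"$MUNKIROOT/code/tools/build_python_framework.sh" || die "build_python_framework.sh failed"
# Get the current python version used in the Munki build so it doesn't have to be hardcoded.
PYTHON_FRAMEWORK_VERSION=$(ls "$MUNKIROOT/Python.framework/Versions" | grep -v "Current")
PY_VERSION_DIR="$MUNKIROOT/Python.framework/Versions/$PYTHON_FRAMEWORK_VERSION"
[[ -n "$PYTHON_FRAMEWORK_VERSION" && -d "$PY_VERSION_DIR" ]] \
  || die "could not determine the Python framework version under $MUNKIROOT/Python.framework/Versions"

# Sign every executable and loadable object inside the framework. `{} +` batches
# the paths into one codesign call per set and, unlike `\;`, makes find report a
# non-zero status when codesign fails, so a signing failure is not lost.
find "$PY_VERSION_DIR/lib/" -type f -perm -u=x -exec codesign --force --deep --verbose -s "$DevApp" {} + \
  || die "codesign failed for executables in lib/"
find "$PY_VERSION_DIR/bin/" -type f -perm -u=x -exec codesign --force --deep --verbose -s "$DevApp" {} + \
  || die "codesign failed for executables in bin/"
find "$PY_VERSION_DIR/lib/" -type f -name "*dylib" -exec codesign --force --deep --verbose -s "$DevApp" {} + \
  || die "codesign failed for dylibs"
find "$PY_VERSION_DIR/lib/" -type f -name "*so" -exec codesign --force --deep --verbose -s "$DevApp" {} + \
  || die "codesign failed for .so modules"

# The hardened runtime needs this entitlement for the Python interpreter.
# PlistBuddy's Add fails when the key already exists (e.g. on a rerun), so fall
# back to Set in that case.
/usr/libexec/PlistBuddy -c "Add :com.apple.security.cs.allow-unsigned-executable-memory bool true" "$MUNKIROOT/entitlements.plist" 2>/dev/null \
  || /usr/libexec/PlistBuddy -c "Set :com.apple.security.cs.allow-unsigned-executable-memory true" "$MUNKIROOT/entitlements.plist" \
  || die "could not update $MUNKIROOT/entitlements.plist"

# Hardened-runtime signing of the interpreter binaries, then the framework as a whole.
HARDENED=(--force --options runtime --entitlements "$MUNKIROOT/entitlements.plist" --deep --verbose -s "$DevApp")
codesign "${HARDENED[@]}" "$PY_VERSION_DIR/Resources/Python.app/" \
  || die "codesign failed for Python.app"
codesign "${HARDENED[@]}" "$PY_VERSION_DIR/bin/python$PYTHON_FRAMEWORK_VERSION" \
  || die "codesign failed for python$PYTHON_FRAMEWORK_VERSION"
# The -intel64 launcher is only present in some framework builds; skip it if absent.
if [[ -e "$PY_VERSION_DIR/bin/python$PYTHON_FRAMEWORK_VERSION-intel64" ]]; then
  codesign "${HARDENED[@]}" "$PY_VERSION_DIR/bin/python$PYTHON_FRAMEWORK_VERSION-intel64" \
    || die "codesign failed for python$PYTHON_FRAMEWORK_VERSION-intel64"
else
  echo "No python$PYTHON_FRAMEWORK_VERSION-intel64 binary found, skipping it" >&2
fi
codesign --force --deep --verbose -s "$DevApp" "$MUNKIROOT/Python.framework" \
  || die "codesign failed for Python.framework"

# Creating munkitools.pkg
# Asks whether to build a package that includes the client settings for the installation or not.
echo
echo
echo "Do you want to include a configuration package using the preferences defined in the
MunkiClientSettings.plist?"
MPKG_ARGS=(-i "$BUNDLE_ID" -S "$DevApp" -s "$DevInst")
if read -q "? Yes/No: "; then
  echo "Building munkitools.pkg that includes the configuration package using the preferences defined in the
MunkiClientSettings.plist"
  MPKG_ARGS+=(-c "$MUNKIROOT/code/tools/MunkiClientSettings.plist")
else
  echo "Building munkitools.pkg without a configuration package"
fi
MPKG_ARGS+=(-o "$OUTPUTDIR")
sudo "$MUNKIROOT/code/tools/make_munki_mpkg.sh" "${MPKG_ARGS[@]}" || die "make_munki_mpkg.sh failed"

# Get the filename of the munkitools package that was created above. Refuse to
# continue unless the match is a single regular file, so the wrong artifact is
# never submitted to Apple or renamed as notarized.
BUNDLE_PKG=$( ls munkitools-[0-9]* )
[[ -f "$BUNDLE_PKG" ]] || die "expected exactly one munkitools-*.pkg in $OUTPUTDIR, got: $BUNDLE_PKG"

# Prepare munkitools for notarization and signing: make_munki_mpkg.sh ran under
# sudo, so hand the package back to the invoking user.
LocalUser=$(whoami)
sudo chown "$LocalUser" "$BUNDLE_PKG" || die "could not chown $BUNDLE_PKG"

# Notarizing and signing munkitools.pkg
# Create temporary log files (unpredictable names via mktemp); removed by the EXIT trap below.
NOTARIZE_APP_LOG=$(mktemp -t notarize-app) || die "mktemp failed"
NOTARIZE_INFO_LOG=$(mktemp -t notarize-info) || die "mktemp failed"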
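# Delete the notarization log files on every exit path (installed as the EXIT
# trap below). `-f` keeps cleanup from failing, and from reporting a spurious
# error at exit, when a log was never created or is already gone.
function finish {
  rm -f -- "$NOTARIZE_APP_LOG" "$NOTARIZE_INFO_LOG"
}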
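trap finish EXIT

# Submit the package for notarization.
# NOTE: `altool --notarize-app` is Apple's legacy notarization client; its
# replacement is `xcrun notarytool` (e.g. `notarytool submit --wait`), and
# migrating also changes the status strings parsed below. The `@keychain:`
# form hands altool a keychain item name, so the app-specific password itself
# never appears on the command line.
if xcrun altool --notarize-app --primary-bundle-id "$BUNDLE_ID" --password @keychain:Apple_dev_acc -f "$BUNDLE_PKG" > "$NOTARIZE_APP_LOG" 2>&1; then
  cat "$NOTARIZE_APP_LOG"
  RequestUUID=$(awk -F ' = ' '/RequestUUID/ {print $2}' "$NOTARIZE_APP_LOG")
  # Without a request id the polling loop below can never succeed; say so
  # instead of hammering altool with an empty argument.
  if [[ -z "$RequestUUID" ]]; then
    echo "Submission succeeded but no RequestUUID was found in the altool output; cannot poll for status" >&2
    exit 1
  fi
  # check status periodically
  while sleep 60 && date; do
    echo "Waiting on Apple to approve the notarization so it can be stapled. This can take a few minutes or more. Script auto checks every 60 sec"
    # check notarization status
    if xcrun altool --notarization-info "$RequestUUID" --password @keychain:Apple_dev_acc > "$NOTARIZE_INFO_LOG" 2>&1; then
      cat "$NOTARIZE_INFO_LOG"
      # still pending: poll again
      grep -q "Status: in progress" "$NOTARIZE_INFO_LOG" && continue
      # Notarization has finished. Only an approved package gets stapled and
      # renamed; a rejected one keeps its name so it is not mistaken for a
      # notarized build.
      if grep -q "Status Message: Package Approved" "$NOTARIZE_INFO_LOG"; then
        # The "Notarized-" prefix is the success marker, so it must only be
        # applied after the ticket was actually stapled.
        if ! xcrun stapler staple "$BUNDLE_PKG"; then
          echo "Notarization approved but stapling $BUNDLE_PKG failed; the package was not renamed" >&2
          exit 1
        fi
        mv -- "$BUNDLE_PKG" "Notarized-$BUNDLE_PKG" || exit 1
        # Renaming lets the script run again without clashing with this build.
        echo "Renamed $BUNDLE_PKG to Notarized-$BUNDLE_PKG to let you know it was notarized"
        echo "You can check if its notarized properly with Taccy - https://eclecticlight.co/taccy-signet-precize-alifix-utiutility-alisma/"
        exit 0
      else
        echo "Notarization Unsuccessful; $BUNDLE_PKG is still available as a signed package"
        exit 1
      fi
    else
      cat "$NOTARIZE_INFO_LOG" 1>&2
      exit 1
    fi
  done
else
  cat "$NOTARIZE_APP_LOG" 1>&2
  exit 1
fi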