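#!/bin/bash
#
# Builds, signs and notarizes the Telegraf macOS .app / .dmg artifacts.
# Required environment: AppleUsername, ApplePassword, MacCertificate,
# MacCertificatePassword, AppleSigningAuthorityCertificate (CI-provided).

#######################################
# Remove any leftover Telegraf / Telegraf.app from the working directory.
# Globals:   none
# Arguments: none
#######################################
cleanup() {
  echo "Cleaning up any existing Telegraf or Telegraf.app"
  printf "\n"
  rm -rf -- Telegraf Telegraf.app
}

#######################################
# Strip leading and trailing whitespace from a string (no extglob needed,
# so no global shopt side effect).
# Arguments: $1 - string
# Outputs:   trimmed string to stdout
#######################################
_trim() {
  local s=$1
  s="${s#"${s%%[![:space:]]*}"}"   # drop leading whitespace
  s="${s%"${s##*[![:space:]]}"}"   # drop trailing whitespace
  printf '%s' "$s"
}

#######################################
# Print the value of the first "<key> <value>" line of notarytool output read
# from stdin. The key is written more than once, so awk stops at the first.
# Arguments: $1 - key including its colon, e.g. 'id:' or 'status:'
# Outputs:   the rest of the matching line (leading space included) to stdout
#######################################
_notary_field() {
  local key=$1
  awk -v key="$key" '$1 == key { $1 = ""; print; exit 0 }'
}

#######################################
# Submit an archive to Apple's notary service and wait for the verdict.
# Globals:   AppleUsername, ApplePassword (read)
# Arguments: $1 - path to the archive (e.g. a .dmg) to notarize
# Returns:   0 when the archive is Accepted; exits 1 when no submission id
#            comes back or the final status is anything other than Accepted
#######################################
archive_notarize() {
  local target=$1
  local -r team_id='M7DN9H35QT'
  local uuid response

  # notarytool runs inside a here-string so that its *complete* output is
  # captured before awk reads it: awk exits at the first match, and on a
  # direct pipe that closes notarytool's stdout and fails it with status 141.
  # NOTE: --password puts the credential on argv (visible in `ps` and under
  # `set -x`); `notarytool --keychain-profile` is the argv-free alternative.
  # shellcheck disable=SC2154
  uuid=$(_trim "$(_notary_field 'id:' <<< "$(
    xcrun notarytool submit \
      --apple-id "${AppleUsername}" \
      --password "${ApplePassword}" \
      --team-id "${team_id}" \
      "${target}"
  )")")
  if [[ -z "${uuid}" ]]; then
    printf 'archive_notarize: no submission id returned for %s\n' "${target}" >&2
    exit 1
  fi

  # Poll until the submission leaves 'In Progress'. There is no upper bound
  # here (as before); the CI job timeout is the backstop.
  while true; do
    sleep 10
    # shellcheck disable=SC2154
    response=$(_trim "$(_notary_field 'status:' <<< "$(
      xcrun notarytool info \
        --apple-id "${AppleUsername}" \
        --password "${ApplePassword}" \
        --team-id "${team_id}" \
        "${uuid}"
    )")")
    [[ "${response}" == 'In Progress' ]] || break
  done

  # Anything but Accepted (Invalid, Rejected, or an empty status when the
  # info call itself failed) is a hard failure: the DMG must not be stapled.
  if [[ "${response}" != 'Accepted' ]]; then
    printf 'archive_notarize: notarization of %s ended with status "%s"\n' \
      "${target}" "${response}" >&2
    exit 1
  fi
}

# Acquire the necessary certificates.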
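# MacCertificate, MacCertificatePassword, AppleSigningAuthorityCertificate are
# environment variables; to follow convention they should have been all caps.
#
# Abort on the first failing step: without this a failed codesign, hdiutil or
# stapler call falls through and an unsigned / unnotarized DMG is still moved
# into build/dist. -u also stops a run whose credentials were never provided.
set -euo pipefail

# shellcheck disable=SC2154
base64 -D -o MacCertificate.p12 <<< "$MacCertificate"
# NOTE: -P passes the .p12 password on argv (visible in process listings while
# the import runs) and -A grants every application access to the imported key.
# shellcheck disable=SC2154
sudo security import MacCertificate.p12 -k /Library/Keychains/System.keychain -P "$MacCertificatePassword" -A
# shellcheck disable=SC2154
base64 -D -o AppleSigningAuthorityCertificate.cer <<< "$AppleSigningAuthorityCertificate"
sudo security import AppleSigningAuthorityCertificate.cer -k '/Library/Keychains/System.keychain' -A
# The decoded .p12 carries the signing private key and nothing below reads
# either file again, so do not leave them behind in the workspace.
rm -f -- MacCertificate.p12 AppleSigningAuthorityCertificate.cer

amdFile=$(find "$HOME/project/dist" -name "*darwin_amd64.tar*")
armFile=$(find "$HOME/project/dist" -name "*darwin_arm64.tar*")
macFiles=("${amdFile}" "${armFile}")
# find reports nothing (or several names) without failing; fail here instead
# of letting tar/codesign run on an empty or multi-line path.
for tarFile in "${macFiles[@]}"; do
  if [[ -z "$tarFile" || ! -f "$tarFile" ]]; then
    printf 'error: expected exactly one darwin_{amd64,arm64} tarball in %s/project/dist, got "%s"\n' \
      "$HOME" "$tarFile" >&2
    exit 1
  fi
done

version=$(make version)
# -replace behaves like -insert for a missing key but also succeeds (and
# overwrites) when the key already exists, so a re-run does not abort here.
plutil -replace CFBundleShortVersionString -string "$version" ~/project/Info.plist
plutil -replace CFBundleVersion -string "$version" ~/project/Info.plist

# Loop-invariant bundle layout and signing identity.
readonly RootAppDir="Telegraf.app/Contents"
readonly DeveloperID="Developer ID Application: InfluxData Inc. (M7DN9H35QT)"
readonly TelegrafBinPath="$RootAppDir/Resources/usr/bin/telegraf"

for tarFile in "${macFiles[@]}"; do
  cleanup

  # Create the .app bundle directory structure
  mkdir -p "$RootAppDir/MacOS" "$RootAppDir/Resources"

  # Sign telegraf binary
  echo "Extract $tarFile to $RootAppDir/Resources"
  tar -xzvf "$tarFile" --strip-components=2 -C "$RootAppDir/Resources"
  printf "\n"
  codesign --force -s "$DeveloperID" --timestamp --options=runtime "$TelegrafBinPath"
  echo "Verify if $TelegrafBinPath was signed"
  codesign -dvv "$TelegrafBinPath"
  printf "\n"

  cp ~/project/scripts/telegraf_entry_mac "$RootAppDir/MacOS"
  cp ~/project/Info.plist "$RootAppDir"
  cp ~/project/assets/windows/icon.icns "$RootAppDir/Resources"
  chmod +x "$RootAppDir/MacOS/telegraf_entry_mac"

  # Sign the entire .app bundle, and wrap it in a DMG.
  codesign -s "$DeveloperID" --timestamp --options=runtime --deep --force Telegraf.app
  baseName=$(basename "$tarFile" .tar.gz)
  echo "$baseName"
  hdiutil create -size 500m -volname Telegraf -srcfolder Telegraf.app "$baseName.dmg"
  codesign -s "$DeveloperID" --timestamp --options=runtime "$baseName.dmg"
  # Exits the script if the notary service does not return Accepted.
  archive_notarize "$baseName.dmg"

  # Attach the notarization to the DMG.
  xcrun stapler staple "$baseName.dmg"

  cleanup
  mkdir -p ~/project/build/dist
  mv "$baseName.dmg" ~/project/build/dist
  echo "$baseName.dmg signed and notarized!"
done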