build: macOS package notarization
Includes hardened-runtime patch from gdams from
#29216 (comment)

PR-URL: #31459
Refs: #29216
Reviewed-By: Christian Clauss <cclauss@me.com>
Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
Reviewed-By: Ash Cripps <ashley.cripps@ibm.com>
Signed-off-by: Rod Vagg <rod@vagg.org>
rvagg authored and MylesBorins committed Apr 1, 2020
1 parent 7706dad commit 5c52453
Showing 6 changed files with 77 additions and 1 deletion.
1 change: 1 addition & 0 deletions .gitignore
Original file line number Diff line number Diff line change
Expand Up @@ -33,6 +33,7 @@
/doc/api.xml
/node
/node_g
/gon-config.json
/*.exe
/*.swp
/out
Expand Down
1 change: 1 addition & 0 deletions Makefile
Original file line number Diff line number Diff line change
Expand Up @@ -1010,6 +1010,7 @@ $(PKG): release-only
--resources $(MACOSOUTDIR)/installer/productbuild/Resources \
--package-path $(MACOSOUTDIR)/pkgs ./$(PKG)
SIGN="$(PRODUCTSIGN_CERT)" PKG="$(PKG)" bash tools/osx-productsign.sh
bash tools/osx-notarize.sh $(FULLVERSION)

.PHONY: pkg
# Builds the macOS installer for releases.
Expand Down
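Review bot: The `$(PKG)` recipe now ends with `bash tools/osx-notarize.sh $(FULLVERSION)`, a step that fetches a tool over the network and submits the package to Apple, but the rule comment two lines below, `# Builds the macOS installer for releases.`, still describes only the build and says nothing about the environment that turns signing and notarization on. Extend it to `# Builds, signs (PRODUCTSIGN_CERT) and notarizes (NOTARIZATION_ID, NOTARIZATION_PASSWORD) the macOS installer for releases; notarization is skipped when NOTARIZATION_ID is unset.` so a release engineer can see from the Makefile which variables gate each step. The `$(PKG)` rule begins outside the hunk.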
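--- a/tools/osx-codesign.sh
+++ b/tools/osx-codesign.sh
@@ -8,4 +8,13 @@ if [ "X$SIGN" == "X" ]; then
 exit 0
 fi
 
-codesign -s "$SIGN" "$PKGDIR"/bin/node
+# All macOS executable binaries in the bundle must be codesigned with the
+# hardened runtime enabled.
+# See https://github.com/nodejs/node/pull/31459
+
+codesign \
+--sign "$SIGN" \
+--entitlements tools/osx-entitlements.plist \
+--options runtime \
+--timestamp \
+"$PKGDIR"/bin/node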
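Review bot: The new header comment states that all executable binaries in the bundle must be signed with the hardened runtime, yet the only `codesign` invocation covers `"$PKGDIR"/bin/node`; if node is the sole Mach-O executable under the package root that should be said explicitly, and if it is not, notarization of the package can be expected to reject the unsigned ones. Suggested wording: `# node is the only Mach-O executable in the bundle; any other binary added later must be signed here too with --options runtime.` Note also that `--entitlements tools/osx-entitlements.plist` is resolved against the current directory, so the script only works when run from the repository root as the Makefile does; a one-line comment stating that assumption would save the next caller a confusing failure.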
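--- a/tools/osx-entitlements.plist
+++ b/tools/osx-entitlements.plist
@@ -0,0 +1,16 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+<key>com.apple.security.cs.allow-jit</key>
+<true/>
+<key>com.apple.security.cs.allow-unsigned-executable-memory</key>
+<true/>
+<key>com.apple.security.cs.disable-executable-page-protection</key>
+<true/>
+<key>com.apple.security.cs.allow-dyld-environment-variables</key>
+<true/>
+<key>com.apple.security.cs.disable-library-validation</key>
+<true/>
+</dict>
+</plist>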
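Review bot: All five entitlements are granted without a word of justification, and taken together `disable-library-validation`, `allow-dyld-environment-variables`, `allow-unsigned-executable-memory` and `disable-executable-page-protection` waive most of what `--options runtime` is meant to enforce, so a reader cannot tell which ones the binary actually needs. Add an XML comment above each key naming the feature that depends on it — presumably `allow-jit` and `allow-unsigned-executable-memory` for V8 code generation and `disable-library-validation` for loading third-party native addons not signed by the same team — for example `<!-- V8 generates machine code at runtime; required for any JavaScript execution. -->` above `allow-jit`. For the remaining two, record why they are needed or mark them for re-testing; Apple's own documentation describes `disable-executable-page-protection` as the broadest of these exceptions, so it should not be carried forward silently once the JIT entitlements are in place.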
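--- a/tools/osx-gon-config.json.tmpl
+++ b/tools/osx-gon-config.json.tmpl
@@ -0,0 +1,12 @@
+{
+"notarize": [{
+"path": "node-{{pkgid}}.pkg",
+"bundle_id": "org.nodejs.pkg.{{pkgid}}",
+"staple": true
+}],
+
+"apple_id": {
+"username": "{{appleid}}",
+"password": "@env:NOTARIZATION_PASSWORD"
+}
+}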
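--- a/tools/osx-notarize.sh
+++ b/tools/osx-notarize.sh
@@ -0,0 +1,37 @@
+#!/bin/bash
+
+# Uses gon, from https://github.com/mitchellh/gon, to notarize a generated node-<version>.pkg file
+# with Apple for installation on macOS Catalina and later as validated by Gatekeeper.
+
+set -e
+
+gon_version="0.2.2"
+gon_exe="${HOME}/.gon/gon_${gon_version}"
+
+__dirname="$(CDPATH= cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+pkgid="$1"
+
+if [ "X${pkgid}" == "X" ]; then
+echo "Usage: $0 <pkgid>"
+exit 1
+fi
+
+if [ "X$NOTARIZATION_ID" == "X" ]; then
+echo "No NOTARIZATION_ID environment var. Skipping notarization."
+exit 0
+fi
+
+set -x
+
+mkdir -p "${HOME}/.gon/"
+
+if [ ! -f "${gon_exe}" ]; then
+curl -sL "https://github.com/mitchellh/gon/releases/download/v${gon_version}/gon_${gon_version}_macos.zip" -o "${gon_exe}.zip"
+(cd "${HOME}/.gon/" && rm -f gon && unzip "${gon_exe}.zip" && mv gon "${gon_exe}")
+fi
+
+cat tools/osx-gon-config.json.tmpl \
+| sed -e "s/{{appleid}}/${NOTARIZATION_ID}/" -e "s/{{pkgid}}/${pkgid}/" \
+> gon-config.json
+
+"${gon_exe}" -log-level=info gon-config.json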
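Review bot: The release pipeline executes a `gon` binary fetched by `curl -sL` with only its version pinned, so the archive is never compared against a known digest, and because `-f` is absent an HTTP error page would be saved as `${gon_exe}.zip` instead of aborting the download. Pin the archive's SHA-256 next to `gon_version` and verify it before unzipping: `gon_sha256="<sha256 of gon_0.2.2_macos.zip — placeholder, take it from the release you verified>"`, `curl -fsSL "https://github.com/mitchellh/gon/releases/download/v${gon_version}/gon_${gon_version}_macos.zip" -o "${gon_exe}.zip"`, `echo "${gon_sha256}  ${gon_exe}.zip" | shasum -a 256 -c -`. Separately, `set -x` is enabled before the `sed` line, so the expanded `${NOTARIZATION_ID}` will appear in build logs; the password itself stays out of the file via `@env:NOTARIZATION_PASSWORD`, but both `sed` replacements are unescaped, so a `/` or `&` in either substituted value would silently corrupt `gon-config.json`. `__dirname` is computed but never used; either drop it or use it to locate `tools/osx-gon-config.json.tmpl` instead of relying on the caller's working directory.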
