
Add a tool to notarize macOS package for Catalina #316

Closed
7 tasks done
BraulioV opened this issue Sep 25, 2019 · 3 comments · Fixed by #319
Comments

BraulioV (Contributor) commented Sep 25, 2019

Hi team,

With the release of macOS Catalina, every installer distributed outside of the App Store must be notarized by Apple before its distribution.

The following tasks must be done before closing this issue:

  • Sign the code with codesign and enable hardened runtime.
  • Sign the pkg installer with productsign.
  • Notarize the pkg with Xcode altool.
  • Add the notarization ticket to the pkg installer.
  • Automate these tasks.
  • Test the package on macOS Mojave and macOS Catalina.
  • Documentation to create the Apple Developer ID, certificates, temporary passwords, etc.

Regards.

BraulioV (Contributor, Author) commented Sep 25, 2019

Hi team,

In this commit c639837 I added new functions to sign the code, sign the installer, notarize it and include the ticket in the package.

To do all these tasks you need to run the script as follows:

$ sudo ./generate_wazuh_packages.sh -b v3.10.2 -j 4 --keychain "/Path/to/keychain" \
    --keychain-password "password" \
    --application-certificate "Developer ID Application certificate name" \
    --installer-certificate "Developer ID Installer certificate name" \
    --notarize --developer-id "your-developer-id@email.com" \
    --altool-password "temporary-password"

If you run the script without the parameter --notarize, you can sign the code and the package and skip the notarization process.

Now, we must test the package to check if something got broken after enabling the hardened runtime capability.

Regards.

BraulioV (Contributor, Author) commented Sep 27, 2019

Hi team,

I've been testing the installation of the package and checking if the binaries work fine after enabling the hardened runtime feature. The installation and the default configuration worked well, but after doing more testing, I found that if you monitor your "home" directory in macOS with syscheck (/Users/your_user), a window will pop up requesting access to some directories.

To solve this issue, I've created an entitlements.plist file. By using this file, you can specify that the binaries will have access to your files, and customize the restrictions of the hardened runtime.

Here you can see the commit: 13cc72b.

With these changes, no more messages requesting access to directories were found, but syscheck shows some errors in the logs:

2019/09/27 06:26:34 ossec-syscheckd: ERROR: (6601): Error accessing '/Users/vagrant/Library/Application Support/com.apple.siri.remembers': 'Operation not permitted' (1)
2019/09/27 06:27:26 ossec-syscheckd: WARNING: '/Users/vagrant/Library/Developer/CoreSimulator/Caches/dyld/19A501i/com.apple.CoreSimulator.SimRuntime.iOS-13-0.17A577a/dyld_sim_shared_cache_x86_64' filesize is larger than the maximum allowed (1024 MB). File skipped.
2019/09/27 06:27:50 ossec-syscheckd: ERROR: (6601): Error accessing '/Users/vagrant/Library/com.apple.internal.ck': 'Operation not permitted' (1)

In addition, I added a "timestamp" to the request ID of the notarization process. This will avoid errors in our CI system if we need to rebuild a package.

Regards.
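As an added example (not the project's code, and not the file from commit 13cc72b) of the check a packaging pipeline should run over an entitlements.plist like the one introduced above: the audit below parses the plist and reports every key that opts out of a hardened-runtime protection, plus any other key for manual review. The entitlement keys are Apple's documented hardened-runtime keys; the sample plist is constructed for this example.

```python
"""Audit a hardened-runtime entitlements.plist before codesign/notarization."""
import plistlib

# Entitlements that opt out of individual hardened-runtime protections.
# Each one is a deliberate weakening and should require justification.
WEAKENING = {
    "com.apple.security.cs.allow-jit": "writable+executable memory via MAP_JIT",
    "com.apple.security.cs.allow-unsigned-executable-memory": "unsigned executable memory",
    "com.apple.security.cs.allow-dyld-environment-variables": "DYLD_* environment honoured",
    "com.apple.security.cs.disable-library-validation": "libraries from any signer may load",
    "com.apple.security.cs.disable-executable-page-protection": "all code-page protections off",
    "com.apple.security.cs.debugger": "process may act as a debugger",
}

def audit_entitlements(plist_bytes):
    """Return (enabled_weakening, unknown_keys) for an entitlements plist.

    enabled_weakening maps each enabled weakening key to a short reason;
    unknown_keys lists every other key (e.g. sandbox keys) for manual review.
    """
    ents = plistlib.loads(plist_bytes)
    enabled = {k: WEAKENING[k] for k, v in ents.items()
               if k in WEAKENING and v is True}
    unknown = sorted(k for k in ents if k not in WEAKENING)
    return enabled, unknown

# Constructed sample plist (not the project's entitlements.plist): disabling
# library validation is not needed to read files and widens attack surface.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.security.cs.disable-library-validation</key>
    <true/>
    <key>com.apple.security.cs.allow-jit</key>
    <false/>
    <key>com.apple.security.files.user-selected.read-write</key>
    <true/>
</dict>
</plist>
"""

if __name__ == "__main__":
    enabled, unknown = audit_entitlements(SAMPLE_PLIST)
    for key, why in enabled.items():
        print(f"WEAKENS HARDENED RUNTIME: {key} ({why})")
    for key in unknown:
        print(f"REVIEW: {key}")
```

Run it against the real entitlements.plist before the codesign step so a build fails on an unjustified weakening rather than after notarization.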

BraulioV (Contributor, Author) commented Oct 1, 2019

Hi team,

No further issues have been found related to the building and notarization process of the package. In addition, in this commit c95ee21 I added some documentation about the notarization process.

I will open a PR to close this issue.

Regards.
