eclipse-sumo
diff --git a/‎.jenkins/sign-macos-installer.jenkinsfile‎
Lines changed: 132 additions & 14 deletions b/‎.jenkins/sign-macos-installer.jenkinsfile‎
Lines changed: 132 additions & 14 deletions
@@ -12,10 +12,10 @@ spec:
   - name: jnlp
     resources:
       limits:
-        memory: "1Gi"
+        memory: "2Gi"
         cpu: "500m"
       requests:
-        memory: "1Gi"
+        memory: "2Gi"
         cpu: "500m"
   - name: ubuntu-sumo
     image: ghcr.io/eclipse/eclipse-sumo-build-ubuntu:latest
@@ -75,10 +75,7 @@ spec:
           script {
             // Step 1: Find the last successful workflow run
             def workflowRunsResponse = sh(
-              script: """
-                curl -H "Authorization: Bearer ${GITHUB_TOKEN}" -s \
-                "https://api.github.com/repos/${REPO_OWNER}/${REPO_NAME}/actions/workflows/${WORKFLOW_ID}/runs?status=success"
-              """,
+              script: 'curl -H "Authorization: Bearer ${GITHUB_TOKEN}" -s "https://api.github.com/repos/${REPO_OWNER}/${REPO_NAME}/actions/workflows/${WORKFLOW_ID}/runs?status=success"',
               returnStdout: true
             ).trim()
 
@@ -87,14 +84,12 @@ spec:
             if (!workflowRuns.workflow_runs || workflowRuns.workflow_runs.size() == 0) {
               error("No successful workflow runs found for workflow: ${WORKFLOW_ID}")
             }
+
             def lastRunId = workflowRuns.workflow_runs[0].id
 
             // Step 2: Get the artifact list for the last successful run
             def artifactsResponse = sh(
-              script: """
-                curl -H "Authorization: Bearer ${GITHUB_TOKEN}" -s \
-                "https://api.github.com/repos/${REPO_OWNER}/${REPO_NAME}/actions/runs/${lastRunId}/artifacts"
-              """,
+              script: 'curl -H "Authorization: Bearer ${GITHUB_TOKEN}" -s "https://api.github.com/repos/${REPO_OWNER}/${REPO_NAME}/actions/runs/' + "${lastRunId}" + '/artifacts"',
               returnStdout: true
             ).trim()
 
@@ -106,13 +101,136 @@ spec:
             }
 
             // Step 3: Download the artifact
-            sh """
-              curl -H "Authorization: Bearer ${GITHUB_TOKEN}" -L \
-              "${artifact.archive_download_url}" --output ${ARTIFACT_NAME}.zip
-            """
+            sh 'curl -H "Authorization: Bearer ${GITHUB_TOKEN}" -L "' + "${artifact.archive_download_url}" + '" --output ${ARTIFACT_NAME}.zip'
 
             // Step 4: Extract the artifact
             sh "unzip -o ${ARTIFACT_NAME}.zip -d artifact"
+
+            // Step 5: Create the entitlements file
+            def entitlementsFile = "sumo.entitlement"
+            writeFile file: entitlementsFile, text: '''
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+    <key>com.apple.security.cs.allow-jit</key>
+    <true/>
+    <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
+    <true/>
+    <key>com.apple.security.cs.disable-executable-page-protection</key>
+    <true/>
+    <key>com.apple.security.cs.allow-dyld-environment-variables</key>
+    <true/>
+    <key>com.apple.security.cs.disable-library-validation</key>
+    <true/>
+    <key>com.apple.security.cs.debugger</key>
+    <true/>
+</dict>
+</plist>'''
+
+            // Step 6: Extract the .dmg file name dynamically
+            def dmgFile = sh(
+                script: "ls artifact/*.dmg",
+                returnStdout: true
+            ).trim()
+
+            if (!dmgFile) {
+                error("No .dmg file found in artifact directory")
+            }
+
+            // Extract the base name of the .dmg file (without the extension)
+            def baseName = dmgFile.replaceAll(/\.dmg$/, "")
+
+            // Define the signed DMG file name
+            def signedDmgFile = "${baseName}-signed.dmg"
+
+            // Step 7: Upload for signing
+            sh """
+            curl -o ${signedDmgFile} -F file=@${dmgFile} -F entitlements=@${entitlementsFile} \
+                https://cbi.eclipse.org/macos/codesign/sign
+            """
+
+            // Verify signed file
+            if (!fileExists(signedDmgFile)) {
+                error("Signed DMG file not created: ${signedDmgFile}")
+            }
+
+            echo "Signed DMG file created successfully: ${signedDmgFile}"
+
+            // Step 8: Notarize the signed DMG
+            def notarizedZip = "macos-14-installer.zip"
+            def primaryBundleId = "org.eclipse.sumo"
+
+            // Regular expressions to extract UUID and status
+            def uuidRegex = /"uuid"\s*:\s*"([^"]+)"/
+            def statusRegex = /"status"\s*:\s*"([^"]+)"/
+
+            echo "Starting notarization process for ${signedDmgFile}"
+
+            // Initiate notarization
+            def response = sh(
+                script: """
+                    curl -X POST -F file=@${signedDmgFile} \
+                    -F 'options={"primaryBundleId": "${primaryBundleId}", "staple": true};type=application/json' \
+                    https://cbi.eclipse.org/macos/xcrun/notarize
+                """,
+                returnStdout: true
+            ).trim()
+
+            // Extract UUID and status from the response
+            def uuidMatch = (response =~ uuidRegex)
+            def statusMatch = (response =~ statusRegex)
+
+            if (!uuidMatch || !statusMatch) {
+                error("Failed to extract UUID or status from notarization response: ${response}")
+            }
+
+            def uuid = uuidMatch[0][1]
+            def status = statusMatch[0][1]
+
+            echo "Notarization initiated with UUID: ${uuid}, initial status: ${status}"
+
+            // Polling notarization status
+            while (status == "IN_PROGRESS") {
+                sleep 60
+                def pollResponse = sh(
+                    script: "curl -s https://cbi.eclipse.org/macos/xcrun/${uuid}/status",
+                    returnStdout: true
+                ).trim()
+
+                statusMatch = (pollResponse =~ statusRegex)
+                if (!statusMatch) {
+                    error("Failed to extract status from notarization polling response: ${pollResponse}")
+                }
+                status = statusMatch[0][1]
+                echo "Notarization progress: ${pollResponse}"
+            }
+
+            if (status != "COMPLETE") {
+                error("Notarization failed: ${response}")
+            }
+
+            // Download the notarized result
+            sh """
+                curl -o ${notarizedZip} https://cbi.eclipse.org/macos/xcrun/${uuid}/download
+            """
+
+            echo "Notarization completed. Downloaded notarized ZIP: ${notarizedZip}"
+
+            // Step 9: Upload notarized ZIP back to the GitHub Actions workflow
+            def uploadUrl = "https://uploads.github.com/repos/${REPO_OWNER}/${REPO_NAME}/actions/runs/${lastRunId}/artifacts"
+            def artifactName = "macos-14-installer"
+
+            // Upload the artifact
+            sh """
+            curl -X POST -H "Authorization: Bearer ${GITHUB_TOKEN}" \
+                -H "Content-Type: application/json" \
+                -F name=${artifactName} \
+                -F file=@${notarizedZip} \
+                ${uploadUrl}
+            """
+
+            echo "Uploaded notarized artifact '${notarizedZip}' as '${artifactName}' to GitHub Actions workflow: ${lastRunId}"
           }
         }
       }