support multiple notarize blocks, more validation in gon

Author: mitchellh

cmd/gon/item.go

@@ -18,6 +18,9 @@ type item struct {
 	// Path is the path to the file to notarize.
 	Path string
 
+	// BundleId is the bundle ID to use for this notarization.
+	BundleId string
+
 	// Staple is true if we should perform stapling on this file. Not
 	// all files support stapling so the default depends on the type of file.
 	Staple bool
@@ -54,10 +57,16 @@ type processOptions struct {
 func (i *item) notarize(ctx context.Context, opts *processOptions) error {
 	lock := opts.OutputLock
 
+	// The bundle ID defaults to the root one
+	bundleId := i.BundleId
+	if bundleId == "" {
+		bundleId = opts.Config.BundleId
+	}
+
 	// Start notarization
 	_, err := notarize.Notarize(ctx, &notarize.Options{
 		File:       i.Path,
-		BundleId:   opts.Config.BundleId,
+		BundleId:   bundleId,
 		Username:   opts.Config.AppleId.Username,
 		Password:   opts.Config.AppleId.Password,
 		Provider:   opts.Config.AppleId.Provider,

cmd/gon/main.go

@@ -81,83 +81,123 @@ func realMain() int {
 
 	// Notarize is an alternative to "Source", where you specify
 	// a single .pkg or .zip that is ready for notarization and stapling
-	if cfg.Notarize != nil {
-		items = append(items, &item{Path: cfg.Notarize.Package, Staple: cfg.Notarize.Staple})
+	if len(cfg.Notarize) > 0 {
+		for _, c := range cfg.Notarize {
+			items = append(items, &item{
+				Path:     c.Path,
+				BundleId: c.BundleId,
+				Staple:   c.Staple,
+			})
+		}
+	}
+
+	if len(cfg.Source) > 0 {
+		if cfg.Sign == nil {
+			color.New(color.Bold, color.FgRed).Fprintf(os.Stdout,
+				"❗️ `sign` configuration required with `source` set\n")
+			color.New(color.FgRed).Fprintf(os.Stdout,
+				"When you set the `source` configuration, you must also specify the\n"+
+					"`sign` configuration to sign the input files.\n")
+			return 1
+		}
+	} else {
+		if cfg.Zip != nil {
+			color.New(color.Bold, color.FgRed).Fprintf(os.Stdout,
+				"❗️ `zip` can only be set while `source` is also set\n")
+			color.New(color.FgRed).Fprintf(os.Stdout,
+				"Zip packaging is only supported when `source` is specified. This is\n"+
+					"because the `zip` option packages the source files. If there are no\n"+
+					"source files specified, then there is nothing to package.\n")
+			return 1
+		}
+
+		if cfg.Dmg != nil {
+			color.New(color.Bold, color.FgRed).Fprintf(os.Stdout,
+				"❗️ `dmg` can only be set while `source` is also set\n")
+			color.New(color.FgRed).Fprintf(os.Stdout,
+				"Dmg packaging is only supported when `source` is specified. This is\n"+
+					"because the `dmg` option packages the source files. If there are no\n"+
+					"source files specified, then there is nothing to package.\n")
+			return 1
+		}
 	}
 
 	// If we have no items to sign then its probably an error
-	if len(cfg.Source) == 0 && cfg.Notarize == nil {
+	if len(cfg.Source) == 0 && len(cfg.Notarize) == 0 {
 		color.New(color.Bold, color.FgRed).Fprintf(os.Stdout, "❗️ No source files specified\n")
 		color.New(color.FgRed).Fprintf(os.Stdout,
 			"Your configuration had an empty 'source' and empty 'notarize' values. This must be populated with\n"+
 				"at least one file to sign, package, and notarize.\n")
 		return 1
 	}
 
-	if len(cfg.Source) > 0 && cfg.Sign != nil {
-		// Perform codesigning
-		color.New(color.Bold).Fprintf(os.Stdout, "==> %s  Signing files...\n", iconSign)
-		err = sign.Sign(context.Background(), &sign.Options{
-			Files:    cfg.Source,
-			Identity: cfg.Sign.ApplicationIdentity,
-			Logger:   logger.Named("sign"),
-		})
-		if err != nil {
-			fmt.Fprintf(os.Stdout, color.RedString("❗️ Error signing files:\n\n%s\n", err))
-			return 1
+	// If we're in source mode, then sign & package as configured
+	if len(cfg.Source) > 0 {
+		if cfg.Sign != nil {
+			// Perform codesigning
+			color.New(color.Bold).Fprintf(os.Stdout, "==> %s  Signing files...\n", iconSign)
+			err = sign.Sign(context.Background(), &sign.Options{
+				Files:    cfg.Source,
+				Identity: cfg.Sign.ApplicationIdentity,
+				Logger:   logger.Named("sign"),
+			})
+			if err != nil {
+				fmt.Fprintf(os.Stdout, color.RedString("❗️ Error signing files:\n\n%s\n", err))
+				return 1
+			}
+			color.New(color.Bold, color.FgGreen).Fprintf(os.Stdout, "    Code signing successful\n")
 		}
-		color.New(color.Bold, color.FgGreen).Fprintf(os.Stdout, "    Code signing successful\n")
-	}
 
-	// Create a zip
-	if len(cfg.Source) > 0 && cfg.Zip != nil {
-		color.New(color.Bold).Fprintf(os.Stdout, "==> %s  Creating Zip archive...\n", iconPackage)
-		err = zip.Zip(context.Background(), &zip.Options{
-			Files:      cfg.Source,
-			OutputPath: cfg.Zip.OutputPath,
-		})
-		if err != nil {
-			fmt.Fprintf(os.Stdout, color.RedString("❗️ Error creating zip archive:\n\n%s\n", err))
-			return 1
+		// Create a zip
+		if cfg.Zip != nil {
+			color.New(color.Bold).Fprintf(os.Stdout, "==> %s  Creating Zip archive...\n", iconPackage)
+			err = zip.Zip(context.Background(), &zip.Options{
+				Files:      cfg.Source,
+				OutputPath: cfg.Zip.OutputPath,
+			})
+			if err != nil {
+				fmt.Fprintf(os.Stdout, color.RedString("❗️ Error creating zip archive:\n\n%s\n", err))
+				return 1
+			}
+			color.New(color.Bold, color.FgGreen).Fprintf(os.Stdout, "    Zip archive created with signed files\n")
+
+			// Queue to notarize
+			items = append(items, &item{Path: cfg.Zip.OutputPath})
 		}
-		color.New(color.Bold, color.FgGreen).Fprintf(os.Stdout, "    Zip archive created with signed files\n")
 
-		// Queue to notarize
-		items = append(items, &item{Path: cfg.Zip.OutputPath})
-	}
+		// Create a dmg
+		if cfg.Dmg != nil && cfg.Sign != nil {
+			// First create the dmg itself. This passes in the signed files.
+			color.New(color.Bold).Fprintf(os.Stdout, "==> %s  Creating dmg...\n", iconPackage)
+			color.New().Fprintf(os.Stdout, "    This will open Finder windows momentarily.\n")
+			err = dmg.Dmg(context.Background(), &dmg.Options{
+				Files:      cfg.Source,
+				OutputPath: cfg.Dmg.OutputPath,
+				VolumeName: cfg.Dmg.VolumeName,
+				Logger:     logger.Named("dmg"),
+			})
+			if err != nil {
+				fmt.Fprintf(os.Stdout, color.RedString("❗️ Error creating dmg:\n\n%s\n", err))
+				return 1
+			}
+			color.New().Fprintf(os.Stdout, "    Dmg file created: %s\n", cfg.Dmg.OutputPath)
+
+			// Next we need to sign the actual DMG as well
+			color.New().Fprintf(os.Stdout, "    Signing dmg...\n")
+			err = sign.Sign(context.Background(), &sign.Options{
+				Files:    []string{cfg.Dmg.OutputPath},
+				Identity: cfg.Sign.ApplicationIdentity,
+				Logger:   logger.Named("dmg"),
+			})
+			if err != nil {
+				fmt.Fprintf(os.Stdout, color.RedString("❗️ Error signing dmg:\n\n%s\n", err))
+				return 1
+			}
+			color.New(color.Bold, color.FgGreen).Fprintf(os.Stdout, "    Dmg created and signed\n")
 
-	// Create a dmg
-	if len(cfg.Source) > 0 && cfg.Dmg != nil && cfg.Sign != nil {
-		// First create the dmg itself. This passes in the signed files.
-		color.New(color.Bold).Fprintf(os.Stdout, "==> %s  Creating dmg...\n", iconPackage)
-		color.New().Fprintf(os.Stdout, "    This will open Finder windows momentarily.\n")
-		err = dmg.Dmg(context.Background(), &dmg.Options{
-			Files:      cfg.Source,
-			OutputPath: cfg.Dmg.OutputPath,
-			VolumeName: cfg.Dmg.VolumeName,
-			Logger:     logger.Named("dmg"),
-		})
-		if err != nil {
-			fmt.Fprintf(os.Stdout, color.RedString("❗️ Error creating dmg:\n\n%s\n", err))
-			return 1
-		}
-		color.New().Fprintf(os.Stdout, "    Dmg file created: %s\n", cfg.Dmg.OutputPath)
-
-		// Next we need to sign the actual DMG as well
-		color.New().Fprintf(os.Stdout, "    Signing dmg...\n")
-		err = sign.Sign(context.Background(), &sign.Options{
-			Files:    []string{cfg.Dmg.OutputPath},
-			Identity: cfg.Sign.ApplicationIdentity,
-			Logger:   logger.Named("dmg"),
-		})
-		if err != nil {
-			fmt.Fprintf(os.Stdout, color.RedString("❗️ Error signing dmg:\n\n%s\n", err))
-			return 1
+			// Queue to notarize
+			items = append(items, &item{Path: cfg.Dmg.OutputPath, Staple: true})
 		}
-		color.New(color.Bold, color.FgGreen).Fprintf(os.Stdout, "    Dmg created and signed\n")
-
-		// Queue to notarize
-		items = append(items, &item{Path: cfg.Dmg.OutputPath, Staple: true})
 	}
 
 	// If we have no items to notarize then its probably an error in the configuration.

internal/config/config.go

@@ -12,7 +12,7 @@ type Config struct {
 
 	// Notarize is a single file (usually a .pkg installer or zip)
 	// that is ready for notarization as-is
-	Notarize *Notarize `hcl:"notarize,block"`
+	Notarize []Notarize `hcl:"notarize,block"`
 
 	// Sign are the settings for code-signing the binaries.
 	Sign *Sign `hcl:"sign,block"`
@@ -47,10 +47,18 @@ type AppleId struct {
 	Provider string `hcl:"provider,optional"`
 }
 
-// Options for notarizing a pre-built .pkg or .zip
+// NOtarize are the options for notarizing a pre-built file.
 type Notarize struct {
-	Package string `hcl:"package"`
-	Staple  bool   `hcl:"staple"`
+	// Path is the path to the file to notarize. This can be any supported
+	// filetype (dmg, pkg, app, zip).
+	Path string `hcl:"path"`
+
+	// BundleId is the bundle ID to use for notarizing this package.
+	// If this isn't specified then the root bundle_id is inherited.
+	BundleId string `hcl:"bundle_id"`
+
+	// Staple, if true will staple the notarization ticket to the file.
+	Staple bool `hcl:"staple,optional"`
 }
 
 // Sign are the options for codesigning the binaries.

internal/config/testdata/basic.hcl.golden

@@ -3,9 +3,10 @@
   (string) (len=11) "./terraform"
  },
  BundleId: (string) (len=28) "com.mitchellh.test.terraform",
- Sign: (config.Sign) {
+ Notarize: ([]config.Notarize) <nil>,
+ Sign: (*config.Sign)({
   ApplicationIdentity: (string) (len=3) "foo"
- },
+ }),
  AppleId: (config.AppleId) {
   Username: (string) (len=21) "mitchellh@example.com",
   Password: (string) (len=5) "hello",

internal/config/testdata/notarize.hcl

@@ -2,8 +2,8 @@ source = []
 bundle_id = "com.example.terraform"
 
 notarize {
-	package = "/path/to/terraform.pkg"
-	staple = true
+	path = "/path/to/terraform.pkg"
+    bundle_id = "foo.bar"
 }
 
 apple_id {

internal/config/testdata/notarize.hcl.golden

@@ -0,0 +1,20 @@
+(*config.Config)({
+ Source: ([]string) {
+ },
+ BundleId: (string) (len=21) "com.example.terraform",
+ Notarize: ([]config.Notarize) (len=1 cap=1) {
+  (config.Notarize) {
+   Path: (string) (len=22) "/path/to/terraform.pkg",
+   BundleId: (string) (len=7) "foo.bar",
+   Staple: (bool) false
+  }
+ },
+ Sign: (*config.Sign)(<nil>),
+ AppleId: (config.AppleId) {
+  Username: (string) (len=21) "mitchellh@example.com",
+  Password: (string) (len=5) "hello",
+  Provider: (string) ""
+ },
+ Zip: (*config.Zip)(<nil>),
+ Dmg: (*config.Dmg)(<nil>)
+})

internal/config/testdata/notarize_multiple.hcl

@@ -0,0 +1,18 @@
+source = []
+bundle_id = ""
+
+notarize {
+	path = "/path/to/terraform.pkg"
+    bundle_id = "foo.bar"
+}
+
+notarize {
+	path = "/path/to/terraform.pkg"
+    bundle_id = "foo.bar"
+    staple = true
+}
+
+apple_id {
+  username = "mitchellh@example.com"
+  password = "hello"
+}

internal/config/testdata/notarize_multiple.hcl.golden

@@ -0,0 +1,25 @@
+(*config.Config)({
+ Source: ([]string) {
+ },
+ BundleId: (string) "",
+ Notarize: ([]config.Notarize) (len=2 cap=2) {
+  (config.Notarize) {
+   Path: (string) (len=22) "/path/to/terraform.pkg",
+   BundleId: (string) (len=7) "foo.bar",
+   Staple: (bool) false
+  },
+  (config.Notarize) {
+   Path: (string) (len=22) "/path/to/terraform.pkg",
+   BundleId: (string) (len=7) "foo.bar",
+   Staple: (bool) true
+  }
+ },
+ Sign: (*config.Sign)(<nil>),
+ AppleId: (config.AppleId) {
+  Username: (string) (len=21) "mitchellh@example.com",
+  Password: (string) (len=5) "hello",
+  Provider: (string) ""
+ },
+ Zip: (*config.Zip)(<nil>),
+ Dmg: (*config.Dmg)(<nil>)
+})