Merge pull request #2 from mitchellh/etter-tanium-standalone-notarization

Support a notarization-only mode, thanks to @etter-tanium

Author: mitchellh

README.md

@@ -190,6 +190,21 @@ Supported configurations:
     for your application. You should choose something unique for your application.
     You can also [register these with Apple](https://developer.apple.com/account/resources/identifiers/list).
 
+  * `notarize` (_optional_) - Settings for notarizing an already built files.
+    This is an alternative to using the `source` option.
+
+    * `path` (`string`) - The path to the file to notarize. This must be
+      one of Apple's supported file types for notarization: dmg, pkg, app, or
+      zip.
+
+    * `bundle_id` (`string`) - The bundle ID to use for this notarization.
+      This is used instead of the top-level `bundle_id` (which controls the
+      value for source-based runs).
+
+    * `staple` (`bool` _optional_) - Controls if `stapler staple` should run
+      if notarization succeeds. This should only be set for filetypes that
+      support it (dmg, pkg, or app).
+
   * `apple_id` - Settings related to the Apple ID to use for notarization.
 
     * `username` (`string`) - The Apple ID username, typically an email address.
@@ -232,6 +247,55 @@ Supported configurations:
       already exists, it will be overwritten. All files in `source` will be copied
       into the root of the zip archive.
 
+### Notarization-Only Configuration
+
+You can configure `gon` to notarize already-signed files. This is useful
+if you're integrating `gon` into an existing build pipeline that may already
+support creation of pkg, app, etc. files.
+
+You can use this in addition to specifying `source` as well. In this case,
+we will codesign & package the files specified in `source` and then notarize
+those results as well as those in `notarize` blocks.
+
+Example in HCL and then the identical configuration in JSON:
+
+```hcl
+sources = []
+bundle_id = ""
+
+notarize {
+  path = "/path/to/terraform.pkg"
+  bundle_id = "com.mitchellh.example.terraform"
+  staple = true
+}
+
+apple_id {
+  username = "mitchell@example.com"
+  password = "@env:AC_PASSWORD"
+}
+```
+
+```json
+{
+  "sources": [],
+  "bundle_id": "",
+
+  "notarize": [{
+    "path": "/path/to/terraform.pkg",
+	"bundle_id": "com.mitchellh.example.terraform",
+	"staple": true
+  }],
+
+  "apple_id": {
+     "username": "mitchell@example.com",
+	 "password": "@env:AC_PASSWORD"
+  }
+}
+```
+
+Note you may specify multiple `notarize` blocks to notarize multipel files
+concurrently.
+
 ### Processing Time
 
 The notarization process requires submitting your package(s) to Apple

cmd/gon/item.go

@@ -18,6 +18,9 @@ type item struct {
 	// Path is the path to the file to notarize.
 	Path string
 
+	// BundleId is the bundle ID to use for this notarization.
+	BundleId string
+
 	// Staple is true if we should perform stapling on this file. Not
 	// all files support stapling so the default depends on the type of file.
 	Staple bool
@@ -54,10 +57,16 @@ type processOptions struct {
 func (i *item) notarize(ctx context.Context, opts *processOptions) error {
 	lock := opts.OutputLock
 
+	// The bundle ID defaults to the root one
+	bundleId := i.BundleId
+	if bundleId == "" {
+		bundleId = opts.Config.BundleId
+	}
+
 	// Start notarization
 	_, err := notarize.Notarize(ctx, &notarize.Options{
 		File:       i.Path,
-		BundleId:   opts.Config.BundleId,
+		BundleId:   bundleId,
 		Username:   opts.Config.AppleId.Username,
 		Password:   opts.Config.AppleId.Password,
 		Provider:   opts.Config.AppleId.Provider,

cmd/gon/main.go

@@ -75,101 +75,149 @@ func realMain() int {
 		return 1
 	}
 
-	// If we have no items to sign then its probably an error
-	if len(cfg.Source) == 0 {
-		color.New(color.Bold, color.FgRed).Fprintf(os.Stdout, "❗️ No source files specified\n")
-		color.New(color.FgRed).Fprintf(os.Stdout,
-			"Your configuration had an empty 'source' value. This must be populated with\n"+
-				"at least one file to sign, package, and notarize.\n")
-		return 1
-	}
-
 	// The files to notarize should be added to this. We'll submit one notarization
 	// request per file here.
 	var items []*item
 
-	// Perform codesigning
-	color.New(color.Bold).Fprintf(os.Stdout, "==> %s  Signing files...\n", iconSign)
-	err = sign.Sign(context.Background(), &sign.Options{
-		Files:    cfg.Source,
-		Identity: cfg.Sign.ApplicationIdentity,
-		Logger:   logger.Named("sign"),
-	})
-	if err != nil {
-		fmt.Fprintf(os.Stdout, color.RedString("❗️ Error signing files:\n\n%s\n", err))
-		return 1
+	// Notarize is an alternative to "Source", where you specify
+	// a single .pkg or .zip that is ready for notarization and stapling
+	if len(cfg.Notarize) > 0 {
+		for _, c := range cfg.Notarize {
+			items = append(items, &item{
+				Path:     c.Path,
+				BundleId: c.BundleId,
+				Staple:   c.Staple,
+			})
+		}
 	}
-	color.New(color.Bold, color.FgGreen).Fprintf(os.Stdout, "    Code signing successful\n")
-
-	// Create a zip
-	if cfg.Zip != nil {
-		color.New(color.Bold).Fprintf(os.Stdout, "==> %s  Creating Zip archive...\n", iconPackage)
-		err = zip.Zip(context.Background(), &zip.Options{
-			Files:      cfg.Source,
-			OutputPath: cfg.Zip.OutputPath,
-		})
-		if err != nil {
-			fmt.Fprintf(os.Stdout, color.RedString("❗️ Error creating zip archive:\n\n%s\n", err))
+
+	if len(cfg.Source) > 0 {
+		if cfg.Sign == nil {
+			color.New(color.Bold, color.FgRed).Fprintf(os.Stdout,
+				"❗️ `sign` configuration required with `source` set\n")
+			color.New(color.FgRed).Fprintf(os.Stdout,
+				"When you set the `source` configuration, you must also specify the\n"+
+					"`sign` configuration to sign the input files.\n")
+			return 1
+		}
+	} else {
+		if cfg.Zip != nil {
+			color.New(color.Bold, color.FgRed).Fprintf(os.Stdout,
+				"❗️ `zip` can only be set while `source` is also set\n")
+			color.New(color.FgRed).Fprintf(os.Stdout,
+				"Zip packaging is only supported when `source` is specified. This is\n"+
+					"because the `zip` option packages the source files. If there are no\n"+
+					"source files specified, then there is nothing to package.\n")
 			return 1
 		}
-		color.New(color.Bold, color.FgGreen).Fprintf(os.Stdout, "    Zip archive created with signed files\n")
 
-		// Queue to notarize
-		items = append(items, &item{Path: cfg.Zip.OutputPath})
+		if cfg.Dmg != nil {
+			color.New(color.Bold, color.FgRed).Fprintf(os.Stdout,
+				"❗️ `dmg` can only be set while `source` is also set\n")
+			color.New(color.FgRed).Fprintf(os.Stdout,
+				"Dmg packaging is only supported when `source` is specified. This is\n"+
+					"because the `dmg` option packages the source files. If there are no\n"+
+					"source files specified, then there is nothing to package.\n")
+			return 1
+		}
 	}
 
-	// Create a dmg
-	if cfg.Dmg != nil {
-		// First create the dmg itself. This passes in the signed files.
-		color.New(color.Bold).Fprintf(os.Stdout, "==> %s  Creating dmg...\n", iconPackage)
-		color.New().Fprintf(os.Stdout, "    This will open Finder windows momentarily.\n")
-		err = dmg.Dmg(context.Background(), &dmg.Options{
-			Files:      cfg.Source,
-			OutputPath: cfg.Dmg.OutputPath,
-			VolumeName: cfg.Dmg.VolumeName,
-			Logger:     logger.Named("dmg"),
-		})
-		if err != nil {
-			fmt.Fprintf(os.Stdout, color.RedString("❗️ Error creating dmg:\n\n%s\n", err))
-			return 1
+	// If we have no items to sign then its probably an error
+	if len(cfg.Source) == 0 && len(cfg.Notarize) == 0 {
+		color.New(color.Bold, color.FgRed).Fprintf(os.Stdout, "❗️ No source files specified\n")
+		color.New(color.FgRed).Fprintf(os.Stdout,
+			"Your configuration had an empty 'source' and empty 'notarize' values. This must be populated with\n"+
+				"at least one file to sign, package, and notarize.\n")
+		return 1
+	}
+
+	// If we're in source mode, then sign & package as configured
+	if len(cfg.Source) > 0 {
+		if cfg.Sign != nil {
+			// Perform codesigning
+			color.New(color.Bold).Fprintf(os.Stdout, "==> %s  Signing files...\n", iconSign)
+			err = sign.Sign(context.Background(), &sign.Options{
+				Files:    cfg.Source,
+				Identity: cfg.Sign.ApplicationIdentity,
+				Logger:   logger.Named("sign"),
+			})
+			if err != nil {
+				fmt.Fprintf(os.Stdout, color.RedString("❗️ Error signing files:\n\n%s\n", err))
+				return 1
+			}
+			color.New(color.Bold, color.FgGreen).Fprintf(os.Stdout, "    Code signing successful\n")
 		}
-		color.New().Fprintf(os.Stdout, "    Dmg file created: %s\n", cfg.Dmg.OutputPath)
-
-		// Next we need to sign the actual DMG as well
-		color.New().Fprintf(os.Stdout, "    Signing dmg...\n")
-		err = sign.Sign(context.Background(), &sign.Options{
-			Files:    []string{cfg.Dmg.OutputPath},
-			Identity: cfg.Sign.ApplicationIdentity,
-			Logger:   logger.Named("dmg"),
-		})
-		if err != nil {
-			fmt.Fprintf(os.Stdout, color.RedString("❗️ Error signing dmg:\n\n%s\n", err))
-			return 1
+
+		// Create a zip
+		if cfg.Zip != nil {
+			color.New(color.Bold).Fprintf(os.Stdout, "==> %s  Creating Zip archive...\n", iconPackage)
+			err = zip.Zip(context.Background(), &zip.Options{
+				Files:      cfg.Source,
+				OutputPath: cfg.Zip.OutputPath,
+			})
+			if err != nil {
+				fmt.Fprintf(os.Stdout, color.RedString("❗️ Error creating zip archive:\n\n%s\n", err))
+				return 1
+			}
+			color.New(color.Bold, color.FgGreen).Fprintf(os.Stdout, "    Zip archive created with signed files\n")
+
+			// Queue to notarize
+			items = append(items, &item{Path: cfg.Zip.OutputPath})
 		}
-		color.New(color.Bold, color.FgGreen).Fprintf(os.Stdout, "    Dmg created and signed\n")
 
-		// Queue to notarize
-		items = append(items, &item{Path: cfg.Dmg.OutputPath, Staple: true})
+		// Create a dmg
+		if cfg.Dmg != nil && cfg.Sign != nil {
+			// First create the dmg itself. This passes in the signed files.
+			color.New(color.Bold).Fprintf(os.Stdout, "==> %s  Creating dmg...\n", iconPackage)
+			color.New().Fprintf(os.Stdout, "    This will open Finder windows momentarily.\n")
+			err = dmg.Dmg(context.Background(), &dmg.Options{
+				Files:      cfg.Source,
+				OutputPath: cfg.Dmg.OutputPath,
+				VolumeName: cfg.Dmg.VolumeName,
+				Logger:     logger.Named("dmg"),
+			})
+			if err != nil {
+				fmt.Fprintf(os.Stdout, color.RedString("❗️ Error creating dmg:\n\n%s\n", err))
+				return 1
+			}
+			color.New().Fprintf(os.Stdout, "    Dmg file created: %s\n", cfg.Dmg.OutputPath)
+
+			// Next we need to sign the actual DMG as well
+			color.New().Fprintf(os.Stdout, "    Signing dmg...\n")
+			err = sign.Sign(context.Background(), &sign.Options{
+				Files:    []string{cfg.Dmg.OutputPath},
+				Identity: cfg.Sign.ApplicationIdentity,
+				Logger:   logger.Named("dmg"),
+			})
+			if err != nil {
+				fmt.Fprintf(os.Stdout, color.RedString("❗️ Error signing dmg:\n\n%s\n", err))
+				return 1
+			}
+			color.New(color.Bold, color.FgGreen).Fprintf(os.Stdout, "    Dmg created and signed\n")
+
+			// Queue to notarize
+			items = append(items, &item{Path: cfg.Dmg.OutputPath, Staple: true})
+		}
 	}
 
 	// If we have no items to notarize then its probably an error in the configuration.
 	if len(items) == 0 {
 		color.New(color.Bold, color.FgYellow).Fprintf(os.Stdout, "\n⚠️  No items to notarize\n")
 		color.New(color.FgYellow).Fprintf(os.Stdout,
-			"You must specify a 'zip' or 'dmg' section in your configuration to enable\n"+
-				"packaging and notarization. Without these sections, gon will only sign your\n"+
-				"input files.\n")
+			"You must specify a 'notarize' section or a 'source' section plus a 'zip' or 'dmg' section "+
+				"in your configuration to enable packaging and notarization. Without these sections, gon\n"+
+				"will only sign your input files in 'source'.\n")
 		return 0
 	}
 
 	// Notarize
 	color.New(color.Bold).Fprintf(os.Stdout, "==> %s  Notarizing...\n", iconNotarize)
 	if len(items) > 1 {
-		for _, f := range items {
-			color.New().Fprintf(os.Stdout, "    Path: %s\n", f.Path)
-		}
 		color.New().Fprintf(os.Stdout, "    Files will be notarized concurrently to optimize queue wait\n")
 	}
+	for _, f := range items {
+		color.New().Fprintf(os.Stdout, "    Path: %s\n", f.Path)
+	}
 
 	// Build our prefixes
 	prefixes := statusPrefixList(items)

internal/config/config.go

@@ -10,8 +10,12 @@ type Config struct {
 	// be anything, this is required by Apple.
 	BundleId string `hcl:"bundle_id"`
 
+	// Notarize is a single file (usually a .pkg installer or zip)
+	// that is ready for notarization as-is
+	Notarize []Notarize `hcl:"notarize,block"`
+
 	// Sign are the settings for code-signing the binaries.
-	Sign Sign `hcl:"sign,block"`
+	Sign *Sign `hcl:"sign,block"`
 
 	// AppleId are the credentials to use to talk to Apple.
 	AppleId AppleId `hcl:"apple_id,block"`
@@ -43,6 +47,20 @@ type AppleId struct {
 	Provider string `hcl:"provider,optional"`
 }
 
+// NOtarize are the options for notarizing a pre-built file.
+type Notarize struct {
+	// Path is the path to the file to notarize. This can be any supported
+	// filetype (dmg, pkg, app, zip).
+	Path string `hcl:"path"`
+
+	// BundleId is the bundle ID to use for notarizing this package.
+	// If this isn't specified then the root bundle_id is inherited.
+	BundleId string `hcl:"bundle_id"`
+
+	// Staple, if true will staple the notarization ticket to the file.
+	Staple bool `hcl:"staple,optional"`
+}
+
 // Sign are the options for codesigning the binaries.
 type Sign struct {
 	// ApplicationIdentity is the ID or name of the certificate to

internal/config/testdata/basic.hcl.golden

@@ -3,9 +3,10 @@
   (string) (len=11) "./terraform"
  },
  BundleId: (string) (len=28) "com.mitchellh.test.terraform",
- Sign: (config.Sign) {
+ Notarize: ([]config.Notarize) <nil>,
+ Sign: (*config.Sign)({
   ApplicationIdentity: (string) (len=3) "foo"
- },
+ }),
  AppleId: (config.AppleId) {
   Username: (string) (len=21) "mitchellh@example.com",
   Password: (string) (len=5) "hello",

internal/config/testdata/notarize.hcl

@@ -0,0 +1,12 @@
+source = []
+bundle_id = "com.example.terraform"
+
+notarize {
+	path = "/path/to/terraform.pkg"
+    bundle_id = "foo.bar"
+}
+
+apple_id {
+  username = "mitchellh@example.com"
+  password = "hello"
+}