MONGOSH-278 - Notarize macOS package (#342)

Author: addaleax

.evergreen.yml

@@ -30,6 +30,10 @@ variables:
             -c 'cd /tmp/build && npm run evergreen-release package'
         else
           npm run evergreen-release package
+          if [ `uname` == Darwin ]; then
+            # Verify signing
+            spctl -a -vvv -t install dist/mongosh
+          fi
         fi
         RELEASE_MONGOSH
 

config/build.conf.js

@@ -64,6 +64,7 @@ module.exports = {
   appleUser: process.env.APPLE_DEV_USER,
   applePassword: process.env.APPLE_DEV_PASSWORD,
   appleAppIdentity: process.env.APPLE_APP_IDENTITY,
+  entitlementsFile: path.resolve(__dirname, 'macos-entitlements.xml'),
   isCi: process.env.IS_CI === 'true',
   isPatch: process.env.IS_PATCH === 'true',
   platform: os.platform(),

config/macos-entitlements.xml

@@ -0,0 +1,12 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+    <key>com.apple.security.cs.allow-jit</key>
+    <true/>
+    <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
+    <true/>
+    <key>com.apple.security.cs.disable-executable-page-protection</key>
+    <true/>
+</dict>
+</plist>

package-lock.json

@@ -95,7 +95,7 @@
     "mocha": "^7.1.2",
     "mongodb-js-precommit": "^2.0.0",
     "mongodb-runner": "^4.7.5",
-    "node-codesign": "durran/node-codesign",
+    "node-codesign": "github:addaleax/node-codesign",
     "parcel-bundler": "^1.12.4",
     "pkg": "^4.4.3",
     "pkg-deb": "^1.1.1",

package.json

@@ -1,6 +1,9 @@
 import compileExec from './compile-exec';
 import { createTarball, TarballFile } from './tarball';
 import Config from './config';
+import Platform from './platform';
+import os from 'os';
+import macOSSignAndNotarize from './macos-sign';
 
 export default async function compileAndZipExecutable(config: Config): Promise<TarballFile> {
   const executable = await compileExec(
@@ -12,15 +15,21 @@ export default async function compileAndZipExecutable(config: Config): Promise<T
     config.segmentKey,
   );
 
-  // Zip the executable.
-  const artifact = await createTarball(
-    executable,
-    config.outputDir,
-    config.buildVariant,
-    config.version,
-    config.rootDir
-  );
+  const runCreateTarball = async(): Promise<TarballFile> => {
+    return await createTarball(
+      executable,
+      config.outputDir,
+      config.buildVariant,
+      config.version,
+      config.rootDir
+    );
+  };
 
-  // add artifcats for .rpm and .msi
-  return artifact;
+  // Zip the executable, or, on macOS, do it as part of the notarization/signing
+  // step.
+  if (os.platform() === Platform.MacOs && !config.dryRun) {
+    return await macOSSignAndNotarize(executable, config, runCreateTarball);
+  } else {
+    return await runCreateTarball();
+  }
 }

packages/build/src/compile-and-zip-executable.ts

@@ -21,6 +21,7 @@ export default interface Config {
   appleUser?: string;
   applePassword?: string;
   appleAppIdentity?: string;
+  entitlementsFile?: string;
   isCi?: boolean;
   platform?: string;
   execNodeVersion?: string;

packages/build/src/config.ts

@@ -3,7 +3,7 @@ import util from 'util';
 import codesign from 'node-codesign';
 import { notarize as nodeNotarize } from 'electron-notarize';
 import Config from './config';
-import { createTarball } from './tarball';
+import { createTarball, TarballFile } from './tarball';
 
 /**
  * Notarizes the zipped mongosh. Will send the tarball to Apple and poll apple
@@ -29,31 +29,29 @@ const notarize = (bundleId: string, artifact: string, user: string, password: st
  * @param {string} executable - The mongosh executable.
  * @param {string} identity - The apple developer identity.
  */
-const sign = (executable: string, identity: string) => {
-  return new Promise((resolve, reject) => {
-    codesign({ identity: identity, appPath: executable }, (err, paths) => {
-      if (err) {
-        reject(err);
-      } else {
-        resolve(err);
-      }
-    });
+const sign = (executable: string, identity: string, entitlementsFile: string) => {
+  return util.promisify(codesign)({
+    identity: identity,
+    appPath: executable,
+    entitlements: entitlementsFile,
   });
 };
 
-const publish = async(executable: string, artifact: string, platform: string, config: Config) => {
-  console.log('mongosh: removing unsigned tarball:', artifact);
-  await util.promisify(fs.unlink)(artifact);
+const macOSSignAndNotarize = async(
+  executable: string,
+  config: Config,
+  runCreateTarball: () => Promise<TarballFile>): Promise<TarballFile> => {
+
   console.log('mongosh: signing:', executable);
-  await sign(executable, config.appleAppIdentity).
-    catch((e) => { console.error(e); throw e; });
+  await sign(executable, config.appleAppIdentity, config.entitlementsFile);
   console.log('mongosh: notarizing and creating tarball:', executable);
-  await createTarball(executable, config.outputDir, platform, config.version, config.rootDir);
+  const artifact = await runCreateTarball();
   await notarize(
     config.bundleId,
-    artifact,
+    artifact.path,
     config.appleUser,
-    config.applePassword).catch((e) => { console.error(e); throw e; });
+    config.applePassword);
+  return artifact;
 };
 
-export default publish;
+export default macOSSignAndNotarize;

packages/build/src/macos-sign.ts

@@ -11,7 +11,7 @@ const runRelease = async() => {
   const command = process.argv[2];
 
   if (!['package', 'publish'].includes(command)) {
-    throw new Error('USAGE: npm run evergreen-release <package|publish> [--dry]');
+    throw new Error('USAGE: npm run evergreen-release -- <package|publish> [--dry]');
   }
 
   if (process.argv.includes('--dry')) {