From d613c17fc49e4e4cd3a15b5bb686491c2dbd9e10 Mon Sep 17 00:00:00 2001
From: Robert Hilbrich
Date: Sat, 14 Dec 2024 12:17:57 +0100
Subject: [PATCH] signing the dmg file, refs #15213
---
 .jenkins/sign-macos-installer.jenkinsfile | 51 +++++++++++++++++++++++
 1 file changed, 51 insertions(+)
diff --git a/.jenkins/sign-macos-installer.jenkinsfile b/.jenkins/sign-macos-installer.jenkinsfile
index 30efcf0d5480..02a1eaa5a793 100644
--- a/.jenkins/sign-macos-installer.jenkinsfile
+++ b/.jenkins/sign-macos-installer.jenkinsfile
@@ -105,6 +105,57 @@ spec:
 // Step 4: Extract the artifact
 sh "unzip -o ${ARTIFACT_NAME}.zip -d artifact"
+
+ // Step 5: Create the entitlements file
+ def entitlementsFile = "sumo.entitlement"
+ writeFile file: entitlementsFile, text: '''
+
+
+
+
+ com.apple.security.cs.allow-jit
+
+ com.apple.security.cs.allow-unsigned-executable-memory
+
+ com.apple.security.cs.disable-executable-page-protection
+
+ com.apple.security.cs.allow-dyld-environment-variables
+
+ com.apple.security.cs.disable-library-validation
+
+ com.apple.security.cs.debugger
+
+
+'''
+
+ // Step 6: Extract the .dmg file name dynamically
+ def dmgFile = sh(
+ script: "ls artifact/*.dmg",
+ returnStdout: true
+ ).trim()
+
+ if (!dmgFile) {
+ error("No .dmg file found in artifact directory")
+ }
+
+ // Extract the base name of the .dmg file (without the extension)
+ def baseName = dmgFile.replaceAll(/\.dmg$/, "")
+
+ // Define the signed DMG file name
+ def signedDmgFile = "${baseName}-signed.dmg"
+
+ // Step 7: Upload for signing
+ sh """
+ curl -o ${signedDmgFile} -F file=@${dmgFile} -F entitlements=@${entitlementsFile} \
+ https://cbi.eclipse.org/macos/codesign/sign
+ """
+
+ // Verify signed file
+ if (!fileExists(signedDmgFile)) {
+ error("Signed DMG file not created: ${signedDmgFile}")
+ }
+
+ echo "Signed DMG file created successfully: ${signedDmgFile}"
 }
 }
 }
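Review bot: The Step 7 upload runs `curl` without `--fail`, so an HTTP error from the signing service is saved as `${signedDmgFile}` and the `fileExists` check after it still passes; an error body could then be published as the "signed" DMG. Add `--fail --silent --show-error` to the `curl` call and check the result for a valid signature rather than mere existence (for example `codesign --verify` if a macOS agent is available). The name returned by `ls artifact/*.dmg` is interpolated into the shell unquoted, so spaces, several matches or shell metacharacters in a file name from the unpacked artifact would break or alter the command; quote the paths (`-o "${signedDmgFile}" -F "file=@${dmgFile}"`) and reject anything other than exactly one match. Also, `ls` exits non-zero when nothing matches, so the `sh` step presumably aborts before the `if (!dmgFile)` branch is reached. Separately, the entitlements list switches off most Hardened Runtime protections (`disable-library-validation` together with `allow-dyld-environment-variables` lets foreign dylibs load under the signed identity, and `debugger` is intended for debugging tools); the key values are not visible on this page, but the list should be reduced to what the application actually needs, with a comment saying why each remaining key is required.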