diff --git a/.circleci/config.yml b/.circleci/config.yml
index 5dcf9abc5e..5b56d01793 100644
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -486,6 +486,7 @@ workflows:
 go_download_base_url: << pipeline.parameters.go_download_base_url >>
 executor: macos-arm64
 install_deps_extension: macos-build
+ context: snyk-macos-signing
 requires:
 - prepare-build
@@ -497,6 +498,7 @@ workflows:
 go_download_base_url: << pipeline.parameters.go_download_base_url >>
 executor: macos-arm64
 install_deps_extension: macos-build
+ context: snyk-macos-signing
 requires:
 - prepare-build
diff --git a/Makefile b/Makefile
index 37ba1b5597..3db1e20537 100644
--- a/Makefile
+++ b/Makefile
@@ -133,10 +133,12 @@ $(BINARY_RELEASES_FOLDER_TS_CLI)/snyk-linux-arm64: prepack | $(BINARY_RELEASES_F
 $(BINARY_RELEASES_FOLDER_TS_CLI)/snyk-macos: prepack | $(BINARY_RELEASES_FOLDER_TS_CLI)
 $(PKG) -t node$(PKG_NODE_VERSION)-macos-x64 -o $(BINARY_RELEASES_FOLDER_TS_CLI)/snyk-macos
+ $(SHELL) $(WORKING_DIR)/cliv2/scripts/sign_darwin.sh $(BINARY_RELEASES_FOLDER_TS_CLI) snyk-macos skip-notarize
 $(MAKE) $(BINARY_RELEASES_FOLDER_TS_CLI)/snyk-macos.sha256
 $(BINARY_RELEASES_FOLDER_TS_CLI)/snyk-macos-arm64: prepack | $(BINARY_RELEASES_FOLDER_TS_CLI)
 $(PKG) -t node$(PKG_NODE_VERSION)-macos-arm64 -o $(BINARY_RELEASES_FOLDER_TS_CLI)/snyk-macos-arm64 --no-bytecode
+ $(SHELL) $(WORKING_DIR)/cliv2/scripts/sign_darwin.sh $(BINARY_RELEASES_FOLDER_TS_CLI) snyk-macos-arm64 skip-notarize
 $(MAKE) $(BINARY_RELEASES_FOLDER_TS_CLI)/snyk-macos-arm64.sha256
 $(BINARY_RELEASES_FOLDER_TS_CLI)/snyk-win.exe: prepack | $(BINARY_RELEASES_FOLDER_TS_CLI)
diff --git a/cliv2/scripts/sign_darwin.sh b/cliv2/scripts/sign_darwin.sh
index 94a28c9395..1b13f699b4 100755
--- a/cliv2/scripts/sign_darwin.sh
+++ b/cliv2/scripts/sign_darwin.sh
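Review bot: Attaching `context: snyk-macos-signing` to this macOS job grants the signing secrets (presumably the `APPLE_ID`, keychain password and signing identity that sign_darwin.sh reads) to whatever triggers the job, and nothing in the hunk limits that — `requires: - prepare-build` is a dependency edge, not a branch or tag filter. If the context is not already restricted to a security group and protected branches in the CircleCI project settings (not visible here), any branch or pull request that reaches this job runs the signing step with release credentials. Consider a `filters:` block or a separate release workflow so only release builds receive the context; the same applies to the second job changed at line 498. A comment next to the new line, such as `# signing secrets — restricted context, release builds only`, would record the intent for the next editor.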
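Review bot: The new signing line cannot tell whether signing actually happened: sign_darwin.sh (changed in this same diff) exits 0 without signing when `APPLE_ID` is unset, so `make …/snyk-macos` on a job or host without the signing context still produces the binary and a matching `.sha256` that is indistinguishable from a release artifact, and no check in these rules catches it. If the release job is meant to fail on unsigned output, verify it here rather than rely on a later step, e.g. `[ -z "$$CI" ] || codesign --verify --strict "$@"` after the signing line. Style: both new lines restate the target path Make already knows; `$(SHELL) $(WORKING_DIR)/cliv2/scripts/sign_darwin.sh $(@D) $(@F) skip-notarize` is equivalent (as long as the folder variable has no trailing slash) and cannot drift from the rule header. Running the `.sha256` rule after signing is the right order, since codesign rewrites the Mach-O.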
@@ -11,6 +11,7 @@ set -euo pipefail
 EXPORT_PATH=${1:-./bin}
 PRODUCT_NAME=${2:-snyk_darwin_amd64}
+SKIP_NOTARIZE=${3:-0}
 KEYCHAIN_PROFILE=AC_PASSWORD
 APP_PATH="$EXPORT_PATH/$PRODUCT_NAME"
 ZIP_PATH="$EXPORT_PATH/$PRODUCT_NAME.zip"
@@ -30,6 +31,12 @@ if [[ "$OSTYPE" != *"darwin"* ]]; then
 exit 1
 fi
+# if the required secrets are not available we skip signing completely without an error to enable local builds on windows. A later issigned check will catch this error in the build pipeline
+if [ -z "${APPLE_ID+x}" ]; then
+ echo "$LOG_PREFIX Skipping signing, since the required secrets are not available."
+ exit 0
+fi
 #
 # signing
 #
@@ -51,12 +58,16 @@ security set-key-partition-list -S apple-tool:,apple: -s -k "$KEYCHAIN_PASSWORD"
 sleep 10
 echo "$LOG_PREFIX Signing binary $APP_PATH"
-codesign -s "$APPLE_SIGNING_IDENTITY" -v "$APP_PATH" --timestamp --options runtime
+codesign -f -s "$APPLE_SIGNING_IDENTITY" -v "$APP_PATH" --timestamp --options runtime
 #
 # notarization
 #
+if [[ "$SKIP_NOTARIZE" = "skip-notarize" ]]; then
+ exit 0
+fi
 # create a zip file
 echo "$LOG_PREFIX Creating zip file $ZIP_PATH"
 /usr/bin/ditto -c -k --keepParent "$APP_PATH" "$ZIP_PATH"
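Review bot: `SKIP_NOTARIZE=${3:-0}` introduces a third positional argument whose contract is stated nowhere; the only value the script later recognises is the literal `skip-notarize`, so the default `0` reads like a boolean but really means "anything else notarizes". A caller passing `1` would get a full notarization round-trip with no warning. A comment above the line would prevent that, e.g. `# optional 3rd arg: pass the literal "skip-notarize" to sign without notarizing (any other value notarizes)`. The Makefile callers in this diff pass the literal, so they are unaffected.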
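Review bot: The new secret check is only reached after the `OSTYPE` guard whose `exit 1` opens this hunk, so on a Windows or Linux host the script still fails before it can skip, contrary to the comment's stated purpose of enabling local builds there — unless something not shown bypasses that guard, either move the check above it or reword the comment. Separately, keying the skip on the mere absence of `APPLE_ID` means a CI job that lost its context (a fork PR, a misconfigured workflow) silently emits unsigned output with exit 0, and the "later issigned check" the comment relies on is not part of this change. An explicit opt-in keeps local builds working without masking a missing secret in the pipeline, e.g. `if [ -z "${APPLE_ID+x}" ] && [ "${ALLOW_UNSIGNED:-0}" = 1 ]; then` with a plain `exit 1` when the secret is missing and the opt-in is not set. Note also that `${APPLE_ID+x}` only detects an unset variable; an empty `APPLE_ID=` proceeds to signing and fails later with a less clear error.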
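Review bot: The `exit 0` on the skip-notarize path returns before whatever the script does after notarization, so if the keychain that `security set-key-partition-list … "$KEYCHAIN_PASSWORD"` unlocked is deleted at the end of the script (the tail is outside this hunk), that cleanup is skipped and the signing key stays in an unlocked keychain on the build host; a `trap cleanup EXIT` or an explicit delete before the early exit avoids that. The skip path also bypasses the notarization round-trip that would otherwise reject a bad signature, so add `codesign --verify --strict --verbose=2 "$APP_PATH"` before the `exit 0` to keep the Makefile targets on a checked signature. Adding `-f` is reasonable here since the pkg output presumably carries no signature worth keeping, but it also silently overwrites whatever signature a previous run applied, which is worth a one-line comment.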