macOS: add a make notarize target. Usage: make notarize USERNAME=""

4 files changed, 149 insertions, 2 deletions

diff --git a/macosx/hbnotarize b/macosx/hbnotarize
new file mode 100755
index 000000000..cb4d782a8
--- /dev/null
+++ b/macosx/hbnotarize
@@ -0,0 +1,139 @@
+#!/usr/bin/env bash
+#
+# This program is free software; you can redistribute it and/or modify it
+# under the terms of the GNU Lesser General Public License as published by
+# the Free Software Foundation; either version 2.1 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with this program; if not, write to the Free Software Foundation,
+# Inc., 51 Franklin Street, Fifth Floor, Boston MA 02110-1301, USA.
+
+NAME="hbnotarize"
+
+set -e
+set -u
+
+SELF="${0}"
+SELF_NAME=$(basename "${SELF}")
+HELP="\
+usage: ${SELF_NAME} [-h]
+       ${SELF_NAME} username application [application2 ...]
+where:
+   -h  display this help text
+"
+
+# Logs error message and exits
+function exit_with_error {
+    set +e
+    ERROR="${2}"
+    echo "${SELF_NAME}: ${ERROR}" >&2
+    PRINT_HELP="${3:-false}"
+    if [[ "${PRINT_HELP}" == true ]]; then
+        echo -e "${HELP}"
+    fi
+    exit "${1}"
+}
+
+LOG="${NAME}.log"
+touch "${LOG}" || exit_with_error 1 "${SELF_NAME}: unable to create log file ${LOG}"
+
+OPTIND=1
+while getopts ":h" OPT; do
+    case "${OPT}" in
+        h)
+            # Print help and exit
+            echo -e "${HELP}"
+            exit 0
+            ;;
+        :)
+            # Option without required argument
+            exit_with_error 1 "${SELF_NAME}: option -${OPTARG} requires a value" true
+            ;;
+        \?)
+            # Invalid option specified
+            exit_with_error 1 "${SELF_NAME}: invalid option: -${OPTARG}" true
+            ;;
+    esac
+done
+shift $((${OPTIND} - 1))
+
+USERNAME="${1:-}"
+if [[ "${USERNAME}" == "" ]]; then
+    exit_with_error 1 "${SELF_NAME}: username not specified" true
+fi
+shift 1
+
+if [[ ${#@} -eq 0 ]]; then
+    exit_with_error 1 "${SELF_NAME}: application not specified" true
+fi
+
+echo "Username: ${USERNAME}"
+echo -n "Password: "
+read -s PASSWORD
+echo
+if [[ "${PASSWORD}" == "" ]]; then
+    exit_with_error 1 "${SELF_NAME}: password not specified" true
+fi
+
+CREDENTIALS="--username ${USERNAME} --password ${PASSWORD}"
+
+for TARGET in "${@}"; do
+
+    TARGET="${TARGET#./}"
+    echo "${TARGET}:"
+
+    FILENAME=$(basename -- "${TARGET}")
+    EXTENSION="${TARGET##*.}"
+    ARCHIVE="${TARGET}"
+
+    # Notary service accepts only DMG, ZIP, and PKG
+    if [[ "${EXTENSION}" != "dmg" ]] && [[ "${EXTENSION}" != "pkg" ]]; then
+        echo "  Zipping app"
+        ARCHIVE="${TARGET}.zip"
+        ditto -c -k --sequesterRsrc --keepParent "${TARGET}" "${ARCHIVE}" >>"${LOG}" 2>&1 || exit_with_error 1 "Failed to compress the app. More info may be available in ${LOG}"
+    fi
+
+    echo "  Uploading app to notary service"
+
+    uuid=$(xcrun altool --notarize-app --primary-bundle-id "fr.handbrake.HandBrake" ${CREDENTIALS} --file "${ARCHIVE}" 2>&1 | grep 'RequestUUID' | awk '{ print $3 }')
+
+    echo "  Upload successful"
+    echo "  Identifier = ${uuid}"
+    echo "  Waiting for result"
+
+    sleep 20
+
+    while :
+        do
+        notaryStatus=$(xcrun altool --notarization-info "${uuid}" ${CREDENTIALS} 2>&1)
+        status=$(echo "$notaryStatus" | grep 'Status\:' | awk '{ print $2 }')
+        if [ "${status}" = "success" ]; then
+            # It's not possible to staple a command line exec
+            if [[ "${EXTENSION}" !=  "${TARGET}" ]]; then
+                xcrun stapler staple "${TARGET}" >>"${LOG}" 2>&1 || exit_with_error 1 "Failed to staple the app. More info may be available in ${LOG}"
+                xcrun stapler validate -v "${TARGET}" >>"${LOG}" 2>&1 || exit_with_error 1 "Failed to staple the app. More info may be available in ${LOG}"
+                echo "    Success, archive has been stapled"
+            else
+                echo "    Success"
+            fi
+            break
+        elif [ "$status" = "in" ]; then
+            echo "    In progress"
+            sleep 20
+        else
+            echo "    Failed:"
+            echo "    ${notaryStatus}"
+            exit_with_error 1 "${SELF_NAME}: Notarization failed ${LOG}"
+        fi
+    done
+
+done
+
+echo "Complete."
+exit 0
diff --git a/macosx/module.defs b/macosx/module.defs
index ce0a5e0ac..20daeef5a 100644
--- a/macosx/module.defs
+++ b/macosx/module.defs
@@ -104,3 +104,6 @@ ifeq (1,$(SECURITY.sandbox))
 else
     MACOSX.SIGN = $(strip $(MACOSX.src/)hbsign -r '$(ID)' $(MACOSX.xroot/)HandBrake.app $(MACOSX.xroot/)HandBrakeCLI)
 endif
+
+MACOSX.NOTARIZE = $(strip $(MACOSX.src/)hbnotarize '$(USERNAME)' $(MACOSX.xroot/)HandBrake.app $(MACOSX.xroot/)HandBrakeCLI)
+
diff --git a/macosx/module.rules b/macosx/module.rules
index 8f8cd15fe..7159cb367 100644
--- a/macosx/module.rules
+++ b/macosx/module.rules
@@ -41,6 +41,7 @@ macosx.clean:
 	$(RM.exe) -rf $(MACOSX.xroot/)HandBrake.app
 	$(RM.exe) -f $(MACOSX.xroot/)HandBrakeCLI
 	$(RM.exe) -f $(MACOSX.xroot/)hbsign.log
+	$(RM.exe) -f $(MACOSX.xroot/)hbnotarize.log
 	$(RM.exe) -f $(MACOSX.m4.out)
 	$(RM.exe) -f $(MACOSX.osl.filelist)
 
diff --git a/macosx/module.xcodebuild b/macosx/module.xcodebuild
index 8f2f43dc7..960e64562 100644
--- a/macosx/module.xcodebuild
+++ b/macosx/module.xcodebuild
@@ -1,6 +1,6 @@
 ## This file is processed only when shunting build through xcodebuild
 
-.PHONY: macosx.build macosx.sign macosx.archive macosx.clean macosx.install macosx.install-strip macosx.uninstall
+.PHONY: macosx.build macosx.sign macosx.notarize macosx.archive macosx.clean macosx.install macosx.install-strip macosx.uninstall
 
 macosx.build:
 	$(call MACOSX.XCODE,HandBrakeCLI HandBrake,build)
@@ -8,6 +8,9 @@ macosx.build:
 macosx.sign:
 	$(call MACOSX.SIGN,HandBrakeCLI HandBrake,sign)
 
+macosx.notarize:
+	$(call MACOSX.NOTARIZE,HandBrakeCLI HandBrake,notarize)
+
 macosx.archive:
 	$(call MACOSX.XCODE_ARCHIVE,HandBrake-Distribution,archive)
 
@@ -32,6 +35,7 @@ macosx.uninstall:
 
 build: macosx.build
 sign: macosx.sign
+notarize: macosx.notarize
 archive: macosx.archive
 clean: macosx.clean
 install: macosx.install
@@ -41,7 +45,7 @@ xclean: clean
 
 ###############################################################################
 
-MACOSX.goals = $(filter-out build sign archive clean install,$(MAKECMDGOALS))
+MACOSX.goals = $(filter-out build sign notarize archive clean install,$(MAKECMDGOALS))
 
 $(MACOSX.goals): __goals__
 	@true