jfrog · EyalDelarea · Jun 3, 2024 · Jun 3, 2024 · Jun 3, 2024 · Jun 3, 2024
diff --git a/.github/workflows/prepareDarwinBinariesForRelease.yml b/.github/workflows/prepareDarwinBinariesForRelease.yml
@@ -0,0 +1,57 @@
+name: Sign Darwin Binaries for Release
+on:
+  workflow_dispatch:
+    inputs:
+      releaseVersion:
+        description: "Release version"
+        required: true
+      binaryFileName:
+        description: 'Binary file name'
+        required: true
+env:
+  binaryFileName: ${{ github.event.inputs.binaryFileName }}
+  releaseVersion: ${{ github.event.inputs.releaseVersion }}
+jobs:
+  # Builds, signs, notarize and uploads the macOS binaries
+  prepareBinary:
+    name: Prepare-Binary
+    runs-on: macos-latest
+    strategy:
+      matrix:
+        goarch: [ arm64, amd64 ]
+    steps:
+      # Setup
+      - name: Setup Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: 1.23.x
+          cache: false
+
+      - name: Checkout Source
+        uses: actions/checkout@v4
+        with:
+          ref: sign_apple_binary
-          ref: sign_apple_binary
+          ref: dev
-          ref: sign_apple_binary
+          ref: dev
+
+      # Builds the executable and moves it inside the app template
+      - name: Build and Move Executable
+        run: |
+          ./build/build.sh ${{ env.binaryFileName }}
+          mv ${{ env.binaryFileName }} ./build/apple_release/${{ env.binaryFileName }}.app/Contents/MacOS
+
+      - name: Sign & Notarize
+        env:
+          APPLE_CERT_DATA: ${{ secrets.APPLE_CERT_DATA }}
+          APPLE_CERT_PASSWORD: ${{ secrets.APPLE_CERT_PASSWORD }}
+          APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
+          APPLE_ACCOUNT_ID: ${{ secrets.APPLE_ACCOUNT_ID }}
+          APPLE_APP_SPECIFIC_PASSWORD: ${{ secrets.APPLE_APP_SPECIFIC_PASSWORD }}
+          APP_TEMPLATE_PATH: ./build/apple_release/${{ env.binaryFileName }}.app
+        run: ./build/apple_release/scripts/darwin-sign-and-notarize.sh
+
+      - name: Upload Artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: ${{ env.binaryFileName }}-darwin-v${{ env.releaseVersion }}-${{ matrix.goarch }}
+          path: ./${{ env.binaryFileName }}
+          retention-days: 1
+          if-no-files-found: error
diff --git a/Jenkinsfile b/Jenkinsfile
@@ -105,6 +105,16 @@ def runRelease(architectures) {
         version = getCliVersion(builderPath)
         print "CLI version: $version"
     }
+
+    /*
+    * Prepare Signed MacOS binaries
+    * This happens at the start of the release process, so the binaries will be ready
+    * for the release process later on.
+    */
+    stage('Sign MacOS binaries') {
+        triggerDarwinBinariesSigningWorkflow()
+    }
+
     configRepo21()
 
     try {
@@ -314,7 +324,13 @@ def uploadCli(architectures) {
     for (int i = 0; i < architectures.size(); i++) {
         def currentBuild = architectures[i]
         stage("Build and upload ${currentBuild.pkg}") {
-            buildAndUpload(currentBuild.goos, currentBuild.goarch, currentBuild.pkg, currentBuild.fileExtension)
+            // MacOS binaries should be downloaded from GitHub packages, as they are signed there.
+            if (currentBuild.goos == 'darwin') {
+                downloadDarwinSignedBinaries(currentBuild.goarch,currentBuild.fileExtension)()
+                uploadBinaryToJfrogRepo21(currentBuild.pkg, $cliExecutableName)
+            } else {
+                buildAndUpload(currentBuild.goos, currentBuild.goarch, currentBuild.pkg, currentBuild.fileExtension)
+            }
         }
     }
 }
@@ -511,3 +527,31 @@ def dockerLogin(){
             sh "echo $REPO21_PASSWORD | docker login $REPO_NAME_21 -u=$REPO21_USER --password-stdin"
        }
 }
+
+/**
+ * This will trigger the Github action that will sign and notarize the MacOS binaries.
+ * The artifacts will be uploaded to Github artifacts
+ */
+def triggerDarwinBinariesSigningWorkflow() {
+    withCredentials([string(credentialsId: 'github-access-token', variable: "GITHUB_ACCESS_TOKEN")]) {
+        stage("Sign MacOS binaries") {
+            sh """
+                ./build/apple_release/scripts/trigger-sign-mac-OS-workflow.sh $cliExecutableName $releaseVersion $GITHUB_ACCESS_TOKEN
+            """
+        }
+    }
+}
+
+/**
+ * The Darwin binaries are signed in GitHub actions.
+ * This function will make sure to download the specific artifact according to
+ * executable name and release version.
+ * As the GitHub action may take some time, we will retry to download the artifact with timeout.
+ */
+def downloadDarwinSignedBinaries(goarch) {
+    withCredentials([string(credentialsId: 'github-access-token', variable: "GITHUB_ACCESS_TOKEN")]) {
+        sh """
+            ./build/apple_release/scripts/download-signed-mac-OS-binaries.sh $cliExecutableName $releaseVersion $goarch $GITHUB_ACCESS_TOKEN
+        """
+    }
+}
diff --git a/build/apple_release/jf.app/Contents/Info.plist b/build/apple_release/jf.app/Contents/Info.plist
@@ -0,0 +1,14 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+    <plist version="1.0">
+    <dict>
+        <key>CFBundleDevelopmentRegion</key>
+        <string>en-US</string>
+        <key>CFBundleName</key>
+        <string>JFrog-CLI</string>
+        <key>CFBundleDisplayName</key>
+        <string>JFrog-CLI</string>
+        <key>CFBundleIdentifier</key>
+        <string>com.jfrog.jfrog-cli</string>
+    </dict>
+</plist>
diff --git a/build/apple_release/jf.app/Contents/MacOs/README.md b/build/apple_release/jf.app/Contents/MacOs/README.md
@@ -0,0 +1,32 @@
+# Apple Bundle Structure README
+
+This README file serves as a guide to maintaining the integrity of the Apple bundle structure required for macOS applications. It is crucial to keep this file and adhere to the outlined structure to ensure the application functions correctly on macOS.
+
+## Structure Overview
+
+The Apple bundle for a macOS application typically has the following directory structure:### Key Components
+```
+              YOUR_APP.app
+               ├── Contents
+                   ├── MacOS
+                   │   └── YOUR_APP (executable file)
+                   └── Info.plist
+
+```
+- **YOUR_APP.app**: This is the root directory of your application bundle. Replace `YOUR_APP` with the name of your application.
+
+- **Contents**: A mandatory directory that contains all the files needed by the application.
+
+- **MacOS**: This directory should contain the executable file for your application. The name of the executable should match the `YOUR_APP` part of your application bundle's name.
+
+- **Info.plist**: A required file that contains configuration and permissions for your application. It informs the macOS about how your app should be treated and what capabilities it has.
+
+### Important Notes
+
+- **Do Not Delete**: This README file and the structure it describes are essential for the application's deployment and functionality on macOS. Removing or altering the structure may result in application failures.
+
+- **Executable File**: Ensure your application's executable file is placed inside the `MacOS` directory. The executable's name must match the `YOUR_APP` portion of your application bundle's name for macOS to recognize and launch it correctly.
+
+- **Info.plist Configuration**: Properly configure the `Info.plist` file according to your application's needs. This file includes critical information such as the app version, display name, permissions, and more.
+
+By adhering to this structure and guidelines, you ensure that your macOS application is packaged correctly for distribution and use.
diff --git a/build/apple_release/jfrog.app/Contents/Info.plist b/build/apple_release/jfrog.app/Contents/Info.plist
@@ -0,0 +1,14 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+    <plist version="1.0">
+    <dict>
+        <key>CFBundleDevelopmentRegion</key>
+        <string>en-US</string>
+        <key>CFBundleName</key>
+        <string>JFrog-CLI</string>
+        <key>CFBundleDisplayName</key>
+        <string>JFrog-CLI</string>
+        <key>CFBundleIdentifier</key>
+        <string>com.jfrog.jfrog-cli</string>
+    </dict>
+</plist>
diff --git a/build/apple_release/jfrog.app/Contents/MacOs/README.md b/build/apple_release/jfrog.app/Contents/MacOs/README.md
@@ -0,0 +1,32 @@
+# Apple Bundle Structure README
+
+This README file serves as a guide to maintaining the integrity of the Apple bundle structure required for macOS applications. It is crucial to keep this file and adhere to the outlined structure to ensure the application functions correctly on macOS.
+
+## Structure Overview
+
+The Apple bundle for a macOS application typically has the following directory structure:### Key Components
+```
+              YOUR_APP.app
+               ├── Contents
+                   ├── MacOS
+                   │   └── YOUR_APP (executable file)
+                   └── Info.plist
+
+```
+- **YOUR_APP.app**: This is the root directory of your application bundle. Replace `YOUR_APP` with the name of your application.
+
+- **Contents**: A mandatory directory that contains all the files needed by the application.
+
+- **MacOS**: This directory should contain the executable file for your application. The name of the executable should match the `YOUR_APP` part of your application bundle's name.
+
+- **Info.plist**: A required file that contains configuration and permissions for your application. It informs the macOS about how your app should be treated and what capabilities it has.
+
+### Important Notes
+
+- **Do Not Delete**: This README file and the structure it describes are essential for the application's deployment and functionality on macOS. Removing or altering the structure may result in application failures.
+
+- **Executable File**: Ensure your application's executable file is placed inside the `MacOS` directory. The executable's name must match the `YOUR_APP` portion of your application bundle's name for macOS to recognize and launch it correctly.
+
+- **Info.plist Configuration**: Properly configure the `Info.plist` file according to your application's needs. This file includes critical information such as the app version, display name, permissions, and more.
+
+By adhering to this structure and guidelines, you ensure that your macOS application is packaged correctly for distribution and use.
diff --git a/build/apple_release/scripts/darwin-sign-and-notarize.sh b/build/apple_release/scripts/darwin-sign-and-notarize.sh
@@ -0,0 +1,99 @@
+#!/bin/bash
+
+# Script Purpose: Automate the process of signing and notarizing a macOS binary.
+
+# Input:
+# - APPLE_CERT_DATA: Base64 encoded data of the Apple Developer certificate.
+# - APPLE_CERT_PASSWORD: Password for the Apple Developer certificate.
+# - APPLE_TEAM_ID: Identifier for the Apple Developer Team.
+# - APPLE_ACCOUNT_ID: Apple Developer Account ID.
+# - APPLE_APP_SPECIFIC_PASSWORD: Password for app-specific services on the Apple Developer Account.
+# - APP_TEMPLATE_PATH: Path to the .app bundle template.
+
+# Output:
+# A signed and notarized binary file in the current directory, ready for distribution.
+
+validate_app_template_structure() {
+    [ ! -d "$APP_TEMPLATE_PATH" ] && { echo "Error: $APP_TEMPLATE_PATH directory does not exist."; exit 1; }
+    [ ! -d "$APP_TEMPLATE_PATH/Contents" ] && { echo "Error: Contents directory does not exist in $APP_TEMPLATE_PATH."; exit 1; }
+    [ ! -d "$APP_TEMPLATE_PATH/Contents/MacOS" ] && { echo "Error: MacOS directory does not exist in $APP_TEMPLATE_PATH/Contents."; exit 1; }
+    [ ! -f "$APP_TEMPLATE_PATH/Contents/Info.plist" ] && { echo "Error: Info.plist file does not exist in $APP_TEMPLATE_PATH/Contents."; exit 1; }
+
+    local app_name_without_extension
+    app_name_without_extension=$(basename "$APP_TEMPLATE_PATH" .app)
+    export BINARY_FILE_NAME=$app_name_without_extension
+
+    [ ! -f "$APP_TEMPLATE_PATH/Contents/MacOS/$BINARY_FILE_NAME" ] && { echo "Error: $BINARY_FILE_NAME executable not found inside the MacOS folder."; exit 1; }
+}
+
+validate_inputs() {
+    [ -z "$APPLE_CERT_DATA" ] && { echo "Error: Missing APPLE_CERT_DATA environment variable."; exit 1; }
+    [ -z "$APPLE_CERT_PASSWORD" ] && { echo "Error: Missing APPLE_CERT_PASSWORD environment variable."; exit 1; }
+    [ -z "$APPLE_TEAM_ID" ] && { echo "Error: Missing APPLE_TEAM_ID environment variable."; exit 1; }
+
+    validate_app_template_structure
+}
+
+prepare_keychain_and_certificate() {
+    local temp_dir
+    temp_dir=$(mktemp -d)
+    local keychain_name="macos-build.keychain"
+
+    echo "$APPLE_CERT_DATA" | base64 --decode > "$temp_dir/certs.p12"
+
+    security create-keychain -p "$APPLE_CERT_PASSWORD" $keychain_name
+    security default-keychain -s $keychain_name
+    security unlock-keychain -p "$APPLE_CERT_PASSWORD" $keychain_name
+    security set-keychain-settings -t 3600 -u $keychain_name
+
+    security import "$temp_dir/certs.p12" -k ~/Library/Keychains/$keychain_name -P "$APPLE_CERT_PASSWORD" -T /usr/bin/codesign || { echo "Error: Failed to import certificate into keychain."; exit 1; }
+
+    security set-key-partition-list -S apple-tool:,apple: -s -k "$APPLE_CERT_PASSWORD" -D "$APPLE_TEAM_ID" -t private $keychain_name
+}
+
+sign_binary() {
+    codesign -s "$APPLE_TEAM_ID" --timestamp --deep --options runtime --force "$APP_TEMPLATE_PATH/Contents/MacOS/$BINARY_FILE_NAME" || { echo "Error: Failed to sign the binary."; exit 1; }
+    echo "Successfully signed the binary."
+}
+
+notarize_app() {
+    local temp_dir
+    temp_dir=$(mktemp -d)
+    local current_dir
+    current_dir=$(pwd)
+
+    cp -r "$APP_TEMPLATE_PATH" "$temp_dir"
+    cd "$temp_dir" || exit
+
+    local temp_zipped_name="${BINARY_FILE_NAME}-zipped.zip"
+    ditto -c -k --keepParent "$BINARY_FILE_NAME.app" "./$temp_zipped_name" || { echo "Error: Failed to zip the app."; exit 1; }
+
+    xcrun notarytool submit "$temp_zipped_name" --apple-id "$APPLE_ACCOUNT_ID" --team-id "$APPLE_TEAM_ID" --password "$APPLE_APP_SPECIFIC_PASSWORD" --wait || { echo "Error: Failed to notarize the app."; exit 1; }
+    echo "Notarization successful."
+
+    unzip -o "$temp_zipped_name"
+    xcrun stapler staple "$BINARY_FILE_NAME.app" || { echo "Error: Failed to staple the ticket to the app."; exit 1; }
+    echo "Stapling successful."
+
+    cp "./$BINARY_FILE_NAME.app/Contents/MacOS/$BINARY_FILE_NAME" "$current_dir"
+    cd "$current_dir" || exit
+    rm -rf "$temp_dir"
+}
+
+# Cleans up resources used during the process.
+cleanup() {
+    echo "Deleting keychain..."
+    security delete-keychain "macos-build.keychain"
+    echo "Deleting temporary certificate files..."
+    rm -rf "$temp_dir/certs.p12"
+}
+
+main() {
+    validate_inputs
+    prepare_keychain_and_certificate
+    sign_binary
+    notarize_app
+    cleanup
+}
+
+main