Utilities/Release/macos/sign-notarize.bash - third_party/cmake - Git at Google

 #!/usr/bin/env bash
 set -e
 readonly usage='usage: sign-notarize.bash -i <id> -d <dev-acct> -k <key-item> [-p <provider>] [--] <package>.dmg

 Sign and notarize the "CMake.app" bundle inside the given "<package>.dmg" disk image.
 Also produce a "<package>.tar.gz" tarball containing the same "CMake.app".

 Options:

     -i <id>                Signing Identity
     -d <dev-acct>          Developer account name
     -k <key-item>          Keychain item containing account credentials
     -p <provider>          Provider short name
 '

 cleanup() {
     if test -d "$tmpdir"; then
         rm -rf "$tmpdir"
     fi
     if test -d "$vol_path"; then
         hdiutil detach "$vol_path"
     fi
 }

 trap "cleanup" EXIT

 die() {
     echo "$@" 1>&2; exit 1
 }

 id=''
 dev_acct=''
 key_item=''
 provider=''
 while test "$#" != 0; do
     case "$1" in
     -i) shift; id="$1" ;;
     -d) shift; dev_acct="$1" ;;
     -k) shift; key_item="$1" ;;
     -p) shift; provider="$1" ;;
     --) shift ; break ;;
     -*) die "$usage" ;;
     *) break ;;
     esac
     shift
 done
 case "$1" in
 *.dmg) readonly dmg="$1"; shift ;;
 *) die "$usage" ;;
 esac
 test "$#" = 0 || die "$usage"

 # Verify arguments.
 if test -z "$id" -o -z "$dev_acct" -o -z "$key_item"; then
     die "$usage"
 fi
 if test -n "$provider"; then
     provider="--provider $provider"
 fi

 # Verify environment.
 if ! xcnotary="$(type -p xcnotary)"; then
     die "'xcnotary' not found in PATH"
 fi
 readonly xcnotary

 readonly tmpdir="$(mktemp -d)"

 # Prepare entitlements.
 readonly entitlements_xml="$tmpdir/entitlements.xml"
 echo '<?xml version="1.0" encoding="UTF-8"?>
 <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
 <plist version="1.0">
 <dict>
   <key>com.apple.security.cs.allow-dyld-environment-variables</key>
   <true/>
 </dict>
 </plist>' > "$entitlements_xml"

 # Convert from read-only original image to read-write.
 readonly udrw_dmg="$tmpdir/udrw.dmg"
 hdiutil convert "$dmg" -format UDRW -o "${udrw_dmg}"

 # Mount the temporary udrw image.
 readonly vol_name="$(basename "${dmg%.dmg}")"
 readonly vol_path="/Volumes/$vol_name"
 hdiutil attach "${udrw_dmg}"

 codesign --verify --timestamp --options=runtime --verbose --deep \
   -s "$id" \
   --entitlements "$entitlements_xml" \
   "$vol_path/CMake.app/Contents/bin/cmake" \
   "$vol_path/CMake.app/Contents/bin/ccmake" \
   "$vol_path/CMake.app/Contents/bin/ctest" \
   "$vol_path/CMake.app/Contents/bin/cpack" \
   "$vol_path/CMake.app"

 xcnotary notarize "$vol_path/CMake.app" -d "$dev_acct" -k "$key_item" $provider

 # Create a tarball of the volume next to the original disk image.
 readonly tar_gz="${dmg/%.dmg/.tar.gz}"
 tar cvzf "$tar_gz" -C /Volumes "$vol_name/CMake.app"

 # Unmount the modified udrw image.
 hdiutil detach "$vol_path"

 # Convert back to read-only, compressed image.
 hdiutil convert "${udrw_dmg}" -format UDZO -imagekey zlib-level=9 -ov -o "$dmg"
	#!/usr/bin/env bash
	set -e
	readonly usage='usage: sign-notarize.bash -i <id> -d <dev-acct> -k <key-item> [-p <provider>] [--] <package>.dmg

	Sign and notarize the "CMake.app" bundle inside the given "<package>.dmg" disk image.
	Also produce a "<package>.tar.gz" tarball containing the same "CMake.app".

	Options:

	-i <id> Signing Identity
	-d <dev-acct> Developer account name
	-k <key-item> Keychain item containing account credentials
	-p <provider> Provider short name
	'

	cleanup() {
	if test -d "$tmpdir"; then
	rm -rf "$tmpdir"
	fi
	if test -d "$vol_path"; then
	hdiutil detach "$vol_path"
	fi
	}

	trap "cleanup" EXIT

	die() {
	echo "$@" 1>&2; exit 1
	}

	id=''
	dev_acct=''
	key_item=''
	provider=''
	while test "$#" != 0; do
	case "$1" in
	-i) shift; id="$1" ;;
	-d) shift; dev_acct="$1" ;;
	-k) shift; key_item="$1" ;;
	-p) shift; provider="$1" ;;
	--) shift ; break ;;
	-*) die "$usage" ;;
	*) break ;;
	esac
	shift
	done
	case "$1" in
	*.dmg) readonly dmg="$1"; shift ;;
	*) die "$usage" ;;
	esac
	test "$#" = 0 \|\| die "$usage"

	# Verify arguments.
	if test -z "$id" -o -z "$dev_acct" -o -z "$key_item"; then
	die "$usage"
	fi
	if test -n "$provider"; then
	provider="--provider $provider"
	fi

	# Verify environment.
	if ! xcnotary="$(type -p xcnotary)"; then
	die "'xcnotary' not found in PATH"
	fi
	readonly xcnotary

	readonly tmpdir="$(mktemp -d)"

	# Prepare entitlements.
	readonly entitlements_xml="$tmpdir/entitlements.xml"
	echo '<?xml version="1.0" encoding="UTF-8"?>
	<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
	<plist version="1.0">
	<dict>
	<key>com.apple.security.cs.allow-dyld-environment-variables</key>
	<true/>
	</dict>
	</plist>' > "$entitlements_xml"

	# Convert from read-only original image to read-write.
	readonly udrw_dmg="$tmpdir/udrw.dmg"
	hdiutil convert "$dmg" -format UDRW -o "${udrw_dmg}"

	# Mount the temporary udrw image.
	readonly vol_name="$(basename "${dmg%.dmg}")"
	readonly vol_path="/Volumes/$vol_name"
	hdiutil attach "${udrw_dmg}"

	codesign --verify --timestamp --options=runtime --verbose --deep \
	-s "$id" \
	--entitlements "$entitlements_xml" \
	"$vol_path/CMake.app/Contents/bin/cmake" \
	"$vol_path/CMake.app/Contents/bin/ccmake" \
	"$vol_path/CMake.app/Contents/bin/ctest" \
	"$vol_path/CMake.app/Contents/bin/cpack" \
	"$vol_path/CMake.app"

	xcnotary notarize "$vol_path/CMake.app" -d "$dev_acct" -k "$key_item" $provider

	# Create a tarball of the volume next to the original disk image.
	readonly tar_gz="${dmg/%.dmg/.tar.gz}"
	tar cvzf "$tar_gz" -C /Volumes "$vol_name/CMake.app"

	# Unmount the modified udrw image.
	hdiutil detach "$vol_path"

	# Convert back to read-only, compressed image.
	hdiutil convert "${udrw_dmg}" -format UDZO -imagekey zlib-level=9 -ov -o "$dmg"