From 90b64df640f6656d205ced36b67f0aa22b0eaa82 Mon Sep 17 00:00:00 2001
From: Allen Reese
Date: Mon, 26 Jul 2021 14:04:39 -0700
Subject: [PATCH 1/2] Add support for codesign requirements: https://developer.apple.com/library/archive/technotes/tn2206/_index.html#//apple_ref/doc/uid/DTS40007919-CH1-TNTAG6 This allows adding a requirements line to the configuration to specify the requirements. The line should look something like: designated => anchor trusted and identifier com.foo.bar
---
README.md | 5 +++++
cmd/gon/main.go | 1 +
internal/config/config.go | 3 +++
internal/config/testdata/basic.hcl.golden | 3 ++-
internal/config/testdata/entitle.hcl.golden | 3 ++-
.../config/testdata/env_appleid.hcl.golden | 3 ++-
internal/config/testdata/requirements.hcl | 12 ++++++++++++
.../config/testdata/requirements.hcl.golden | 19 +++++++++++++++++++
sign/sign.go | 10 ++++++++++
9 files changed, 56 insertions(+), 3 deletions(-)
create mode 100644 internal/config/testdata/requirements.hcl
create mode 100644 internal/config/testdata/requirements.hcl.golden
diff --git a/README.md b/README.md
index cba22a6..3cf02b1 100644
--- a/README.md
+++ b/README.md
@@ -226,6 +226,11 @@ Supported configurations: * `entitlements_file` (`string` _optional_) - The full path to a plist format .entitlements file, used for the `--entitlements` argument to `codesign` + * `requirements` (`string` _optional_) - The full requirements string, used for the `-r=` argument to `codesign`. + + See [Code Designated Requirement](https://developer.apple.com/library/archive/technotes/tn2206/_index.html#//apple_ref/doc/uid/DTS40007919-CH1-TNTAG6). + The requirements are wrapped with `"` before being passed, `designated => anchor trusted` will be passed to codesign as `-r="designated => anchor trusted"`. + * `dmg` (_optional_) - Settings related to creating a disk image (dmg) as output. This will only be created if this is specified. The dmg will also have the notarization ticket stapled so that it can be verified offline and
diff --git a/cmd/gon/main.go b/cmd/gon/main.go
index 26213bf..4abbd36 100644
--- a/cmd/gon/main.go
+++ b/cmd/gon/main.go
@@ -185,6 +185,7 @@ func realMain() int {
 Identity: cfg.Sign.ApplicationIdentity,
 Entitlements: cfg.Sign.EntitlementsFile,
 Logger: logger.Named("sign"),
+ Requirements: cfg.Sign.Requirements,
 })
 if err != nil {
 fmt.Fprintf(os.Stdout, color.RedString("❗️ Error signing files:\n\n%s\n", err))
diff --git a/internal/config/config.go b/internal/config/config.go
index 8c8706e..75fd2fe 100644
--- a/internal/config/config.go
+++ b/internal/config/config.go
@@ -70,6 +70,9 @@ type Sign struct {
 ApplicationIdentity string `hcl:"application_identity"`
 // Specify a path to an entitlements file in plist format
 EntitlementsFile string `hcl:"entitlements_file,optional"`
+ // Requirements is used to pass requirements to the codesign binary.
+ // See https://developer.apple.com/library/archive/technotes/tn2206/_index.html#//apple_ref/doc/uid/DTS40007919-CH1-TNTAG6
+ Requirements string `hcl:"requirements,optional"`
 }
 
 // Dmg are the options for a dmg file as output.
diff --git a/internal/config/testdata/basic.hcl.golden b/internal/config/testdata/basic.hcl.golden
index e31f737..13cfbde 100644
--- a/internal/config/testdata/basic.hcl.golden
+++ b/internal/config/testdata/basic.hcl.golden
@@ -6,7 +6,8 @@
 Notarize: ([]config.Notarize) ,
 Sign: (*config.Sign)({
 ApplicationIdentity: (string) (len=3) "foo",
- EntitlementsFile: (string) ""
+ EntitlementsFile: (string) "",
+ Requirements: (string) ""
 }),
 AppleId: (*config.AppleId)({
 Username: (string) (len=21) "mitchellh@example.com",
diff --git a/internal/config/testdata/entitle.hcl.golden b/internal/config/testdata/entitle.hcl.golden
index 1f10236..797d8a8 100644
--- a/internal/config/testdata/entitle.hcl.golden
+++ b/internal/config/testdata/entitle.hcl.golden
@@ -6,7 +6,8 @@
 Notarize: ([]config.Notarize) ,
 Sign: (*config.Sign)({
 ApplicationIdentity: (string) (len=3) "foo",
- EntitlementsFile: (string) (len=29) "/path/to/example.entitlements"
+ EntitlementsFile: (string) (len=29) "/path/to/example.entitlements",
+ Requirements: (string) ""
 }),
 AppleId: (*config.AppleId)({
 Username: (string) (len=21) "mitchellh@example.com",
diff --git a/internal/config/testdata/env_appleid.hcl.golden b/internal/config/testdata/env_appleid.hcl.golden
index 70382c1..c8d7963 100644
--- a/internal/config/testdata/env_appleid.hcl.golden
+++ b/internal/config/testdata/env_appleid.hcl.golden
@@ -6,7 +6,8 @@
 Notarize: ([]config.Notarize) ,
 Sign: (*config.Sign)({
 ApplicationIdentity: (string) (len=3) "foo",
- EntitlementsFile: (string) ""
+ EntitlementsFile: (string) "",
+ Requirements: (string) ""
 }),
 AppleId: (*config.AppleId)(),
 Zip: (*config.Zip)(),
diff --git a/internal/config/testdata/requirements.hcl b/internal/config/testdata/requirements.hcl
new file mode 100644
index 0000000..e858bac
--- /dev/null
+++ b/internal/config/testdata/requirements.hcl
@@ -0,0 +1,12 @@
+source = ["./terraform"]
+bundle_id = "com.mitchellh.test.terraform"
+
+apple_id {
+ username = "mitchellh@example.com"
+ password = "hello"
+}
+
+sign {
+ application_identity = "foo"
+ requirements = "designated => anchor trusted and identifier com.mitchellh"
+}
diff --git a/internal/config/testdata/requirements.hcl.golden b/internal/config/testdata/requirements.hcl.golden
new file mode 100644
index 0000000..a52bc4c
--- /dev/null
+++ b/internal/config/testdata/requirements.hcl.golden
@@ -0,0 +1,19 @@
+(*config.Config)({
+ Source: ([]string) (len=1 cap=1) {
+ (string) (len=11) "./terraform"
+ },
+ BundleId: (string) (len=28) "com.mitchellh.test.terraform",
+ Notarize: ([]config.Notarize) ,
+ Sign: (*config.Sign)({
+ ApplicationIdentity: (string) (len=3) "foo",
+ EntitlementsFile: (string) "",
+ Requirements: (string) (len=57) "designated => anchor trusted and identifier com.mitchellh"
+ }),
+ AppleId: (*config.AppleId)({
+ Username: (string) (len=21) "mitchellh@example.com",
+ Password: (string) (len=5) "hello",
+ Provider: (string) ""
+ }),
+ Zip: (*config.Zip)(),
+ Dmg: (*config.Dmg)()
+})
diff --git a/sign/sign.go b/sign/sign.go
index 40e1781..898b1fc 100644
--- a/sign/sign.go
+++ b/sign/sign.go
@@ -38,6 +38,10 @@ type Options struct {
 // BaseCmd is the base command for executing the codesign binary. This is
 // used for tests to overwrite where the codesign binary is.
 BaseCmd *exec.Cmd
+
+ // Requirements is used to pass requirements to the codesign binary.
+ // See https://developer.apple.com/library/archive/technotes/tn2206/_index.html#//apple_ref/doc/uid/DTS40007919-CH1-TNTAG6
+ Requirements string
 }
 
 // Sign signs one or more files returning an error if any.
@@ -76,6 +80,12 @@ func Sign(ctx context.Context, opts *Options) error {
 cmd.Args = append(cmd.Args, "--entitlements", opts.Entitlements)
 }
 
+ if len(opts.Requirements) > 0 {
+ //requirementsString := fmt.Sprintf("-r=\"%s\"", opts.Requirements)
+ requirementsString := fmt.Sprintf("-r=%s", opts.Requirements)
+ cmd.Args = append(cmd.Args, requirementsString)
+ }
+
 // Append the files that we want to sign
 cmd.Args = append(cmd.Args, opts.Files...)

From 095d27e54e8985de924b079c174983a8f878107c Mon Sep 17 00:00:00 2001
From: Allen Reese
Date: Wed, 17 Aug 2022 07:57:44 -0700
Subject: [PATCH 2/2] Address feedback: Use %q for a qouted string instead of %s. Remove commented out line as it does not make sense
---
sign/sign.go | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/sign/sign.go b/sign/sign.go
index 898b1fc..c9fe708 100644
--- a/sign/sign.go
+++ b/sign/sign.go
@@ -81,8 +81,7 @@ func Sign(ctx context.Context, opts *Options) error {
 }
 
 if len(opts.Requirements) > 0 {
- //requirementsString := fmt.Sprintf("-r=\"%s\"", opts.Requirements)
- requirementsString := fmt.Sprintf("-r=%s", opts.Requirements)
+ requirementsString := fmt.Sprintf("-r=%q", opts.Requirements)
 cmd.Args = append(cmd.Args, requirementsString)
 }
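Review bot: The `%q` verb on the new `requirementsString` line in PATCH 2/2 embeds literal double quotes, plus Go escape sequences for any `"`, `\` or non-printable character in the value, into the single argv element handed to codesign; since `cmd.Args` goes to the process directly with no shell in between, nothing strips them, so codesign sees `-r="designated => anchor trusted"` with the quote characters intact rather than the requirement text the README example has in mind. The `-r=%s` form from PATCH 1/2, or simply `cmd.Args = append(cmd.Args, "-r="+opts.Requirements)`, yields the argument a shell would have produced from that example, though whether codesign accepts a requirement string that starts with a literal quote should be confirmed against the tool rather than assumed. The README hunk says the value is "wrapped with `"` before being passed", which describes shell quoting, not exec argument passing, and should be brought in line with whichever behaviour is kept. A unit test that constructs the command with a fixed `Requirements` value and asserts the exact `cmd.Args` element would pin this down, and would also document that the config value reaches codesign unchanged as one argument. Sign's body continues outside both hunks.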