Jenkinsfile notarization (#6869)
* Add in notarization script for xamarin.mac/xamarin.iOS * Flatten the list to get rid of the braces * Add in keychain password * Add login.keychain back in to access codesigning certificates * Always sign pkgs, upload notarized copies * Enable ios notarization and make notarized pkgs public * Make notarization non-fatal * Publish GH statuses for notarized PKGs * Don't forget to declare URI variables for notarized pkgs * report proper package links * [jenkins] Improve package reporting.
This commit is contained in:
Родитель
9e193eaca3
Коммит
c384add291
|
@ -10,6 +10,8 @@ packagePrefix = null
|
||||||
virtualPath = null
|
virtualPath = null
|
||||||
xiPackageUrl = null
|
xiPackageUrl = null
|
||||||
xmPackageUrl = null
|
xmPackageUrl = null
|
||||||
|
xiNotarizedPackageUrl = null
|
||||||
|
xmNotarizedPackageUrl = null
|
||||||
utils = null
|
utils = null
|
||||||
errorMessage = null
|
errorMessage = null
|
||||||
currentStage = null
|
currentStage = null
|
||||||
|
@ -19,6 +21,8 @@ manualException = false
|
||||||
|
|
||||||
xiPackageFilename = null
|
xiPackageFilename = null
|
||||||
xmPackageFilename = null
|
xmPackageFilename = null
|
||||||
|
xiNotarizedPkgFilename = null
|
||||||
|
xmNotarizedPkgFilename = null
|
||||||
msbuildZipFilename = null
|
msbuildZipFilename = null
|
||||||
bundleZipFilename = null
|
bundleZipFilename = null
|
||||||
manifestFilename = null
|
manifestFilename = null
|
||||||
|
@ -477,6 +481,9 @@ timestamps {
|
||||||
}
|
}
|
||||||
|
|
||||||
stage ('Signing') {
|
stage ('Signing') {
|
||||||
|
def notarize_mac = true
|
||||||
|
def notarize_ios = true
|
||||||
|
def entitlements = "${workspace}/xamarin-macios/mac-entitlements.plist"
|
||||||
currentStage = "${STAGE_NAME}"
|
currentStage = "${STAGE_NAME}"
|
||||||
echo ("Building on ${env.NODE_NAME}")
|
echo ("Building on ${env.NODE_NAME}")
|
||||||
def xiPackages = findFiles (glob: "package/xamarin.ios-*.pkg")
|
def xiPackages = findFiles (glob: "package/xamarin.ios-*.pkg")
|
||||||
|
@ -495,8 +502,49 @@ timestamps {
|
||||||
def bundleZip = findFiles (glob: "package/bundle.zip")
|
def bundleZip = findFiles (glob: "package/bundle.zip")
|
||||||
if (bundleZip.length > 0)
|
if (bundleZip.length > 0)
|
||||||
bundleZipFilename = bundleZip [0].name
|
bundleZipFilename = bundleZip [0].name
|
||||||
|
|
||||||
withCredentials ([string (credentialsId: 'codesign_keychain_pw', variable: 'PRODUCTSIGN_KEYCHAIN_PASSWORD')]) {
|
withCredentials ([string (credentialsId: 'codesign_keychain_pw', variable: 'PRODUCTSIGN_KEYCHAIN_PASSWORD')]) {
|
||||||
sh ("${workspace}/xamarin-macios/jenkins/productsign.sh")
|
sh ("${workspace}/xamarin-macios/jenkins/productsign.sh")
|
||||||
|
}
|
||||||
|
|
||||||
|
if (notarize_mac || notarize_ios) {
|
||||||
|
try {
|
||||||
|
pkgs = []
|
||||||
|
if (fileExists('release-scripts')) {
|
||||||
|
dir('release-scripts') {
|
||||||
|
sh ('git checkout sign-and-notarized && git pull')
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
sh ('git clone git@github.com:xamarin/release-scripts -b sign-and-notarized')
|
||||||
|
}
|
||||||
|
if (notarize_mac)
|
||||||
|
pkgs = pkgs + xmPackages
|
||||||
|
if (notarize_ios)
|
||||||
|
pkgs = pkgs + xiPackages
|
||||||
|
withCredentials([string(credentialsId: 'codesign_keychain_pw', variable: 'KEYCHAIN_PASS'), string(credentialsId: 'team_id', variable: 'TEAM_ID'), string(credentialsId: 'application_id', variable: 'APP_ID'), string(credentialsId: 'installer_id', variable: 'INSTALL_ID'), usernamePassword(credentialsId: 'apple_account', passwordVariable: 'APPLE_PASS', usernameVariable: 'APPLE_ACCOUNT')]) {
|
||||||
|
sh (returnStatus: true, script: "security create-keychain -p ${env.KEYCHAIN_PASS} login.keychain") // needed to repopulate the keychain
|
||||||
|
sh ("security unlock-keychain -p ${env.KEYCHAIN_PASS} login.keychain")
|
||||||
|
sh ("python release-scripts/sign_and_notarize.py -a ${env.APP_ID} -i ${env.INSTALL_ID} -u ${env.APPLE_ACCOUNT} -p ${env.APPLE_PASS} -t ${env.TEAM_ID} -d package/notarized -e ${entitlements} -k login.keychain " + pkgs.flatten().join(" "))
|
||||||
|
}
|
||||||
|
|
||||||
|
def xiNotarizedPackages = findFiles (glob: "package/notarized/xamarin.ios-*.pkg")
|
||||||
|
if (xiNotarizedPackages.length > 0) {
|
||||||
|
xiNotarizedPkgFilename = xiNotarizedPackages [0].name
|
||||||
|
echo ("Created notarized Xamarin.iOS package: ${xiNotarizedPkgFilename}")
|
||||||
|
}
|
||||||
|
def xmNotarizedPackages = findFiles (glob: "package/notarized/xamarin.mac-*.pkg")
|
||||||
|
if (xmNotarizedPackages.length > 0) {
|
||||||
|
xmNotarizedPkgFilename = xmNotarizedPackages [0].name
|
||||||
|
echo ("Created notarized Xamarin.Mac package: ${xmNotarizedPkgFilename}")
|
||||||
|
}
|
||||||
|
} catch (ex) {
|
||||||
|
echo "Notarization failed:\n${ex.getMessage()}"
|
||||||
|
for (def stack : ex.getStackTrace()) {
|
||||||
|
echo "\t${stack}"
|
||||||
|
}
|
||||||
|
manager.addWarningBadge("PKGs are not notarized")
|
||||||
|
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -531,6 +579,7 @@ timestamps {
|
||||||
|
|
||||||
sh ("ls -la package")
|
sh ("ls -la package")
|
||||||
uploadFiles ("package/*", "wrench", virtualPath)
|
uploadFiles ("package/*", "wrench", virtualPath)
|
||||||
|
uploadFiles ("package/notarized/*", "wrench", virtualPath)
|
||||||
uploadFiles ("package-internal/*", "jenkins-internal", virtualPath)
|
uploadFiles ("package-internal/*", "jenkins-internal", virtualPath)
|
||||||
|
|
||||||
// Also upload manifest to a predictable url (without the build number)
|
// Also upload manifest to a predictable url (without the build number)
|
||||||
|
@ -558,12 +607,22 @@ timestamps {
|
||||||
if (xiPackageFilename != null) {
|
if (xiPackageFilename != null) {
|
||||||
xiPackageUrl = "${packagePrefix}/${xiPackageFilename}"
|
xiPackageUrl = "${packagePrefix}/${xiPackageFilename}"
|
||||||
utils.reportGitHubStatus (gitHash, 'PKG-Xamarin.iOS', "${xiPackageUrl}", 'SUCCESS', "${xiPackageFilename}")
|
utils.reportGitHubStatus (gitHash, 'PKG-Xamarin.iOS', "${xiPackageUrl}", 'SUCCESS', "${xiPackageFilename}")
|
||||||
packagesMessage += "[${xiPackageFilename}](${xiPackageUrl}) "
|
packagesMessage += "* [${xiPackageFilename} (Not notarized)](${xiPackageUrl})\n"
|
||||||
}
|
}
|
||||||
if (xmPackageFilename != null) {
|
if (xmPackageFilename != null) {
|
||||||
xmPackageUrl = "${packagePrefix}/${xmPackageFilename}"
|
xmPackageUrl = "${packagePrefix}/${xmPackageFilename}"
|
||||||
utils.reportGitHubStatus (gitHash, 'PKG-Xamarin.Mac', "${xmPackageUrl}", 'SUCCESS', "${xmPackageFilename}")
|
utils.reportGitHubStatus (gitHash, 'PKG-Xamarin.Mac', "${xmPackageUrl}", 'SUCCESS', "${xmPackageFilename}")
|
||||||
packagesMessage += "[${xmPackageFilename}](${xmPackageUrl})"
|
packagesMessage += "* [${xmPackageFilename} (Not notarized)](${xmPackageUrl})\n"
|
||||||
|
}
|
||||||
|
if (xiNotarizedPkgFilename != null) {
|
||||||
|
xiNotarizedPackageUrl = "${packagePrefix}/notarized/${xiNotarizedPkgFilename}"
|
||||||
|
utils.reportGitHubStatus (gitHash, 'PKG-Xamarin.iOS-notarized', "${xiNotarizedPackageUrl}", 'SUCCESS', "${xiNotarizedPkgFilename}")
|
||||||
|
packagesMessage += "* [${xiNotarizedPkgFilename} (Notarized)](${xiNotarizedPackageUrl})\n"
|
||||||
|
}
|
||||||
|
if (xmNotarizedPkgFilename != null) {
|
||||||
|
xmNotarizedPackageUrl = "${packagePrefix}/notarized/${xmNotarizedPkgFilename}"
|
||||||
|
utils.reportGitHubStatus (gitHash, 'PKG-Xamarin.Mac-notarized', "${xmNotarizedPackageUrl}", 'SUCCESS', "${xmNotarizedPkgFilename}")
|
||||||
|
packagesMessage += "* [${xmNotarizedPkgFilename} (Notarized)](${xmNotarizedPackageUrl})\n"
|
||||||
}
|
}
|
||||||
if (manifestFilename != null) {
|
if (manifestFilename != null) {
|
||||||
def manifestUrl = "${packagePrefix}/${manifestFilename}"
|
def manifestUrl = "${packagePrefix}/${manifestFilename}"
|
||||||
|
@ -583,7 +642,7 @@ timestamps {
|
||||||
}
|
}
|
||||||
|
|
||||||
if (packagesMessage != "")
|
if (packagesMessage != "")
|
||||||
appendFileComment ("✅ Packages: ${packagesMessage}\n")
|
appendFileComment ("✅ Packages: \n${packagesMessage}\n")
|
||||||
}
|
}
|
||||||
|
|
||||||
dir ('xamarin-macios') {
|
dir ('xamarin-macios') {
|
||||||
|
|
|
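Review bot: The keychain password and the Apple account credentials are expanded by Groovy into the `sh` scripts at the `security create-keychain`, `security unlock-keychain` and `sign_and_notarize.py` calls in the Signing hunk (`${env.KEYCHAIN_PASS}`, `${env.APPLE_PASS}`, `${env.APP_ID}` and friends), so the secret values are baked into the command text before the shell runs, which Jenkins reports as insecure credential interpolation: the expanded command is what `sh` echoes to the build log, and a credential containing shell metacharacters would alter the command. Use single-quoted Groovy strings so the shell itself reads the variables that `withCredentials` exports, e.g. `sh ('security unlock-keychain -p "$KEYCHAIN_PASS" login.keychain')`, and build the `sign_and_notarize.py` line the same way with `'... -e ' + entitlements + ' -k login.keychain ' + pkgs.flatten().join(" ")` appended. Separately, the script that receives the signing identities and the Apple password is fetched at build time from the floating `sign-and-notarized` branch (`git clone ... -b sign-and-notarized` on the first run, `git checkout sign-and-notarized && git pull` afterwards), so whatever that branch points to on a given day runs with production credentials; pinning to a specific commit of xamarin/release-scripts and checking it out explicitly would make the notarization step reproducible and reviewable. In the upload hunk `uploadFiles ("package/notarized/*", "wrench", virtualPath)` passes the same `virtualPath` as the plain packages while the status URLs built later insert a `/notarized/` path segment; whether `uploadFiles` preserves the source subdirectory cannot be seen here, so confirm the published `xiNotarizedPackageUrl`/`xmNotarizedPackageUrl` links actually resolve. The `pkgs = []` at the top of the `try` block also has no `def`, so it becomes a script-binding variable rather than a local like `notarize_mac` above it.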
@ -0,0 +1,14 @@
|
||||||
|
<?xml version="1.0" encoding="UTF-8"?>
|
||||||
|
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
|
||||||
|
<plist version="1.0">
|
||||||
|
<dict>
|
||||||
|
<key>com.apple.security.cs.allow-jit</key>
|
||||||
|
<true/>
|
||||||
|
<key>com.apple.security.cs.allow-unsigned-executable-memory</key>
|
||||||
|
<true/>
|
||||||
|
<key>com.apple.security.cs.allow-dyld-environment-variables</key>
|
||||||
|
<true/>
|
||||||
|
<key>com.apple.security.cs.disable-library-validation</key>
|
||||||
|
<true/>
|
||||||
|
</dict>
|
||||||
|
</plist>
|