diff --git a/README.md b/README.md
index dd88743..b94b37e 100644
--- a/README.md
+++ b/README.md
@@ -215,6 +215,8 @@ Supported configurations:
 flag for the `codesign` binary on macOS. See `man codesign` for detailed
 documentation on accepted values.
 
+ * `entitlements_file` (`string` _optional_) - The full path to a plist format .entitlements file, used for the `--entitlements` argument to `codesign`
+
 * `dmg` (_optional_) - Settings related to creating a disk image (dmg) as
 output. This will only be created if this is specified. The dmg will also
 have the notarization ticket stapled so that it can be verified offline and
@@ -378,5 +380,3 @@ These are some things I'd love to see but aren't currently implemented.
 - The underlying script we use already supports this.
 * Support adding additional files to the zip, dmg packages
 * Support the creation of '.app' bundles for CLI applications
- * Support entitlements for codesigning
-
diff --git a/cmd/gon/main.go b/cmd/gon/main.go
index 0579bd8..6bfbf90 100644
--- a/cmd/gon/main.go
+++ b/cmd/gon/main.go
@@ -146,9 +146,10 @@ func realMain() int {
 // Perform codesigning
 color.New(color.Bold).Fprintf(os.Stdout, "==> %s Signing files...\n", iconSign)
 err = sign.Sign(context.Background(), &sign.Options{
- Files: cfg.Source,
- Identity: cfg.Sign.ApplicationIdentity,
- Logger: logger.Named("sign"),
+ Files: cfg.Source,
+ Identity: cfg.Sign.ApplicationIdentity,
+ Entitlements: cfg.Sign.EntitlementsFile,
+ Logger: logger.Named("sign"),
 })
 if err != nil {
 fmt.Fprintf(os.Stdout, color.RedString("❗️ Error signing files:\n\n%s\n", err))
diff --git a/internal/config/config.go b/internal/config/config.go
index 529e53f..a0bc3d5 100644
--- a/internal/config/config.go
+++ b/internal/config/config.go
@@ -47,7 +47,7 @@ type AppleId struct {
 Provider string `hcl:"provider,optional"`
 }
 
-// NOtarize are the options for notarizing a pre-built file.
+// Notarize are the options for notarizing a pre-built file.
 type Notarize struct {
 // Path is the path to the file to notarize. This can be any supported
 // filetype (dmg, pkg, app, zip).
@@ -66,6 +66,8 @@ type Sign struct {
 // ApplicationIdentity is the ID or name of the certificate to
 // use for signing binaries. This is used for all binaries in "source".
 ApplicationIdentity string `hcl:"application_identity"`
+ // Specify a path to an entitlements file in plist format
+ EntitlementsFile string `hcl:"entitlements_file,optional"`
 }
 
 // Dmg are the options for a dmg file as output.
diff --git a/internal/config/testdata/entitle.hcl b/internal/config/testdata/entitle.hcl
new file mode 100644
index 0000000..ff180eb
--- /dev/null
+++ b/internal/config/testdata/entitle.hcl
@@ -0,0 +1,12 @@
+source = ["./terraform"]
+bundle_id = "com.mitchellh.test.terraform"
+
+apple_id {
+ username = "mitchellh@example.com"
+ password = "hello"
+}
+
+sign {
+ application_identity = "foo"
+ entitlements_file = "/path/to/example.entitlements"
+}
diff --git a/internal/config/testdata/notarize.hcl b/internal/config/testdata/notarize.hcl
index 40b517e..c814e28 100644
--- a/internal/config/testdata/notarize.hcl
+++ b/internal/config/testdata/notarize.hcl
@@ -2,8 +2,8 @@ source = []
 bundle_id = "com.example.terraform"
 
 notarize {
- path = "/path/to/terraform.pkg"
- bundle_id = "foo.bar"
+ path = "/path/to/terraform.pkg"
+ bundle_id = "foo.bar"
 }
 
 apple_id {
diff --git a/internal/config/testdata/notarize_multiple.hcl b/internal/config/testdata/notarize_multiple.hcl
index 4b8d9bb..5a2cecc 100644
--- a/internal/config/testdata/notarize_multiple.hcl
+++ b/internal/config/testdata/notarize_multiple.hcl
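Review bot: The doc comment on the new EntitlementsFile field in Sign does not start with the field name, unlike the ApplicationIdentity comment directly above it, so it reads as an instruction rather than a description of the field; suggest `// EntitlementsFile is an optional path to a plist-format .entitlements file that is passed to codesign via --entitlements.` It would also help to say here whether the path is used as given, since the README text added in this commit says "full path" but nothing in the config layer visible in this hunk enforces or normalizes that. The `type Sign struct` definition starts outside the hunk.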
@@ -2,14 +2,14 @@ source = []
 bundle_id = ""
 
 notarize {
- path = "/path/to/terraform.pkg"
- bundle_id = "foo.bar"
+ path = "/path/to/terraform.pkg"
+ bundle_id = "foo.bar"
 }
 
 notarize {
- path = "/path/to/terraform.pkg"
- bundle_id = "foo.bar"
- staple = true
+ path = "/path/to/terraform.pkg"
+ bundle_id = "foo.bar"
+ staple = true
 }
 
 apple_id {
diff --git a/sign/sign.go b/sign/sign.go
index 06da149..498863f 100644
--- a/sign/sign.go
+++ b/sign/sign.go
@@ -23,6 +23,9 @@ type Options struct {
 // be in a variety of forms.
 Identity string
 
+ // Entitlements is an (optional) path to a plist format .entitlements file
+ Entitlements string
+
 // Output is an io.Writer where the output of the command will be written.
 // If this is nil then the output will only be sent to the log (if set)
 // or in the error result value if signing failed.
@@ -68,6 +71,10 @@ func Sign(ctx context.Context, opts *Options) error {
 "--options", "runtime",
 }
 
+ if len(opts.Entitlements) > 0 {
+ cmd.Args = append(cmd.Args, "--entitlements", opts.Entitlements)
+ }
+
 // Append the files that we want to sign
 cmd.Args = append(cmd.Args, opts.Files...)
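Review bot: The new guard in Sign hands opts.Entitlements to codesign verbatim, so a missing or mistyped file is only surfaced through codesign's own exit status and a relative path is resolved against the gon process's working directory rather than the config file's location; because this value determines which entitlements are baked into the signature, it is worth checking the path before the command runs so the failure names the file rather than a generic codesign error. The emptiness test would also read more idiomatically as `opts.Entitlements != ""` than `len(opts.Entitlements) > 0`. The sketch below assumes os and fmt are already imported by sign.go, which is not visible in the hunk; the enclosing Sign function starts and ends outside the hunk.
```go
// … unchanged: base codesign arguments …
if opts.Entitlements != "" {
	// Fail early with a clear message; otherwise a bad path only shows up as a codesign error.
	if _, err := os.Stat(opts.Entitlements); err != nil {
		return fmt.Errorf("entitlements file %q: %w", opts.Entitlements, err)
	}
	cmd.Args = append(cmd.Args, "--entitlements", opts.Entitlements)
}
// … unchanged: append opts.Files …
```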