Submits an executable to Apple notary service.
(signing_data: CdSigningData, exe_path: pathlib.Path)
| 313 | |
| 314 | |
| 315 | def notarize_executable(signing_data: CdSigningData, exe_path: pathlib.Path): |
| 316 | """ |
| 317 | Submits an executable to Apple notary service. |
| 318 | """ |
| 319 | # Load the Apple id and password from secrets manager. |
| 320 | secret_id = signing_data.apple_notarizing_secret_arn |
| 321 | secret_region = parse_region_from_arn(signing_data.apple_notarizing_secret_arn) |
| 322 | info(f"Loading secretmanager value: {secret_id}") |
| 323 | secret_value = run_cmd_output( |
| 324 | ["aws", "--region", secret_region, "secretsmanager", "get-secret-value", "--secret-id", secret_id] |
| 325 | ) |
| 326 | secret_string = json.loads(secret_value)["SecretString"] |
| 327 | secrets = json.loads(secret_string) |
| 328 | |
| 329 | # Submit the exe to Apple notary service. It must be zipped first. |
| 330 | info(f"Submitting {exe_path} to Apple notary service") |
| 331 | zip_path = BUILD_DIR / f"{exe_path.name}.zip" |
| 332 | zip_path.unlink(missing_ok=True) |
| 333 | run_cmd(["zip", "-j", zip_path, exe_path], cwd=BUILD_DIR) |
| 334 | submit_res = run_cmd_output( |
| 335 | [ |
| 336 | "xcrun", |
| 337 | "notarytool", |
| 338 | "submit", |
| 339 | zip_path, |
| 340 | "--team-id", |
| 341 | APPLE_TEAM_ID, |
| 342 | "--apple-id", |
| 343 | secrets["appleId"], |
| 344 | "--password", |
| 345 | secrets["appleIdPassword"], |
| 346 | "--wait", |
| 347 | "-f", |
| 348 | "json", |
| 349 | ] |
| 350 | ) |
| 351 | debug(f"Notary service response: {submit_res}") |
| 352 | |
| 353 | # Confirm notarization succeeded. |
| 354 | assert json.loads(submit_res)["status"] == "Accepted" |
| 355 | |
| 356 | # Cleanup |
| 357 | zip_path.unlink() |
| 358 | |
| 359 | |
| 360 | def sign_and_notarize(signing_data: CdSigningData, chat_path: pathlib.Path) -> pathlib.Path: |
no test coverage detected