First take

Author: bep

.gitignore

@@ -5,6 +5,8 @@
 *.so
 *.dylib
 
+.DS_Store
+
 # Test binary, built with `go test -c`
 *.test
 

README.md

@@ -1,3 +1,3 @@
-[![Tests on Linux, MacOS and Windows](https://github.com/bep/golibtemplate/workflows/Test/badge.svg)](https://github.com/bep/golibtemplate/actions?query=workflow:Test)
-[![Go Report Card](https://goreportcard.com/badge/github.com/bep/golibtemplate)](https://goreportcard.com/report/github.com/bep/golibtemplate)
-[![GoDoc](https://godoc.org/github.com/bep/golibtemplate?status.svg)](https://godoc.org/github.com/bep/golibtemplate)
+[![Tests on Linux, MacOS and Windows](https://github.com/bep/buildpkg/workflows/Test/badge.svg)](https://github.com/bep/buildpkg/actions?query=workflow:Test)
+[![Go Report Card](https://goreportcard.com/badge/github.com/bep/buildpkg)](https://goreportcard.com/report/github.com/bep/buildpkg)
+[![GoDoc](https://godoc.org/github.com/bep/buildpkg?status.svg)](https://godoc.org/github.com/bep/buildpkg)

build.go

@@ -0,0 +1,211 @@
+package buildpkg
+
+import (
+	"fmt"
+	"os"
+	"os/exec"
+	"path/filepath"
+
+	"github.com/bep/macosnotarylib"
+	"github.com/golang-jwt/jwt/v4"
+)
+
+// New creates a new Builder.
+func New(opts Options) (*Builder, error) {
+	if err := opts.init(); err != nil {
+		return nil, err
+	}
+	return &Builder{Options: opts}, nil
+}
+
+type Builder struct {
+	Options
+}
+
+// Build signs the binary, builds the package and signs and notarizes and staples it.
+// It' currently limited to 1 file only.
+// The notarization part requires the following environment variables to be set:
+// - MACOSNOTARYLIB_ISSUER_ID
+// - MACOSNOTARYLIB_KID
+// - MACOSNOTARYLIB_PRIVATE_KEY (in base64 format).
+func (b *Builder) Build() error {
+	files, err := os.ReadDir(b.StagingDirectory)
+	if err != nil {
+		return err
+	}
+	if len(files) != 1 || files[0].IsDir() {
+		return fmt.Errorf("opts: StagingDirectory must contain exactly one file")
+	}
+
+	if !b.SkipCodeSigning {
+		for _, fi := range files {
+			if err := b.runCommand("codesign", "-s", b.SigningIdentity, "--options=runtime", filepath.Join(b.StagingDirectory, fi.Name())); err != nil {
+				return err
+			}
+		}
+	}
+
+	tempPackageOutputPath := b.PackageOutputPath + ".tmp"
+
+	args := []string{
+		"--root", b.StagingDirectory,
+		"--identifier", b.Identifier,
+		"--version", b.Version,
+		"--install-location", b.InstallLocation,
+	}
+
+	if b.ScriptsDirectory != "" {
+		args = append(args, "--scripts", b.ScriptsDirectory)
+	}
+
+	if b.SkipInstallerSigning {
+		tempPackageOutputPath = b.PackageOutputPath
+	}
+
+	args = append(args, tempPackageOutputPath)
+
+	if err := b.runCommand("pkgbuild", args...); err != nil {
+		return err
+	}
+
+	if !b.SkipInstallerSigning {
+		// Sign the package
+		if err := b.runCommand("productsign", "--sign", b.SigningIdentity, tempPackageOutputPath, b.PackageOutputPath); err != nil {
+			return err
+		}
+
+		if err := os.Remove(filepath.Join(b.Dir, tempPackageOutputPath)); err != nil {
+			return err
+		}
+
+		// Check the package signature.
+		if err := b.runCommand("pkgutil", "--check-signature", b.PackageOutputPath); err != nil {
+			return err
+		}
+	}
+
+	if !b.SkipNotarization {
+		// Notarize the package.
+		if err := b.notarizePackage(filepath.Join("testdata", b.PackageOutputPath)); err != nil {
+			return err
+		}
+
+		// Staple the package.
+		if err := b.runCommand("stapler", "staple", b.PackageOutputPath); err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
+func (b *Builder) notarizePackage(filename string) error {
+	issuerID := os.Getenv("MACOSNOTARYLIB_ISSUER_ID")
+
+	kid := os.Getenv("MACOSNOTARYLIB_KID")
+	if kid == "" || issuerID == "" {
+		return fmt.Errorf("env: MACOSNOTARYLIB_ISSUER_ID and MACOSNOTARYLIB_KID must be set")
+	}
+
+	// This test also depends on the private key from env MACOSNOTARYLIB_PRIVATE_KEY in base64 format. See below.
+
+	n, err := macosnotarylib.New(
+		macosnotarylib.Options{
+			InfoLoggerf: b.Infof,
+			IssuerID:    issuerID,
+			Kid:         kid,
+			SignFunc: func(token *jwt.Token) (string, error) {
+				key, err := macosnotarylib.LoadPrivateKeyFromEnvBase64("MACOSNOTARYLIB_PRIVATE_KEY")
+				if err != nil {
+					return "", err
+				}
+				return token.SignedString(key)
+			},
+		},
+	)
+
+	if err != nil {
+		return err
+	}
+
+	return n.Submit(filename)
+
+}
+
+func (b *Builder) runCommand(name string, args ...string) error {
+	fmt.Println(name, args)
+	cmd := exec.Command(name, args...)
+	cmd.Dir = b.Dir
+	cmd.Stdout = os.Stdout
+	cmd.Stderr = os.Stderr
+	return cmd.Run()
+}
+
+type Options struct {
+	// The Info logger.
+	// If nil, no Info logging will be done.
+	Infof func(format string, a ...interface{})
+
+	// The Dir to build from.
+	Dir string
+
+	// Developer ID Application + Developer ID Installer
+	// https://developer.apple.com/account/resources/certificates/list
+	SigningIdentity string
+
+	// The result
+	PackageOutputPath string
+
+	// The staging directory where all your build artifacts are located.
+	StagingDirectory string
+
+	// E.g. io.gohugo.hugo
+	Identifier string
+
+	// E.g. 234
+	Version string
+
+	// E.g. /Applications
+	InstallLocation string
+
+	// Scripts passed on the command line --scripts flag.
+	// E.g. /mypkgscripts
+	ScriptsDirectory string
+
+	// Flags to enable skipping of build steps.
+	SkipCodeSigning      bool
+	SkipInstallerSigning bool
+	SkipNotarization     bool
+}
+
+func (o *Options) init() error {
+	if o.Infof == nil {
+		o.Infof = func(format string, a ...interface{}) {
+		}
+	}
+	if o.SigningIdentity == "" {
+		return fmt.Errorf("opts: SigningIdentity is required")
+	}
+
+	if o.StagingDirectory == "" {
+		return fmt.Errorf("opts: StagingDirectory not set")
+	}
+
+	if o.Identifier == "" {
+		return fmt.Errorf("opts: Identifier not set")
+	}
+
+	if o.Version == "" {
+		return fmt.Errorf("opts: Version not set")
+	}
+
+	if o.InstallLocation == "" {
+		return fmt.Errorf("opts: InstallLocation not set")
+	}
+
+	if o.PackageOutputPath == "" {
+		return fmt.Errorf("opts: PackageOutputPath not set")
+	}
+
+	return nil
+}

build_test.go

@@ -0,0 +1,40 @@
+package buildpkg
+
+import (
+	"log"
+	"os"
+	"testing"
+
+	qt "github.com/frankban/quicktest"
+)
+
+func TestBuild(t *testing.T) {
+	if os.Getenv("CI") != "" {
+		t.Skip("Skipping test on CI")
+	}
+	c := qt.New(t)
+
+	opts := Options{
+		Infof: func(format string, args ...interface{}) {
+			log.Printf(format, args...)
+		},
+		Dir:                  "./testdata",
+		SigningIdentity:      "ZYSJUFSYL4",
+		StagingDirectory:     "./staging",
+		Identifier:           "is.bep.helloworld",
+		Version:              "0.0.13",
+		InstallLocation:      "/usr/local/bin",
+		PackageOutputPath:    "./helloworld.pkg",
+		SkipCodeSigning:      false,
+		SkipNotarization:     false,
+		SkipInstallerSigning: false,
+		//ScriptsDirectory: "./testdata/scripts",
+	}
+
+	builder, err := New(opts)
+	c.Assert(err, qt.IsNil)
+	c.Assert(builder.runCommand("./prepare.sh", builder.Version), qt.IsNil)
+	err = builder.Build()
+	c.Assert(err, qt.IsNil)
+
+}

go.mod

@@ -1,10 +1,17 @@
-module github.com/bep/golibtemplate
+module github.com/bep/buildpkg
 
 go 1.18
 
 require (
-	github.com/frankban/quicktest v1.14.2 // indirect
+	github.com/bep/macosnotarylib v0.1.0
+	github.com/frankban/quicktest v1.14.2
+	github.com/golang-jwt/jwt/v4 v4.4.3-0.20220820150458-bfea432b1a9d
+)
+
+require (
+	github.com/aws/aws-sdk-go v1.44.86 // indirect
 	github.com/google/go-cmp v0.5.7 // indirect
+	github.com/jmespath/go-jmespath v0.4.0 // indirect
 	github.com/kr/pretty v0.3.0 // indirect
 	github.com/kr/text v0.2.0 // indirect
 	github.com/rogpeppe/go-internal v1.6.1 // indirect

go.sum

@@ -1,18 +1,45 @@
+github.com/aws/aws-sdk-go v1.44.86 h1:Zls97WY9N2c2H85//B88CmSlYYNxS3Zf3k4ds5zAf5A=
+github.com/aws/aws-sdk-go v1.44.86/go.mod h1:y4AeaBuwd2Lk+GepC1E9v0qOiTws0MIWAX4oIKwKHZo=
+github.com/bep/macosnotarylib v0.1.0 h1:3Kl63q2qVx8oyzMKK5UOABlY1EOTW3OHBI3KnPsDwYM=
+github.com/bep/macosnotarylib v0.1.0/go.mod h1:oAZa21+u4m1EwFguFx2YmHNkkLrhy1J0kHiNEfdfGPs=
 github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
+github.com/davecgh/go-spew v1.1.0 h1:ZDRjVQ15GmhC3fiQ8ni8+OwkZQO4DARzQgrnXU1Liz8=
+github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/frankban/quicktest v1.14.2 h1:SPb1KFFmM+ybpEjPUhCCkZOM5xlovT5UbrMvWnXyBns=
 github.com/frankban/quicktest v1.14.2/go.mod h1:mgiwOwqx65TmIk1wJ6Q7wvnVMocbUorkibMOrVTHZps=
+github.com/golang-jwt/jwt/v4 v4.4.3-0.20220820150458-bfea432b1a9d h1:g83sVsMB9c5zW6RG7a767AkmCkAIbQEX6Z7UvEKgTjU=
+github.com/golang-jwt/jwt/v4 v4.4.3-0.20220820150458-bfea432b1a9d/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0=
 github.com/google/go-cmp v0.5.7 h1:81/ik6ipDQS2aGcBfIN5dHDB36BwrStyeAQquSYCV4o=
 github.com/google/go-cmp v0.5.7/go.mod h1:n+brtR0CgQNWTVd5ZUFpTBC8YFBDLK/h/bpaJ8/DtOE=
+github.com/jmespath/go-jmespath v0.4.0 h1:BEgLn5cpjn8UN1mAw4NjwDrS35OdebyEtFe+9YPoQUg=
+github.com/jmespath/go-jmespath v0.4.0/go.mod h1:T8mJZnbsbmF+m6zOOFylbeCJqk5+pHWvzYPziyZiYoo=
+github.com/jmespath/go-jmespath/internal/testify v1.5.1 h1:shLQSRRSCCPj3f2gpwzGwWFoC7ycTf1rcQZHOlsJ6N8=
+github.com/jmespath/go-jmespath/internal/testify v1.5.1/go.mod h1:L3OGu8Wl2/fWfCI6z80xFu9LTZmf1ZRjMHUOPmWr69U=
 github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
 github.com/kr/pretty v0.3.0 h1:WgNl7dwNpEZ6jJ9k1snq4pZsg7DOEN8hP9Xw0Tsjwk0=
 github.com/kr/pretty v0.3.0/go.mod h1:640gp4NfQd8pI5XOwp5fnNeVWj67G7CFk/SaSQn7NBk=
 github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
 github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
 github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
 github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
+github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
+github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
+github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/rogpeppe/go-internal v1.6.1 h1:/FiVV8dS/e+YqF2JvO3yXRFbBLTIuSDkuC7aBOAvL+k=
 github.com/rogpeppe/go-internal v1.6.1/go.mod h1:xXDCJY+GAPziupqXw64V24skbSoqbTEfhy4qGm1nDQc=
+github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+golang.org/x/net v0.0.0-20220127200216-cd36cc0744dd h1:O7DYs+zxREGLKzKoMQrtrEacpb0ZVXA5rIwylE2Xchk=
+golang.org/x/net v0.0.0-20220127200216-cd36cc0744dd/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk=
+golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
+golang.org/x/text v0.3.7 h1:olpwvP2KacW1ZWvsR7uQhoyTYvKAupfQrRGBFM352Gk=
+golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
+golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543 h1:E7g+9GITq07hpfrRu66IVDexMakfv52eLZ2CXBWiKr4=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI=
+gopkg.in/yaml.v2 v2.2.8 h1:obN1ZagJSUGI0Ek/LBmuj4SNLPfIny3KsKFopxRdj10=
+gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=