darwin: Use notarytool to notarize instead of altool (gravitational#2…

…5407)

Switch to using the newer `notarytool` to notarize MacOS binaries
instead of the older `altool`, as `altool` is deprecated and will no
longer work come Fall 2023. This also makes for a quieter build as
altool's output was quite verbose, and anecdotally, it seems to be more
reliable - I haven't had a single notarization failure this way as
opposed to the many we see in CI with `altool`.

We used to use `gon` as part of our notarizing tool. `gon` still has an
open issue to upgrade to `notarytool`, so we've switched away from it
and used the Apple CLI tools instead to do the notarization. This is
available now that we have moved to GitHub Actions for builds as it has
a newer Xcode that contains notarytool.

Update the Teleport Connect notarization, which was quite a bit simpler,
although we do need an extra `$TEAMID` input, so handle it when that is
not supplied and document in the README that it is needed.

darwin-signing.mk

@@ -41,7 +41,8 @@ CSC_NAME = $(DEVELOPER_ID_APPLICATION)
 
 # Don't export DEVELOPER_ID_APPLICATION, DEVELOPER_ID_INSTALLER or CSC_NAME as
 # it causes them to be evaluated, which shells out to the `security` command.
-# They should only be evaluated if used.
+# They should only be evaluated if used. Any variables below that reference
+# these are also unexported for the same reason.
 unexport CSC_NAME DEVELOPER_ID_APPLICATION DEVELOPER_ID_INSTALLER
 
 # Bundle IDs identify packages/images. We use different bundle IDs for
@@ -94,18 +95,33 @@ SHOULD_NOTARIZE = $(if $(and $(APPLE_USERNAME),$(APPLE_PASSWORD)),true)
 # to not evaluate its arguments (DEVELOPER_ID_APPLICATION) if we are not
 # goint to use them, preventing a missing key error defined above.
 NOTARIZE_BINARIES = $(if $(SHOULD_NOTARIZE),$(notarize_binaries_cmd),$(not_notarizing_cmd))
-
-define notarize_binaries_cmd
-	cd build.assets/tooling && \
-	go run ./cmd/notarize-apple-binaries \
-		--developer-id=$(DEVELOPER_ID_APPLICATION) \
-		--bundle-id=$(TELEPORT_BUNDLEID) \
-		--log-level=debug \
-		$(ABSOLUTE_BINARY_PATHS)
-endef
+unexport NOTARIZE_BINARIES
 
 not_notarizing_cmd = echo Not notarizing binaries. APPLE_USERNAME or APPLE_PASSWORD not set.
 
-# Dont export not_notarizing_cmd since it contains DEVELOPER_ID_APPLICATION
-# and we do not want that evaluated.
+notary_dir = $(BUILDDIR)/notarize
+notary_file = $(BUILDDIR)/notarize.zip
+
+# notarize_binaries_cmd must be a single command - multiple commands must be
+# joined with "&& \". This is so the command can be prefixed with "cd .. &&"
+# for the enterprise invocation.
+define notarize_binaries_cmd
+	codesign \
+		--sign $(DEVELOPER_ID_APPLICATION) \
+		--force \
+		--verbose \
+		--timestamp \
+		--options runtime \
+		$(ABSOLUTE_BINARY_PATHS) && \
+	rm -rf $(notary_dir) && \
+	mkdir $(notary_dir) && \
+	ditto $(ABSOLUTE_BINARY_PATHS) $(notary_dir) && \
+	ditto -c -k $(notary_dir) $(notary_file) && \
+	xcrun notarytool submit $(notary_file) \
+		--team-id="$(TEAMID)" \
+		--apple-id="$(APPLE_USERNAME)" \
+		--password="$(APPLE_PASSWORD)" \
+		--wait && \
+	rm -rf $(notary_dir) $(notary_file)
+endef
 unexport notarize_binaries_cmd

web/packages/teleterm/README.md

@@ -115,6 +115,7 @@ When running `yarn package-term`, you need to provide these environment variable
 - `APPLE_PASSWORD`
 - `CONNECT_TSH_APP_PATH`
 - `CSC_NAME` (optional, developer certificate ID)
+- `TEAMID`
 
 The details behind those vars are described below.
 
@@ -151,6 +152,11 @@ On top of that, you must provide env vars that will be used for notarization. `A
 be set to the account email address associated with the developer ID. `APPLE_PASSWORD` must be [an
 app-specific password](https://support.apple.com/en-us/HT204397), not the account password.
 
+The Team ID needed as an input for notarization must be provided via the `TEAMID` environment
+variable. The top-level `Makefile` exports this when `yarm package-term` is called from `make
+release-connect` with either the developer or production Team ID depending on the `ENVIRONMENT_NAME`
+environment variable. See the top-level `darwin-signing.mk` for details.
+
 ## Architecture
 
 ### Resource lifecycle

web/packages/teleterm/notarize.js

@@ -13,6 +13,13 @@ exports.default = async function notarizing(context) {
     return;
   }
 
+  if (!process.env.TEAMID) {
+    console.warn(
+      'missing $TEAMID: notarization will be skipped. Run `make release-connect` instead'
+    );
+    return;
+  }
+
   const appName = context.packager.appInfo.productFilename;
   const appBundleId = context.packager.appInfo.macBundleIdentifier;
 
@@ -21,5 +28,7 @@ exports.default = async function notarizing(context) {
     appPath: `${appOutDir}/${appName}.app`,
     appleId: process.env.APPLE_USERNAME,
     appleIdPassword: process.env.APPLE_PASSWORD,
+    tool: 'notarytool',
+    teamId: process.env.TEAMID,
   });
 };