build: macOS package notarization

Includes hardened-runtime patch from gdams from https://github.com/nodejs/node/issues/29216#issuecomment-546932966 Backport-PR-URL: https://github.com/nodejs/node/pull/32528 PR-URL: https://github.com/nodejs/node/pull/31459 Refs: https://github.com/nodejs/node/issues/29216 Reviewed-By: Christian Clauss <cclauss@me.com> Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com> Reviewed-By: Ash Cripps <ashley.cripps@ibm.com> Signed-off-by: Rod Vagg <rod@vagg.org>
2025-12-06 12:20:27 +01:00 · 2020-01-22 14:38:11 +11:00 · 2020-01-22 14:38:11 +11:00 · 8a0ed8f1ff
commit 8a0ed8f1ff
parent 04cd67f85e
6 changed files with 77 additions and 1 deletions
--- a/.gitignore
+++ b/.gitignore
@ -31,6 +31,7 @@ iojs
 iojs_g
 node
 node_g
+gon-config.json
 *.swp
 icu_config.gypi
 node_trace.*.log
--- a/1
+++ b/1
@ -910,6 +910,7 @@ $(PKG): release-only
 		--resources $(MACOSOUTDIR)/installer/productbuild/Resources \
 		--package-path $(MACOSOUTDIR)/pkgs ./$(PKG)
 	SIGN="$(PRODUCTSIGN_CERT)" PKG="$(PKG)" bash tools/osx-productsign.sh
+	bash tools/osx-notarize.sh $(FULLVERSION)

 .PHONY: pkg
 # Builds the macOS installer for releases.
--- a/tools/osx-codesign.sh
+++ b/tools/osx-codesign.sh
@ -8,4 +8,13 @@ if [ "X$SIGN" == "X" ]; then
  exit 0
 fi

-codesign -s "$SIGN" "$PKGDIR"/bin/node
+# All macOS executable binaries in the bundle must be codesigned with the
+# hardened runtime enabled.
+# See https://github.com/nodejs/node/pull/31459
+
+codesign \
+  --sign "$SIGN" \
+  --entitlements tools/osx-entitlements.plist \
+  --options runtime \
+  --timestamp \
+  "$PKGDIR"/bin/node
--- a/tools/osx-entitlements.plist
+++ b/tools/osx-entitlements.plist
@ -0,0 +1,16 @@
+  <?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+    <key>com.apple.security.cs.allow-jit</key>
+    <true/>
+    <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
+    <true/>
+    <key>com.apple.security.cs.disable-executable-page-protection</key>
+    <true/>
+    <key>com.apple.security.cs.allow-dyld-environment-variables</key>
+    <true/>
+    <key>com.apple.security.cs.disable-library-validation</key>
+    <true/>
+</dict>
+</plist>
--- a/tools/osx-gon-config.json.tmpl
+++ b/tools/osx-gon-config.json.tmpl
@ -0,0 +1,12 @@
+{
+  "notarize": [{
+    "path": "node-{{pkgid}}.pkg",
+    "bundle_id": "org.nodejs.pkg.{{pkgid}}",
+    "staple": true
+  }],
+
+  "apple_id": {
+     "username": "{{appleid}}",
+     "password": "@env:NOTARIZATION_PASSWORD"
+  }
+}
--- a/tools/osx-notarize.sh
+++ b/tools/osx-notarize.sh
@ -0,0 +1,37 @@
+#!/bin/bash
+
+# Uses gon, from https://github.com/mitchellh/gon, to notarize a generated node-<version>.pkg file
+# with Apple for installation on macOS Catalina and later as validated by Gatekeeper.
+
+set -e
+
+gon_version="0.2.2"
+gon_exe="${HOME}/.gon/gon_${gon_version}"
+
+__dirname="$(CDPATH= cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+pkgid="$1"
+
+if [ "X${pkgid}" == "X" ]; then
+  echo "Usage: $0 <pkgid>"
+  exit 1
+fi
+
+if [ "X$NOTARIZATION_ID" == "X" ]; then
+  echo "No NOTARIZATION_ID environment var. Skipping notarization."
+  exit 0
+fi
+
+set -x
+
+mkdir -p "${HOME}/.gon/"
+
+if [ ! -f "${gon_exe}" ]; then
+  curl -sL "https://github.com/mitchellh/gon/releases/download/v${gon_version}/gon_${gon_version}_macos.zip" -o "${gon_exe}.zip"
+  (cd "${HOME}/.gon/" && rm -f gon && unzip "${gon_exe}.zip" && mv gon "${gon_exe}")
+fi
+
+cat tools/osx-gon-config.json.tmpl \
+  | sed -e "s/{{appleid}}/${NOTARIZATION_ID}/" -e "s/{{pkgid}}/${pkgid}/" \
+  > gon-config.json
+
+"${gon_exe}" -log-level=info gon-config.json