Class: Fastlane::Actions::NotarizeAction

Inherits:
Fastlane::Action show all
Defined in:
fastlane/lib/fastlane/actions/notarize.rb

Constant Summary

Constants inherited from Fastlane::Action

Fastlane::Action::AVAILABLE_CATEGORIES, Fastlane::Action::RETURN_TYPES

Class Method Summary collapse

Methods inherited from Fastlane::Action

action_name, author, deprecated_notes, details, example_code, lane_context, method_missing, other_action, output, return_type, return_value, sample_return_value, shell_out_should_use_bundle_exec?, step_text

Class Method Details

.altool(params, package_path, bundle_id, try_early_stapling, skip_stapling, print_log, verbose, api_key, compressed_package_path) ⇒ Object



111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
# File 'fastlane/lib/fastlane/actions/notarize.rb', line 111

def self.altool(params, package_path, bundle_id, try_early_stapling, skip_stapling, print_log, verbose, api_key, compressed_package_path)
  UI.message('Uploading package to notarization service, might take a while')

  notarization_upload_command = "xcrun altool --notarize-app -t osx -f \"#{compressed_package_path || package_path}\" --primary-bundle-id #{bundle_id} --output-format xml"

  notarization_info = {}
  with_notarize_authenticator(params, api_key) do |notarize_authenticator|
    notarization_upload_command << " --asc-provider \"#{params[:asc_provider]}\"" if params[:asc_provider] && api_key.nil?

    notarization_upload_response = Actions.sh(
      notarize_authenticator.call(notarization_upload_command),
      log: verbose
    )

    FileUtils.rm_rf(compressed_package_path) if compressed_package_path

    notarization_upload_plist = Plist.parse_xml(notarization_upload_response)

    if notarization_upload_plist.key?('product-errors') && notarization_upload_plist['product-errors'].any?
      UI.important("🚫 Could not upload package to notarization service! Here are the reasons:")
      notarization_upload_plist['product-errors'].each { |product_error| UI.error("#{product_error['message']} (#{product_error['code']})") }
      UI.user_error!("Package upload to notarization service cancelled. Please check the error messages above.")
    end

    notarization_request_id = notarization_upload_plist['notarization-upload']['RequestUUID']

    UI.success("Successfully uploaded package to notarization service with request identifier #{notarization_request_id}")

    while notarization_info.empty? || (notarization_info['Status'] == 'in progress')
      if notarization_info.empty?
        UI.message('Waiting to query request status')
      elsif try_early_stapling && !skip_stapling
        UI.message('Request in progress, trying early staple')

        begin
          self.staple(package_path, verbose)
          UI.message('Successfully notarized and early stapled package.')

          return
        rescue
          UI.message('Early staple failed, waiting to query again')
        end
      end

      sleep(30)

      UI.message('Querying request status')

      # As of July 2020, the request UUID might not be available for polling yet which returns an error code
      # This is now handled with the error_callback (which prevents an error from being raised)
      # Catching this error allows for polling to continue until the notarization is complete
      error = false
      notarization_info_response = Actions.sh(
        notarize_authenticator.call("xcrun altool --notarization-info #{notarization_request_id} --output-format xml"),
        log: verbose,
        error_callback: lambda { |msg|
          error = true
          UI.error("Error polling for notarization info: #{msg}")
        }
      )

      unless error
        notarization_info_plist = Plist.parse_xml(notarization_info_response)
        notarization_info = notarization_info_plist['notarization-info']
      end
    end
  end
  # rubocop:enable Metrics/PerceivedComplexity

  log_url = notarization_info['LogFileURL']
  ENV['FL_NOTARIZE_LOG_FILE_URL'] = log_url
  log_suffix = ''
  if log_url && print_log
    log_response = Net::HTTP.get(URI(log_url))
    log_json_object = JSON.parse(log_response)
    log_suffix = ", with log:\n#{JSON.pretty_generate(log_json_object)}"
  end

  case notarization_info['Status']
  when 'success'
    if skip_stapling
      UI.success("Successfully notarized artifact#{log_suffix}")
    else
      UI.message('Stapling package')

      self.staple(package_path, verbose)

      UI.success("Successfully notarized and stapled package#{log_suffix}")
    end
  when 'invalid'
    UI.user_error!("Could not notarize package with message '#{notarization_info['Status Message']}'#{log_suffix}")
  else
    UI.crash!("Could not notarize package with status '#{notarization_info['Status']}'#{log_suffix}")
  end
ensure
  ENV.delete('FL_NOTARIZE_PASSWORD')
end

.authorsObject



248
249
250
# File 'fastlane/lib/fastlane/actions/notarize.rb', line 248

def self.authors
  ['zeplin']
end

.available_optionsObject



252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
# File 'fastlane/lib/fastlane/actions/notarize.rb', line 252

def self.available_options
  username = CredentialsManager::AppfileConfig.try_fetch_value(:apple_dev_portal_id)
  username ||= CredentialsManager::AppfileConfig.try_fetch_value(:apple_id)

  asc_provider = CredentialsManager::AppfileConfig.try_fetch_value(:itc_team_id)

  [
    FastlaneCore::ConfigItem.new(key: :package,
                                 env_name: 'FL_NOTARIZE_PACKAGE',
                                 description: 'Path to package to notarize, e.g. .app bundle or disk image',
                                 verify_block: proc do |value|
                                   UI.user_error!("Could not find package at '#{value}'") unless File.exist?(value)
                                 end),
    FastlaneCore::ConfigItem.new(key: :use_notarytool,
                                 env_name: 'FL_NOTARIZE_USE_NOTARYTOOL',
                                 description: 'Whether to `xcrun notarytool` or `xcrun altool`',
                                 default_value: Helper.mac? && Helper.xcode_at_least?("13.0"), # Notary tool added in Xcode 13
                                 default_value_dynamic: true,
                                 type: Boolean),
    FastlaneCore::ConfigItem.new(key: :try_early_stapling,
                                 env_name: 'FL_NOTARIZE_TRY_EARLY_STAPLING',
                                 description: 'Whether to try early stapling while the notarization request is in progress',
                                 optional: true,
                                 conflicting_options: [:skip_stapling],
                                 default_value: false,
                                 type: Boolean),
    FastlaneCore::ConfigItem.new(key: :skip_stapling,
                                 env_name: 'FL_NOTARIZE_SKIP_STAPLING',
                                 description: 'Do not staple the notarization ticket to the artifact; useful for single file executables and ZIP archives',
                                 optional: true,
                                 conflicting_options: [:try_early_stapling],
                                 default_value: false,
                                 type: Boolean),
    FastlaneCore::ConfigItem.new(key: :bundle_id,
                                 env_name: 'FL_NOTARIZE_BUNDLE_ID',
                                 description: 'Bundle identifier to uniquely identify the package',
                                 optional: true),
    FastlaneCore::ConfigItem.new(key: :username,
                                 env_name: 'FL_NOTARIZE_USERNAME',
                                 description: 'Apple ID username',
                                 default_value: username,
                                 optional: true,
                                 conflicting_options: [:api_key_path, :api_key],
                                 default_value_dynamic: true),
    FastlaneCore::ConfigItem.new(key: :asc_provider,
                                 env_name: 'FL_NOTARIZE_ASC_PROVIDER',
                                 description: 'Provider short name for accounts associated with multiple providers',
                                 optional: true,
                                 default_value: asc_provider),
    FastlaneCore::ConfigItem.new(key: :print_log,
                                 env_name: 'FL_NOTARIZE_PRINT_LOG',
                                 description: 'Whether to print notarization log file, listing issues on failure and warnings on success',
                                 optional: true,
                                 default_value: false,
                                 type: Boolean),
    FastlaneCore::ConfigItem.new(key: :verbose,
                                 env_name: 'FL_NOTARIZE_VERBOSE',
                                 description: 'Whether to log requests',
                                 optional: true,
                                 default_value: false,
                                 type: Boolean),
    FastlaneCore::ConfigItem.new(key: :api_key_path,
                                 env_names: ['FL_NOTARIZE_API_KEY_PATH', "APP_STORE_CONNECT_API_KEY_PATH"],
                                 description: "Path to your App Store Connect API Key JSON file (https://docs.fastlane.tools/app-store-connect-api/#using-fastlane-api-key-json-file)",
                                 optional: true,
                                 conflicting_options: [:username, :api_key],
                                 verify_block: proc do |value|
                                   UI.user_error!("API Key not found at '#{value}'") unless File.exist?(value)
                                 end),
    FastlaneCore::ConfigItem.new(key: :api_key,
                                 env_names: ['FL_NOTARIZE_API_KEY', "APP_STORE_CONNECT_API_KEY"],
                                 description: "Your App Store Connect API Key information (https://docs.fastlane.tools/app-store-connect-api/#using-fastlane-api-key-hash-option)",
                                 optional: true,
                                 conflicting_options: [:username, :api_key_path],
                                 sensitive: true,
                                 type: Hash)
  ]
end

.categoryObject



335
336
337
# File 'fastlane/lib/fastlane/actions/notarize.rb', line 335

def self.category
  :code_signing
end

.descriptionObject



244
245
246
# File 'fastlane/lib/fastlane/actions/notarize.rb', line 244

def self.description
  'Notarizes a macOS app'
end

.is_supported?(platform) ⇒ Boolean

Returns:



331
332
333
# File 'fastlane/lib/fastlane/actions/notarize.rb', line 331

def self.is_supported?(platform)
  platform == :mac
end

.notarytool(params, package_path, bundle_id, skip_stapling, print_log, verbose, api_key, compressed_package_path) ⇒ Object



48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
# File 'fastlane/lib/fastlane/actions/notarize.rb', line 48

def self.notarytool(params, package_path, bundle_id, skip_stapling, print_log, verbose, api_key, compressed_package_path)
  temp_file = nil

  # Create authorization part of command with either API Key or Apple ID
  auth_parts = []
  if api_key
    # Writes key contents to temporary file for command
    require 'tempfile'
    temp_file = Tempfile.new
    api_key.write_key_to_file(temp_file.path)

    auth_parts << "--key #{temp_file.path}"
    auth_parts << "--key-id #{api_key.key_id}"
    auth_parts << "--issuer #{api_key.issuer_id}"
  else
    auth_parts << "--apple-id #{params[:username]}"
    auth_parts << "--password #{ENV['FASTLANE_APPLE_APPLICATION_SPECIFIC_PASSWORD']}"
    auth_parts << "--team-id #{params[:asc_provider]}"
  end

  # Submits package and waits for processing using `xcrun notarytool submit --wait`
  submit_parts = [
    "xcrun notarytool submit",
    (compressed_package_path || package_path).shellescape,
    "--output-format json",
    "--wait"
  ] + auth_parts

  submit_command = submit_parts.join(' ')
  submit_response = Actions.sh(
    submit_command,
    log: verbose,
    error_callback: lambda { |msg|
      UI.error("Error polling for notarization info: #{msg}")
    }
  )

  notarization_info = JSON.parse(submit_response)

  # Staple
  case notarization_info['status']
  when 'Accepted'
    submission_id = notarization_info["id"]
    UI.success("Successfully uploaded package to notarization service with request identifier #{submission_id}")

    if skip_stapling
      UI.success("Successfully notarized artifact")
    else
      UI.message('Stapling package')

      self.staple(package_path, verbose)

      UI.success("Successfully notarized and stapled package")
    end
  when 'Invalid'
    UI.user_error!("Could not notarize package with message '#{notarization_info['statusSummary']}'")
  else
    UI.crash!("Could not notarize package with status '#{notarization_info['status']}'")
  end
ensure
  temp_file.delete if temp_file
end

.run(params) ⇒ Object

rubocop:disable Metrics/PerceivedComplexity



5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
# File 'fastlane/lib/fastlane/actions/notarize.rb', line 5

def self.run(params)
  package_path = params[:package]
  bundle_id = params[:bundle_id]
  skip_stapling = params[:skip_stapling]
  try_early_stapling = params[:try_early_stapling]
  print_log = params[:print_log]
  verbose = params[:verbose]

  # Only set :api_key from SharedValues if :api_key_path isn't set (conflicting options)
  unless params[:api_key_path]
    params[:api_key] ||= Actions.lane_context[SharedValues::APP_STORE_CONNECT_API_KEY]
  end
  api_key = Spaceship::ConnectAPI::Token.from(hash: params[:api_key], filepath: params[:api_key_path])

  use_notarytool = params[:use_notarytool]

  # Compress and read bundle identifier only for .app bundle.
  compressed_package_path = nil
  if File.extname(package_path) == '.app'
    compressed_package_path = "#{package_path}.zip"
    Actions.sh(
      "ditto -c -k --rsrc --keepParent \"#{package_path}\" \"#{compressed_package_path}\"",
      log: verbose
    )

    unless bundle_id
      info_plist_path = File.join(package_path, 'Contents', 'Info.plist')
      bundle_id = Actions.sh(
        "/usr/libexec/PlistBuddy -c \"Print :CFBundleIdentifier\" \"#{info_plist_path}\"",
        log: verbose
      ).strip
    end
  end

  UI.user_error!('Could not read bundle identifier, provide as a parameter') unless bundle_id

  if use_notarytool
    notarytool(params, package_path, bundle_id, skip_stapling, print_log, verbose, api_key, compressed_package_path)
  else
    altool(params, package_path, bundle_id, try_early_stapling, skip_stapling, print_log, verbose, api_key, compressed_package_path)
  end
end

.staple(package_path, verbose) ⇒ Object



209
210
211
212
213
214
# File 'fastlane/lib/fastlane/actions/notarize.rb', line 209

def self.staple(package_path, verbose)
  Actions.sh(
    "xcrun stapler staple #{package_path.shellescape}",
    log: verbose
  )
end

.with_notarize_authenticator(params, api_key) ⇒ Object



216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
# File 'fastlane/lib/fastlane/actions/notarize.rb', line 216

def self.with_notarize_authenticator(params, api_key)
  if api_key
    # From xcrun altool for --apiKey:
    # This option will search the following directories in sequence for a private key file with the name of 'AuthKey_<api_key>.p8':  './private_keys', '~/private_keys', '~/.private_keys', and '~/.appstoreconnect/private_keys'.
    api_key_folder_path = File.expand_path('~/.appstoreconnect/private_keys')
    api_key_file_path = File.join(api_key_folder_path, "AuthKey_#{api_key.key_id}.p8")
    directory_exists = File.directory?(api_key_folder_path)
    file_exists = File.exist?(api_key_file_path)
    begin
      FileUtils.mkdir_p(api_key_folder_path) unless directory_exists
      api_key.write_key_to_file(api_key_file_path) unless file_exists

      yield(proc { |command| "#{command} --apiKey #{api_key.key_id} --apiIssuer #{api_key.issuer_id}" })
    ensure
      FileUtils.rm(api_key_file_path) unless file_exists
      FileUtils.rm_r(api_key_folder_path) unless directory_exists
    end
  else
     = CredentialsManager::AccountManager.new(user: params[:username])

    # Add password as a temporary environment variable for altool.
    # Use app specific password if specified.
    ENV['FL_NOTARIZE_PASSWORD'] = ENV['FASTLANE_APPLE_APPLICATION_SPECIFIC_PASSWORD'] || .password

    yield(proc { |command| "#{command} -u #{.user} -p @env:FL_NOTARIZE_PASSWORD" })
  end
end