diff --git a/.circleci/config.yml b/.circleci/config.yml
index 1358cc6c87..6fa24bf88f 100644
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -485,6 +485,7 @@ workflows:
 go_download_base_url: << pipeline.parameters.go_download_base_url >>
 executor: macos-arm64
 install_deps_extension: macos-build
+ context: snyk-macos-signing
 requires:
 - prepare-build
@@ -496,6 +497,7 @@ workflows:
 go_download_base_url: << pipeline.parameters.go_download_base_url >>
 executor: macos-arm64
 install_deps_extension: macos-build
+ context: snyk-macos-signing
 requires:
 - prepare-build
diff --git a/Makefile b/Makefile
index 37ba1b5597..3db1e20537 100644
--- a/Makefile
+++ b/Makefile
@@ -133,10 +133,12 @@ $(BINARY_RELEASES_FOLDER_TS_CLI)/snyk-linux-arm64: prepack | $(BINARY_RELEASES_F
 $(BINARY_RELEASES_FOLDER_TS_CLI)/snyk-macos: prepack | $(BINARY_RELEASES_FOLDER_TS_CLI)
 $(PKG) -t node$(PKG_NODE_VERSION)-macos-x64 -o $(BINARY_RELEASES_FOLDER_TS_CLI)/snyk-macos
+ $(SHELL) $(WORKING_DIR)/cliv2/scripts/sign_darwin.sh $(BINARY_RELEASES_FOLDER_TS_CLI) snyk-macos skip-notarize
 $(MAKE) $(BINARY_RELEASES_FOLDER_TS_CLI)/snyk-macos.sha256
 $(BINARY_RELEASES_FOLDER_TS_CLI)/snyk-macos-arm64: prepack | $(BINARY_RELEASES_FOLDER_TS_CLI)
 $(PKG) -t node$(PKG_NODE_VERSION)-macos-arm64 -o $(BINARY_RELEASES_FOLDER_TS_CLI)/snyk-macos-arm64 --no-bytecode
+ $(SHELL) $(WORKING_DIR)/cliv2/scripts/sign_darwin.sh $(BINARY_RELEASES_FOLDER_TS_CLI) snyk-macos-arm64 skip-notarize
 $(MAKE) $(BINARY_RELEASES_FOLDER_TS_CLI)/snyk-macos-arm64.sha256
 $(BINARY_RELEASES_FOLDER_TS_CLI)/snyk-win.exe: prepack | $(BINARY_RELEASES_FOLDER_TS_CLI)
diff --git a/binary-releases/RELEASE_NOTES.md b/binary-releases/RELEASE_NOTES.md
index 254c95ac63..11c5d7f035 100644
--- a/binary-releases/RELEASE_NOTES.md
+++ b/binary-releases/RELEASE_NOTES.md
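Review bot: The added `context: snyk-macos-signing` line (and the identical one in the second hunk at -496) grants what is presumably the Apple signing credential set to these two jobs, so every run of them — including runs on untrusted branches or forked pull requests if the pipeline admits those — can read the signing secrets. Restricting the context (CircleCI contexts support security-group and expression restrictions) or gating these jobs on a release-branch filter keeps the signing identity away from arbitrary code changes. The job entries that own these lines start outside the hunk, so I can't see whether such a filter already exists; if it does, a short comment beside the context, `# signing secrets: only granted to release-branch runs`, would make that explicit.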
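Review bot: The added `$(SHELL) $(WORKING_DIR)/cliv2/scripts/sign_darwin.sh … skip-notarize` lines let both targets succeed even when no signature was applied, because sign_darwin.sh (in this same diff) now exits 0 when `APPLE_ID` is unset, so the `.sha256` built on the next line can cover an unsigned binary and Make will treat `$@` as up to date. The "issigned" check the script's comment relies on is not part of this Makefile, so either verify here (a darwin-guarded `codesign --verify` step) or have the script fail when running in CI. As a style point, both recipes repeat the folder and product name that `$@` already carries; `$(SHELL) $(WORKING_DIR)/cliv2/scripts/sign_darwin.sh $(@D) $(@F) skip-notarize` serves both targets unchanged. The prologue is outside the hunk, so I can't tell whether `.DELETE_ON_ERROR` is set to drop a half-signed `$@` when codesign fails midway.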
@@ -1,4 +1,4 @@
-## [1.1292.2](https://github.com/snyk/snyk/compare/v1.1292.1...v1.1292.2) (2024-08-01)
+## [1.1292.3](https://github.com/snyk/snyk/compare/v1.1292.2...v1.1292.3) (2024-08-12)
 The Snyk CLI is being deployed to different deployment channels, users can select the stability level according to their needs. For details please see [this documentation](https://docs.snyk.io/snyk-cli/releases-and-channels-for-the-snyk-cli)
@@ -6,6 +6,5 @@ The Snyk CLI is being deployed to different deployment channels, users can selec
 ### Bug Fixes
-- **container test:** Improve the accuracy of identifying npm projects within docker images by removing the explicit folder ignore rules
- ([#5384](https://github.com/snyk/snyk/issues/5384))
-- **container test:** Pass platform parameter when pulling an image from a container registry ([#5360](https://github.com/snyk/snyk/issues/5360))
+- **deployment:** Add digital signature for the bundled macOS binary
+ ([#5404](https://github.com/snyk/cli/pull/5404))
diff --git a/cliv2/scripts/sign_darwin.sh b/cliv2/scripts/sign_darwin.sh
index 94a28c9395..1b13f699b4 100755
--- a/cliv2/scripts/sign_darwin.sh
+++ b/cliv2/scripts/sign_darwin.sh
@@ -11,6 +11,7 @@ set -euo pipefail
 EXPORT_PATH=${1:-./bin}
 PRODUCT_NAME=${2:-snyk_darwin_amd64}
+SKIP_NOTARIZE=${3:-0}
 KEYCHAIN_PROFILE=AC_PASSWORD
 APP_PATH="$EXPORT_PATH/$PRODUCT_NAME"
 ZIP_PATH="$EXPORT_PATH/$PRODUCT_NAME.zip"
@@ -30,6 +31,12 @@ if [[ "$OSTYPE" != *"darwin"* ]]; then
 exit 1
 fi
+# if the required secrets are not available we skip signing completely without an error to enable local builds on windows. A later issigned check will catch this error in the build pipeline
+if [ -z "${APPLE_ID+x}" ]; then
+ echo "$LOG_PREFIX Skipping signing, since the required secrets are not available."
+ exit 0
+fi
+
 #
 # signing
 #
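Review bot: `SKIP_NOTARIZE=${3:-0}` defaults to `0`, but the only value the later hunk (at -51) tests is the literal keyword `skip-notarize`, so the default reads as a boolean while the argument is a keyword, and nothing documents what callers should pass. Either default to the empty string and keep the keyword comparison, or accept a boolean and test that consistently; a one-line comment above the assignment, `# $3: pass "skip-notarize" to codesign only and skip the notarization step`, would tell callers what the argument means.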
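Review bot: The new `exit 0` when `APPLE_ID` is unset turns a missing-secret condition into a successful run, so in the pipeline an unsigned `$APP_PATH` passes this step silently and detection rests entirely on the "later issigned check" the comment mentions, which is not part of this diff. Limiting the skip to non-CI runs keeps local builds working without hiding a misconfigured signing job; CircleCI exports `CI=true`, so `if [ -n "${CI:-}" ]; then echo "$LOG_PREFIX Signing secrets missing in CI"; exit 1; fi` as the first line inside the new block would do. Note also that the `exit 1` in the `$OSTYPE` branch just above runs before this block, so a non-darwin local build never reaches the skip; the comment's "local builds on windows" rationale seems to hold only if that branch is changed too, unless something outside the hunk handles it. Checking only `APPLE_ID` while the script also needs `APPLE_SIGNING_IDENTITY` and `KEYCHAIN_PASSWORD` further down means a partially configured environment proceeds and then fails under `set -u`, which is acceptable but worth stating in the comment.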
@@ -51,12 +58,16 @@ security set-key-partition-list -S apple-tool:,apple: -s -k "$KEYCHAIN_PASSWORD"
 sleep 10
 echo "$LOG_PREFIX Signing binary $APP_PATH"
-codesign -s "$APPLE_SIGNING_IDENTITY" -v "$APP_PATH" --timestamp --options runtime
+codesign -f -s "$APPLE_SIGNING_IDENTITY" -v "$APP_PATH" --timestamp --options runtime
 #
 # notarization
 #
+if [[ "$SKIP_NOTARIZE" = "skip-notarize" ]]; then
+ exit 0
+fi
+
 # create a zip file
 echo "$LOG_PREFIX Creating zip file $ZIP_PATH"
 /usr/bin/ditto -c -k --keepParent "$APP_PATH" "$ZIP_PATH"
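Review bot: The `skip-notarize` branch exits without a log line, so a pipeline log cannot distinguish "notarization skipped on request" from the script ending early for another reason; add `echo "$LOG_PREFIX Skipping notarization as requested."` before the `exit 0`. The new `-f` on `codesign` silently replaces any signature the input already carries — presumably the reason for adding it, since the pkg-produced binaries may already be signed (confirm) — and deserves a comment such as `# -f: re-sign even if the binary already carries a signature`. Since a signed-but-not-notarized binary now leaves this script with status 0, a `codesign --verify --strict "$APP_PATH"` line right after the signing call would make the exit status reflect the signature state on both paths.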