Merge pull request #4 from etter-tanium/support-entitlements

Add support for signing with an Entitlements file

README.md

@@ -215,6 +215,8 @@ Supported configurations:
       flag for the `codesign` binary on macOS. See `man codesign` for detailed
       documentation on accepted values.
 
+    * `entitlements_file` (`string` _optional_) - The full path to a plist format .entitlements file, used for the `--entitlements` argument to `codesign` 
+
   * `dmg` (_optional_) - Settings related to creating a disk image (dmg) as output.
     This will only be created if this is specified. The dmg will also have the
     notarization ticket stapled so that it can be verified offline and
@@ -378,5 +380,3 @@ These are some things I'd love to see but aren't currently implemented.
     - The underlying script we use already supports this.
   * Support adding additional files to the zip, dmg packages
   * Support the creation of '.app' bundles for CLI applications
-  * Support entitlements for codesigning
-

cmd/gon/main.go

@@ -146,9 +146,10 @@ func realMain() int {
 			// Perform codesigning
 			color.New(color.Bold).Fprintf(os.Stdout, "==> %s  Signing files...\n", iconSign)
 			err = sign.Sign(context.Background(), &sign.Options{
-				Files:    cfg.Source,
-				Identity: cfg.Sign.ApplicationIdentity,
-				Logger:   logger.Named("sign"),
+				Files:        cfg.Source,
+				Identity:     cfg.Sign.ApplicationIdentity,
+				Entitlements: cfg.Sign.EntitlementsFile,
+				Logger:       logger.Named("sign"),
 			})
 			if err != nil {
 				fmt.Fprintf(os.Stdout, color.RedString("❗️ Error signing files:\n\n%s\n", err))

internal/config/config.go

@@ -47,7 +47,7 @@ type AppleId struct {
 	Provider string `hcl:"provider,optional"`
 }
 
-// NOtarize are the options for notarizing a pre-built file.
+// Notarize are the options for notarizing a pre-built file.
 type Notarize struct {
 	// Path is the path to the file to notarize. This can be any supported
 	// filetype (dmg, pkg, app, zip).
@@ -66,6 +66,8 @@ type Sign struct {
 	// ApplicationIdentity is the ID or name of the certificate to
 	// use for signing binaries. This is used for all binaries in "source".
 	ApplicationIdentity string `hcl:"application_identity"`
+	// Specify a path to an entitlements file in plist format
+	EntitlementsFile string `hcl:"entitlements_file,optional"`
 }
 
 // Dmg are the options for a dmg file as output.

internal/config/testdata/entitle.hcl

@@ -0,0 +1,12 @@
+source = ["./terraform"]
+bundle_id = "com.mitchellh.test.terraform"
+
+apple_id {
+  username = "mitchellh@example.com"
+  password = "hello"
+}
+
+sign {
+  application_identity = "foo"
+  entitlements_file = "/path/to/example.entitlements"
+}

internal/config/testdata/notarize.hcl

@@ -2,8 +2,8 @@ source = []
 bundle_id = "com.example.terraform"
 
 notarize {
-	path = "/path/to/terraform.pkg"
-    bundle_id = "foo.bar"
+  path = "/path/to/terraform.pkg"
+  bundle_id = "foo.bar"
 }
 
 apple_id {

internal/config/testdata/notarize_multiple.hcl

@@ -2,14 +2,14 @@ source = []
 bundle_id = ""
 
 notarize {
-	path = "/path/to/terraform.pkg"
-    bundle_id = "foo.bar"
+  path = "/path/to/terraform.pkg"
+  bundle_id = "foo.bar"
 }
 
 notarize {
-	path = "/path/to/terraform.pkg"
-    bundle_id = "foo.bar"
-    staple = true
+  path = "/path/to/terraform.pkg"
+  bundle_id = "foo.bar"
+  staple = true
 }
 
 apple_id {

sign/sign.go

@@ -23,6 +23,9 @@ type Options struct {
 	// be in a variety of forms.
 	Identity string
 
+	// Entitlements is an (optional) path to a plist format .entitlements file
+	Entitlements string
+
 	// Output is an io.Writer where the output of the command will be written.
 	// If this is nil then the output will only be sent to the log (if set)
 	// or in the error result value if signing failed.
@@ -68,6 +71,10 @@ func Sign(ctx context.Context, opts *Options) error {
 		"--options", "runtime",
 	}
 
+	if len(opts.Entitlements) > 0 {
+		cmd.Args = append(cmd.Args, "--entitlements", opts.Entitlements)
+	}
+
 	// Append the files that we want to sign
 	cmd.Args = append(cmd.Args, opts.Files...)