From 014b65e9b7950e88036829aa205a9b968fb9cc10 Mon Sep 17 00:00:00 2001
From: Ulises Gascon
Date: Sat, 8 Jul 2023 13:26:00 +0200
Subject: [PATCH] tools: use osx notarytool for future releases
Signed-off-by: Ulises Gascon
Refs: https://github.com/nodejs/build/issues/3385
PR-URL: https://github.com/nodejs/node/pull/48701
Reviewed-By: Michael Dawson
Reviewed-By: James M Snell
Reviewed-By: Moshe Atlow
Reviewed-By: Yagiz Nizipli
---
 tools/osx-notarize.sh | 91 ++++++++++++++++++++++++++++++++++---------
 1 file changed, 72 insertions(+), 19 deletions(-)
diff --git a/tools/osx-notarize.sh b/tools/osx-notarize.sh
index 31c92c2ca426f3..beea7041793cdf 100755
--- a/tools/osx-notarize.sh
+++ b/tools/osx-notarize.sh
@@ -1,34 +1,87 @@
 #!/bin/sh
-# Uses gon, from https://github.com/mitchellh/gon, to notarize a generated node-.pkg file
-# with Apple for installation on macOS Catalina and later as validated by Gatekeeper.
+# Notarize a generated node-.pkg file as an Apple requirement for installation on macOS Catalina and later, as validated by Gatekeeper.
+# Uses gon (Xcode version < 13.0) or notarytool (Xcode >= 13.0).
-set -e
-
-gon_version="0.2.2"
-gon_exe="${HOME}/.gon/gon_${gon_version}"
+version() {
+ echo "$@" | awk -F. '{ printf("%d%03d%03d%03d\n", $1,$2,$3,$4); }' || echo "0"
+}
+xcode_version=$(xcodebuild -version | awk '/Xcode/ {print $2}')
+xcode_version_result=$(version "$xcode_version")
+xcode_version_threshold=$(version "13.0")
 pkgid="$1"
-[ -z "$pkgid" ] && \
- echo "Usage: $0 " \
+if [ -z "$pkgid" ]; then
+ echo "Usage: $0 "
 exit 1
+fi
 # shellcheck disable=SC2154
-[ -z "$NOTARIZATION_ID" ] && \
- echo "No NOTARIZATION_ID environment var. Skipping notarization." \
+if [ -z "$NOTARIZATION_ID" ]; then
+ echo "No NOTARIZATION_ID environment variable. Skipping notarization."
 exit 0
+fi
-set -x
-
-mkdir -p "${HOME}/.gon/"
+if [ -z "$NOTARIZATION_PASSWORD" ]; then
+ echo "No NOTARIZATION_PASSWORD environment variable. Skipping notarization."
+ exit 0
+fi
-if [ ! -f "${gon_exe}" ]; then
- curl -sL "https://github.com/mitchellh/gon/releases/download/v${gon_version}/gon_${gon_version}_macos.zip" -o "${gon_exe}.zip"
- (cd "${HOME}/.gon/" && rm -f gon && unzip "${gon_exe}.zip" && mv gon "${gon_exe}")
+if [ -z "$NOTARIZATION_TEAM_ID" ]; then
+ echo "No NOTARIZATION_TEAM_ID environment variable. Skipping notarization."
+ exit 0
 fi
-sed -e "s/{{appleid}}/${NOTARIZATION_ID}/" -e "s/{{pkgid}}/${pkgid}/" tools/osx-gon-config.json.tmpl \
- > gon-config.json
+# TODO(@ulisesGascon): remove support for gon
+# when https://github.com/nodejs/build/issues/3385#issuecomment-1729281269 is ready
+if [ "$xcode_version_result" -lt "$xcode_version_threshold" ]; then
+ echo "Notarization process is done with gon."
+ set -x
+
+ gon_version="0.2.2"
+ gon_exe="${HOME}/.gon/gon_${gon_version}"
-"${gon_exe}" -log-level=info gon-config.json
+ mkdir -p "${HOME}/.gon/"
+
+ if [ ! -f "${gon_exe}" ]; then
+ curl -sL "https://github.com/mitchellh/gon/releases/download/v${gon_version}/gon_${gon_version}_macos.zip" -o "${gon_exe}.zip"
+ (cd "${HOME}/.gon/" && rm -f gon && unzip "${gon_exe}.zip" && mv gon "${gon_exe}")
+ fi
+
+ sed -e "s/{{appleid}}/${NOTARIZATION_ID}/" -e "s/{{pkgid}}/${pkgid}/" tools/osx-gon-config.json.tmpl \
+ > gon-config.json
+
+ "${gon_exe}" -log-level=info gon-config.json
+
+else
+ echo "Notarization process is done with Notarytool."
+
+ if ! command -v xcrun notarytool > /dev/null
+ then
+ echo "Notarytool is not present in the system. Notarization has failed."
+ exit 1
+ fi
+
+ # Submit the package for notarization
+ # TODO(@ulisesGascon): refactor to use --keychain-profile
+ # when https://github.com/nodejs/build/issues/3385#issuecomment-1729281269 is ready
+ notarization_output=$(
+ xcrun notarytool submit \
+ --apple-id "$NOTARIZATION_ID" \
+ --password "$NOTARIZATION_PASSWORD" \
+ --team-id "$NOTARIZATION_TEAM_ID" \
+ --wait \
+ "node-$pkgid.pkg" 2>&1
+ )
+
+ if [ $? -eq 0 ]; then
+ # Extract the operation ID from the output
+ operation_id=$(echo "$notarization_output" | awk '/RequestUUID/ {print $NF}')
+ echo "Notarization submitted. Operation ID: $operation_id"
+ exit 0
+ else
+ echo "Notarization failed. Error: $notarization_output"
+ exit 1
+ fi
+fi
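Review bot: The notarytool branch passes the app-specific password on argv as `--password "$NOTARIZATION_PASSWORD"`, so it is readable in the process list of the build host for the whole `--wait` period, and the `set -x` that the gon branch turns on would echo it into the build log if it ever migrated to this branch; until the `--keychain-profile` TODO lands, put a guard comment above the call, `# Do not enable set -x in this branch: the password is on argv and would be echoed to the build log`, and prefer a profile created once per builder with `xcrun notarytool store-credentials`. The success path extracts the submission id with `awk '/RequestUUID/ {print $NF}'`, but `RequestUUID` is altool's field name; notarytool reports the submission as `id: <uuid>` lines, so `operation_id` is expected to come back empty — `awk '/^ *id:/ {print $NF; exit}'` matches the real output. The availability check `command -v xcrun notarytool` only looks both names up on PATH, while `notarytool` is resolved by xcrun from the selected Xcode, so `xcrun --find notarytool > /dev/null 2>&1` is the check that matches how the tool is invoked below. Because `set -e` is removed at the top, a failing `xcodebuild -version` yields an empty `xcode_version` that `version()` maps to `0`, silently routing the run to the gon branch instead of failing; add `[ -n "$xcode_version" ] || { echo "Cannot determine Xcode version" >&2; exit 1; }` after the version lookup.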