Sign bundle for TextMate 2.x & update EditorConfig-Core (#39)

The final (non-beta) release of TextMate 2.0 added runtime hardening, which broke plugins. In TextMate 2.0.3 adds an exception for plugin bundles, though runtim hardening means they still must be signed. This adds proper signing and notarization (required in MacOS 10.15+) for the bundle. While I was at it, I also updated EditorConfig-Core to v0.12.3 (the latest) and the Xcode project for Xcode 11 compatibility. The new project configuration here is not really ideal -- it generates lots of warnings when building and uses an old format, but I want to get something working out the door without changing it too much. This already required a fair amount of weird finagling to get code signing to work right and to get PCRE2 (required for updated EditorConfig-Core) linking correctly. Also updates version to v0.4.0. Fixes #38.
Mr0grog · Nov 12, 2019 · e93ba78 · e93ba78
1 parent 890dc31
commit e93ba78
Show file tree

Hide file tree

Showing 17 changed files with 1,330 additions and 2,117 deletions.
diff --git a/.gitignore b/.gitignore
@@ -1,4 +1,6 @@
 *.DS_Store
+scratch.*
+.env
 
 # Xcode
 *.pbxuser

diff --git a/LICENSE b/LICENSE
@@ -1,9 +1,9 @@
-Copyright (c) 2012-2017 Rob Brackett
+Copyright (c) 2012-2019 Rob Brackett
 
 Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
 
 The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
 
 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
 
-This code relies on the "editorconfig-core" and "pcre" libraries. Their licenses can be found in the files "LICENSE-editorconfig-core" and "LICENSE-pcre".
+This code relies on the "editorconfig-core" and "pcre" libraries. Their licenses can be found in the files "LICENSE-editorconfig-core" and "LICENSE-pcre".
diff --git a/README.md b/README.md
@@ -36,6 +36,7 @@ Un-tar it and double-click the `editorconfig-textmate.tmplugin` file to install.
 **Note:** the plug-in will be loaded automatically after restarting TextMate.
 It will not be listed in the bundles list, since bundles and plug-ins are different things in TextMate.
 
+
 Issues
 ------
 
@@ -57,7 +58,97 @@ The current version of this plugin only supports TextMate 2, but [version 0.2.6]
 You can find older versions on the [releases page](https://github.com/Mr0grog/editorconfig-textmate/releases).
 
 
+Release Process
+---------------
+
+As of the final, non-beta TextMate 2.0 release, TextMate uses MacOS’s runtime hardening feature. That means any loaded bundles (like this plugin) must be properly signed. As of MacOS 10.15, they must also be notarized by Apple. Xcode is set up to automatically sign the bundle, but it will only automatically notarize *apps.* That means notarization is a manual process for this project.
+
+You can find some general info about notarization at: https://developer.apple.com/documentation/xcode/notarizing_your_app_before_distribution
+
+And much more detailed info about the manual notarization process at: https://developer.apple.com/documentation/xcode/notarizing_your_app_before_distribution/customizing_the_notarization_workflow
+
+In practice, the process is:
+
+1. Build a release bundle via the “archive” command in Xcode.
+
+2. Use the organizer to export the bundle from the archive.
+
+3. Open a command-line prompt wherever the bundle is and make a zip of it:
+
+    ```sh
+    $ ditto -c -k --keepParent editorconfig-textmate.tmplugin editorconfig-textmate.tmplugin.zip
+    ```
+
+4. Send the zip off to Apple for notarization:
+
+    ```sh
+    # This uploads the zip to Apple and might take a minute.
+    $ xcrun altool \
+        --notarize-app \
+        --primary-bundle-id 'org.robbrackett.editorconfig-textmate' \
+        --username $NOTARIZE_USERNAME \
+        --password $NOTARIZE_PASSWORD \
+        --asc-provider $NOTARIZE_PROVIDER_SHORTNAME \
+        --file editorconfig-textmate.tmplugin.zip
+    # Should result in something like:
+    # No errors uploading 'editorconfig-textmate.tmplugin.zip'.
+    # RequestUUID = xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
+    ```
+
+    NOTE: you’ll need to have an app-specific password for the AppleID account you are notarizing with. You can set one up on the AppleID profile page.
+
+    The above command also assumes you have some environment variables with the appropriate values.
+
+5. Wait for an e-mail indicating that notarization is complete. You can also poll for the status on the command line:
+
+    ```sh
+    $ xcrun altool \
+        --notarization-history 0 \
+        --username $NOTARIZE_USERNAME \
+        --password $NOTARIZE_PASSWORD
+    # Should result in something like:
+    # Notarization History - page 0
+    #
+    # Date                      RequestUUID                          Status  Status Code Status Message
+    # ------------------------- ------------------------------------ ------- ----------- ----------------
+    # 2019-11-12 01:04:43 +0000 xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx success 0           Package Approved
+    #
+    # Next page value: abcxyz
+    ```
+
+    For troubleshooting help here, see the [“Check the Status of Your Request”](https://developer.apple.com/documentation/xcode/notarizing_your_app_before_distribution/customizing_the_notarization_workflow?language=objc#3087732) section of Apple’s docs.
+
+6. “Staple” the notarization to the bundle:
+
+    ```sh
+    # Note this runs against the actual bundle, NOT the zip
+    # we uploaded when notarizing.
+    $ xcrun stapler staple editorconfig-textmate.tmplugin
+    ```
+
+7. Finally, zip up the notarized & stapled bundle and upload that to GitHub releases. Whew!
+
+You can verify the code signature with:
+
+```sh
+$ codesign --verify --deep --strict --verbose=2 editorconfig-textmate.tmplugin
+# Results in:
+# editorconfig-textmate.tmplugin: valid on disk
+# editorconfig-textmate.tmplugin: satisfies its Designated Requirement
+```
+
+And then verify that it is properly notarized for GateKeeper with:
+
+```sh
+$ spctl -a -t install -vv editorconfig-textmate.tmplugin
+# Results in:
+# editorconfig-textmate.tmplugin: accepted
+# source=Notarized Developer ID
+# origin=Developer ID Application: Rob Brackett (ABCXYZ)
+```
+
+
 License
 -------
 
-This plug-in is open source. It is copyright (c) 2012-2017 Rob Brackett and licensed under the MIT license. The full license text is in the `LICENSE` file.
+This plug-in is open source. It is copyright (c) 2012-2019 Rob Brackett and licensed under the MIT license. The full license text is in the `LICENSE` file.