From 43d50d818cef4fc05df0f0b11d580e6f7b77a929 Mon Sep 17 00:00:00 2001
From: Rod Vagg
Date: Wed, 22 Jan 2020 14:38:11 +1100
Subject: [PATCH 1/3] build: macOS package notarization
Ref: https://github.com/nodejs/node/issues/29216
Includes hardened-runtime patch from gdams from https://github.com/nodejs/node/issues/29216#issuecomment-546932966
---
 .gitignore | 1 +
 Makefile | 1 +
 tools/osx-codesign.sh | 11 +++++++++-
 tools/osx-entitlements.plist | 16 +++++++++++++++
 tools/osx-gon-config.json.tmpl | 12 +++++++++++
 tools/osx-notarize.sh | 37 ++++++++++++++++++++++++++++++++++
 6 files changed, 77 insertions(+), 1 deletion(-)
 create mode 100644 tools/osx-entitlements.plist
 create mode 100644 tools/osx-gon-config.json.tmpl
 create mode 100755 tools/osx-notarize.sh
diff --git a/.gitignore b/.gitignore
index 160b96f74a59ab..425a5ddbec0fca 100644
--- a/.gitignore
+++ b/.gitignore
@@ -33,6 +33,7 @@
 /doc/api.xml
 /node
 /node_g
+/gon-config.json
 /*.exe
 /*.swp
 /out
diff --git a/Makefile b/Makefile
index 4ebb16cdfd0672..3a97f15fc3c6a4 100644
--- a/Makefile
+++ b/Makefile
@@ -1003,6 +1003,7 @@ $(PKG): release-only
 --resources $(MACOSOUTDIR)/installer/productbuild/Resources \
 --package-path $(MACOSOUTDIR)/pkgs ./$(PKG)
 SIGN="$(PRODUCTSIGN_CERT)" PKG="$(PKG)" bash tools/osx-productsign.sh
+ bash tools/osx-notarize.sh $(FULLVERSION)
 .PHONY: pkg
 # Builds the macOS installer for releases.
diff --git a/tools/osx-codesign.sh b/tools/osx-codesign.sh
index 6a954c737fa4c5..7ca80ca7462c3d 100644
--- a/tools/osx-codesign.sh
+++ b/tools/osx-codesign.sh
@@ -8,4 +8,13 @@ if [ "X$SIGN" == "X" ]; then
 exit 0
 fi
-codesign -s "$SIGN" "$PKGDIR"/bin/node
+# All macOS executable binaries in the bundle must be codesigned with the
+# hardened runtime enabled.
+# See https://github.com/nodejs/node/pull/31459
+
+codesign \ --sign "$SIGN" \ --entitlements tools/osx-entitlements.plist \ --options runtime \ --timestamp \ "$PKGDIR"/bin/node 
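Review bot: The new header comment says all executable binaries in the bundle must be codesigned with the hardened runtime, but the command below it signs only `"$PKGDIR"/bin/node`; any other Mach-O file that ends up in the package keeps whatever signature it arrived with (the second patch in this series swaps in a signed build of the vendored `term-size` binary, which suggests such files exist), and an unsigned one would only be caught during the Apple notarization round-trip. Either narrow the comment to what the script actually does — `# bin/node is signed here with the hardened runtime; any other Mach-O binary in the package must already be signed.` — or follow the signing step with a verification pass (`codesign --verify --strict --verbose=2` on each Mach-O file under `$PKGDIR`, e.g. from `find "$PKGDIR" -type f -perm -u+x` filtered through `file`) so the build fails locally instead. `--entitlements tools/osx-entitlements.plist` is resolved against the working directory rather than the script location, so the script only works when invoked from the repository root; the Makefile hunk above does so, but `"$(dirname "$0")/osx-entitlements.plist"` would make that explicit. `--timestamp` also adds a call to Apple's timestamp service during signing, which is worth noting in the comment since the build now needs outbound network access at this step.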
diff --git a/tools/osx-entitlements.plist b/tools/osx-entitlements.plist
new file mode 100644
index 00000000000000..555c10f7ff8607
--- /dev/null
+++ b/tools/osx-entitlements.plist
@@ -0,0 +1,16 @@
+
+
+
+
+ com.apple.security.cs.allow-jit
+
+ com.apple.security.cs.allow-unsigned-executable-memory
+
+ com.apple.security.cs.disable-executable-page-protection
+
+ com.apple.security.cs.allow-dyld-environment-variables
+
+ com.apple.security.cs.disable-library-validation
+
+
+
diff --git a/tools/osx-gon-config.json.tmpl b/tools/osx-gon-config.json.tmpl
new file mode 100644
index 00000000000000..3ea16465fc1de5
--- /dev/null
+++ b/tools/osx-gon-config.json.tmpl
@@ -0,0 +1,12 @@
+{
+ "notarize": [{
+ "path": "node-{{pkgid}}.pkg",
+ "bundle_id": "org.nodejs.pkg.{{pkgid}}",
+ "staple": true
+ }],
+
+ "apple_id": {
+ "username": "{{appleid}}",
+ "password": "@env:NOTARIZATION_PASSWORD"
+ }
+}
diff --git a/tools/osx-notarize.sh b/tools/osx-notarize.sh
new file mode 100755
index 00000000000000..97bb0912722495
--- /dev/null
+++ b/tools/osx-notarize.sh 
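Review bot: The entitlements file grants five hardened-runtime exceptions — `allow-jit`, `allow-unsigned-executable-memory`, `disable-executable-page-protection`, `allow-dyld-environment-variables` and `disable-library-validation` (the XML markup is lost in this view; presumably each key is followed by `<true/>`) — with no comment saying which feature requires which one. In effect `disable-library-validation` together with `allow-dyld-environment-variables` lets a user inject arbitrary unsigned dylibs into the signed `node` binary through `DYLD_INSERT_LIBRARIES`, which gives back much of what the hardened runtime was meant to take away, so the choice deserves to be written down in the file. Add a one-line XML comment above each key naming its justification, e.g. `<!-- V8 emits machine code at runtime -->` above `allow-jit` and `<!-- native addons (.node files) come from unsigned third-party builds -->` above `disable-library-validation`, and drop any key nobody can justify after re-running the test suite against the signed binary. `disable-executable-page-protection` is the broadest of the five and is the first one worth re-testing without, since nothing in this patch says what needs it.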
@@ -0,0 +1,37 @@
+#!/bin/bash
+
+# Uses gon, from https://github.com/mitchellh/gon, to notarize a generated node-.pkg file
+# with Apple for installation on macOS Catalina and later as validated by Gatekeeper.
+
+set -e
+
+gon_version="0.2.2"
+gon_exe="${HOME}/.gon/gon_${gon_version}"
+
+__dirname="$(CDPATH= cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+pkgid="$1"
+
+if [ "X${pkgid}" == "X" ]; then
+ echo "Usage: $0 "
+ exit 1
+fi
+
+if [ "X$NOTARIZATION_ID" == "X" ]; then
+ echo "No NOTARIZATION_ID environment var. Skipping notarization."
+ exit 0
+fi
+
+set -x
+
+mkdir -p "${HOME}/.gon/"
+
+if [ ! -f "${gon_exe}" ]; then
+ curl -sL "https://github.com/mitchellh/gon/releases/download/v${gon_version}/gon_${gon_version}_macos.zip" -o "${gon_exe}.zip"
+ (cd "${HOME}/.gon/" && rm -f gon && unzip "${gon_exe}.zip" && mv gon "${gon_exe}")
+fi
+
+cat tools/osx-gon-config.json.tmpl \ | sed -e "s/{{appleid}}/${NOTARIZATION_ID}/" -e "s/{{pkgid}}/${pkgid}/" \ > gon-config.json
+
+"${gon_exe}" -log-level=info gon-config.json
From 7204e910b9bb4697c061d69b7467d91adc74bb00 Mon Sep 17 00:00:00 2001
From: Rod Vagg
Date: Thu, 30 Jan 2020 21:29:43 +1100
Subject: [PATCH 2/3] deps: update term-size with signed version
Ref: https://github.com/sindresorhus/macos-term-size/pull/3
---
 .../term-size/vendor/macos/term-size | Bin 8760 -> 27264 bytes
 1 file changed, 0 insertions(+), 0 deletions(-) 
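Review bot: The `gon` binary fetched by `curl -sL` inside the `if [ ! -f "${gon_exe}" ]` block is executed without any integrity check, so whatever the release CDN (or anything on the path to it) returns is run on the machine that holds the Apple notarization credentials, and the copy cached in `~/.gon/` is trusted on every later run. Pin the SHA-256 of the release archive next to `gon_version` and verify it before `unzip`, and add `-f` to `curl` so an HTTP error body is not saved as the archive (the placeholder below must be replaced with the digest published for the v0.2.2 release; none is invented here). Two smaller points: `set -x` is switched on before the `sed` line, so the Apple ID in `NOTARIZATION_ID` is printed into the build log (the password stays out of it because the template reads `@env:NOTARIZATION_PASSWORD`), and `gon-config.json` is left behind in the repository root after the run — a `trap 'rm -f gon-config.json' EXIT` after it is written would clean that up. `__dirname` is computed but never used; pointing the template at `"${__dirname}/osx-gon-config.json.tmpl"` would remove the script's dependence on being invoked from the repository root.

```shell
gon_version="0.2.2"
# SHA-256 of gon_${gon_version}_macos.zip as published on the gon release page;
# update it together with gon_version.
gon_sha256="<sha256 of gon_0.2.2_macos.zip>"
gon_exe="${HOME}/.gon/gon_${gon_version}"
# … unchanged: __dirname, argument and NOTARIZATION_ID checks, set -x, mkdir …
if [ ! -f "${gon_exe}" ]; then
  curl -fsSL "https://github.com/mitchellh/gon/releases/download/v${gon_version}/gon_${gon_version}_macos.zip" -o "${gon_exe}.zip"
  # Refuse to unpack (and later execute) a download whose digest does not match the pinned one.
  echo "${gon_sha256}  ${gon_exe}.zip" | shasum -a 256 -c - || { echo "gon archive failed checksum verification" >&2; exit 1; }
  (cd "${HOME}/.gon/" && rm -f gon && unzip "${gon_exe}.zip" && mv gon "${gon_exe}")
fi
```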
diff --git a/deps/npm/node_modules/term-size/vendor/macos/term-size b/deps/npm/node_modules/term-size/vendor/macos/term-size index e383cc737f8e232aecd06a8492657b28d5fb9f1c..c32a1fdc1b073bb41e9ddbabbd694a741ed67abc 100755 GIT binary patch literal 27264 zcmeHNcUV(N*H1!dp-T}d5~@hc4Mn8)CRHgSh#@2qA|){i0ydhWC<>xjKoP~d0v155 z*s!uH_Kt|af+#8$%A$NTA(6nkyYKV;vHO+Glesfz=FFM7zqxbf%$eLCeD_@(g+hy< zP#G8$3MCIBUKE8|iNb>%3N;BtZxBhOAQvx>2#;BTuykxdk0pOfK{<~BBZ(B^5gsy@ zh1(u>EEsq+7z&CXVKs@wp`~(08OO_$mjy2asvq-MAdMYmheU=TNg}a1$uaC7MdRgl z^5p69IQTTbfdo&U7_VSN9x0BNz@)K2*?4)GACRFFu?Nh$OsDv6#npTVWa&c_j+JUHhtKzh84k(!YwoY(2xd3ARQ zaS^Bi^EYN*`SZ(5!S{yZN7#x)N=hKH(-LDC2_z1}qyC9z&e?Sz@DF<_O~{^W4$AN#qCrH-0>nUs`4KE9V2nUsus=ia{!k8F=Yj$D zI~_z=2j2lb*ap-9dUPycJi%#f4lU8l)eMY_9s`&_FaQzCzlI;db1IL9c)_3vBCL1T z0g=B*V1+OU5fCCEL_mmu5CI_qLInPoA`t4G+wL;kB`i3|d!2(du)ONA87LI-eCIvz zLfQSp9G~1v9>lNS>q1-V<2Vw|xmQ8mQBdcSdo}lEX9>(@4-a#^z1NB!0nNSFPM50- zZI!F@Z}DDdWd%wA{}RB}O#&P_fc9I9bj||>YgIdE!(@7A5=a2^MaZQGxT1Mn(4GTa z#1SrNd;zZWAo0uX%YEvddjW{X1Jb1)G(frMe(=t2kcf1d=R%6QG^}q93WxPAxzB0b zCp@)Udl_TcHaPV*gX9z3l74WtEe;DPGu7#<#ugQu#l=P;)Mb9Z6R80N0Q92{6z zJQr02J{yPfqH#EohZ9G` zv+0Xzf8@}o;=m6G2g5|cA;2J*LK_#_z?L9|v5RL9!#uQ|r9n%1Zfg{Zj23}n{-dD5 zI}aN0QiPY<@=|wR8o*2cBcVbjAp$}Kga`-`5F#K%K!|`40U-iH1cV3(5fCCEMBpDq zKtTu3y*gHKCc&#~DviZrqGqxr3V1XlnZraCIK!Je?oBx<23#J4o9zPLC|P)JOVEq~ z3t5JMq$DudG)N$Tn9l^a*PQu~oDN7jgThIGgfk!*z&8T(-XITdx%oo4qR}L9?~frR z#*t{LG)gju2JY0!uxIT=GCc{U4;>yNr~0y8=Ssle2ZWVy4-o2MT$#G9LuSs9&=KTJIs(P$WKmOhU{>BFJ(ueR}8HE9FI)Z#H;E5jLgY9&j@fhw^F(~4O1^mokq-Ydw#L2~>u@X(8 z-wfp)Zf$L0<2Btg993H<_1@v5!az=`XZ?&<1$Wvia0$6-N!7DV7VaB(Wo7Xfg1J@K zpX}9pBatjw!musost3Nfuzn*|F0?`0blw}KH<2Fd$I2_Z zyH%_|h?(8gyskg=+1HJ;(E0Y(ly3_M=XRY-OYyxj7!j1o*jcXH7qfve=~Ng11wv5) zB1|E8N}voRsI4HvGWbovd6yi0K|qa^19uy@9wGpFaYi}bIeiqW7-sZe5HQDc1CG|C zWkBgjfOq~d;MmDA3uqLMSzsua=E@U*5;fQ?1akMMMD-I7OTblbJxn`y^4!hz5urER<5z94U08u{iYkbPAb6XC&cW zk~wh<7M+tuR6&#=pNOK&2;VFQgM)W-K_*X>A(|uR2+`b}Xil_>m?&dzEkGh^L{r3= 
z+frK3owkUU0CW@!@8gdDvyS)!lKz_k@!v*T@NER&7s*2F2qFTY6v;x%p+GqflZ8g3 zau)@PMHajC?A0~Kl#?E@oz7bwS-S$~B&L_XzsRXOP!Pf0(XrB$A%*Y zTAFW{9G+LUz`^Ta_ynR8evx6KrpA$r0Sa`3wT%y(6tb=d$bAgsG(C~nK|$4^YTxZn1`4_1}*FqL?6*D(=OA> z(TwA8n6?B0g_U4NhToqVg^@^LfzQYc6d|&ZUk>(w1s`<|A}=Pe0uyB z1P$GVrldQUH`e!*tYOl!cBs5olb@Jtdf?_a>C|u^X~T4j9@Jv>nne}IYflHhJfObg z+N3Qrq{3ne7afmRH)Pv>NJ->0nCZ^!Dc&o>i2l6Sd%xJl(-Ey&TAm)u+qQg}B43Bs z0Xz58D?!PZ9rW{~%28cAr{#Iur0gEgLG0!ufE8s(0uSYzC;baud%`e&tM*RLL+%~Znx!jID9hpF;u(u z{Z{Qs*(dWf9yU7E+E#v+lSLIu9o1Gb<2($Ihdj@p-&xr-c%2SIVaA zrXwpo3%wZVzD47fn%Ex~_oy=X>C*n&wV#EC8;vF&n}wDDJ%X(YjpFT06sjm1$?Qdp z#3YQx(4wN^7_`b{s2SKmHKe4Z2&e|GlAw?YNam#<%orr|xLRiQELsAcoJ67F!4}1d zqqFgpAG;O}ACrbBC#B(;WEKbH*zDv)8XHfhP-slfNSpcGdqHqFn1qLYfW0mT?1pSm zOC__YcxW7e21!&rg^@(1!+nsAXUxYZvuP${I$|h{b zc2(rFGo!DlM@kY3kM+BIe~6x5s{F;lAQr#IVnLrw*6rr*a>79Hf=KFlibYDFt++{8 z_ft7-*{7%2lLBj>OiRD8D)h0bWNjo%^axO4TX|-TQexGV`8~fe1fhav%)e+t0PDsafwm1| zVTmAI>&8leL^5|0)eu!NoMfRv?#5mdDjF?~8#VNZu81>O2v`wmn=z&jw4itvmMuPj zL8X~3VB96rT3v>tBBt`KHmNa!)sab1Fiv{HADfRc`oPlrYa^(RINLBy+QZo7 zO4C`=j(+*h0r|tIm#d5y-_$_SD~Y64B2c z9++8Zy!Q3^)2ns5cQj^q#G&X#6*BYX%U18bm8Y+>1l#!S#=N41Mjg+>3MoksA6tDt z)nRQ}L|i#{#j6+opPBVuLq|N0Y8#?lC0Hx6mp&Ayi7UTyZ5ax^?vkdQS3mfo>~{79 zvc)yI)OM3^N7Edw-ZQN~EM@GTe)RC?Ck7=>HMXB9*C>4zXjhKhRLZNO;+%XUo4jco zO}sK^Pp|KwjhLVB@|pQtGz?yyY}L_TrYe2)KISuKgYDh3YNEyS%?IgE6ff{pBSsO} z({hM3)LUFT2ZNx-7&$*Ri=6q235~{Df=v(M(+E08k7w^NC~T&HR)ZvBVG91uK&OIz zGYidCwop|n0YV-`=`pJE`*`&y{l8QFP2)oY6uuD;nz8zRREN^Y{9^|JQGqj}5A8x} z1jm;lA|hb0uCn;HE@dORVhe48XGe7R4e9dgaeJJ22AIkp<|JAhs~{~0PApc)baNYo z8zK-z0R|b^-Jh788SnF*q<@phpq6z<`0Eq>v9fB1=_Ld@idz}Yn$Dpyr` z-slb4mL0#USiQFDWWWluNowy8#vAmNlq-6Y(eqjt4)5}tu_kX&M2m(ZVumHVLs`513G1jA1f-iu&DOJiot=JoU^gA9h4dCBqn%1Dflizs9v|S zYR~CeAQn8EbJF~PFjLULjLMXL$e=sxq@|M$P+et3o8H z+G|ORQUW}DSZ5T2?^lGyon2=2bcNB}M(y`2B8KL#JH*g7&e-x`L+#C5_bMZv^m;K8 zzD`WKtD$7~2A@)-S>NK+aAA%au|iDwlxnlt&X_X0xho6hBi^tVz3WnFF_~FHc;C5Y z19CIW^MH{qW8;%`uY*gsQl2GVXsi3SuN&un>YS_EiqDE#K~j~p?yO>R!R-0lRPKc< 
z7q&<4{h|?Sb8BhDSGiI<8=PY!YyE%?b!K=bLc2|Gum0=FDo#zF5Zu?Fac0WYnYUr*7_v8Cumksq~Et z#p%h7884bq{TrvNh*o~1z6!Y9lpLLXzFaN4@L<%epy&P0Rp+~P6TkT1Rc#ACId$`G zv-c)n28Ys24{Kd&E$ziD-JzKk^u%tKkBZsu{^Fd{M;v;6%rDt{e*f5c*JIzC;EO8H z-fA9lYCZ8(6?G+j3UO84fXu^*%R^JvS3GcC)Uwg%kYDlM^WtB=8Wg+Tc6hmDFS!fr zwdvMkc{P7E&l#c`sgA1V4jzF!ruE#bwN&VTtx-D7?;2;+&So&5_d&GM#xz|CgsmD6{H z8}tvfPHpbh*a(_%olDTh5(NaSy6`mm0Wsto7Qi^s_^E<~2Spl%{C~t4`?*mi zfmlFeOABj)7$Jsb24#9V{M}-#(~iSmeO%AosJ9^G#k0V~k8>X$D)K&1ay!__W&6=( zW4#T)5*zEI=AMJ)KKI)GT5_SGG*3nM3eINBim8^KKFznH6g?OJe!xaGfAZVL{*u@$ zTOwmB({B~VUa;sitDNta6Qy(L%U$DmQ)#0x?eJ#UY`b)?tLK88qfnxV^FpJ<_X{@mhf z@>$&u|BB0UbtTQ)s~cp$cJ*jinNG<2TJ~$gOBHh3s@+qi&em-vuqHP~D~DyoI@}Bh zYMQ0n$2_mTAU3p7v`BaR$^g?$<-IAF?AL_ct6gELu5$VPq%-%~;-PN~EK6dV1v(gj!y0MN!uC0>GaBEJe4zZmHXB!>|U7m97`w2^C znT(?SS&4w+jSL&>r=_$nHI&Z<*L)JA@b_%KNuK&_`{~vUI#qO=XUkKo2Ab;RD=Os^ z$TenPKIF>eJ$LvjcAJr-?U9@%PMp$KEVy?JLQ?nzYllh z`Lx;L2ITj#EKZv=%!pv&Y=Ss143pAG%l98px*b*>maw<$LqpZT8~l3JtA?Cb3IALJ z*R*+GqhEW3@A`eF&%DAJ{wLqxXV*T(E_pp`XJh%KsEYWl38k%XIi~K8Eo4V=kL8xh z23ws=l1r~4?|jdt(s33+J4WYG0CZY{fQyZ2Xn6~%Z-4(a`%`C_3pYL}JI_+sQ z$f&iAe|V{Vz&!Js`EKu5>&40^wN*FT`MzxVRrc87t#`789{rJP#lKtWLXSSYyAyi! 
zg&zI?Q67C_7RCu!GIm_=(CUBJTEIyBI8TnAc*`>L5VapCW8fQ-8FK>u8}E?rXiF>+ z+?BuDxjIo^?{fZS5$x35%y8`&cq9<~+d<$oE=|-xzzqQcn9~E=`kLF-y_Y>cAv?cD zp?aHa(HTJ#kLS}kU3T?5{%o+8Ixed6`+=^gq2&buloA!BLrlF%wItF(6?^O!>(u)I zgWvWs)Rf4PSNb0obluHWvb*Hn@px{m*g=ABm)Ep&)j?b9Hx?|6oe~~jY}M(zwIQk9 zBV%cy+wA1sR>w%@MooV8GI{~W&_@QgCV0QY>F2$cJJ~G96uW$~g>ia)#R6(+mC4-Q zS53d-kP?^5$ENS^&)v7jX`fAPOV2{L4<(c%hj$#F7HSlxP$llYN2|$3uWHDyILfy% zKFz!*EqktKu^}SbF%6BeaaZwL=&>Jn!MXL~0-q~(j^WSSWsUF5NtpZGwMgn_QId`L zx%X06v`=KVcdvN1HhmxWA2Y&-5CI_qLIi{e2oVq>AVffjfDi#80zw3Y2nZ1nA|OOS uh=33QAp$}Kga`-`5F#K%K!|`40U-iH1cV3(5fCCEL_mmu5P|=n2>chn&~6a` delta 581 zcmZp;%DBTt^!%^4|JWHA7?~Lu8kiUu82EvhVWMa^Bm2aK=8U%|-gFmy!v~ZHimHI5 zfZ)w!Lq>Z+0ia5ds1I0-fk9w$BTzI3DjEb8jhTFraXBZ@0tTQ349t@+GO2Si2tafS zOy0<(Ik}5TPE`OV0y7K92dRevHXwszvMh6r1W*DD6d;rZ$jLy!K6xYad4=^_EX&;` z&8_yd3eT7OY#|A9FjxZ*7Xt$jPu{>{$z*(O@@p2?&EWzcI3^45@j6%oJ+Y6afq}vB zz>DiZ4V{OZfB!FWcQyRx(Hr_;Uq%UsgW-YB`!BWvOh5|P=%Hdg+>sC zo^XZxfGooUKAqn?Z@o~Qe34JwaKe98J)oxlss>=v2uzxQNi#5M0VI8TWf_5#WAJ~~ zkCP?%OD9j{cV~Pv`6j=+t^zb_w4k&Jl(vJ?9#A?6L~nL<-^@QrL7b6cvxGteqW~y2 USb!K9kRaeNxj|84@&UyP02%;+;{X5v From 8b5a1415f7bde2b135dde5f07dbd57f4b9bdabde Mon Sep 17 00:00:00 2001 From: Rod Vagg Date: Wed, 4 Mar 2020 12:14:43 +1100 Subject: [PATCH 3/3] doc: official macOS builds now on 10.15 + Xcode 11 --- BUILDING.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/BUILDING.md b/BUILDING.md index 7a923850e6e178..5c3923f2157c73 100644 --- a/BUILDING.md +++ b/BUILDING.md 
@@ -168,7 +168,7 @@ Binaries at are produced on:
 | Binary package | Platform and Toolchain |
 | --------------------- | ------------------------------------------------------------------------ |
 | aix-ppc64 | AIX 7.1 TL05 on PPC64BE with GCC 6 |
-| darwin-x64 (and .pkg) | macOS 10.11, Xcode Command Line Tools 10 with -mmacosx-version-min=10.10 |
+| darwin-x64 (and .pkg) | macOS 10.15, Xcode Command Line Tools 11 with -mmacosx-version-min=10.10 |
 | linux-arm64 | CentOS 7 with devtoolset-6 / GCC 6 |
 | linux-armv7l | Cross-compiled on Ubuntu 16.04 x64 with [custom GCC toolchain](https://github.com/rvagg/rpi-newer-crosstools) |
 | linux-ppc64le | CentOS 7 with devtoolset-6 / GCC 6 [7](#fn7) |