Notarize MacOS DMG on GHA and Azure - Azure Python to 3.8 (#595)

* Attempt to Notarize .dmg on GHA and Azure

* Add missing env vars

* Better ci mgmt 

* Try Python 3.8 on Mojave

* Fix dmg filename

.github/workflows/build-macos-installer.yml

@@ -89,6 +89,10 @@ jobs:
         node-version: '12.x'
 
     - name: Build MacOS DMG in Catalina
+      env:
+        NOTARIZE: ${{ steps.check_secrets.outputs.HAS_SECRET }}
+        APPLE_NOTARIZE_USERNAME: "${{ secrets.APPLE_NOTARIZE_USERNAME }}"
+        APPLE_NOTARIZE_PASSWORD: "${{ secrets.APPLE_NOTARIZE_PASSWORD }}"
       run: |
         . ./activate
         clang --version

azure-pipelines.yml

@@ -12,15 +12,18 @@ trigger:
     - "*"
 
 pool:
-  vmImage: "macOS-10.14"
+  vmImage: "macOS-10.15"
 strategy:
   matrix:
     Mojave DMG:
-      python.version: "3.7"
+      python.version: "3.8"
 #    Python38:
 #      python.version: '3.8'  # Disabled 3.8 because artifact names conflict
 #                               Also, installer can target one verison
 
+variables:
+  - group: Apple-Notarize-Variables
+
 steps:
   - task: UsePythonVersion@0
     inputs:
@@ -85,11 +88,13 @@ steps:
 #      py.test tests -s -v
 #    displayName: "pytest"
 
-  - script: |
+  - bash: |
       . ./activate
+      export NOTARIZE="true"
+      export APPLE_NOTARIZE_USERNAME="$(APPLE_NOTARIZE_USERNAME)"
+      export APPLE_NOTARIZE_PASSWORD="$(APPLE_NOTARIZE_PASSWORD)"
       cd build_scripts
       sh build_macos.sh
-      ls -l final_installer
     displayName: "Build DMG with build_scripts/build_macos.sh"
 
   - task: PublishPipelineArtifact@1

build_scripts/build_macos.sh

@@ -1,6 +1,8 @@
 #!/bin/bash
 pip install setuptools_scm
 # The environment variable CHIA_INSTALLER_VERSION needs to be defined
+# If the env variable NOTARIZE and the username and password variables are
+# set, this will attempt to Notarize the signed DMG
 CHIA_INSTALLER_VERSION=$(python installer-version.py)
 
 if [ ! "$CHIA_INSTALLER_VERSION" ]; then
@@ -13,6 +15,7 @@ echo "Installing npm and electron packagers"
 npm install electron-installer-dmg -g
 npm install electron-packager -g
 npm install electron/electron-osx-sign -g
+npm install notarize-cli -g
 
 echo "Create dist/"
 sudo rm -rf dist
@@ -33,13 +36,47 @@ if [ "$LAST_EXIT_CODE" -ne 0 ]; then
 	echo >&2 "npm run build failed!"
 	exit $LAST_EXIT_CODE
 fi
-electron-packager . Chia --asar.unpack="**/daemon/**" --platform=darwin --icon=src/assets/img/Chia.icns --overwrite --app-bundle-id=net.chia.blockchain --appVersion=$CHIA_INSTALLER_VERSION
-electron-osx-sign Chia-darwin-x64/Chia.app --platform=darwin --hardened-runtime=true --provisioning-profile=chiablockchain.provisionprofile --entitlements=entitlements.mac.plist --entitlements-inherit=entitlements.mac.plist --no-gatekeeper-assess
+electron-packager . Chia --asar.unpack="**/daemon/**" --platform=darwin \
+--icon=src/assets/img/Chia.icns --overwrite --app-bundle-id=net.chia.blockchain \
+--appVersion=$CHIA_INSTALLER_VERSION
+
+electron-osx-sign Chia-darwin-x64/Chia.app --platform=darwin \
+--hardened-runtime=true --provisioning-profile=chiablockchain.provisionprofile \
+--entitlements=entitlements.mac.plist --entitlements-inherit=entitlements.mac.plist \
+--no-gatekeeper-assess
+
 mv Chia-darwin-x64 ../build_scripts/dist/
 cd ../build_scripts || exit
 
-echo "Create .dmg"
+DMG_NAME="Chia-$CHIA_INSTALLER_VERSION.dmg"
+echo "Create $DMG_NAME"
 mkdir final_installer
-electron-installer-dmg dist/Chia-darwin-x64/Chia.app Chia-$CHIA_INSTALLER_VERSION --overwrite --out final_installer
-echo "ls -l"
-ls -l
+electron-installer-dmg dist/Chia-darwin-x64/Chia.app Chia-$CHIA_INSTALLER_VERSION \
+--overwrite --out final_installer
+
+if [ "$NOTARIZE" ]; then
+	echo "Notarize $DMG_NAME on ci"
+	cd final_installer
+  notarize-cli --file=$DMG_NAME --bundle-id net.chia.blockchain \
+	--username $APPLE_NOTARIZE_USERNAME --password $APPLE_NOTARIZE_PASSWORD
+  echo "Notarization step complete"
+else
+	echo "Not on ci so skipping Notarize"
+fi
+
+# Notes on how to manually notarize
+#
+# Ask for username and password - password should be an app specific password
+# Generate app specific password https://support.apple.com/en-us/HT204397
+# xcrun altool --notarize-app -f Chia-0.1.X.dmg --primary-bundle-id net.chia.blockchain -u username -p password
+# xcrun altool --notarize-app; -should return REQUEST-ID, use it in next command
+#
+# Wait until following command return a success message"
+# watch -n 20 'xcrun altool --notarization-info  {REQUEST-ID} -u username -p password'
+# It can take a while, run it every few minutes
+#
+# Once that is successful, execute the following command"
+# xcrun stapler staple Chia-0.1.X.dmg
+#
+# Validate DMG
+# xcrun stapler validate Chia-0.1.X.dmg

build_scripts/macos_notarize_build.txt

@@ -1,18 +0,0 @@
-#!/bin/bash
-# How to notarize
-
-echo "Ask for username and password - password should be an app specific password"
-# Generate app specific password https://support.apple.com/en-us/HT204397
-xcrun altool --notarize-app -f Chia-0.1.X.dmg --primary-bundle-id net.chia.blockchain -u username -p password
-echo "xcrun altool --notarize-app; -should return REQUEST-ID, use it in next command"
-
-echo "Wait until following command return a success message"
-watch -n 20 'xcrun altool --notarization-info  {REQUEST-ID} -u username -p password'
-echo "It can take a while, run it every few minutes"
-
-
-echo "Once that is successful, execute the following command"
-xcrun stapler staple Chia-0.1.X.dmg
-
-echo "Validate DMG"
-xcrun stapler validate Chia-0.1.X.dmg