mongodb/evergreen/macos_notary.py

import os
import platform
import shutil
import stat
import subprocess
import sys
import urllib.request
import zipfile

if platform.system().lower() != "darwin":
    print("Not a macos system, skipping macos signing.")
    sys.exit(0)

if len(sys.argv) < 2:
    print("Must provide at least 1 archive to sign.")
    sys.exit(1)

supported_archs = {"arm64": "arm64", "x86_64": "amd64"}
arch = platform.uname().machine.lower()

if arch not in supported_archs:
    print(f"Unsupported platform uname arch: {arch}, must be {supported_archs.keys()}")
    sys.exit(1)

macnotary_name = f"darwin_{supported_archs[arch]}"

if os.environ["project"] in ["mongodb-mongo-master-nightly", "mongo-release"]:
    signing_type = "notarizeAndSign"
else:
    signing_type = "sign"

macnotary_url = (
    f"https://macos-notary-1628249594.s3.amazonaws.com/releases/client/latest/{macnotary_name}.zip"
)
print(f"Fetching macnotary tool from: {macnotary_url}")
local_filename, headers = urllib.request.urlretrieve(macnotary_url, f"{macnotary_name}.zip")
with zipfile.ZipFile(f"{macnotary_name}.zip") as zipf:
    zipf.extractall()

st = os.stat(f"{macnotary_name}/macnotary")
os.chmod(f"{macnotary_name}/macnotary", st.st_mode | stat.S_IEXEC)

failed = False
archives = sys.argv[1:]

for archive in archives:
    archive_base, archive_ext = os.path.splitext(archive)
    unsigned_archive = f"{archive_base}_unsigned{archive_ext}"
    shutil.move(archive, unsigned_archive)

    signing_cmd = [
        f"./{macnotary_name}/macnotary",
        "-f",
        f"{unsigned_archive}",
        "-m",
        f"{signing_type}",
        "-u",
        "https://dev.macos-notary.build.10gen.cc/api",
        "-k",
        "server",
        "--entitlements",
        "etc/macos_entitlements.xml",
        "--verify",
        "--timeout",
        "30",
        "-b",
        "server.mongodb.com",
        "-i",
        f'{os.environ["task_id"]}',
        "-c",
        f'{os.environ["project"]}',
        "-o",
        f"{archive}",
    ]

    signing_env = os.environ.copy()
    signing_env["MACOS_NOTARY_SECRET"] = os.environ["macos_notarization_secret"]
    print(" ".join(signing_cmd))
    p = subprocess.Popen(
        signing_cmd, stdout=subprocess.PIPE, stderr=subprocess.STDOUT, env=signing_env
    )

    print(f"Signing tool completed with exitcode: {p.returncode}")
    for line in iter(p.stdout.readline, b""):
        print(f'macnotary: {line.decode("utf-8").strip()}')
    p.wait()

    if p.returncode != 0:
        failed = True
        shutil.move(unsigned_archive, archive)
    else:
        os.unlink(unsigned_archive)

if failed:
    exit(1)
SERVER-66461 added macos signing at evergreen archive step 2022-07-07 21:51:03 +02:00			`import os`
			`import platform`
			`import shutil`
			`import stat`
SERVER-94077 Use isort in Ruff configs (#27865) GitOrigin-RevId: e793d662774ccd3ab6c3f356c2287cf1f7ff9805 2024-10-10 19:59:18 +02:00			`import subprocess`
SERVER-66461 added macos signing at evergreen archive step 2022-07-07 21:51:03 +02:00			`import sys`
SERVER-94077 Use isort in Ruff configs (#27865) GitOrigin-RevId: e793d662774ccd3ab6c3f356c2287cf1f7ff9805 2024-10-10 19:59:18 +02:00			`import urllib.request`
			`import zipfile`
SERVER-66461 added macos signing at evergreen archive step 2022-07-07 21:51:03 +02:00
SERVER-90572: Enable python formatting checks for evergreen directory (#22291) GitOrigin-RevId: ec4a2cefe8cafee7bc9a5e91756c2e65f1ecf307 2024-05-17 19:35:24 +02:00			`if platform.system().lower() != "darwin":`
SERVER-66461 added macos signing at evergreen archive step 2022-07-07 21:51:03 +02:00			`print("Not a macos system, skipping macos signing.")`
			`sys.exit(0)`

Revert "SERVER-75033 Capture core dumps from test failures on macOS" This reverts commit d6072dc2c6a08dca78ece915ad2868dcfb5c26ab. GitOrigin-RevId: 46a18f2bf208191c2e48357043a879de3f2435b6 2023-12-14 21:07:42 +01:00			`if len(sys.argv) < 2:`
			`print("Must provide at least 1 archive to sign.")`
			`sys.exit(1)`

SERVER-90572: Enable python formatting checks for evergreen directory (#22291) GitOrigin-RevId: ec4a2cefe8cafee7bc9a5e91756c2e65f1ecf307 2024-05-17 19:35:24 +02:00			`supported_archs = {"arm64": "arm64", "x86_64": "amd64"}`
SERVER-66461 added macos signing at evergreen archive step 2022-07-07 21:51:03 +02:00			`arch = platform.uname().machine.lower()`

			`if arch not in supported_archs:`
			`print(f"Unsupported platform uname arch: {arch}, must be {supported_archs.keys()}")`
			`sys.exit(1)`

SERVER-90572: Enable python formatting checks for evergreen directory (#22291) GitOrigin-RevId: ec4a2cefe8cafee7bc9a5e91756c2e65f1ecf307 2024-05-17 19:35:24 +02:00			`macnotary_name = f"darwin_{supported_archs[arch]}"`
SERVER-66461 added macos signing at evergreen archive step 2022-07-07 21:51:03 +02:00
SERVER-90725 notarizeAndSign macos release builds (#22428) GitOrigin-RevId: c1f23bd267ed8c4e97cf3424e1e3926a99c3720f 2024-05-22 22:21:53 +02:00			`if os.environ["project"] in ["mongodb-mongo-master-nightly", "mongo-release"]:`
SERVER-90572: Enable python formatting checks for evergreen directory (#22291) GitOrigin-RevId: ec4a2cefe8cafee7bc9a5e91756c2e65f1ecf307 2024-05-17 19:35:24 +02:00			`signing_type = "notarizeAndSign"`
Revert "SERVER-75033 Capture core dumps from test failures on macOS" This reverts commit d6072dc2c6a08dca78ece915ad2868dcfb5c26ab. GitOrigin-RevId: 46a18f2bf208191c2e48357043a879de3f2435b6 2023-12-14 21:07:42 +01:00			`else:`
SERVER-90572: Enable python formatting checks for evergreen directory (#22291) GitOrigin-RevId: ec4a2cefe8cafee7bc9a5e91756c2e65f1ecf307 2024-05-17 19:35:24 +02:00			`signing_type = "sign"`
Revert "SERVER-75033 Capture core dumps from test failures on macOS" This reverts commit d6072dc2c6a08dca78ece915ad2868dcfb5c26ab. GitOrigin-RevId: 46a18f2bf208191c2e48357043a879de3f2435b6 2023-12-14 21:07:42 +01:00
SERVER-90572: Enable python formatting checks for evergreen directory (#22291) GitOrigin-RevId: ec4a2cefe8cafee7bc9a5e91756c2e65f1ecf307 2024-05-17 19:35:24 +02:00			`macnotary_url = (`
			`f"https://macos-notary-1628249594.s3.amazonaws.com/releases/client/latest/{macnotary_name}.zip"`
			`)`
			`print(f"Fetching macnotary tool from: {macnotary_url}")`
			`local_filename, headers = urllib.request.urlretrieve(macnotary_url, f"{macnotary_name}.zip")`
			`with zipfile.ZipFile(f"{macnotary_name}.zip") as zipf:`
SERVER-66461 added macos signing at evergreen archive step 2022-07-07 21:51:03 +02:00			`zipf.extractall()`

SERVER-90572: Enable python formatting checks for evergreen directory (#22291) GitOrigin-RevId: ec4a2cefe8cafee7bc9a5e91756c2e65f1ecf307 2024-05-17 19:35:24 +02:00			`st = os.stat(f"{macnotary_name}/macnotary")`
			`os.chmod(f"{macnotary_name}/macnotary", st.st_mode \| stat.S_IEXEC)`
SERVER-66461 added macos signing at evergreen archive step 2022-07-07 21:51:03 +02:00
			`failed = False`
Revert "SERVER-75033 Capture core dumps from test failures on macOS" This reverts commit d6072dc2c6a08dca78ece915ad2868dcfb5c26ab. GitOrigin-RevId: 46a18f2bf208191c2e48357043a879de3f2435b6 2023-12-14 21:07:42 +01:00			`archives = sys.argv[1:]`

			`for archive in archives:`
			`archive_base, archive_ext = os.path.splitext(archive)`
SERVER-90572: Enable python formatting checks for evergreen directory (#22291) GitOrigin-RevId: ec4a2cefe8cafee7bc9a5e91756c2e65f1ecf307 2024-05-17 19:35:24 +02:00			`unsigned_archive = f"{archive_base}_unsigned{archive_ext}"`
Revert "SERVER-75033 Capture core dumps from test failures on macOS" This reverts commit d6072dc2c6a08dca78ece915ad2868dcfb5c26ab. GitOrigin-RevId: 46a18f2bf208191c2e48357043a879de3f2435b6 2023-12-14 21:07:42 +01:00			`shutil.move(archive, unsigned_archive)`

			`signing_cmd = [`
SERVER-90572: Enable python formatting checks for evergreen directory (#22291) GitOrigin-RevId: ec4a2cefe8cafee7bc9a5e91756c2e65f1ecf307 2024-05-17 19:35:24 +02:00			`f"./{macnotary_name}/macnotary",`
			`"-f",`
			`f"{unsigned_archive}",`
			`"-m",`
			`f"{signing_type}",`
			`"-u",`
			`"https://dev.macos-notary.build.10gen.cc/api",`
			`"-k",`
			`"server",`
			`"--entitlements",`
			`"etc/macos_entitlements.xml",`
			`"--verify",`
SERVER-96000: increase macnotary timeout to 30 minutes (#28193) GitOrigin-RevId: ab5a660466a51899289338dad3b5f7968aaff377 2024-10-18 23:34:23 +02:00			`"--timeout",`
			`"30",`
SERVER-90572: Enable python formatting checks for evergreen directory (#22291) GitOrigin-RevId: ec4a2cefe8cafee7bc9a5e91756c2e65f1ecf307 2024-05-17 19:35:24 +02:00			`"-b",`
			`"server.mongodb.com",`
			`"-i",`
SERVER-88027 Add coverage to pylinters to lint the evergreen subdirectory (#20845) GitOrigin-RevId: 637f7178c437d234ccfbd1fbf8d5d2ea977a4a91 2024-04-06 00:45:32 +02:00			`f'{os.environ["task_id"]}',`
SERVER-90572: Enable python formatting checks for evergreen directory (#22291) GitOrigin-RevId: ec4a2cefe8cafee7bc9a5e91756c2e65f1ecf307 2024-05-17 19:35:24 +02:00			`"-c",`
SERVER-88027 Add coverage to pylinters to lint the evergreen subdirectory (#20845) GitOrigin-RevId: 637f7178c437d234ccfbd1fbf8d5d2ea977a4a91 2024-04-06 00:45:32 +02:00			`f'{os.environ["project"]}',`
SERVER-90572: Enable python formatting checks for evergreen directory (#22291) GitOrigin-RevId: ec4a2cefe8cafee7bc9a5e91756c2e65f1ecf307 2024-05-17 19:35:24 +02:00			`"-o",`
			`f"{archive}",`
Revert "SERVER-75033 Capture core dumps from test failures on macOS" This reverts commit d6072dc2c6a08dca78ece915ad2868dcfb5c26ab. GitOrigin-RevId: 46a18f2bf208191c2e48357043a879de3f2435b6 2023-12-14 21:07:42 +01:00			`]`

			`signing_env = os.environ.copy()`
SERVER-90572: Enable python formatting checks for evergreen directory (#22291) GitOrigin-RevId: ec4a2cefe8cafee7bc9a5e91756c2e65f1ecf307 2024-05-17 19:35:24 +02:00			`signing_env["MACOS_NOTARY_SECRET"] = os.environ["macos_notarization_secret"]`
			`print(" ".join(signing_cmd))`
			`p = subprocess.Popen(`
			`signing_cmd, stdout=subprocess.PIPE, stderr=subprocess.STDOUT, env=signing_env`
			`)`
Revert "SERVER-75033 Capture core dumps from test failures on macOS" This reverts commit d6072dc2c6a08dca78ece915ad2868dcfb5c26ab. GitOrigin-RevId: 46a18f2bf208191c2e48357043a879de3f2435b6 2023-12-14 21:07:42 +01:00
			`print(f"Signing tool completed with exitcode: {p.returncode}")`
SERVER-90572: Enable python formatting checks for evergreen directory (#22291) GitOrigin-RevId: ec4a2cefe8cafee7bc9a5e91756c2e65f1ecf307 2024-05-17 19:35:24 +02:00			`for line in iter(p.stdout.readline, b""):`
Revert "SERVER-75033 Capture core dumps from test failures on macOS" This reverts commit d6072dc2c6a08dca78ece915ad2868dcfb5c26ab. GitOrigin-RevId: 46a18f2bf208191c2e48357043a879de3f2435b6 2023-12-14 21:07:42 +01:00			`print(f'macnotary: {line.decode("utf-8").strip()}')`
			`p.wait()`

			`if p.returncode != 0:`
			`failed = True`
			`shutil.move(unsigned_archive, archive)`
			`else:`
			`os.unlink(unsigned_archive)`
SERVER-66461 added macos signing at evergreen archive step 2022-07-07 21:51:03 +02:00
			`if failed:`
			`exit(1)`