From 2c62651c8279f288d9668039da4a865e9a5d0b2a Mon Sep 17 00:00:00 2001
From: Alex Goodman
Date: Mon, 7 Feb 2022 16:55:15 -0500
Subject: [PATCH] run signing as post-build step (#803)
Signed-off-by: Alex Goodman
---
 .github/scripts/apple-signing/notarize.sh | 57 ++++----------------
 .github/scripts/apple-signing/sign.sh | 63 ++++------------------
 .goreleaser.yaml | 14 ++---
 Makefile | 2 +-
 4 files changed, 27 insertions(+), 109 deletions(-)
diff --git a/.github/scripts/apple-signing/notarize.sh b/.github/scripts/apple-signing/notarize.sh
index bc6e70a4e..7f8ec9a97 100755
--- a/.github/scripts/apple-signing/notarize.sh
+++ b/.github/scripts/apple-signing/notarize.sh
@@ -1,5 +1,4 @@
 #!/usr/bin/env bash
-set -ue
 set +xu
 if [ -z "$AC_USERNAME" ]; then
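Review bot: With `set -ue` removed and only `set +xu` left, notarize.sh no longer enables errexit itself, and the notarize() hunk further down (at -72) also drops the explicit `result="$?"` check after `gon`, so a failed notarization now aborts only because sign.sh — whose main() calls notarize and therefore appears to source this file — runs with `set -eu -o pipefail`. That dependency is invisible from this file; a comment beside `set +xu` would record it, e.g. `# no set -e here: this file is sourced by sign.sh, which already runs with set -eu -o pipefail; -u is off only until the AC_* checks below have run`. The `if [ -z "$AC_USERNAME" ]` check that follows is cut off at the end of the hunk.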
@@ -11,58 +10,30 @@ if [ -z "$AC_PASSWORD" ]; then
 fi
 set -u
-# repackage [archive-path]
-#
-# returns an archive compatible for Apple's notarization process, repackaging the input archive as needed
-#
-repackage() {
- archive=$1
-
- case "$archive" in
- *.tar.gz)
- new_archive=${archive%.tar.gz}.zip
- (
- tmp_dir=$(mktemp -d)
- cd "$tmp_dir"
- # redirect stdout to stderr to preserve the return value
- tar xzf "$archive" && zip "$new_archive" ./* 1>&2
- rm -rf "$tmp_dir"
- )
- echo "$new_archive"
- ;;
- *.zip)
- echo "$archive"
- ;;
- *) return 1
- ;;
- esac
-}
 # notarize [archive-path]
 #
 notarize() {
- archive_path=$1
+ binary_path=$1
+ archive_path=${binary_path}-archive-for-notarization.zip
- title "notarizing binaries found in the release archive"
+ title "archiving release binary into ${archive_path}"
- payload_archive_path=$(repackage "$archive_path")
- if [ "$?" != "0" ]; then
- exit_with_error "cannot prepare payload for notarization: $archive_path"
- fi
+ zip "${archive_path}" "${binary_path}"
- if [ ! -f "$payload_archive_path" ]; then
- exit_with_error "cannot find payload for notarization: $payload_archive_path"
+ if [ ! -f "$archive_path" ]; then
+ exit_with_error "cannot find payload for notarization: $archive_path"
 fi
 # install gon
 which gon || (brew tap mitchellh/gon && brew install mitchellh/gon/gon)
 # create config (note: json via stdin with gon is broken, can only use HCL from file)
- tmp_file=$(mktemp).hcl
+ hcl_file=$(mktemp).hcl
- cat < "$tmp_file"
+ cat < "$hcl_file"
 notarize {
- path = "$payload_archive_path"
+ path = "$archive_path"
 bundle_id = "com.anchore.toolbox.syft"
 }
@@ -72,14 +43,8 @@ apple_id {
 }
 EOF
- gon -log-level info "$tmp_file"
+ gon -log-level info "$hcl_file"
- result="$?"
-
- rm "$tmp_file"
-
- if [ "$result" -ne "0" ]; then
- exit_with_error "notarization failed"
- fi
+ rm "${hcl_file}" "${archive_path}"
 }
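Review bot: `hcl_file=$(mktemp).hcl` asks mktemp for one file and then writes the config to a differently named sibling, so the file mktemp created is never removed and the `.hcl` path is not created atomically; the line is new on this side, so it is worth fixing with `hcl_dir=$(mktemp -d)` and `hcl_file=$hcl_dir/gon.hcl`, removing the directory afterwards. The new `zip "${archive_path}" "${binary_path}"` also stores the binary under its directory path inside the zip, whereas the removed repackage() zipped from inside a scratch directory and produced a flat archive; if the notarization payload layout matters, `zip -j "${archive_path}" "${binary_path}"` keeps the old layout. The `apple_id` block of the generated HCL sits outside this hunk.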
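Review bot: `rm "${hcl_file}" "${archive_path}"` is reached only when `gon` succeeds; with the explicit `result="$?"` check gone, a failing `gon` exits through errexit (inherited from the calling script, since this file's own `set -ue` is removed in the first hunk) before the cleanup, leaving the generated HCL — whose `apple_id` block is outside this hunk but presumably carries the AC_USERNAME/AC_PASSWORD values checked at the top of the file — behind in the runner's temp directory. Register the cleanup when the file is created instead, `trap 'rm -f -- "${hcl_file}" "${archive_path}"' EXIT` right after `hcl_file=$(mktemp).hcl`, so it runs on every exit path. The step-specific failure message is also lost; `gon -log-level info "$hcl_file" || exit_with_error "notarization failed"` keeps it without reintroducing the `$?` bookkeeping.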
diff --git a/.github/scripts/apple-signing/sign.sh b/.github/scripts/apple-signing/sign.sh
index 00caaee5f..9231c58a5 100755
--- a/.github/scripts/apple-signing/sign.sh
+++ b/.github/scripts/apple-signing/sign.sh
@@ -1,8 +1,9 @@
 #!/usr/bin/env bash
-set -eu
+set -eu -o pipefail
-ARCHIVE_PATH="$1"
+BINARY_PATH="$1"
 IS_SNAPSHOT="$2"
+TARGET_NAME="$3"
 ## grab utilities
 SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
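Review bot: The script's calling convention changes to three positionals but nothing documents it, and `TARGET_NAME="$3"` is the only hint that a third argument is now required; under `set -u` a caller that omits it dies with a bare `$3: unbound variable`. A usage header after the shebang, e.g. `# usage: sign.sh <binary-path> <is-snapshot: true|false> <target>` followed by a line noting that .goreleaser.yaml's post-build hook passes `{{ .Path }} {{ .IsSnapshot }} {{ .Target }}` and that `SKIP_SIGNING` bypasses signing, would state the contract. `TARGET_NAME="${3:?usage: sign.sh <binary-path> <is-snapshot> <target>}"` turns the missing-argument case into a readable error.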
@@ -39,58 +40,14 @@ sign_binary() {
 fi
 codesign --verify "$exe_path" --verbose=4
-
- if [ $? -ne 0 ]; then
- exit_with_error "signing verification failed"
- fi
-}
-
-# sign_binaries_in_archive [archive-abs-path] [signing-identity]
-#
-# signs all binaries within an archive (there must be at least one)
-#
-sign_binaries_in_archive() {
- archive_abs_path=$1
- identity=$2
-
- scratch_path=$(mktemp -d)
- trap "rm -rf -- $scratch_path" EXIT
-
- title "getting contents from the release archive: $archive_abs_path"
- tar -C "$scratch_path" -xvf "$archive_abs_path"
-
- # invalidate the current archive, we only want an asset with signed binaries from this point forward
- rm "$archive_abs_path"
-
- title "signing binaries found in the release archive"
-
- discovered_binaries=0
- tmp_pipe=$(mktemp -ut pipe.XXX)
- mkfifo "$tmp_pipe"
-
- find "$scratch_path" -perm +111 -type f > "$tmp_pipe" &
-
- while IFS= read -r binary; do
- sign_binary "$binary" "$identity"
- ((discovered_binaries++))
- done < "$tmp_pipe"
-
- rm "$tmp_pipe"
-
- if [ "$discovered_binaries" = "0" ]; then
- exit_with_error "found no binaries to sign"
- fi
-
- title "recreating the release archive: $archive_abs_path"
- (cd "$scratch_path" && tar -czvf "$archive_abs_path" .)
 }
 main() {
- archive_abs_path=$(realpath "$ARCHIVE_PATH")
+ binary_abs_path=$(realpath "$BINARY_PATH")
- if [ ! -f "$archive_abs_path" ]; then
- echo "archive does not exist: $archive_abs_path"
+ if [ ! -f "$binary_abs_path" ]; then
+ echo "archive does not exist: $binary_abs_path"
 fi
 case "$IS_SNAPSHOT" in
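Review bot: The new-side `if [ ! -f "$binary_abs_path" ]; then echo "archive does not exist: $binary_abs_path"` still only prints — to stdout, and calling a binary an archive — and main() then proceeds to the identity lookup and `sign_binary`, so a missing build output is not treated as a failure at the point it is detected. Replace the echo with `exit_with_error "binary does not exist: $binary_abs_path"`, the helper the removed sign_binaries_in_archive() used. The `codesign --verify "$exe_path" --verbose=4` line at the top now depends on errexit, as its `$?` check is removed; that holds because the file sets `set -eu -o pipefail`. sign_binary() starts before this hunk and main() continues past it.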
@@ -115,11 +72,11 @@ main() {
 MAC_SIGNING_IDENTITY=$(cat "$SCRIPT_DIR/$SIGNING_IDENTITY_FILENAME")
 # sign all of the binaries in the archive and recreate the input archive with the signed binaries
- sign_binaries_in_archive "$archive_abs_path" "$MAC_SIGNING_IDENTITY"
+ sign_binary "$binary_abs_path" "$MAC_SIGNING_IDENTITY"
 # send all of the binaries off to apple to bless
 if $perform_notarization ; then
- notarize "$archive_abs_path"
+ notarize "$binary_abs_path"
 else
 commentary "skipping notarization..."
 fi
@@ -129,9 +86,9 @@ main() {
 ( (
 set +u
 if [ -n "$SKIP_SIGNING" ]; then
- commentary "skipping signing setup..."
+ commentary "skipping signing..."
 else
 set -u
 main
 fi
-) 2>&1) | tee "$SCRIPT_DIR/log/signing-$(basename $ARCHIVE_PATH).txt"
\ No newline at end of file
+) 2>&1) | tee "$SCRIPT_DIR/log/signing-$(basename $BINARY_PATH)-$TARGET_NAME.txt"
\ No newline at end of file
diff --git a/.goreleaser.yaml b/.goreleaser.yaml
index e798c9ddb..cb9093681 100644
--- a/.goreleaser.yaml
+++ b/.goreleaser.yaml
@@ -41,6 +41,11 @@ builds:
 mod_timestamp: *build-timestamp
 env: *build-env
 ldflags: *build-ldflags
+ hooks:
+ post:
+ # we must have signing as a build hook instead of the signs section. The signs section must register a new asset, where we want to replace an existing asset.
+ # a post-build hook has the advantage of not needing to unpackage and repackage a tar.gz with a signed binary
+ - ./.github/scripts/apple-signing/sign.sh "{{ .Path }}" "{{ .IsSnapshot }}" "{{ .Target }}"
 - id: windows-build
 binary: syft
@@ -67,15 +72,6 @@ archives:
 builds:
 - windows-build
-signs:
- - artifacts: archive
- ids:
- - darwin-archives
- cmd: ./.github/scripts/apple-signing/sign.sh
- args:
- - "${artifact}"
- - "{{ .IsSnapshot }}"
-
 nfpms:
 - license: "Apache 2.0"
 maintainer: "Anchore, Inc"
diff --git a/Makefile b/Makefile
index a38314d46..9622b5086 100644
--- a/Makefile
+++ b/Makefile
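Review bot: The context comment `# sign all of the binaries in the archive and recreate the input archive with the signed binaries` now sits above `sign_binary "$binary_abs_path" "$MAC_SIGNING_IDENTITY"` and describes the removed archive workflow; the script now signs the single build output in place and goreleaser archives it afterwards. Update it to `# sign the build output in place; goreleaser archives the signed binary afterwards` and the one below to `# send the signed binary off to apple to bless`. main() begins and ends outside this hunk.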
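Review bot: The rewritten `tee` line leaves `$(basename $BINARY_PATH)` unquoted inside the command substitution, so a build path containing whitespace or glob characters is word-split before basename sees it; `$(basename -- "$BINARY_PATH")` is the safe form (`$TARGET_NAME` is already inside the double-quoted string). A comment on the same line would also help the next reader: because the first hunk adds `-o pipefail`, a non-zero exit from the subshell running main() now propagates through the pipe to `tee` and fails the goreleaser hook, e.g. `# pipefail: a signing failure inside the subshell fails the hook despite the tee`. Nothing visible here creates the `log/` directory that `tee` writes into; if it is not guaranteed to exist, an `mkdir -p "$SCRIPT_DIR/log"` before the pipeline is needed.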
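Review bot: The hook runs sign.sh once per target of the build it is attached to, and that build's `id` is above the hunk, so it is not visible here that this is the darwin build the removed `signs` section (restricted to `darwin-archives`) used to cover; a line in the comment naming the intended build, e.g. `# darwin build only: codesign/notarization needs a macOS runner`, would make the restriction reviewable. If the build lists several darwin targets, goreleaser's default parallelism can run two sign.sh invocations at once — the `-$TARGET_NAME` suffix added to the log file name suggests this is anticipated — and the `which gon || (brew tap ... && brew install ...)` step in notarize.sh then becomes a race between two installs; installing gon once before goreleaser runs, or stating in this comment that the hook must tolerate concurrent invocations, would close that gap.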
@@ -104,7 +104,7 @@ bootstrap-tools: $(TEMPDIR)
 curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b $(TEMPDIR)/ v1.42.1
 curl -sSfL https://raw.githubusercontent.com/wagoodman/go-bouncer/master/bouncer.sh | sh -s -- -b $(TEMPDIR)/ v0.3.0
 curl -sSfL https://raw.githubusercontent.com/anchore/chronicle/main/install.sh | sh -s -- -b $(TEMPDIR)/ v0.3.0
- .github/scripts/goreleaser-install.sh -d -b $(TEMPDIR)/ v1.3.1
+ .github/scripts/goreleaser-install.sh -d -b $(TEMPDIR)/ v1.4.1
 GOBIN="$(shell realpath $(TEMPDIR))" go install github.com/neilpa/yajsv@v1.4.0
 .PHONY: bootstrap-go