diff --git a/.goreleaser.yaml b/.goreleaser.yaml index 0235015d3..2a9e513e9 100644 --- a/.goreleaser.yaml +++ b/.goreleaser.yaml @@ -51,7 +51,7 @@ builds: -X github.com/anchore/syft/internal/version.buildDate={{.Date}} -X github.com/anchore/syft/internal/version.gitTreeState={{.Env.BUILD_GIT_TREE_STATE}} hooks: - post: ./.github/scripts/mac-sign-and-notarize.sh "{{.IsSnapshot}}" "gon.hcl" "./dist/syft_{{.Tag}}_{{.Target}}.dmg" + post: ./.github/scripts/mac-sign-and-notarize.sh "{{.IsSnapshot}}" "gon.hcl" "./dist/syft_{{.Version}}_{{.Target}}.dmg" signs: - artifacts: checksum diff --git a/README.md b/README.md index 7d75ca079..df6201e8f 100644 --- a/README.md +++ b/README.md @@ -54,7 +54,7 @@ Where the `format`s available are: ## Installation -**Recommended** +**Recommended (macOS and Linux)** ```bash # install the latest version to /usr/local/bin curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin @@ -63,17 +63,12 @@ curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh - curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b ``` -**macOS** +**Homebrew (macOS)** ```bash brew tap anchore/syft brew install syft ``` -You may experience a "macOS cannot verify app is free from malware" error upon running Syft because it is not yet signed and notarized. You can override this using `xattr`. -```bash -xattr -rd com.apple.quarantine syft -``` - ## Configuration Configuration search paths: diff --git a/install.sh b/install.sh index f3d11bde3..984d49bfb 100755 --- a/install.sh +++ b/install.sh @@ -1,6 +1,6 @@ #!/bin/sh set -e -# Code generated by godownloader on 2020-08-10T20:55:46Z. DO NOT EDIT. +# Code generated by godownloader on 2020-08-10T20:55:46Z. # usage() { 
@@ -45,11 +45,16 @@ parse_args() { execute() { tmpdir=$(mktemp -d) log_debug "downloading files into ${tmpdir}" - http_download "${tmpdir}/${TARBALL}" "${TARBALL_URL}" + http_download "${tmpdir}/${ARCHIVE}" "${ARCHIVE_URL}" http_download "${tmpdir}/${CHECKSUM}" "${CHECKSUM_URL}" - hash_sha256_verify "${tmpdir}/${TARBALL}" "${tmpdir}/${CHECKSUM}" + + # macOS has its own secure verification mechanism, and checksums.txt is not used. + if [ "$OS" != "darwin" ]; then + hash_sha256_verify "${tmpdir}/${ARCHIVE}" "${tmpdir}/${CHECKSUM}" + fi + srcdir="${tmpdir}" - (cd "${tmpdir}" && untar "${TARBALL}") + (cd "${tmpdir}" && unpack "${ARCHIVE}") test ! -d "${BINDIR}" && install -d "${BINDIR}" for binexe in $BINARIES; do if [ "$OS" = "windows" ]; then @@ -89,6 +94,7 @@ tag_to_version() { adjust_format() { # change format (tar.gz or zip) based on OS case ${OS} in + darwin) FORMAT=dmg ;; windows) FORMAT=zip ;; esac true @@ -221,18 +227,26 @@ uname_arch_check() { log_crit "uname_arch_check '$(uname -m)' got converted to '$arch' which is not a GOARCH value. Please file bug report at https://github.com/client9/shlib" return 1 } -untar() { - tarball=$1 - case "${tarball}" in - *.tar.gz | *.tgz) tar --no-same-owner -xzf "${tarball}" ;; - *.tar) tar --no-same-owner -xf "${tarball}" ;; - *.zip) unzip "${tarball}" ;; +unpack() { + archive=$1 + case "${archive}" in + *.tar.gz | *.tgz) tar --no-same-owner -xzf "${archive}" ;; + *.tar) tar --no-same-owner -xf "${archive}" ;; + *.zip) unzip "${archive}" ;; + *.dmg) extract_from_dmg "${archive}" ;; *) - log_err "untar unknown archive format for ${tarball}" + log_err "unpack unknown archive format for ${archive}" return 1 ;; esac } +extract_from_dmg() { + dmg_file=$1 + mount_point="/Volumes/tmp-dmg" + hdiutil attach -quiet -mountpoint "${mount_point}" "${dmg_file}" + cp -fR "${mount_point}/" ./ + hdiutil detach -quiet -force "${mount_point}" +} http_download_curl() { local_file=$1 source_url=$2 
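Review bot: On darwin the new branch in execute() skips `hash_sha256_verify` entirely, so the .dmg fetched by `http_download` is unpacked and installed with no integrity check made by this script. The comment relies on macOS's own verification, but that is normally driven by the quarantine attribute, which a curl or wget download presumably does not set, so Gatekeeper may never evaluate the copied binary. Either list the dmg's digest in checksums.txt and keep the check for every OS, or verify the signature explicitly before install, e.g. `codesign --verify --strict "${srcdir}/${binexe}"` in the darwin path, ideally pinned to the publisher's signing identity. The checksum file is also still downloaded on darwin although nothing reads it. execute() continues past the end of this hunk.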
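Review bot: `extract_from_dmg` mounts every image at the fixed path `/Volumes/tmp-dmg` and has no cleanup path. If `cp` fails under `set -e`, the function exits before `hdiutil detach` and leaves the volume attached, so a later or concurrent run collides with the existing mount. A per-run mount point from `mktemp -d` (already used in execute()), attached with `-nobrowse -readonly`, plus a detach that runs whatever the copy's status, avoids both. `cp -fR "${mount_point}/" ./` also copies the whole image into the temp dir rather than only the expected binary, which is worth narrowing if the image layout is known.

```shell
extract_from_dmg() {
  dmg_file=$1
  # per-run mount point instead of a shared, predictable path under /Volumes
  mount_point=$(mktemp -d)
  hdiutil attach -quiet -nobrowse -readonly -mountpoint "${mount_point}" "${dmg_file}"
  # always detach, then report the copy's status to the caller
  rc=0
  cp -fR "${mount_point}/" ./ || rc=$?
  hdiutil detach -quiet -force "${mount_point}"
  # best-effort removal of the now-empty mount directory
  rmdir "${mount_point}" 2>/dev/null || true
  return "${rc}"
}
```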
@@ -366,8 +380,8 @@ adjust_arch log_info "found version: ${VERSION} for ${TAG}/${OS}/${ARCH}" NAME=${PROJECT_NAME}_${VERSION}_${OS}_${ARCH} -TARBALL=${NAME}.${FORMAT} -TARBALL_URL=${GITHUB_DOWNLOAD}/${TAG}/${TARBALL} +ARCHIVE=${NAME}.${FORMAT} +ARCHIVE_URL=${GITHUB_DOWNLOAD}/${TAG}/${ARCHIVE} CHECKSUM=${PROJECT_NAME}_${VERSION}_checksums.txt CHECKSUM_URL=${GITHUB_DOWNLOAD}/${TAG}/${CHECKSUM}