Changeset 26744 for issm/trunk/packagers/mac/sign-issm-mac-binaries-python.sh

Timestamp:

12/22/21 10:39:44 (3 years ago)

Author:

Mathieu Morlighem

Message:

merged trunk-jpl and trunk for revision 26742

Location:

issm/trunk

Files:

• . (modified) (1 prop)
• packagers/mac/sign-issm-mac-binaries-python.sh (modified) (13 diffs)

issm/trunk/packagers/mac/sign-issm-mac-binaries-python.sh

@@ -5 +5 @@
 # Cybersecurity server for signing macOS applications. Polls SCM of the 
 # Subversion repository hosted at 
-# https://issm.ess.uci.edu/svn/issm-binaries/mac/python/unsigned to trigger new 
+# https://issm.ess.uci.edu/svn/issm-binaries/mac/matlab/unsigned to trigger new 
 # builds.
 #
@@ -17 +17 @@
 #       'Add Credentials' and enter the crendentials from above.
 # - From the 'Dashboard', select 'New Item' -> 'Freestyle project'.
-# - Under 'Source Code Management', select 'Subversion'. 
+# - Under 'Source Code Management', select 'Subversion'.
 #               - The 'Repository URL' text field should be set to 
-#               "https://issm.ess.uci.edu/svn/issm-binaries/mac/python/unsigned"
+#               "https://issm.ess.uci.edu/svn/issm-binaries/mac/matlab/unsigned".
 #               - The 'Credentials' select menu should be set to the new credentials 
 #               created previously.
+#               - The 'Local module directory' text field should be set to the same 
+#               value as the constant UNSIGNED_REPO_COPY (set below to './unsigned').
 # - Under 'Build Trigggers', check the box for 'Poll SCM' and set the 
 #       'Schedule' text area to "H/5 * * * *".
@@ -27 +29 @@
 #       file(s)', then under 'Bindings' click the 'Add...' button and select 
 #       'Username and password (separated)'.
-#               - Set 'Username Variable' to "issm-binaries-user”.
-#               - Set 'Password Variable' to "issm-binaries-pass”.
+#               - Set 'Username Variable' to "ISSM_BINARIES_USER".
+#               - Set 'Password Variable' to "ISSM_BINARIES_PASS".
 # - Under 'Credentials', select the same, new credentials that created 
 #       previously.
@@ -40 +42 @@
 #
 # NOTE:
-# - Assumes that 'issm-binaries-user' and 'issm-binaries-pass' are set up in 
+# - Assumes that "ISSM_BINARIES_USER" and "ISSM_BINARIES_PASS" are set up in 
 #       the 'Bindings' section under a 'Username and password (separated)' binding 
 #       (requires 'Credentials Binding Plugin').
@@ -47 +49 @@
 ################################################################################
 
+# Expand aliases within the context of this script
+shopt -s expand_aliases
+
 # From https://developer.apple.com/documentation/macos-release-notes/macos-catalina-10_15-release-notes,
 #
@@ -60 +65 @@
 # is available in PATH.
 #
-shopt -s expand_aliases
+# NOTE: May be able to remove this after updating macOS.
+#
 alias svn='/usr/local/bin/svn'
 
@@ -74 +80 @@
 ALTOOL_PASSWORD="@keychain:**********" # altool password (assumed to be stored in keychain)
 ASC_PROVIDER="**********"
-NOTARIZATION_CHECK_ATTEMPTS=60
+MAX_SVN_ATTEMPTS=10
+NOTARIZATION_CHECK_ATTEMPTS=20
 NOTARIZATION_CHECK_PERIOD=60
 NOTARIZATION_LOGFILE="notarization.log"
 NOTARIZATION_LOGFILE_PATH="."
+PASSWORD=${ISSM_BINARIES_PASS}
 PKG="ISSM-macOS-Python"
-PRIMARY_BUNDLE_ID="**********.issm.python" # Maybe "nasa.jpl.issm.matlab"?
-RETRIGGER_SIGNING_FILE="retrigger.txt"
+PRIMARY_BUNDLE_ID="gov.nasa.jpl.issm.python"
 SIGNED_REPO_COPY="./signed"
 SIGNED_REPO_URL="https://issm.ess.uci.edu/svn/issm-binaries/mac/python/signed"
@@ -87 +94 @@
 UNSIGNED_REPO_COPY="./unsigned"
 UNSIGNED_REPO_URL="https://issm.ess.uci.edu/svn/issm-binaries/mac/python/unsigned"
+USERNAME=${ISSM_BINARIES_USER}
 
 COMPRESSED_PKG="${PKG}.zip"
 EXE_ENTITLEMENTS_PLIST="${PKG}/bin/entitlements.plist"
 
-# Clean up from previous packaging (not necessary for single builds on Jenkins, 
-# but useful when testing packaging locally)
-echo "Cleaning up existing assets"
-rm -rf ${PKG} ${COMPRESSED_PKG} ${NOTARIZATION_LOGFILE_PATH}/${NOTARIZATION_LOGFILE} ${SIGNED_REPO_COPY} ${UNSIGNED_REPO_COPY}
-mkdir ${PKG}
-
-# Check out copy of repository for unsigned packages
-echo "Checking out copy of respository for unsigned packages"
-svn co \
-        --username ${USERNAME} \
-        --password ${PASSWORD} \
-        ${UNSIGNED_REPO_URL} \
-        ${UNSIGNED_REPO_COPY} > /dev/null 2>&1
+# NOTE: Uncomment the following for local testing (Jenkins checks out copy of 
+#               repository for unsigned packages to working directory)
+#
+
+# # Clean up from previous packaging (not necessary for single builds on Jenkins, 
+# # but useful when testing packaging locally)
+# echo "Cleaning up existing assets"
+# rm -rf ${COMPRESSED_PKG} ${NOTARIZATION_LOGFILE_PATH}/${NOTARIZATION_LOGFILE} ${UNSIGNED_REPO_COPY}
+
+# # Check out copy of repository for unsigned packages
+# echo "Checking out copy of respository for unsigned packages"
+# svn checkout \
+#       --trust-server-cert \
+#       --non-interactive \
+#       --username ${USERNAME} \
+#       --password ${PASSWORD} \
+#       ${UNSIGNED_REPO_URL} \
+#       ${UNSIGNED_REPO_COPY}
+
+rm -rf ${PKG} ${SIGNED_REPO_COPY}
+
 
 # Extract package contents
@@ -163 +179 @@
 # Check if UUID exists in response
 HAS_UUID=$(grep 'RequestUUID = ' ${NOTARIZATION_LOGFILE_PATH}/${NOTARIZATION_LOGFILE}) # NOTE: Checking for "RequestUUID = " because "RequestUUID" shows up in some error messages
-if [[ -z "${HAS_UUID}" ]]; then
+if [ -z "${HAS_UUID}" ]; then
         echo "Notarization failed!"
         echo "----------------------- Contents of notarization logfile -----------------------"
@@ -195 +211 @@
                 # First, check if there is an error
                 ERROR_CHECK=$(grep 'Error' ${NOTARIZATION_LOGFILE_PATH}/${NOTARIZATION_LOGFILE})
-                if [[ ! -z "${ERROR_CHECK}" ]]; then
+                if [ ! -z "${ERROR_CHECK}" ]; then
                         break
                 fi
@@ -242 +258 @@
 fi
 
-# Remove dummy file for retriggering signing/notarization (if it exists)
-svn delete ${UNSIGNED_REPO_COPY}/${RETRIGGER_SIGNING_FILE} > /dev/null 2>&1
-svn commit --message "DEL: Removing dummy file for retriggering signing of same package" ${UNSIGNED_REPO_COPY} > /dev/null 2>&1
-
 # Check out copy of repository for signed packages
 echo "Checking out copy of respository for signed packages"
-svn co \
-        --username ${USERNAME} \
-        --password ${PASSWORD} \
-        ${SIGNED_REPO_URL} \
-        ${SIGNED_REPO_COPY} > /dev/null 2>&1
+SVN_ATTEMPT=0
+SVN_SUCCESS=0
+while [[ ${SVN_ATTEMPT} -lt ${MAX_SVN_ATTEMPTS} && ${SVN_SUCCESS} -eq 0 ]]; do
+        rm -rf ${SIGNED_REPO_COPY}
+        svn checkout \
+                --trust-server-cert \
+                --non-interactive \
+                --username ${USERNAME} \
+                --password ${PASSWORD} \
+                ${SIGNED_REPO_URL} \
+                ${SIGNED_REPO_COPY} > /dev/null 2>&1
+        if [ $? -eq 0 ]; then
+                SVN_SUCCESS=1
+                break
+        else
+                ((++SVN_ATTEMPT))
+                sleep 5
+        fi
+done
+
+if [ ${SVN_SUCCESS} -eq 0 ]; then
+        echo "Checkout of respository for signed packages failed"
+        exit 1
+fi
 
 # Copy notarization file to repository for signed packages
@@ -259 +290 @@
 
 # Remove lock file from repository for signed packages
-svn delete ${SIGNED_REPO_COPY}/${SIGNING_LOCK_FILE} > /dev/null 2>&1
-
+svn delete ${SIGNED_REPO_COPY}/${SIGNING_LOCK_FILE}
+
+SVN_ATTEMPT=0
+SVN_SUCCESS=0
 if [ ${SUCCESS} -eq 1 ]; then
         # Copy signed package to repository for signed packages
@@ -268 +301 @@
         # Commit changes
         echo "Committing changes to repository for signed packages"
-        svn commit --message "CHG: New signed package (success)" ${SIGNED_REPO_COPY} > /dev/null 2>&1
+        while [[ ${SVN_ATTEMPT} -lt ${MAX_SVN_ATTEMPTS} && ${SVN_SUCCESS} -eq 0 ]]; do
+                svn commit \
+                        --trust-server-cert \
+                        --non-interactive \
+                        --username ${USERNAME} \
+                        --password ${PASSWORD} \
+                        --message "CHG: New signed package (success)" ${SIGNED_REPO_COPY} > /dev/null 2>&1
+                if [ $? -eq 0 ]; then
+                        SVN_SUCCESS=1
+                        break
+                else
+                        ((++SVN_ATTEMPT))
+                        sleep 5
+                fi
+        done
+
+        if [ ${SVN_SUCCESS} -eq 0 ]; then
+                echo "Commit to respository for signed packages failed"
+                exit 1
+        fi
 else
         # Commit changes
         echo "Committing changes to repository for signed packages"
-        svn commit --message "CHG: New signed package (failure)" ${SIGNED_REPO_COPY} > /dev/null 2>&1
+        while [[ ${SVN_ATTEMPT} -lt ${MAX_SVN_ATTEMPTS} && ${SVN_SUCCESS} -eq 0 ]]; do
+                svn commit \
+                        --trust-server-cert \
+                        --non-interactive \
+                        --username ${USERNAME} \
+                        --password ${PASSWORD} \
+                        --message "CHG: New signed package (failure)" ${SIGNED_REPO_COPY} > /dev/null 2>&1
+                if [ $? -eq 0 ]; then
+                        SVN_SUCCESS=1
+                        break
+                else
+                        ((++SVN_ATTEMPT))
+                        sleep 5
+                fi
+        done
+
+        if [ ${SVN_SUCCESS} -eq 0 ]; then
+                echo "Commit to respository for signed packages failed"
+                exit 1
+        fi
 
         exit 1