VeraCrypt
aboutsummaryrefslogtreecommitdiff
path: root/src/Setup
diff options
context:
space:
mode:
authorMounir IDRASSI <mounir.idrassi@idrix.fr>2024-06-23 12:55:13 +0200
committerMounir IDRASSI <mounir.idrassi@idrix.fr>2024-06-23 12:55:13 +0200
commit210827d27cdab8ffe33e71653ff269cd3c02dcff (patch)
tree2e7211f38b6fe1d64b1b18940da47498f77cf45a /src/Setup
parent5ca2eee624995ffc6cf119210a8e1a05ce17ab35 (diff)
downloadVeraCrypt-210827d27cdab8ffe33e71653ff269cd3c02dcff.tar.gz
VeraCrypt-210827d27cdab8ffe33e71653ff269cd3c02dcff.zip
MacOSX: Add notarization script and entitlements file used to create official VeraCrypt dmg
Diffstat (limited to 'src/Setup')
-rw-r--r--src/Setup/MacOSX/VeraCrypt.entitlements.plist8
-rwxr-xr-xsrc/Setup/MacOSX/notarize.sh140
2 files changed, 148 insertions, 0 deletions
diff --git a/src/Setup/MacOSX/VeraCrypt.entitlements.plist b/src/Setup/MacOSX/VeraCrypt.entitlements.plist
new file mode 100644
index 00000000..123d12a5
--- /dev/null
+++ b/src/Setup/MacOSX/VeraCrypt.entitlements.plist
@@ -0,0 +1,8 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+ <key>com.apple.security.cs.disable-library-validation</key>
+ <true/>
+</dict>
+</plist>
diff --git a/src/Setup/MacOSX/notarize.sh b/src/Setup/MacOSX/notarize.sh
new file mode 100755
index 00000000..c3e2ff05
--- /dev/null
+++ b/src/Setup/MacOSX/notarize.sh
@@ -0,0 +1,140 @@
+#!/bin/bash
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)" # Directory where the script is located
+BUNDLE_PATH="${SCRIPT_DIR}/../../Main/VeraCrypt.app" # Path to the VeraCrypt.app bundle
+APPLE_ID="appleid" # Apple ID
+APP_SPECIFIC_PASSWORD="password" # app-specific password
+TEAM_ID="teamid" # team ID
+SIGNING_ID="signingid" # Signing ID
+
+# Check if VeraCrypt.app bundle exists
+if [ ! -d "$BUNDLE_PATH" ]; then
+ echo "VeraCrypt.app bundle not found: $BUNDLE_PATH"
+ exit 1
+fi
+
+# Retrieve the version of VeraCrypt from Info.plist
+VC_VERSION=$(/usr/libexec/PlistBuddy -c "Print CFBundleShortVersionString" "${BUNDLE_PATH}/Contents/Info.plist")
+
+echo "Notarizing VeraCrypt ${VC_VERSION}..."
+
+# Change to the script directory
+cd "${SCRIPT_DIR}"
+
+xattr -rc "$BUNDLE_PATH"
+codesign --timestamp --option runtime --deep --force --entitlements "${SCRIPT_DIR}/VeraCrypt.entitlements.plist" --sign "${SIGNING_ID}" "$BUNDLE_PATH"
+
+# Check dependencies of the VeraCrypt binary
+VC_BINARY="$BUNDLE_PATH/Contents/MacOS/VeraCrypt"
+DEPENDENCY_OUTPUT=$(otool -L "$VC_BINARY" | grep libfuse-t.dylib)
+
+# Determine the correct .pkgproj file based on the dependency
+PKGPROJ_FILE="${SCRIPT_DIR}/veracrypt.pkgproj"
+DMG_LABEL="VeraCrypt_${VC_VERSION}.dmg"
+if [[ "$DEPENDENCY_OUTPUT" != "" ]]; then
+ echo "VeraCrypt is linked against FUSE-T."
+ PKGPROJ_FILE="${SCRIPT_DIR}/veracrypt_fuse-t.pkgproj"
+ DMG_LABEL="VeraCrypt_FUSE-T_${VC_VERSION}.dmg"
+else
+ echo "VeraCrypt is linked against standard MacFUSE."
+fi
+
+/usr/local/bin/packagesbuild "$PKGPROJ_FILE"
+
+PKG_PATH="${SCRIPT_DIR}/VeraCrypt_${VC_VERSION}.pkg" # Constructed path to the VeraCrypt pkg
+productsign --sign "Developer ID Installer: IDRIX (Z933746L2S)" --timestamp "${SCRIPT_DIR}/VeraCrypt ${VC_VERSION}.pkg" "$PKG_PATH"
+
+if [ ! -f "$PKG_PATH" ]; then
+ echo "pkg file not found: $PKG_PATH"
+ exit 1
+fi
+
+# Step 1: Upload PKG to Apple for notarization
+echo "Uploading PKG to Apple for notarization..."
+xcrun notarytool submit "$PKG_PATH" --apple-id "$APPLE_ID" --password "$APP_SPECIFIC_PASSWORD" --team-id "$TEAM_ID" --wait --output-format json > notarization_result.json
+
+# Check if the notarization submission was successful
+if [ $? -ne 0 ]; then
+ echo "Failed to submit PKG for notarization."
+ cat notarization_result.json
+ exit 1
+fi
+
+# Extract the notarization UUID from the result
+REQUEST_UUID=$(grep -o '"id":"[^"]*' notarization_result.json | sed 's/"id":"//')
+echo "Notarization Request UUID: $REQUEST_UUID"
+
+# Step 2: Check the notarization status
+echo "Checking notarization status..."
+STATUS=$(grep -o '"status":"[^"]*' notarization_result.json | sed 's/"status":"//' | sed 's/"}//')
+echo "Initial status: $STATUS"
+
+while [ "$STATUS" == "in progress" ]; do
+ sleep 30
+ xcrun notarytool info "$REQUEST_UUID" --apple-id "$APPLE_ID" --password "$APP_SPECIFIC_PASSWORD" --team-id "$TEAM_ID" --output-format json > notarization_status.json
+
+ if [ ! -f notarization_status.json ]; then
+ echo "Failed to retrieve notarization status."
+ exit 1
+ fi
+
+ STATUS=$(grep -o '"status":"[^"]*' notarization_status.json | sed 's/"status":"//' | sed 's/"}//')
+ echo "Current status: $STATUS"
+done
+
+# Step 3: Staple the notarization ticket to the pkg or retrieve the log
+if [ "$STATUS" == "Accepted" ]; then
+ echo "Stapling the notarization ticket to the pkg..."
+ # Staple the notarization ticket to the installer package
+ xcrun stapler staple "$PKG_PATH"
+ echo "Notarization and stapling completed successfully."
+
+ # Clean up any existing temporary files and directories
+ rm -f template.dmg
+ rm -fr VeraCrypt_dmg
+
+ # Create a directory to mount the template DMG
+ echo "Creating directory to mount the template DMG..."
+ mkdir -p VeraCrypt_dmg
+
+ # Decompress the template DMG file
+ echo "Decompressing the template DMG file..."
+ bunzip2 -k -f template.dmg.bz2
+
+ # Attach the template DMG to the system, mount it at VeraCrypt_dmg directory
+ echo "Attaching the template DMG to the system..."
+ hdiutil attach template.dmg -noautoopen -quiet -mountpoint VeraCrypt_dmg
+
+ # Copy the notarized installer package into the mounted DMG
+ echo "Copying the notarized installer package into the mounted DMG..."
+ cp "VeraCrypt_${VC_VERSION}.pkg" VeraCrypt_dmg/VeraCrypt_Installer.pkg
+
+ # Detach the DMG, ensuring all changes are saved and it's unmounted
+ echo "Detaching the DMG..."
+ hdiutil detach VeraCrypt_dmg -quiet -force
+
+ # Convert the DMG back to a compressed format (UDZO) and create the final DMG file
+ echo "Converting the DMG back to a compressed format..."
+ rm -f "${DMG_LABEL}"
+ hdiutil convert template.dmg -quiet -format UDZO -imagekey zlib-level=9 -o "${DMG_LABEL}"
+
+ # Sign the final DMG file
+ echo "Signing the final DMG file..."
+ codesign -s "${SIGNING_ID}" --timestamp "${DMG_LABEL}"
+
+ # Clean up temporary files and directories
+ rm -f template.dmg
+ rm -fr VeraCrypt_dmg
+else
+ echo "Notarization failed. Retrieving log for more details..."
+ # Retrieve the notarization log for details on why it failed
+ xcrun notarytool log "$REQUEST_UUID" --apple-id "$APPLE_ID" --password "$APP_SPECIFIC_PASSWORD" --team-id "$TEAM_ID" --output-format json > notarization_log.json
+ cat notarization_log.json
+fi
+
+# Clean up temporary files
+rm -f notarization_result.json
+rm -f notarization_status.json
+rm -f notarization_log.json
+
+exit 0 \ No newline at end of file