Merge remote-tracking branch 'upstream/master'

Author: sternik

.gitignore

@@ -1,3 +1,4 @@
+cmd/gon/gon
 dist/
 
 # For testing:

.gon.hcl

@@ -1,20 +1,21 @@
-source = ["./dist/gon"]
+source = ["./dist/macos_darwin_amd64/gon"]
 bundle_id = "com.mitchellh.gon"
 
 apple_id {
   username = "[email protected]"
   password = "@env:AC_PASSWORD"
+  provider = "UL304B4VGY"
 }
 
 sign {
   application_identity = "97E4A93EAA8BAC7A8FD2383BFA459D2898100E56"
 }
 
 zip {
-  output_path = "./dist/gon.zip"
+  output_path = "./dist/gon_macos.zip"
 }
 
 dmg {
-  output_path = "./dist/gon.dmg"
+  output_path = "./dist/gon_macos.dmg"
   volume_name = "gon"
 }

.goreleaser.yml

@@ -0,0 +1,58 @@
+env:
+  - GO111MODULE=on
+
+before:
+  hooks:
+    - go mod download
+
+builds:
+  - id: macos
+    env:
+      - CGO_ENABLED=0
+    goos:
+      - darwin
+    goarch:
+      - amd64
+    dir: ./cmd/gon/
+
+archives:
+  - id: macos-zip
+    format: zip
+    name_template: "{{ .ProjectName }}_{{ .Os }}"
+    replacements:
+      darwin: macos
+      amd64: x86_64
+
+checksum:
+  disable: true
+
+signs:
+  - signature: "${artifact}_macos.dmg"
+    ids:
+      - macos-zip
+    cmd: gon
+    args:
+      - .gon.hcl
+    artifacts: all
+
+snapshot:
+  name_template: "{{ .Tag }}-next"
+
+changelog:
+  sort: asc
+  filters:
+    exclude:
+    - 'README'
+
+release:
+  ids:
+    - none
+  extra_files:
+    - glob: ./dist/gon_macos.dmg
+    - glob: ./dist/gon_macos.zip
+
+brews:
+  - tap:
+      owner: mitchellh
+      name: homebrew-gon
+    description: "Sign, notarize, and package macOS CLI applications written in any language."

Makefile

@@ -1,16 +1,10 @@
-VERSION := 0.2.2
-
-# Note that I'd love to use goreleaser for this but they don't quite
-# have the hooks yet to be able to merge in gon support. Ideally they'd
-# just integrate natively in some way.
-build: clean
-	mkdir -p dist
-	GOOS=darwin GOARCH=amd64 go build -ldflags "-X main.version=$(VERSION)" -o ./dist/gon ./cmd/gon
-.PHONY: build
-
-# release will package the distribution packages, sign, and notarize
-release: build
-	./dist/gon .gon.hcl
+# release will package the distribution packages, sign, and notarize. It
+# will then upload the release to GitHub and publish the Homebrew tap.
+#
+# AFTER THIS YOU MUST MANUALLY DELETE the checksums.txt file since it is
+# incomplete and we don't need checksums since our artifacts are signed.
+release:
+	goreleaser --rm-dist
 .PHONY: release
 
 clean:

README.md

@@ -1,3 +1,9 @@
+**Archived:** I unfortunately no longer make active use of this project
+and haven't properly maintained it since early 2022. I welcome anyone to
+fork and take over this project.
+
+-----------------------------------------------------
+
 # gon - CLI and Go Library for macOS Notarization
 
 gon is a simple, no-frills tool for
@@ -33,6 +39,7 @@ gon helps you automate the process of notarization.
     - [Prompts](#prompts)
 - [Usage with GoReleaser](#usage-with-goreleaser)
 - [Go Library](#go-library)
+- [Troubleshooting](#troubleshooting)
 - [Roadmap](#roadmap)
 
 <!-- END doctoc generated TOC please keep comment here to allow auto update -->
@@ -57,7 +64,11 @@ The example below runs `gon` against itself to generate a zip and dmg.
 
 ## Installation
 
-To install `gon`, download the appropriate release for your platform
+The easiest way to install `gon` is via [Homebrew](https://brew.sh):
+
+    $ brew install mitchellh/gon/gon
+
+You may also download the appropriate release for your platform
 from the [releases page](https://github.com/mitchellh/gon/releases).
 These are all signed and notarized to run out of the box on macOS 10.15+.
 
@@ -144,6 +155,7 @@ bundle_id = "com.mitchellh.example.terraform"
 apple_id {
   username = "[email protected]"
   password = "@env:AC_PASSWORD"
+  provider = "UL304B4VGY"
 }
 
 sign {
@@ -166,7 +178,8 @@ zip {
     "bundle_id" : "com.mitchellh.example.terraform",
     "apple_id": {
         "username" : "[email protected]",
-        "password":  "@env:AC_PASSWORD"
+        "password":  "@env:AC_PASSWORD",
+        "provider":  "UL304B4VGY"
     },
     "sign" :{
         "application_identity" : "Developer ID Application: Mitchell Hashimoto"
@@ -208,11 +221,14 @@ Supported configurations:
       variable. If this value isn't set, we'll attempt to use the `AC_PASSWORD`
       environment variable as a default.
 
+      **NOTE**: If you have 2FA enabled, the password must be an application password, not
+      your normal apple id password. See [Troubleshooting](#troubleshooting) for details.
+
     * `api_key` (`string` _optional_) - The API key required for JWT authentication while using validation, upload, and notarization. This option will search the following directories in sequence for a private key file with the name of 'AuthKey_<api_key>.p8':  './private_keys', '~/private_keys', '~/.private_keys' and '~/.appstoreconnect/private_keys'. API key can be used instead of providing username and password.
 
     * `api_issuer` (`string` _optional_ ) - The Issuer ID. Required if --api_key is specified.
 
-    * `provider` (`string` _optional_) - The App Store Connect provider when using
+    * `provider` (`string`) - The App Store Connect provider when using
       multiple teams within App Store Connect. If this isn't set, we'll attempt
       to read the `AC_PROVIDER` environment variable as a default.
 
@@ -420,6 +436,12 @@ package, notarization, and stapling steps. This lets you integrate this
 functionality into any tooling easily vs. having an opinionated `gon`-CLI
 experience.
 
+## Troubleshooting
+
+### "We are unable to create an authentication session. (-22016)"
+
+You likely have Apple 2FA enabled. You'll need to [generate an application password](https://appleid.apple.com/account/manage) and use that instead of your Apple ID password.
+
 ## Roadmap
 
 These are some things I'd love to see but aren't currently implemented.

cmd/gon/item.go

@@ -2,13 +2,11 @@ package main
 
 import (
 	"context"
-	"fmt"
 	"os"
 	"sync"
 
 	"github.com/fatih/color"
 	"github.com/hashicorp/go-hclog"
-	"github.com/hashicorp/go-multierror"
 
 	"github.com/mitchellh/gon/internal/config"
 	"github.com/mitchellh/gon/notarize"
@@ -66,21 +64,20 @@ func (i *item) notarize(ctx context.Context, opts *processOptions) error {
 	}
 
 	// Start notarization
-	info, err := notarize.Notarize(ctx, &notarize.Options{
-		File:       i.Path,
-		BundleId:   bundleId,
-		Username:   opts.Config.AppleId.Username,
-		Password:   opts.Config.AppleId.Password,
-		APIKey:     opts.Config.AppleId.APIKey,
-		APIIssuer:  opts.Config.AppleId.APIIssuer,
-		Provider:   opts.Config.AppleId.Provider,
-		Logger:     opts.Logger.Named("notarize"),
-		Status:     &statusHuman{Prefix: opts.Prefix, Lock: lock},
-		UploadLock: opts.UploadLock,
+	_, _, err := notarize.Notarize(ctx, &notarize.Options{
+		File:        i.Path,
+		DeveloperId: opts.Config.AppleId.Username,
+		Password:    opts.Config.AppleId.Password,
+		APIKey:      opts.Config.AppleId.APIKey,
+		APIIssuer:   opts.Config.AppleId.APIIssuer,
+		Provider:    opts.Config.AppleId.Provider,
+		Logger:      opts.Logger.Named("notarize"),
+		Status:      &statusHuman{Prefix: opts.Prefix, Lock: lock},
+		UploadLock:  opts.UploadLock,
 	})
 
 	// Save the error state. We don't save the notarization result yet
-	// because we don't know it for sure until we download the log file.
+	// because we don't know it for sure until we retrieve the log information.
 	i.State.NotarizeError = err
 
 	// If we had an error, we mention immediate we have an error.
@@ -90,73 +87,6 @@ func (i *item) notarize(ctx context.Context, opts *processOptions) error {
 		lock.Unlock()
 	}
 
-	// If we have a log file, download it. We do this whether we have an error
-	// or not because the log file can contain more details about the error.
-	if info != nil && info.LogFileURL != "" {
-		opts.Logger.Info(
-			"downloading log file for notarization",
-			"request_uuid", info.RequestUUID,
-			"url", info.LogFileURL,
-		)
-
-		log, logerr := notarize.DownloadLog(info.LogFileURL)
-		opts.Logger.Debug("log file downloaded", "log", log, "err", logerr)
-		if logerr != nil {
-			opts.Logger.Warn(
-				"error downloading log file, this isn't a fatal error",
-				"err", err,
-			)
-
-			// If we already failed notarization, just return that error
-			if err := i.State.NotarizeError; err != nil {
-				return err
-			}
-
-			// If it appears we succeeded notification, we make a new error.
-			// We can't say notarization is successful without downloading this
-			// file because warnings will cause notarization to not work
-			// when loaded.
-			lock.Lock()
-			color.New(color.FgRed).Fprintf(os.Stdout,
-				"    %sError downloading log file to verify notarization.\n",
-				opts.Prefix,
-			)
-			lock.Unlock()
-
-			return fmt.Errorf(
-				"Error downloading log file to verify notarization success: %s\n\n"+
-					"You can download the log file manually at: %s",
-				logerr, info.LogFileURL,
-			)
-		}
-
-		// If we have any issues then it is a failed notarization. Notarization
-		// can "succeed" with warnings, but when you attempt to use/open a file
-		// Gatekeeper rejects it. So we currently reject any and all issues.
-		if len(log.Issues) > 0 {
-			var err error
-
-			lock.Lock()
-			color.New(color.FgRed).Fprintf(os.Stdout,
-				"    %s%d issues during notarization:\n",
-				opts.Prefix, len(log.Issues))
-			for idx, issue := range log.Issues {
-				color.New(color.FgRed).Fprintf(os.Stdout,
-					"    %sIssue #%d (%s) for path %q: %s\n",
-					opts.Prefix, idx+1, issue.Severity, issue.Path, issue.Message)
-
-				// Append the error so we can return it
-				err = multierror.Append(err, fmt.Errorf(
-					"%s for path %q: %s",
-					issue.Severity, issue.Path, issue.Message,
-				))
-			}
-			lock.Unlock()
-
-			return err
-		}
-	}
-
 	// If we aren't notarized, then return
 	if err := i.State.NotarizeError; err != nil {
 		return err

cmd/gon/status_human.go

@@ -18,7 +18,8 @@ type statusHuman struct {
 	Prefix string
 	Lock   *sync.Mutex
 
-	lastStatus string
+	lastInfoStatus string
+	lastLogStatus  string
 }
 
 func (s *statusHuman) Submitting() {
@@ -37,13 +38,23 @@ func (s *statusHuman) Submitted(uuid string) {
 		os.Stdout, "    %sWaiting for results from Apple. This can take minutes to hours.\n", s.Prefix)
 }
 
-func (s *statusHuman) Status(info notarize.Info) {
+func (s *statusHuman) InfoStatus(info notarize.Info) {
 	s.Lock.Lock()
 	defer s.Lock.Unlock()
 
-	if info.Status != s.lastStatus {
-		s.lastStatus = info.Status
-		color.New().Fprintf(os.Stdout, "    %sStatus: %s\n", s.Prefix, info.Status)
+	if info.Status != s.lastInfoStatus {
+		s.lastInfoStatus = info.Status
+		color.New().Fprintf(os.Stdout, "    %sInfoStatus: %s\n", s.Prefix, info.Status)
+	}
+}
+
+func (s *statusHuman) LogStatus(log notarize.Log) {
+	s.Lock.Lock()
+	defer s.Lock.Unlock()
+
+	if log.Status != s.lastLogStatus {
+		s.lastLogStatus = log.Status
+		color.New().Fprintf(os.Stdout, "    %sLogStatus: %s\n", s.Prefix, log.Status)
 	}
 }
 

go.mod

@@ -5,10 +5,8 @@ go 1.13
 require (
 	github.com/davecgh/go-spew v1.1.1
 	github.com/fatih/color v1.7.0
-	github.com/hashicorp/go-cleanhttp v0.5.1
 	github.com/hashicorp/go-hclog v0.9.3-0.20191025211905-234833755cb2
 	github.com/hashicorp/go-multierror v1.0.0
-	github.com/hashicorp/go-retryablehttp v0.6.3
 	github.com/hashicorp/hcl/v2 v2.0.0
 	github.com/sebdah/goldie v1.0.0
 	github.com/stretchr/testify v1.3.0