Add API_KEY to authenticate notarization request

Kamil Piotrowski · Kamil Piotrowski · commit d1ee585d0c12 · 2020-02-20T11:06:49.000+01:00
diff --git a/README.md b/README.md
@@ -208,6 +208,10 @@ Supported configurations:
       variable. If this value isn't set, we'll attempt to use the `AC_PASSWORD`
       environment variable as a default.
 
+    * `api_key` (`string` _optional_) - The API key required for JWT authentication while using validation, upload, and notarization. This option will search the following directories in sequence for a private key file with the name of 'AuthKey_<api_key>.p8':  './private_keys', '~/private_keys', '~/.private_keys' and '~/.appstoreconnect/private_keys'. API key can be used instead of providing username and password.
+
+    * `api_issuer` (`string` _optional_ ) - The Issuer ID. Required if --api_key is specified.
+
     * `provider` (`string` _optional_) - The App Store Connect provider when using
       multiple teams within App Store Connect. If this isn't set, we'll attempt
       to read the `AC_PROVIDER` environment variable as a default.
diff --git a/cmd/gon/item.go b/cmd/gon/item.go
@@ -71,6 +71,8 @@ func (i *item) notarize(ctx context.Context, opts *processOptions) error {
 		BundleId:   bundleId,
 		Username:   opts.Config.AppleId.Username,
 		Password:   opts.Config.AppleId.Password,
+		APIKey:     opts.Config.AppleId.APIKey,
+		APIIssuer:  opts.Config.AppleId.APIIssuer,
 		Provider:   opts.Config.AppleId.Provider,
 		Logger:     opts.Logger.Named("notarize"),
 		Status:     &statusHuman{Prefix: opts.Prefix, Lock: lock},
diff --git a/cmd/gon/main.go b/cmd/gon/main.go
@@ -145,31 +145,43 @@ func realMain() int {
 	if cfg.AppleId == nil {
 		cfg.AppleId = &config.AppleId{}
 	}
-	if cfg.AppleId.Username == "" {
-		appleIdUsername, ok := os.LookupEnv("AC_USERNAME")
-		if !ok {
-			color.New(color.Bold, color.FgRed).Fprintf(os.Stdout, "❗️ No apple_id username provided\n")
-			color.New(color.FgRed).Fprintf(os.Stdout,
-				"An Apple ID username must be specified in the `apple_id` block or\n"+
-					"it must exist in the environment as AC_USERNAME,\n"+
-					"otherwise we won't be able to authenticate with Apple to notarize.\n")
+
+	if len(cfg.AppleId.APIKey) > 0 || len(cfg.AppleId.APIIssuer) > 0 {
+		if cfg.AppleId.APIKey == "" {
+			color.New(color.Bold, color.FgRed).Fprintf(os.Stdout, "❗️ No api_key provided, but used api_issuer\n")
 			return 1
 		}
-
-		cfg.AppleId.Username = appleIdUsername
-	}
-
-	if cfg.AppleId.Password == "" {
-		if _, ok := os.LookupEnv("AC_PASSWORD"); !ok {
-			color.New(color.Bold, color.FgRed).Fprintf(os.Stdout, "❗️ No apple_id password provided\n")
-			color.New(color.FgRed).Fprintf(os.Stdout,
-				"An Apple ID password (or lookup directive) must be specified in the\n"+
-					"`apple_id` block or it must exist in the environment as AC_PASSWORD,\n"+
-					"otherwise we won't be able to authenticate with Apple to notarize.\n")
+		if cfg.AppleId.APIIssuer == "" {
+			color.New(color.Bold, color.FgRed).Fprintf(os.Stdout, "❗️ No api_issuer provided\n")
 			return 1
 		}
+	} else {
+		if cfg.AppleId.Username == "" {
+			appleIdUsername, ok := os.LookupEnv("AC_USERNAME")
+			if !ok {
+				color.New(color.Bold, color.FgRed).Fprintf(os.Stdout, "❗️ No apple_id username provided\n")
+				color.New(color.FgRed).Fprintf(os.Stdout,
+					"An Apple ID username must be specified in the `apple_id` block or\n"+
+						"it must exist in the environment as AC_USERNAME,\n"+
+						"otherwise we won't be able to authenticate with Apple to notarize.\n")
+				return 1
+			}
+
+			cfg.AppleId.Username = appleIdUsername
+		}
 
-		cfg.AppleId.Password = "@env:AC_PASSWORD"
+		if cfg.AppleId.Password == "" {
+			if _, ok := os.LookupEnv("AC_PASSWORD"); !ok {
+				color.New(color.Bold, color.FgRed).Fprintf(os.Stdout, "❗️ No apple_id password provided\n")
+				color.New(color.FgRed).Fprintf(os.Stdout,
+					"An Apple ID password (or lookup directive) must be specified in the\n"+
+						"`apple_id` block or it must exist in the environment as AC_PASSWORD,\n"+
+						"otherwise we won't be able to authenticate with Apple to notarize.\n")
+				return 1
+			}
+
+			cfg.AppleId.Password = "@env:AC_PASSWORD"
+		}
 	}
 	if cfg.AppleId.Provider == "" {
 		cfg.AppleId.Provider = os.Getenv("AC_PROVIDER")
diff --git a/internal/config/config.go b/internal/config/config.go
@@ -47,6 +47,15 @@ type AppleId struct {
 	// specified if you're using an Apple ID account that has multiple
 	// teams.
 	Provider string `hcl:"provider,optional"`
+
+	// APIKey is required for JWT authentication while using validation, upload, and notarization.
+	// This option will search the following directories in sequence for a private key file
+	// with the name of 'AuthKey_<api_key>.p8':  './private_keys', '~/private_keys', '~/.private_keys',
+	// and '~/.appstoreconnect/private_keys'.
+	APIKey string `hcl:"api_key,optional"`
+
+	//APIIssuer is Issuer ID. Required if --apiKey is specified.
+	APIIssuer string `hcl:"api_issuer,optional"`
 }
 
 // Notarize are the options for notarizing a pre-built file.
diff --git a/notarize/info.go b/notarize/info.go
@@ -81,11 +81,23 @@ func info(ctx context.Context, uuid string, opts *Options) (*Info, error) {
 		"altool",
 		"--notarization-info",
 		uuid,
-		"-u", opts.Username,
-		"-p", opts.Password,
 		"--output-format", "xml",
 	}
 
+	if len(opts.Username) > 0 {
+		cmd.Args = append(cmd.Args,
+			"-u", opts.Username,
+			"-p", opts.Password,
+		)
+	}
+
+	if len(opts.APIKey) > 0 {
+		cmd.Args = append(cmd.Args,
+			"--apiKey", opts.APIKey,
+			"--apiIssuer", opts.APIIssuer,
+		)
+	}
+
 	// We store all output in out for logging and in case there is an error
 	var out, combined bytes.Buffer
 	cmd.Stdout = io.MultiWriter(&out, &combined)
diff --git a/notarize/notarize.go b/notarize/notarize.go
@@ -27,6 +27,15 @@ type Options struct {
 	// read from the keychain and environment variables, respectively.
 	Password string
 
+	// APIKey is required for JWT authentication while using validation, upload, and notarization.
+	// This option will search the following directories in sequence for a private key file
+	// with the name of 'AuthKey_<api_key>.p8':  './private_keys', '~/private_keys', '~/.private_keys',
+	// and '~/.appstoreconnect/private_keys'.
+	APIKey string
+
+	//APIIssuer is Issuer ID. Required if --apiKey is specified.
+	APIIssuer string
+
 	// Provider is the Apple Connect provider to use. This is optional
 	// and is only used for Apple Connect accounts that support multiple
 	// providers.
diff --git a/notarize/upload.go b/notarize/upload.go
@@ -41,8 +41,20 @@ func upload(ctx context.Context, opts *Options) (string, error) {
 		"altool",
 		"--notarize-app",
 		"--primary-bundle-id", opts.BundleId,
-		"-u", opts.Username,
-		"-p", opts.Password,
+	}
+
+	if len(opts.Username) > 0 {
+		cmd.Args = append(cmd.Args,
+			"-u", opts.Username,
+			"-p", opts.Password,
+		)
+	}
+
+	if len(opts.APIKey) > 0 {
+		cmd.Args = append(cmd.Args,
+			"--apiKey", opts.APIKey,
+			"--apiIssuer", opts.APIIssuer,
+		)
 	}
 
 	if opts.Provider != "" {
