-
Notifications
You must be signed in to change notification settings - Fork 30.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
tools: remove bashisms from macOS release scripts #36121
Conversation
What's the reason for banning bash? |
TBH that because it makes #36099 a bit simpler. I don't think we need
|
@nodejs/releasers can you review this please? All changes here looks relatively safe, and this is blocking #36099. |
/cc @nodejs/build |
I don't know shell scripting languages good enough to review this, sorry. |
|
||
set -x | ||
set -e | ||
|
||
if [ "X$SIGN" == "X" ]; then | ||
echo "No SIGN environment var. Skipping codesign." >&2 | ||
# shellcheck disable=SC2154 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't think this disable directive is necessary?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm getting this warning when I remove this line:
$ shellcheck --shell=sh --severity=info --enable=all tools/osx-codesign.sh
In tools/osx-codesign.sh line 6:
[ -z "$SIGN" ] && \
^---^ SC2154: SIGN is referenced but not assigned.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm using ShellCheck 0.7.1 btw, that may be a version-specific behavior.
|
||
# All macOS executable binaries in the bundle must be codesigned with the | ||
# hardened runtime enabled. | ||
# See https://github.com/nodejs/node/pull/31459 | ||
|
||
# shellcheck disable=SC2154 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Rather than this disable directive, would it be better to add a -z "$PKGDIR"
check similar to that on line 7 for $SIGN
? Both are supplied by the Makefile and guaranteed to be not-empty. So it would seem to me that we should either check for both or assume non-empty for both. But we seem to check for only one. Check for both?
Or is that a modification outside the scope of this PR and should be done later?
|
||
if [ "X$NOTARIZATION_ID" == "X" ]; then | ||
echo "No NOTARIZATION_ID environment var. Skipping notarization." | ||
# shellcheck disable=SC2154 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't think this directive is necessary?
|
||
set -x | ||
set -e | ||
|
||
if [ "X$SIGN" == "X" ]; then | ||
echo "No SIGN environment var. Skipping codesign." >&2 | ||
# shellcheck disable=SC2154 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't think this directive is necessary?
# shellcheck disable=SC2154 | ||
productsign --sign "$SIGN" "$PKG" "$PKG"-SIGNED | ||
# shellcheck disable=SC2154 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Instead of these two disable directives, would it make sense to add a -z "$PKG"
check similar to the one for $SIGN
on line 7? Both are guaranteed by the Makefile so it would seem that we should either check for both or assume both, but we are checking for just one and assuming the other. Or is that outside the scope of this PR?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM with or without my comments addressed.
Has this been tested to ensure the signing still works? |
is this really necessary? seems like needless churn to me |
test build running, should come out @ https://nodejs.org/download/test/v16.0.0-test202012024dc74c4fbb/ shortly, someone can test that if you really want to merge this and need it verified. The .pkg should get full coverage of these changes I think - signing, notarization, etc. |
https://nodejs.org/download/test/v16.0.0-test202012024dc74c4fbb/node-v16.0.0-test202012024dc74c4fbb.pkg there's yer pkg to test, it got built without error at least. |
On my macOS Catalina machine, I got the same output as you for $ ls -lh /bin/bash /bin/sh
-r-xr-xr-x 1 root wheel 609K Sep 22 02:30 /bin/bash
-rwxr-xr-x 1 root wheel 31K Sep 22 02:30 /bin/sh
I tried to install it, and the installation went smoothly. Can I take the notorization works? |
I believe because on macOS
yep, and I can see a notarization email for it too:
|
Landed in 1729ba7...8973075 |
PR-URL: #36121 Reviewed-By: Rich Trott <rtrott@gmail.com>
PR-URL: #36121 Reviewed-By: Rich Trott <rtrott@gmail.com>
PR-URL: nodejs#36121 Reviewed-By: Rich Trott <rtrott@gmail.com>
PR-URL: #36121 Reviewed-By: Rich Trott <rtrott@gmail.com>
In preparation for #36099.
Checklist
make -j4 test
(UNIX), orvcbuild test
(Windows) passes