├── Munki.Notarize.Specific.Git.Version.zsh
├── Munki.Notarize.zsh
├── MunkiClientSettings.plist
└── README.md

/Munki.Notarize.Specific.Git.Version.zsh:
--------------------------------------------------------------------------------
#!/bin/zsh

# Made by Lux
# https://github.com/lifeunexpected

# NOTE: you first need to edit the DevApp/DevInst values in Munki.Notarize.zsh; if you don't, this script won't work.
# Copy both Munki.Notarize.zsh and Munki.Notarize.Specific.Git.Version.zsh to munki/code/tools/

# This is based on Greg Neagle's original script; only small modifications were made.
# 1: Copy the script to the munki folder
# 2: In Terminal, cd to the folder where the munki git repo is located
# 3: Run the script with the options you want
# 4: Enter your password when asked for it

# Defaults.
PKGID="com.googlecode.munki"
OUTPUTDIR="$(pwd)"
CHECKOUTREV="HEAD"
BRANCH="main"

usage() {
    cat <<EOF
Usage: $(basename "$0") [-b branch] [-r revision] [make_munki_mpkg.sh options]

    -b branch      Git branch (or tag) to clone (main is the default)
    -r revision    Git revision to check out (HEAD is the default)

The remaining options are passed on to make_munki_mpkg.sh:
    -i id          Specify the base package bundle ID
    -o dir         Specify the output directory
    -n orgname     Specify the name of the organization
    -p             Build Python.framework even if one exists
    -B             Include a package that sets Munki's bootstrap mode
    -A             Auto run managedsoftwareupdate immediately after install. This
                   really should be used only with DEP/ADM enrollments.
    -c plist       Build a configuration package using the preferences defined in a
                   plist file
    -R             Include a pkg to install Rosetta2 on ARM-based hardware.
    -s cert_cn     Sign distribution package with a Developer ID Installer
                   certificate from keychain. Provide the certificate's Common
                   Name. Ex: "Developer ID Installer: Munki (U8PN57A5N2)"
    -S cert_cn     Sign apps with a Developer ID Application certificate from
                   keychain. Provide the certificate's Common Name.
                   Ex: "Developer ID Application: Munki (U8PN57A5N2)"
    -T pemfile     Include a pkg to install a client certificate for server mTLS
                   mutual authentication, at /Library/Managed Installs/certs/.

EOF
}

# Options that are handed on are collected in an array, so values containing
# spaces or quotes survive intact (no string re-parsing with eval).
ADDITIONALARGS=()
while getopts "b:r:i:o:n:c:s:S:T:pBAhR" option; do
    case $option in
        b) BRANCH="$OPTARG" ;;
        r) CHECKOUTREV="$OPTARG" ;;
        i|o|n|c|s|S|T) ADDITIONALARGS+=("-$option" "$OPTARG") ;;
        p|B|A|R) ADDITIONALARGS+=("-$option") ;;
        h|*) usage; exit 1 ;;
    esac
done
shift $((OPTIND - 1))

if [ $# -ne 0 ]; then
    usage
    exit 1
fi

MUNKIDIR="$(pwd)/munki-git"

# Sanity checks.
if ! command -v git >/dev/null 2>&1; then
    echo "Could not find git in command path. Maybe it's not installed?" 1>&2
    echo "You can get a Git package here:" 1>&2
    echo "    https://git-scm.com/download/mac" 1>&2
    exit 1
fi

# Delete the old munki-git folder from the munki root folder if it exists.
# It may contain root-owned files from an earlier sudo build, hence sudo.
sudo rm -rf "$MUNKIDIR"

echo "Cloning munki repo branch $BRANCH from github..."
git clone --branch "$BRANCH" --no-checkout -- https://github.com/munki/munki.git "$MUNKIDIR"
CLONE_RESULT="$?"
if [ "$CLONE_RESULT" != "0" ]; then
    echo "Error cloning munki repo: $CLONE_RESULT" 1>&2
    exit 1
fi

echo "Checking out revision $CHECKOUTREV..."
cd "$MUNKIDIR" || exit 1
git checkout "$CHECKOUTREV"
CHECKOUT_RESULT="$?"
if [ "$CHECKOUT_RESULT" != "0" ]; then
    echo "Error checking out $CHECKOUTREV: $CHECKOUT_RESULT" 1>&2
    exit 1
fi

# Copy the notarization script and the client settings into the munki-git checkout
cp "$OUTPUTDIR/code/tools/Munki.Notarize.zsh" "$MUNKIDIR/code/tools/"
cp "$OUTPUTDIR/code/tools/MunkiClientSettings.plist" "$MUNKIDIR/code/tools/"

# Now run the copy of Munki.Notarize.zsh inside the checkout to build, sign and notarize.
# The package is written into the munki-git checkout; pass -o to put it elsewhere.
"$MUNKIDIR/code/tools/Munki.Notarize.zsh" -r "$MUNKIDIR" -o "$MUNKIDIR" "${ADDITIONALARGS[@]}"

exit $?
--------------------------------------------------------------------------------
/Munki.Notarize.zsh:
--------------------------------------------------------------------------------
#!/bin/zsh
# encoding: utf-8

# Made by Lux
# https://github.com/lifeunexpected

# Scripts are based on code by:
# https://groups.google.com/forum/#!topic/munki-dev/FADUXPWJeds - Michal Moravec
# https://github.com/rednoah/notarize-app/blob/master/notarize-app - rednoah
# https://github.com/munki/munki/tree/master/code/tools - Greg Neagle
# https://stackoverflow.com/a/57083245 - Perry
# https://scriptingosx.com/2021/07/notarize-a-command-line-tool-with-notarytool/

# 1: Copy the script to the munki folder
# 2: In Terminal, cd to the folder where the munki git repo is located
# 3: Run the script
# 4: Enter your password when asked for it

# Tip: if you get the error “You must first sign the relevant contracts online. (1048)”,
# go to developer.apple.com, sign in with the account you are notarizing with and agree to the updated license agreement.

# Change what is needed below this line
# _____________________
# Change DevApp to your personal/company Developer ID Application name + Team ID
DevApp="Developer ID Application: Name/Company (ID)"
# Change DevInst to your personal/company Developer ID Installer name + Team ID
DevInst="Developer ID Installer: Name/Company (ID)"
# Change BUNDLE_ID if you are using a custom one; the default is "com.googlecode.munki"
BUNDLE_ID="com.googlecode.munki"

# Defaults. Credential_Profile must match the profile name you gave
# "xcrun notarytool store-credentials" (see README Step 2); do not change the rest.
Credential_Profile="Notary-Tool"
MUNKIROOT="."
OUTPUTDIR="$(pwd)"
CONFIG_PLIST=""
PASSTHRU=()

# Options (the same letters Munki.Notarize.Specific.Git.Version.zsh forwards):
#   -r root    munki source root (default: current folder)
#   -o dir     output folder for the package (default: current folder)
#   -i id      base package bundle ID
#   -s cert_cn Developer ID Installer certificate Common Name
#   -S cert_cn Developer ID Application certificate Common Name
#   -c plist   client settings plist (skips the question below)
#   -n, -T, -p, -B, -A, -R are passed straight on to make_munki_mpkg.sh
while getopts "r:o:i:s:S:c:n:T:pBAR" option; do
    case $option in
        r) MUNKIROOT="$OPTARG" ;;
        o) OUTPUTDIR="$OPTARG" ;;
        i) BUNDLE_ID="$OPTARG" ;;
        s) DevInst="$OPTARG" ;;
        S) DevApp="$OPTARG" ;;
        c) CONFIG_PLIST="$OPTARG" ;;
        n|T) PASSTHRU+=("-$option" "$OPTARG") ;;
        p|B|A|R) PASSTHRU+=("-$option") ;;
        *) echo "Usage: $(basename "$0") [-r root] [-o dir] [-i id] [-s cert_cn] [-S cert_cn] [-c plist] [-n orgname] [-T pemfile] [-p] [-B] [-A] [-R]" 1>&2
           exit 1 ;;
    esac
done

# Convert to absolute paths and work from the munki source root.
MUNKIROOT=$(cd "$MUNKIROOT" && pwd) || exit 1
OUTPUTDIR=$(cd "$OUTPUTDIR" && pwd) || exit 1
cd "$MUNKIROOT" || exit 1

# Update munki to the latest commit on the checked-out branch.
# Skipped on a detached HEAD (e.g. a tag checked out by Munki.Notarize.Specific.Git.Version.zsh),
# where a pull would fail anyway. Comment this out if you don't want it to update.
if git symbolic-ref -q HEAD >/dev/null; then
    git pull
fi

# Rename existing munkitools packages so the freshly built one is the only match later on.
# They are renamed because it is unknown whether they were notarized or not.
for Old_PKG in "$OUTPUTDIR"/munkitools-[0-9]*(N); do
    mv "$Old_PKG" "$OUTPUTDIR/Unknown-${Old_PKG:t}"
    echo "Renamed ${Old_PKG:t} to Unknown-${Old_PKG:t} to let the script run properly later on"
done

# Python signing part of the script

"$MUNKIROOT/code/tools/build_python_framework.sh" || exit 1

# Get the Python version used in the munki build so that it doesn't have to be hardcoded
PYTHON_FRAMEWORK_VERSION=$(ls "$MUNKIROOT/Python.framework/Versions" | grep -v "Current")
PYFW="$MUNKIROOT/Python.framework/Versions/$PYTHON_FRAMEWORK_VERSION"

# Sign the nested executables and libraries first (inside-out), then the framework itself.
find "$PYFW/lib/" -type f -perm -u=x -exec codesign --force --deep --verbose -s "$DevApp" {} \;
find "$PYFW/bin/" -type f -perm -u=x -exec codesign --force --deep --verbose -s "$DevApp" {} \;

find "$PYFW/lib/" -type f -name "*dylib" -exec codesign --force --deep --verbose -s "$DevApp" {} \;
find "$PYFW/lib/" -type f -name "*so" -exec codesign --force --deep --verbose -s "$DevApp" {} \;

# The hardened runtime blocks unsigned executable memory; Python needs this exception.
# It weakens the hardened runtime for these binaries, so it is applied only to them.
# "Add" fails if the key already exists (e.g. on a re-run), in which case it is set instead.
/usr/libexec/PlistBuddy -c "Add :com.apple.security.cs.allow-unsigned-executable-memory bool true" "$MUNKIROOT/entitlements.plist" 2>/dev/null \
    || /usr/libexec/PlistBuddy -c "Set :com.apple.security.cs.allow-unsigned-executable-memory true" "$MUNKIROOT/entitlements.plist"

codesign --force --options runtime --entitlements "$MUNKIROOT/entitlements.plist" --deep --verbose -s "$DevApp" "$PYFW/Resources/Python.app/"

codesign --force --options runtime --entitlements "$MUNKIROOT/entitlements.plist" --deep --verbose -s "$DevApp" "$PYFW/bin/python$PYTHON_FRAMEWORK_VERSION"

# The -intel64 binary is only present in some Python builds
if [ -f "$PYFW/bin/python$PYTHON_FRAMEWORK_VERSION-intel64" ]; then
    codesign --force --options runtime --entitlements "$MUNKIROOT/entitlements.plist" --deep --verbose -s "$DevApp" "$PYFW/bin/python$PYTHON_FRAMEWORK_VERSION-intel64"
fi

codesign --force --deep --verbose -s "$DevApp" "$MUNKIROOT/Python.framework"

# Creating munkitools.pkg
# Ask whether to build a package that includes the client settings, unless -c was given
if [ -z "$CONFIG_PLIST" ]; then
    echo
    echo
    echo "Do you want to include a configuration package using the preferences defined in MunkiClientSettings.plist?"
    if read -q "?Yes/No: "; then
        CONFIG_PLIST="$MUNKIROOT/code/tools/MunkiClientSettings.plist"
    fi
    echo
fi

if [ -n "$CONFIG_PLIST" ]; then
    echo "Building munkitools.pkg that includes a configuration package using the preferences defined in $CONFIG_PLIST"
    sudo "$MUNKIROOT/code/tools/make_munki_mpkg.sh" -i "$BUNDLE_ID" -S "$DevApp" -s "$DevInst" -c "$CONFIG_PLIST" -o "$OUTPUTDIR" "${PASSTHRU[@]}" || exit 1
else
    echo "Building munkitools.pkg without a configuration package"
    sudo "$MUNKIROOT/code/tools/make_munki_mpkg.sh" -i "$BUNDLE_ID" -S "$DevApp" -s "$DevInst" -o "$OUTPUTDIR" "${PASSTHRU[@]}" || exit 1
fi

# Get the filename of the munkitools package that was just created
BUNDLE_PKGS=( "$OUTPUTDIR"/munkitools-[0-9]*(N) )
if [ ${#BUNDLE_PKGS[@]} -ne 1 ]; then
    echo "Expected exactly one munkitools package in $OUTPUTDIR, found ${#BUNDLE_PKGS[@]}" 1>&2
    exit 1
fi
BUNDLE_PKG="${BUNDLE_PKGS[1]:t}"

# The package was created by root (sudo); hand it back to the local user before notarizing
LocalUser=$(whoami)
sudo chown "$LocalUser" "$OUTPUTDIR/$BUNDLE_PKG"

# Notarizing and stapling munkitools.pkg

# create temporary files
NOTARIZE_APP_LOG=$(mktemp -t notarize-app)
NOTARIZE_INFO_LOG=$(mktemp -t notarize-info)

# delete temporary files on exit
function finish {
    rm -f "$NOTARIZE_APP_LOG" "$NOTARIZE_INFO_LOG"
}
trap finish EXIT

# Submit the package for notarization and wait for Apple's verdict
xcrun notarytool submit "$OUTPUTDIR/$BUNDLE_PKG" \
    --keychain-profile "$Credential_Profile" \
    --wait 2>&1 | tee "$NOTARIZE_APP_LOG"

# Only staple if the notary service accepted the package; otherwise show the log and stop
if ! grep -q "status: Accepted" "$NOTARIZE_APP_LOG"; then
    SUBMISSION_ID=$(awk '/^[ \t]*id:/ {print $2; exit}' "$NOTARIZE_APP_LOG")
    echo "Notarization of $BUNDLE_PKG was not accepted (submission ${SUBMISSION_ID:-unknown})" 1>&2
    if [ -n "$SUBMISSION_ID" ]; then
        xcrun notarytool log "$SUBMISSION_ID" --keychain-profile "$Credential_Profile" "$NOTARIZE_INFO_LOG" \
            && cat "$NOTARIZE_INFO_LOG"
    fi
    exit 1
fi

# Staple the notarization ticket to the package
xcrun stapler staple "$OUTPUTDIR/$BUNDLE_PKG" || exit 1

# Rename $BUNDLE_PKG to Notarized-$BUNDLE_PKG so the script can run again without any problems
mv "$OUTPUTDIR/$BUNDLE_PKG" "$OUTPUTDIR/Notarized-$BUNDLE_PKG"

echo
echo "Renamed $BUNDLE_PKG to Notarized-$BUNDLE_PKG to let you know it was notarized"
echo "You can check whether it's notarized properly with Taccy - https://eclecticlight.co/taccy-signet-precize-alifix-utiutility-alisma/"
echo

# Show the spctl assessment (a notarized package is reported as accepted with a Notarized Developer ID source)
echo "Show spctl log"
spctl --assess -vv --type install "$OUTPUTDIR/Notarized-$BUNDLE_PKG"

# Show the notarized package in Finder
open -R "$OUTPUTDIR/Notarized-$BUNDLE_PKG"
--------------------------------------------------------------------------------
/MunkiClientSettings.plist:
--------------------------------------------------------------------------------
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>SoftwareRepoURL</key>
	<string>https://munkiserver.com</string>
	<key>ClientIdentifier</key>
	<string>temp_munki_client</string>
	<key>ShowOptionalInstallsForHigherOSVersions</key>
	<true/>
</dict>
</plist>
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# Different scripts for macOS

## Munki Notarization scripts
###### Lets you do the following:
- Updates the munki folder before building so you get the latest version
- Renames previous munkitools-version.pkg files to Unknown-munkitools-version.pkg so the later step in the script runs correctly.
  Renaming is done since it is unknown whether the older files in the munki folder are notarized or not.
- Signs the custom Python.framework for munkitools so it passes notarization later on in the script.
- Uploads the finished munkitools-version.pkg to Apple for notarization.
  When and if Apple accepts it, the notarization ticket is stapled to the package, which completes the notarization process.
- Renames the finished munkitools-version.pkg to Notarized-munkitools-version.pkg so it's easy to see it has been notarized.
  You can then run the script again if you want to.

## Update regarding Apple altool
Apple's altool, which the original script used to notarize the package, is deprecated and stops working for notarization in fall 2023; the replacement is notarytool.
Because of this the script has been updated, and so has the guide below.
Step 2 in the guide below now explains how to set up a notarytool keychain profile.
This keychain profile is what the script uses to notarize the package.
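Munki.Notarize.zsh hands the package to `xcrun notarytool submit --wait` and then staples it. The shell below is an added example, not one of the repository's scripts, of the check a practitioner wants around that step: read the submission id and final status back from notarytool's output, fetch the notarization log when the status is anything other than Accepted, and only then staple and verify. The two sample outputs are constructed to match the shape notarytool prints (the submission ids and file name are made up); the `Notary-Tool` profile name is the one Munki.Notarize.zsh uses. Only the `xcrun` and `spctl` calls need macOS; the parsing runs anywhere.

```shell
#!/bin/bash
# Added example (not part of the repository's scripts): check notarytool's verdict
# before stapling, instead of stapling whatever came back.
set -u

# Constructed sample of what `xcrun notarytool submit --wait` prints for an accepted package.
SAMPLE_ACCEPTED='Conducting pre-submission checks for munkitools-example.pkg and initiating connection to the Apple notary service...
Submission ID received
  id: 2efe2717-52ef-43a5-96dc-0797e4ca1041
Successfully uploaded file
  id: 2efe2717-52ef-43a5-96dc-0797e4ca1041
  path: /Users/Shared/munki/munkitools-example.pkg
Waiting for processing to complete.
Current status: Accepted.....
Processing complete
  id: 2efe2717-52ef-43a5-96dc-0797e4ca1041
  status: Accepted'

# Same shape, but the notary service rejected the package (constructed).
SAMPLE_INVALID='Submission ID received
  id: 9b1d3c7e-1111-4222-8333-444455556666
Successfully uploaded file
Waiting for processing to complete.
Current status: Invalid....
Processing complete
  id: 9b1d3c7e-1111-4222-8333-444455556666
  status: Invalid'

# notary_parse <notarytool output> -> prints "<submission id> <final status>".
# Only lines that start with "id:" / "status:" count, so the progress line
# "Current status: Accepted...." is never mistaken for the verdict.
notary_parse() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*id:/ && id == ""  { id = $2 }
        /^[ \t]*status:/          { status = $2 }
        END {
            if (id == "")     id = "none"
            if (status == "") status = "unknown"
            print id, status
        }'
}

# notary_accepted <notarytool output> -> exit 0 only for a final "status: Accepted".
notary_accepted() {
    [ "$(notary_parse "$1" | cut -d' ' -f2)" = "Accepted" ]
}

# notarize_and_staple <pkg> [keychain profile]: submit, check, show the log on
# failure, then staple and verify. Default profile name is the one the script uses.
notarize_and_staple() {
    local pkg="$1" profile="${2:-Notary-Tool}" out id status
    out=$(xcrun notarytool submit "$pkg" --keychain-profile "$profile" --wait 2>&1) || true
    set -- $(notary_parse "$out")
    id=$1; status=$2
    if [ "$status" != "Accepted" ]; then
        echo "notarization of $pkg ended with status '$status' (submission $id)" >&2
        # The log names the offending file and reason (unsigned binary, no hardened runtime, ...)
        if [ "$id" != "none" ]; then
            xcrun notarytool log "$id" --keychain-profile "$profile" >&2
        fi
        return 1
    fi
    xcrun stapler staple "$pkg" || return 1
    xcrun stapler validate "$pkg" || return 1   # is the ticket really attached?
    spctl --assess --type install -vv "$pkg"     # Gatekeeper's own view of the package
}

notary_parse "$SAMPLE_ACCEPTED"   # 2efe2717-52ef-43a5-96dc-0797e4ca1041 Accepted
notary_parse "$SAMPLE_INVALID"    # 9b1d3c7e-1111-4222-8333-444455556666 Invalid
```

`stapler validate` and `spctl --assess --type install` are the two offline checks worth running before a package is published: the first proves the ticket is embedded (so clients can verify without reaching Apple), the second shows what Gatekeeper will decide on a client.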

## Step 1: What you will need to notarize and sign software
- Apple Developer account
- Apple Developer ID Application certificate in your keychain
- Apple Developer ID Installer certificate in your keychain
- App-specific password for that Apple ID
- Xcode installed on your Mac, or at least the Xcode Command Line Tools

## Step 2: How to set up the app-specific password and the notarytool keychain profile

1: Create an app-specific password for your Apple Developer Apple ID using the guide in the link below.
https://support.apple.com/en-us/HT204397

(This step has been updated to use notarytool instead of the altool that was originally used.)
2: Open Terminal.app and run the command below with your own Apple ID and Team ID
    xcrun notarytool store-credentials --apple-id "name@example.com" --team-id "ABCD123456"

More detailed:
When you run the command you will be asked for a profile name and then for the app-specific password you created in the step above.
notarytool validates what you typed; if it was correct you get "Success. Credentials validated. Credentials saved to Keychain."

What happens when you run the command above:
The credentials are stored securely in your keychain, and you reference them later by the profile name.

    Profile name:
    notary-example.com
    Password for name@example.com:
    Validating your credentials...
    Success. Credentials validated.
    Credentials saved to Keychain.
    To use them, specify `--keychain-profile "notary-example.com"`


Command explained:
Profile name = the name the script looks up later. Munki.Notarize.zsh uses "Notary-Tool" (the Credential_Profile variable), so either enter Notary-Tool as the profile name or change Credential_Profile in the script to the name you chose.
Add your Apple Developer account e-mail after "--apple-id" and your Apple Team ID after "--team-id".

Tip: You can find your Apple Developer Team ID in Keychain Access; just search for "Installer" and "Application".

You should then see "Developer ID Application: Name/Company (Team ID)" and "Developer ID Installer: Name/Company (Team ID)"

## Step 3: Edit the script
1: Download the scripts

2: Open Munki.Notarize.zsh in a text editor (TextEdit, Atom, etc.)

3: Go to "Change what is needed below this line" and change "Name/Company (ID)" to match your Apple Developer ID info, then save the file

Tip: You can find your Apple Developer ID name and ID number in Keychain Access; just search for "Installer" and "Application".

You should then see "Developer ID Application: Name/Company (ID)" and "Developer ID Installer: Name/Company (ID)"

## Step 4: How to set up munki and copy the scripts to the correct folder

1: Open Terminal --> cd to the folder you want munki to be in
Tip: If you get some type of warning or access problem, try using /Users/Shared/ as the folder for building munki

2: Type in Terminal: git clone https://github.com/munki/munki.git

3: Copy the scripts to the munki/code/tools folder that was created in the step above

4: In Terminal type "cd /Path/To/munki/Folder", the folder where the git repo is located

Tip: You might need to run chmod +x on the scripts below to make them executable (the plist is data and does not need it).
- Munki.Notarize.Specific.Git.Version.zsh
- Munki.Notarize.zsh

## Step 5: Building a specific munki version (recommended way)
More detailed information is here: https://github.com/munki/munki/wiki/Building-Munki-packages

2: In Terminal type "cd /Path/To/munki/Folder", the folder where the git repo you made in the steps above is located

3: Type "git tag" in Terminal and press Enter until you find the version you want to build.

OR

You can look up the git tag of the specific version you want on the releases page below, as shown in the picture:
https://github.com/munki/munki/releases/

(screenshot: GitTag)

4: Run "code/tools/Munki.Notarize.Specific.Git.Version.zsh -b VersionNumber", where VersionNumber is the tag name, to build the specific version you want

5: Enter your user account password when asked for it.

6: If everything goes correctly, a notarized package is built in the munki/munki-git folder


###### Building the latest version by running only Munki.Notarize.zsh (not really recommended, but it works; prefer the method in Step 5)
Tip: Since the main branch moves with every commit, it is recommended to build the specific munki version you want, but you can run Munki.Notarize.zsh directly if you want.

1: Copy Munki.Notarize.Specific.Git.Version.zsh, Munki.Notarize.zsh and MunkiClientSettings.plist to the munki/code/tools/ folder

2: In Terminal type "cd munki" to go to where the git repo folder is located

3: Drag the Munki.Notarize.zsh script into the Terminal window and run it

4: Enter your computer password when asked for it.

## macOS Catalina error message that sometimes happens with different munki builds:
Problem: You might experience the following error when running this script or when running code/tools/make_munki_mpkg.sh

    The domain/default pair of (/Users/eric/Desktop/munki/code/client/munkilib/version, CFBundleShortVersionString) does not exist
    /Users/eric/Desktop/munki/code/client/munkilib/version is missing!
    Perhaps /Users/eric/Desktop/munki does not contain the munki source?

https://github.com/munki/munki/issues/978

The problem seems to happen with some munki builds but not all of them.

Partial fix: Try macOS Mojave 10.14.6 and Xcode 11.3.1 (the latest Xcode version that supports Mojave); it should then work without any problems.
Somebody has managed to make it work on macOS Catalina by putting the munki files in the /Users/Shared folder.
You could probably run older versions of Xcode, but I haven't tried.

## Tips

Tip 1: If you get the error “You must first sign the relevant contracts online. (1048)”,
go to developer.apple.com, sign in with the account you are notarizing with and agree to the updated license agreement.

## Known problems
Updated 29 September 2021

Munki v5.5.0 & v5.5.1 on Apple M1 problems
There is a known problem with packaging Munki v5.5.0 and v5.5.1, caused by PyObjC, that triggers xattr problems during the build process.
There is also a problem with Xcode 12.5 and 12.5.1.

If you want to notarize or build Munki v5.5.0 & v5.5.1 it is recommended to use the following:
CPU: Intel
OS: macOS 11.4; maybe 11.5 and 11.6 will work, but I haven't tried.
Xcode: 12.4 (12.3 might work); 12.5 and 12.5.1 DON'T work; not tested on Xcode 13 yet
https://github.com/lifeunexpected/Scripts/issues/5
https://github.com/munki/munki/issues/1100#issuecomment-900119943
--------------------------------------------------------------------------------
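Step 5 above selects a release by tag, and Munki.Notarize.Specific.Git.Version.zsh clones it with `git clone --branch` and checks out `-r revision` (HEAD by default). A tag or branch is just a name that can be re-pointed, so a build you are about to sign with your Developer ID should be pinned to the full commit id you reviewed. The helper below is an added example, not one of the repository's scripts: it clones the way the script does, then refuses to continue unless the checkout resolves to the expected commit. Repository URL, ref and commit id are parameters; the values in the usage comment are placeholders.

```shell
#!/bin/bash
# Added example (not one of the repository's scripts): clone a ref the way
# Munki.Notarize.Specific.Git.Version.zsh does, then refuse to go on unless the
# checkout is the exact commit you reviewed, so a re-pointed tag or branch cannot
# slip different sources under your signature.
set -u

# clone_pinned <repo-url> <ref> <expected-full-commit-id> <dest-dir>
# Prints the commit id and returns 0 only when HEAD in <dest-dir> equals it.
clone_pinned() {
    local repo="$1" ref="$2" want="$3" dest="$4" have
    case "$want" in
        ''|*[!0-9a-f]*)
            echo "expected commit must be a lowercase hex id, got '$want'" >&2
            return 2 ;;
    esac
    if [ "${#want}" -lt 40 ]; then
        echo "use the full commit id (40 hex characters for SHA-1), not an abbreviation" >&2
        return 2
    fi
    # Same clone shape as the original script: --branch accepts a tag as well as a branch.
    git clone --quiet --branch "$ref" --no-checkout -- "$repo" "$dest" || return 1
    have=$(git -C "$dest" rev-parse HEAD) || return 1
    if [ "$have" != "$want" ]; then
        echo "refusing to build: $ref resolved to $have, expected $want" >&2
        return 1
    fi
    # Only now populate the working tree, by commit id rather than by name.
    git -C "$dest" checkout --quiet "$want" || return 1
    echo "$have"
}

# Usage with placeholder values; take the tag from `git tag` and the id from
# `git rev-parse <tag>^{commit}` on a clone you have inspected:
#   clone_pinned https://github.com/munki/munki.git v6.x.x 0123456789abcdef0123456789abcdef01234567 ./munki-git
```

Record the commit id next to the Notarized-munkitools-version.pkg you publish; it is the one piece of provenance that ties the signed package back to the exact sources, which the tag name alone does not.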