build: macOS package notarization

Includes hardened-runtime patch from gdams from
#29216 (comment)

Backport-PR-URL: #32527
PR-URL: #31459
Refs: #29216
Reviewed-By: Christian Clauss <cclauss@me.com>
Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
Reviewed-By: Ash Cripps <ashley.cripps@ibm.com>
Signed-off-by: Rod Vagg <rod@vagg.org>

Author: rvagg

.gitignore

@@ -33,6 +33,7 @@
 /doc/api.xml
 /node
 /node_g
+/gon-config.json
 /*.exe
 /*.swp
 /out

Makefile

@@ -1010,6 +1010,7 @@ $(PKG): release-only
 		--resources $(MACOSOUTDIR)/installer/productbuild/Resources \
 		--package-path $(MACOSOUTDIR)/pkgs ./$(PKG)
 	SIGN="$(PRODUCTSIGN_CERT)" PKG="$(PKG)" bash tools/osx-productsign.sh
+	bash tools/osx-notarize.sh $(FULLVERSION)
 
 .PHONY: pkg
 # Builds the macOS installer for releases.

tools/osx-codesign.sh

@@ -8,4 +8,13 @@ if [ "X$SIGN" == "X" ]; then
   exit 0
 fi
 
-codesign -s "$SIGN" "$PKGDIR"/bin/node
+# All macOS executable binaries in the bundle must be codesigned with the
+# hardened runtime enabled.
+# See https://github.com/nodejs/node/pull/31459
+
+codesign \
+  --sign "$SIGN" \
+  --entitlements tools/osx-entitlements.plist \
+  --options runtime \
+  --timestamp \
+  "$PKGDIR"/bin/node

tools/osx-entitlements.plist

@@ -0,0 +1,16 @@
+  <?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+    <key>com.apple.security.cs.allow-jit</key>
+    <true/>
+    <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
+    <true/>
+    <key>com.apple.security.cs.disable-executable-page-protection</key>
+    <true/>
+    <key>com.apple.security.cs.allow-dyld-environment-variables</key>
+    <true/>
+    <key>com.apple.security.cs.disable-library-validation</key>
+    <true/>
+</dict>
+</plist>

tools/osx-gon-config.json.tmpl

@@ -0,0 +1,12 @@
+{
+  "notarize": [{
+    "path": "node-{{pkgid}}.pkg",
+    "bundle_id": "org.nodejs.pkg.{{pkgid}}",
+    "staple": true
+  }],
+
+  "apple_id": {
+     "username": "{{appleid}}",
+     "password": "@env:NOTARIZATION_PASSWORD"
+  }
+}

tools/osx-notarize.sh

@@ -0,0 +1,37 @@
+#!/bin/bash
+
+# Uses gon, from https://github.com/mitchellh/gon, to notarize a generated node-<version>.pkg file
+# with Apple for installation on macOS Catalina and later as validated by Gatekeeper.
+
+set -e
+
+gon_version="0.2.2"
+gon_exe="${HOME}/.gon/gon_${gon_version}"
+
+__dirname="$(CDPATH= cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+pkgid="$1"
+
+if [ "X${pkgid}" == "X" ]; then
+  echo "Usage: $0 <pkgid>"
+  exit 1
+fi
+
+if [ "X$NOTARIZATION_ID" == "X" ]; then
+  echo "No NOTARIZATION_ID environment var. Skipping notarization."
+  exit 0
+fi
+
+set -x
+
+mkdir -p "${HOME}/.gon/"
+
+if [ ! -f "${gon_exe}" ]; then
+  curl -sL "https://github.com/mitchellh/gon/releases/download/v${gon_version}/gon_${gon_version}_macos.zip" -o "${gon_exe}.zip"
+  (cd "${HOME}/.gon/" && rm -f gon && unzip "${gon_exe}.zip" && mv gon "${gon_exe}")
+fi
+
+cat tools/osx-gon-config.json.tmpl \
+  | sed -e "s/{{appleid}}/${NOTARIZATION_ID}/" -e "s/{{pkgid}}/${pkgid}/" \
+  > gon-config.json
+
+"${gon_exe}" -log-level=info gon-config.json