Creating tctl.app so that our tctl distribution can use TouchID for M…

…ac (#45347)

* Adding tctl app skeletons

* New makefile target for tctl-app

* Adding tctl signing config

* Provision profile for tctl

* Fixing copy-paste typo

* Adding provisioning profile to tctldev

* Adding support for building tctl.pkg

* Adding tctl.pkg to main distribution package

* Fixing install scripts and package scripts

* Adding some forgotten bits from test branch

* One more missed

Makefile

@@ -427,6 +427,15 @@ tsh-app:
 	cp "$(BUILDDIR)/tsh" "$(TSH_APP_BUNDLE)/Contents/MacOS/."
 	$(NOTARIZE_TSH_APP)
 
+.PHONY: tctl-app
+tctl-app: TCTL_APP_BUNDLE = $(BUILDDIR)/tctl.app
+tctl-app: TCTL_APP_ENTITLEMENTS = build.assets/macos/$(TCTL_SKELETON)/$(TCTL_SKELETON).entitlements
+tctl-app:
+	cp -rf "build.assets/macos/$(TCTL_SKELETON)/tctl.app/" "$(TCTL_APP_BUNDLE)/"
+	mkdir -p "$(TCTL_APP_BUNDLE)/Contents/MacOS/"
+	cp "$(BUILDDIR)/tctl" "$(TCTL_APP_BUNDLE)/Contents/MacOS/."
+	$(NOTARIZE_TCTL_APP)
+
 #
 # BPF support (IF ENABLED)
 # Requires a recent version of clang and libbpf installed.
@@ -613,12 +622,15 @@ include darwin-signing.mk
 release-darwin-unsigned: RELEASE:=$(RELEASE)-unsigned
 release-darwin-unsigned: full build-archive
 
+SIGNED_BINARIES := $(BINARIES:%tsh=%tsh.app)
+SIGNED_BINARIES := $(SIGNED_BINARIES:%tctl=%tctl.app)
+
 .PHONY: release-darwin
 ifneq ($(ARCH),universal)
 release-darwin: release-darwin-unsigned
 	$(NOTARIZE_BINARIES)
-	$(MAKE) tsh-app
-	$(MAKE) build-archive BINARIES="$(subst tsh,tsh.app,$(BINARIES))"
+	$(MAKE) tsh-app tctl-app
+	$(MAKE) build-archive BINARIES="$(SIGNED_BINARIES)"
 	@if [ -f e/Makefile ]; then $(MAKE) -C e release; fi
 else
 
@@ -635,23 +647,26 @@ else
 # Ensure you have the rust toolchains for these installed by running
 #   make ARCH=arm64 rustup-install-target-toolchain
 #   make ARCH=amd64 rustup-install-target-toolchain
-release-darwin: TARBINS := $(subst tsh,tsh.app,$(TARBINS))
+release-darwin: TARBINS := $(TARBINS:%tsh=%tsh.app)
+release-darwin: TARBINS := $(TARBINS:%tctl=%tctl.app)
 release-darwin: $(RELEASE_darwin_arm64) $(RELEASE_darwin_amd64)
 	mkdir -p $(BUILDDIR_arm64) $(BUILDDIR_amd64)
 	tar -C $(BUILDDIR_arm64) -xzf $(RELEASE_darwin_arm64) --strip-components=1 $(TARBINS)
 	tar -C $(BUILDDIR_amd64) -xzf $(RELEASE_darwin_amd64) --strip-components=1 $(TARBINS)
 
 	lipo -create -output $(BUILDDIR)/teleport $(BUILDDIR_arm64)/teleport $(BUILDDIR_amd64)/teleport
-	lipo -create -output $(BUILDDIR)/tctl $(BUILDDIR_arm64)/tctl $(BUILDDIR_amd64)/tctl
 	lipo -create -output $(BUILDDIR)/tbot $(BUILDDIR_arm64)/tbot $(BUILDDIR_amd64)/tbot
 	lipo -create -output $(BUILDDIR)/fdpass-teleport $(BUILDDIR_arm64)/fdpass-teleport $(BUILDDIR_amd64)/fdpass-teleport
 	lipo -create -output $(BUILDDIR)/tsh \
 		$(BUILDDIR_arm64)/tsh.app/Contents/MacOS/tsh \
 		$(BUILDDIR_amd64)/tsh.app/Contents/MacOS/tsh
+	lipo -create -output $(BUILDDIR)/tctl \
+		$(BUILDDIR_arm64)/tctl.app/Contents/MacOS/tctl \
+		$(BUILDDIR_amd64)/tctl.app/Contents/MacOS/tctl
 
 	$(NOTARIZE_BINARIES)
-	$(MAKE) tsh-app
-	$(MAKE) ARCH=universal build-archive BINARIES="$(subst tsh,tsh.app,$(BINARIES))"
+	$(MAKE) tsh-app tctl-app
+	$(MAKE) ARCH=universal build-archive BINARIES="$(SIGNED_BINARIES)"
 	@if [ -f e/Makefile ]; then $(MAKE) -C e release; fi
 endif
 
@@ -1660,9 +1675,13 @@ pkg: | $(RELEASE_DIR)
 	mkdir -p $(BUILDDIR)/
 
 	@echo Building tsh-$(VERSION).pkg
-	./build.assets/build-pkg-tsh.sh -t oss -v $(VERSION) -b $(TSH_BUNDLEID) -a $(ARCH) $(TARBALL_PATH_SECTION)
+	./build.assets/build-pkg-app.sh -t oss -v $(VERSION) -b $(TSH_BUNDLEID) -a $(ARCH) $(TARBALL_PATH_SECTION)
 	mv tsh*.pkg* $(BUILDDIR)/
 
+	@echo Building tctl-$(VERSION).pkg
+	./build.assets/build-pkg-app.sh -p tctl -t oss -v $(VERSION) -b $(TCTL_BUNDLEID) -a $(ARCH) $(TARBALL_PATH_SECTION)
+	mv tctl*.pkg* $(BUILDDIR)/
+
 	@echo Building teleport-bin-$(VERSION).pkg
 	cp ./build.assets/build-package.sh ./build.assets/build-common.sh $(BUILDDIR)/
 	chmod +x $(BUILDDIR)/build-package.sh
@@ -1671,7 +1690,7 @@ pkg: | $(RELEASE_DIR)
 	cd $(BUILDDIR) && ./build-package.sh -t oss -v $(VERSION) -p pkg -b $(TELEPORT_BUNDLEID) -a $(ARCH) $(RUNTIME_SECTION) $(TARBALL_PATH_SECTION)
 
 	@echo Combining teleport-bin-$(VERSION).pkg and tsh-$(VERSION).pkg into teleport-$(VERSION).pkg
-	productbuild --package $(BUILDDIR)/tsh*.pkg --package $(BUILDDIR)/teleport-bin*.pkg $(TELEPORT_PKG_UNSIGNED)
+	productbuild --package $(BUILDDIR)/tsh*.pkg --package $(BUILDDIR)/tctl*.pkg --package $(BUILDDIR)/teleport-bin*.pkg $(TELEPORT_PKG_UNSIGNED)
 	$(NOTARIZE_TELEPORT_PKG)
 
 	if [ -f e/Makefile ]; then $(MAKE) -C e pkg; fi

build.assets/build-package.sh

@@ -218,7 +218,7 @@ if [[ "${PACKAGE_TYPE}" == "pkg" ]]; then
         ARCH_TAG="-${PACKAGE_ARCH}"
     fi
     SIGN_PKG="true"
-    FILE_LIST="${TAR_PATH}/tctl ${TAR_PATH}/teleport ${TAR_PATH}/tbot ${TAR_PATH}/fdpass-teleport"
+    FILE_LIST="${TAR_PATH}/teleport ${TAR_PATH}/tbot ${TAR_PATH}/fdpass-teleport"
     BUNDLE_ID="${b:-com.gravitational.teleport}"
     if [[ "${TELEPORT_TYPE}" == "ent" ]]; then
         PKG_FILENAME="teleport-ent-${TELEPORT_VERSION}${ARCH_TAG}.${PACKAGE_TYPE}"

build.assets/build-pkg-tsh.sh → build.assets/build-pkg-app.sh

@@ -7,9 +7,10 @@ TELEPORT_VERSION=''  # -v, version, without leading 'v'
 TARBALL_DIRECTORY='' # -s
 BUNDLEID="${TSH_BUNDLEID}"
 PACKAGE_ARCH=amd64   # -a, default to amd64 for backward-compatibilty.
+PACKAGE_NAME=tsh     # -p, name of app, defaulted to tsh
 
 usage() {
-  log "Usage: $0 -t oss|eng -v version [-s tarball_directory] [-b bundle_id] [-n]"
+  log "Usage: $0 -t oss|eng -v version [-s tarball_directory] [-b bundle_id] [-n] [-p tsh|tctl]"
 }
 
 # make_non_relocatable_plist changes the default component plist of the $root
@@ -36,7 +37,7 @@ main() {
   . "$buildassets/build-common.sh"
 
   local opt=''
-  while getopts "t:v:s:b:a:n" opt; do
+  while getopts "t:v:s:b:a:p:n" opt; do
     case "$opt" in
       t)
         if [[ "$OPTARG" != "oss" && "$OPTARG" != "ent" ]]; then
@@ -62,6 +63,14 @@ main() {
       a)
         PACKAGE_ARCH="$OPTARG"
         ;;
+      p)
+        if [[ "$OPTARG" != "tsh" && "$OPTARG" != "tctl" ]]; then
+          log "$0: invalid value for -$opt, want 'tsh' or 'tctl'"
+          usage
+          exit 1
+        fi
+        PACKAGE_NAME="$OPTARG"
+        ;;
       n)
         DRY_RUN_PREFIX='echo + '  # declared by build-common.sh
         ;;
@@ -152,15 +161,20 @@ or name of the key to sign packages"
   tar xzf "$tarname" -C "$tmp"
 
   # Prepare app shell.
-  local target="$tmp/root/tsh.app"
-  cp -r "$tmp/teleport/tsh.app" "$target"
+  local target="$tmp/root/$PACKAGE_NAME.app"
+  cp -r "$tmp/teleport/$PACKAGE_NAME.app" "$target"
+
+  local entitlements="$buildassets/macos/$TSH_SKELETON/$TSH_SKELETON.entitlements"
+  if [[ "$PACKAGE_NAME" == "tctl" ]]; then
+    entitlements="$buildassets/macos/$TCTL_SKELETON/$TCTL_SKELETON.entitlements"
+  fi
 
   # Sign app.
   $DRY_RUN_PREFIX codesign -f \
     -o kill,hard,runtime \
     -s "$DEVELOPER_ID_APPLICATION" \
     -i "$BUNDLEID" \
-    --entitlements "$buildassets"/macos/$TSH_SKELETON/tsh*.entitlements \
+    --entitlements "$entitlements" \
     --timestamp \
     "$target"
 
@@ -171,10 +185,10 @@ or name of the key to sign packages"
   if [[ "$PACKAGE_ARCH" != "universal" ]]; then
     arch_tag="-$PACKAGE_ARCH"
   fi
-  target="$tmp/tsh-$TELEPORT_VERSION$arch_tag.pkg" # switches from app to pkg
+  target="$tmp/$PACKAGE_NAME-$TELEPORT_VERSION$arch_tag.pkg" # switches from app to pkg
   local pkg_root="$tmp/root"
-  local pkg_component_plist="$tmp/tsh-component.plist"
-  local pkg_scripts="$buildassets/macos/scripts"
+  local pkg_component_plist="$tmp/$PACKAGE_NAME-component.plist"
+  local pkg_scripts="$buildassets/macos/scripts/$PACKAGE_NAME"
   make_non_relocatable_plist "$pkg_root" "$pkg_component_plist"
   pkgbuild \
     --root "$pkg_root" \

build.assets/macos/install

@@ -34,8 +34,9 @@ esac
 echo "Starting Teleport installation..."
 cd $(dirname $0)
 mkdir -p $VARDIR $BINDIR
-cp -f teleport tctl tbot fdpass-teleport $BINDIR/ || exit 1
+cp -f teleport tbot fdpass-teleport $BINDIR/ || exit 1
 cp -rf tsh.app/ "$APPS_DIR"/tsh.app/ || exit 1
+cp -rf tctl.app/ "$APPS_DIR"/tctl.app/ || exit 1
 
 echo "Teleport binaries have been copied to $BINDIR"
 echo ""

build.assets/macos/scripts/tctl/postinstall

@@ -0,0 +1,19 @@
+#!/bin/sh
+set -eu
+
+main() {
+  BIN=/usr/local/bin/
+  [ ! -d "$BIN" ] && mkdir -p "$BIN"
+
+  # If tctl exists and is not a link, make a backup.
+  if [ -f "$BIN/tctl" ] && [ ! -L "$BIN/tctl" ]; then
+    rm -f "$BIN/tctl.bak"
+    mv "$BIN/tctl" "$BIN/tctl.bak"
+  fi
+
+  # Link package to $BIN.
+  rm -f "$BIN/tctl"  # in case link exists
+  ln -s "/Applications/tctl.app/Contents/MacOS/tctl" "$BIN/tctl"
+}
+
+main "$@"

build.assets/macos/tctl/tctl.app/Contents/Info.plist

@@ -0,0 +1,54 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+	<dict>
+		<key>BuildMachineOSBuild</key>
+		<string>21D49</string>
+		<key>CFBundleDevelopmentRegion</key>
+		<string>en</string>
+		<key>CFBundleExecutable</key>
+		<string>tctl</string>
+		<key>CFBundleIconFile</key>
+		<string>app.icns</string>
+		<key>CFBundleIdentifier</key>
+		<string>com.gravitational.teleport.tctl</string>
+		<key>CFBundleInfoDictionaryVersion</key>
+		<string>6.0</string>
+		<key>CFBundleName</key>
+		<string>tctl</string>
+		<key>CFBundlePackageType</key>
+		<string>APPL</string>
+		<key>CFBundleShortVersionString</key>
+		<string>1.0</string>
+		<key>CFBundleSupportedPlatforms</key>
+		<array>
+			<string>MacOSX</string>
+		</array>
+		<key>CFBundleVersion</key>
+		<string>1.0</string>
+		<key>DTCompiler</key>
+		<string>com.apple.compilers.llvm.clang.1_0</string>
+		<key>DTPlatformBuild</key>
+		<string>13C100</string>
+		<key>DTPlatformName</key>
+		<string>macosx</string>
+		<key>DTPlatformVersion</key>
+		<string>11.0</string>
+		<key>DTSDKBuild</key>
+		<string>21C46</string>
+		<key>DTSDKName</key>
+		<string>macosx11.0</string>
+		<key>DTXcode</key>
+		<string>1321</string>
+		<key>DTXcodeBuild</key>
+		<string>13C100</string>
+		<key>LSMinimumSystemVersion</key>
+		<string>10.15.0</string>
+		<key>NSHumanReadableCopyright</key>
+		<string/>
+		<key>NSMainStoryboardFile</key>
+		<string>Main</string>
+		<key>NSPrincipalClass</key>
+		<string>NSApplication</string>
+	</dict>
+</plist>

build.assets/macos/tctl/tctl.app/Contents/PkgInfo

@@ -0,0 +1 @@
+APPL????

build.assets/macos/tctl/tctl.entitlements

@@ -0,0 +1,15 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+  <key>com.apple.developer.team-identifier</key>
+  <string>QH8AA5B8UP</string>
+  <key>com.apple.application-identifier</key>
+  <string>QH8AA5B8UP.com.gravitational.teleport.tctl</string>
+
+  <key>keychain-access-groups</key>
+  <array>
+    <string>QH8AA5B8UP.com.gravitational.teleport.tctl</string>
+  </array>
+</dict>
+</plist>

build.assets/macos/tctldev/tctl.app/Contents/Info.plist

@@ -0,0 +1,52 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+	<dict>
+		<key>BuildMachineOSBuild</key>
+		<string>21D49</string>
+		<key>CFBundleDevelopmentRegion</key>
+		<string>en</string>
+		<key>CFBundleExecutable</key>
+		<string>tctl</string>
+		<key>CFBundleIdentifier</key>
+		<string>com.goteleport.tctldev</string>
+		<key>CFBundleInfoDictionaryVersion</key>
+		<string>6.0</string>
+		<key>CFBundleName</key>
+		<string>tctl</string>
+		<key>CFBundlePackageType</key>
+		<string>APPL</string>
+		<key>CFBundleShortVersionString</key>
+		<string>1.0</string>
+		<key>CFBundleSupportedPlatforms</key>
+		<array>
+			<string>MacOSX</string>
+		</array>
+		<key>CFBundleVersion</key>
+		<string>1.0</string>
+		<key>DTCompiler</key>
+		<string>com.apple.compilers.llvm.clang.1_0</string>
+		<key>DTPlatformBuild</key>
+		<string>13C100</string>
+		<key>DTPlatformName</key>
+		<string>macosx</string>
+		<key>DTPlatformVersion</key>
+		<string>11.0</string>
+		<key>DTSDKBuild</key>
+		<string>21C46</string>
+		<key>DTSDKName</key>
+		<string>macosx11.0</string>
+		<key>DTXcode</key>
+		<string>1321</string>
+		<key>DTXcodeBuild</key>
+		<string>13C100</string>
+		<key>LSMinimumSystemVersion</key>
+		<string>10.15.0</string>
+		<key>NSHumanReadableCopyright</key>
+		<string/>
+		<key>NSMainStoryboardFile</key>
+		<string>Main</string>
+		<key>NSPrincipalClass</key>
+		<string>NSApplication</string>
+	</dict>
+</plist>

build.assets/macos/tctldev/tctl.app/Contents/PkgInfo

@@ -0,0 +1 @@
+APPL????

build.assets/macos/tctldev/tctldev.entitlements

@@ -0,0 +1,15 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+  <key>com.apple.developer.team-identifier</key>
+  <string>K497G57PDJ</string>
+  <key>com.apple.application-identifier</key>
+  <string>K497G57PDJ.com.goteleport.tctldev</string>
+
+  <key>keychain-access-groups</key>
+  <array>
+    <string>K497G57PDJ.com.goteleport.tctldev</string>
+  </array>
+</dict>
+</plist>