
fix(package): remove unnecessary files from all packages

fixes EMQX-13146
Ivan Dyachkov hace 1 año
padre
commit
7ab3633ce5

+ 0 - 33
build

@@ -288,45 +288,12 @@ make_tgz() {
     cp_dyn_libs "${tard}/emqx"
     case "$SYSTEM" in
         macos*)
-            # if the flag to sign macos binaries is set, but developer certificate
-            # or certificate password is not configured, reset the flag
-            # could happen, for example, when people submit PR from a fork, in this
-            # case they cannot access secrets
-            if [[ "${APPLE_SIGN_BINARIES:-0}" == 1 && \
-                      ( "${APPLE_DEVELOPER_ID_BUNDLE:-0}" == 0 || \
-                           "${APPLE_DEVELOPER_ID_BUNDLE_PASSWORD:-0}" == 0 ) ]]; then
-                echo "Apple developer certificate is not configured, skip signing"
-                APPLE_SIGN_BINARIES=0
-            fi
-            if [ "${APPLE_SIGN_BINARIES:-0}" = 1 ]; then
-                ./scripts/macos-sign-binaries.sh "${tard}/emqx"
-            fi
             ## create zip after change dir
             ## to avoid creating an extra level of 'emqx' dir in the .zip file
             pushd "${tard}/emqx" >/dev/null
             zip -r "../${target_name}" -- * >/dev/null
             popd >/dev/null
             mv "${tard}/${target_name}" "${target}"
-            if [ "${APPLE_SIGN_BINARIES:-0}" = 1 ]; then
-                # notarize the package
-                # if fails, check what went wrong with this command:
-                    # xcrun notarytool log \
-                    #   --apple-id <apple id> \
-                    #   --password <apple id password>
-                    #   --team-id <apple team id> <submission-id>
-                echo 'Submitting the package for notarization to Apple (normally takes about a minute)'
-                notarytool_output="$(xcrun notarytool submit \
-                                           --apple-id "${APPLE_ID}" \
-                                           --password "${APPLE_ID_PASSWORD}" \
-                                           --team-id "${APPLE_TEAM_ID}" "${target}" \
-                                           --no-progress \
-                                           --wait)"
-                echo "$notarytool_output"
-                echo "$notarytool_output" | grep -q 'status: Accepted' || {
-                    echo 'Notarization failed';
-                    exit 1;
-                }
-            fi
             # sha256sum may not be available on macos
             openssl dgst -sha256 "${target}" | cut -d ' ' -f 2  > "${target}.sha256"
             ;;

+ 1 - 3
deploy/docker/Dockerfile

@@ -57,9 +57,7 @@ RUN set -eu; \
 
 COPY --from=builder --chown=emqx:emqx /emqx-rel /opt/
 
-RUN set -eu; \
-    find /opt/emqx -name 'swagger*.js.map' -exec rm {} +; \
-    ln -s /opt/emqx/bin/* /usr/local/bin/;
+RUN ln -s /opt/emqx/bin/* /usr/local/bin/
 
 WORKDIR /opt/emqx
 

+ 5 - 0
rebar.config.erl

@@ -336,6 +336,11 @@ relx(Vsn, RelType, PkgType, Edition) ->
         {sys_config, false},
         {vm_args, false},
         {release, {emqx, Vsn}, relx_apps(RelType, Edition)},
+        {tar_hooks, [
+            "scripts/rel/cleanup-release-package.sh",
+            "scripts/rel/macos-sign-binaries.sh",
+            "scripts/rel/macos-notarize-package.sh"
+        ]},
         {overlay, relx_overlay(RelType, Edition)},
         {overlay_vars_values,
             build_info() ++
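Review bot: The hook list names `scripts/rel/macos-sign-binaries.sh`, while the file changed further down this page is headed `scripts/macos-sign-binaries.sh`; unless that section is a rename shown under its old path, the second hook points at a file that does not exist. The three entries also depend on their order (prune, sign, then notarize the signed tree), which deserves a comment above the list such as `%% order matters: cleanup -> sign -> notarize; the sign/notarize hooks exit 0 off macOS or when signing is disabled`. relx/4 starts and ends outside this hunk.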

+ 8 - 0
scripts/rel/cleanup-release-package.sh

@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+
+# Remove unnecessary files to reduce the package size
+
+set -euo pipefail
+
+find "${RELX_TEMP_DIR}" -name 'swagger*.js.map' -exec rm {} +
+find "${RELX_TEMP_DIR}" -name 'swagger*.css.map' -exec rm {} +

+ 52 - 0
scripts/rel/macos-notarize-package.sh

@@ -0,0 +1,52 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+# intended to run on MacOS only
+if [ "$(uname)" != 'Darwin' ]; then
+    echo 'Not macOS, exiting';
+    exit 0;
+fi
+
+if [ "${APPLE_SIGN_BINARIES:-0}" == 0 ]; then
+    echo "Signing Apple binaries is disabled, exiting"
+    exit 0
+fi
+
+if [[ "${APPLE_ID:-0}" == 0 || "${APPLE_ID_PASSWORD:-0}" == 0 || "${APPLE_TEAM_ID:-0}" == 0 ]]; then
+    echo "Apple ID is not configured, skipping notarization."
+    exit 0
+fi
+
+pushd "${RELX_TEMP_DIR}"
+
+ZIP_PACKAGE_PATH="${1:-${RELX_OUTPUT_DIR}/${RELX_RELEASE_NAME}-${RELX_RELEASE_VSN}.zip}"
+zip -qr "${ZIP_PACKAGE_PATH}" .
+
+popd
+
+# notarize the package
+# if fails, check what went wrong with this command:
+# xcrun notarytool log \
+#   --apple-id "${APPLE_ID}" \
+#   --password "${APPLE_ID_PASSWORD}" \
+#   --team-id "${APPLE_TEAM_ID}" <submission-id>
+echo 'Submitting the package for notarization to Apple (normally takes about a minute)'
+notarytool_output="$(xcrun notarytool submit \
+                                           --apple-id "${APPLE_ID}" \
+                                           --password "${APPLE_ID_PASSWORD}" \
+                                           --team-id "${APPLE_TEAM_ID}" "${ZIP_PACKAGE_PATH}" \
+                                           --no-progress \
+                                           --wait)"
+echo "$notarytool_output"
+echo "$notarytool_output" | grep -q 'status: Accepted' || {
+    echo 'Notarization failed';
+    submission_id=$(echo "$notarytool_output" | grep 'id: ' | awk '{print $2}')
+    # find out what went wrong
+    xcrun notarytool log \
+        --apple-id "${APPLE_ID}" \
+        --password "${APPLE_ID_PASSWORD}" \
+        --team-id "${APPLE_TEAM_ID}" "$submission_id"
+    exit 1;
+}
+
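Review bot: The Apple ID password is passed to `xcrun notarytool` as a `--password` argument in both the submit and the log call, so it sits in the build host's process list for as long as `--wait` blocks; storing it once with `xcrun notarytool store-credentials` and passing `--keychain-profile` keeps it off the command line. Separately, `zip -qr "${ZIP_PACKAGE_PATH}" .` updates an archive that already exists rather than replacing it, so a zip left by an earlier build would be submitted with stale entries; `rm -f "${ZIP_PACKAGE_PATH}"` before the zip avoids that. In the failure branch, if the tool output prints the id more than once, `grep 'id: '` yields several lines and `submission_id` should be narrowed with `| head -n 1` before it is handed to `notarytool log`.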

+ 20 - 7
scripts/macos-sign-binaries.sh

@@ -1,7 +1,7 @@
 #!/usr/bin/env bash
 
 # intended to run on MacOS only
-# signs all executable files in a given folder (as $1) with developer certificate
+# signs executables and runtime libraries found in $RELX_TEMP_DIR with developer certificate
 
 # required variables:
 # APPLE_DEVELOPER_IDENTITY: "Developer ID Application: <company name> (<hex id>)"
@@ -12,12 +12,23 @@
 
 set -euo pipefail
 
+if [ "$(uname)" != 'Darwin' ]; then
+    echo 'Not macOS, exiting';
+    exit 0;
+fi
+
+if [ "${APPLE_SIGN_BINARIES:-0}" == 0 ]; then
+n    echo "Signing Apple binaries is disabled, exiting"
+    exit 0
+fi
+
 if [[ "${APPLE_DEVELOPER_ID_BUNDLE:-0}" == 0 || "${APPLE_DEVELOPER_ID_BUNDLE_PASSWORD:-0}" == 0 ]]; then
     echo "Apple developer certificate is not configured, skip signing"
     exit 0
 fi
 
-REL_DIR="${1}"
+pushd "${RELX_TEMP_DIR}"
+
 PKSC12_FILE="$HOME/developer-id-application.p12"
 base64 --decode > "${PKSC12_FILE}" <<<"${APPLE_DEVELOPER_ID_BUNDLE}"
 
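Review bot: The added line `n    echo "Signing Apple binaries is disabled, exiting"` starts with a stray `n`, so as rendered the shell would try to run a command named `n` with the rest of the line as its arguments. Under `set -euo pipefail` that aborts the hook with a non-zero status exactly when signing is disabled, instead of reaching `exit 0`, which would fail every unsigned macOS build. The line should read `    echo "Signing Apple binaries is disabled, exiting"`, matching the same check in the notarize script.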
@@ -51,13 +62,13 @@ security -v list-keychains -s "${keychain_names[@]}" "${KEYCHAIN}"
 
 # known runtime executables and binaries
 codesign -s "${APPLE_DEVELOPER_IDENTITY}" -f --verbose=4 --timestamp --options=runtime \
-         "${REL_DIR}"/erts-*/bin/{beam.smp,dyn_erl,epmd,erl,erl_call,erl_child_setup,erlexec,escript,heart,inet_gethost,run_erl,to_erl}
+         erts-*/bin/{beam.smp,dyn_erl,epmd,erl,erl_call,erl_child_setup,erlexec,escript,heart,inet_gethost,run_erl,to_erl}
 codesign -s "${APPLE_DEVELOPER_IDENTITY}" -f --verbose=4 --timestamp --options=runtime \
-         "${REL_DIR}"/lib/runtime_tools-*/priv/lib/{dyntrace.so,trace_ip_drv.so,trace_file_drv.so}
+         lib/runtime_tools-*/priv/lib/{dyntrace.so,trace_ip_drv.so,trace_file_drv.so}
 codesign -s "${APPLE_DEVELOPER_IDENTITY}" -f --verbose=4 --timestamp --options=runtime \
-         "${REL_DIR}"/lib/os_mon-*/priv/bin/{cpu_sup,memsup}
+         lib/os_mon-*/priv/bin/{cpu_sup,memsup}
 codesign -s "${APPLE_DEVELOPER_IDENTITY}" -f --verbose=4 --timestamp --options=runtime \
-         "${REL_DIR}"/lib/jq-*/priv/{jq_nif1.so,libjq.1.dylib,libonig.5.dylib,erlang_jq_port}
+         lib/jq-*/priv/{jq_nif1.so,libjq.1.dylib,libonig.5.dylib,erlang_jq_port}
 # other files from runtime and dependencies
 for f in \
         asn1rt_nif.so \
@@ -74,7 +85,9 @@ for f in \
         sasl_auth.so \
         snappyer.so \
         ; do
-    find "${REL_DIR}"/lib/ -name "$f" -exec codesign -s "${APPLE_DEVELOPER_IDENTITY}" -f --verbose=4 --timestamp --options=runtime {} \;
+    find lib/ -name "$f" -exec codesign -s "${APPLE_DEVELOPER_IDENTITY}" -f --verbose=4 --timestamp --options=runtime {} \;
 done
 
+popd
+
 cleanup
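Review bot: `cleanup` is reached only on the last line, after `popd`, so with `set -euo pipefail` any failing `codesign` or `find` exits before it runs, unless a trap is registered in the part of the script outside these hunks. Now that the script is listed as a release hook, the decoded `.p12` in `$HOME` and the keychain set up for signing would presumably stay on the build host after such a failure. Registering `trap cleanup EXIT` right after `cleanup` is defined, and dropping the trailing call, would cover the failure paths as well.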