sign and notarize existing Kodi .dmg's

sign_notarize_dmg.fish

#!/usr/bin/env fish

set kodiRepo "$HOME/dev/kodi/macos"
set -x CODE_SIGN_IDENTITY "Developer ID Application: Kodi Foundation"
set DEV_ACCOUNT foo
set DEV_ACCOUNT_PASSWORD bar
set DEV_TEAM "QR7RHK8K4X"

# fixed params
set kodiVolume /Volumes/Kodi
set -x CODESIGNING_FOLDER_PATH "$kodiVolume/Kodi.app"
set -x EXPANDED_CODE_SIGN_IDENTITY_NAME "$CODE_SIGN_IDENTITY"
set -x PLATFORM_NAME macosx

for dmg in (cat "kodi releases.txt")
  echo "downloading $dmg" 
  curl -L -o "$dmg" https://mirrors.kodi.tv/releases/osx/x86_64/"$dmg" | cat
  echo

  set signedDmg (basename "$dmg" .dmg)_signed.dmg
  hdiutil convert "$dmg" -format UDRW -o "$signedDmg"

  # Kodi binary is pretty big, resize dmg to make sure temp codesigned file fits
  set signedDmgSize (stat -f %z "$signedDmg")
  hdiutil resize -size (echo "$signedDmgSize + 100*1024*1024" | bc) "$signedDmg"
  hdiutil attach "$signedDmg" -readwrite -noverify
  sleep 2

  "$kodiRepo/tools/darwin/Support/Codesign.command"
  codesign -s "$EXPANDED_CODE_SIGN_IDENTITY_NAME" -o runtime "$CODESIGNING_FOLDER_PATH/Contents/Resources/Kodi/tools/darwin/runtime/XBMCHelper"
  codesign -s "$EXPANDED_CODE_SIGN_IDENTITY_NAME" -o runtime "$CODESIGNING_FOLDER_PATH"

  hdiutil detach "$kodiVolume"
  rm -f "$dmg"
  hdiutil convert "$signedDmg" -format UDZO -imagekey zlib-level=9 -o "$dmg"
  rm -f "$signedDmg"

  codesign -s "$EXPANDED_CODE_SIGN_IDENTITY_NAME" "$dmg"

  set altoolOutput (xcrun altool \
    --notarize-app \
    --type osx \
    --file "$dmg" \
    --primary-bundle-id org.xbmc.kodi \
    --username "$DEV_ACCOUNT" \
    --password "$DEV_ACCOUNT_PASSWORD" \
    --asc-provider "$DEV_TEAM" 2>&1)

  set requestUUID (echo "$altoolOutput" | awk '/RequestUUID/ { print $NF; }')
  if [ "$requestUUID" = "" ]
    echo "Failed to upload $dmg"
    echo "$altoolOutput"
  else
    echo "$dmg => $requestUUID" >> upload.txt
  end
end

# after all dmgs are notarized, run `xcrun stapler staple "$dmg"` on them