pkginstaller: add makefile target to notarize the built pkg

[NO NEW TESTS NEEDED]

Signed-off-by: Anjan Nath <kaludios@gmail.com>

contrib/pkginstaller/Makefile

@@ -9,6 +9,7 @@ QEMU_RELEASE_URL ?= https://github.com/containers/podman-machine-qemu/releases/d
 PACKAGE_DIR ?= out/packaging
 TMP_DOWNLOAD ?= tmp-download
 PACKAGE_ROOT ?= root
+PKG_NAME := podman-installer-macos-$(ARCH).pkg
 
 default: pkginstaller
 
@@ -46,6 +47,12 @@ package_root: get_gvproxy get_qemu
 pkginstaller: packagedir
 	cd $(PACKAGE_DIR) && ./package.sh ..
 
+_notarize: pkginstaller
+	xcrun notarytool submit --apple-id $(NOTARIZE_USERNAME) --password $(NOTARIZE_PASSWORD) --team-id=$(NOTARIZE_TEAM) -f json --wait out/$(PKG_NAME)
+
+notarize: _notarize
+	xcrun stapler staple out/$(PKG_NAME)
+
 .PHONY: clean
 clean:
 	rm -rf $(TMP_DOWNLOAD) $(PACKAGE_ROOT) $(PACKAGE_DIR) Distribution welcome.html

contrib/pkginstaller/README.md

@@ -5,6 +5,9 @@ $ make ARCH=<amd64 | aarch64> NO_CODESIGN=1 pkginstaller
 
 # or to create signed pkg
 $ make ARCH=<amd64 | aarch64> CODESIGN_IDENTITY=<ID> PRODUCTSIGN_IDENTITY=<ID> pkginstaller
+
+# or to prepare a signed and notarized pkg for release
+$ make ARCH=<amd64 | aarch64> CODESIGN_IDENTITY=<ID> PRODUCTSIGN_IDENTITY=<ID> NOTARIZE_USERNAME=<appleID> NOTARIZE_PASSWORD=<appleID-password> NOTARIZE_TEAM=<team-id> notarize
 ```
 
 The generated pkg will be written to `out/podman-macos-installer-*.pkg`.