build: auto-generate the codesigning cert used for macOS CI testing runs (#17668)
* build: auto-generate the codesigning cert used for macOS CI testing runs * build: give the cert ALL the trust values * chore: also import public key * idek
This commit is contained in:
parent
c4a7eade28
commit
b2dc0a4f11
11 changed files with 242 additions and 171 deletions
|
@ -347,7 +347,7 @@ step-install-signing-cert-on-mac: &step-install-signing-cert-on-mac
|
|||
command: |
|
||||
if [ "`uname`" == "Darwin" ]; then
|
||||
cd src/electron
|
||||
./script/codesign/import-testing-cert-ci.sh
|
||||
./script/codesign/generate-identity.sh
|
||||
fi
|
||||
|
||||
step-install-gnutar-on-mac: &step-install-gnutar-on-mac
|
||||
|
|
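--- /dev/null
+++ b/script/codesign/.gitignore
@@ -0,0 +1 @@
+.working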
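--- /dev/null
+++ b/script/codesign/codesign.cnf
@@ -0,0 +1,18 @@
+[req]
+default_bits = 4096
+encrypt_key = no
+default_md = 512
+distinguished_name = req_distinguished_name
+prompt = no
+
+[req_distinguished_name]
+C = CA
+ST = BC
+L = Vancouver
+O = ElectronJS
+OU = BuildAutomation
+CN = codesign.electronjs.org
+
+[extended]
+keyUsage = critical,digitalSignature
+extendedKeyUsage = critical,codeSigning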
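Review bot: `default_md = 512` is not a digest name OpenSSL recognizes — it expects a name such as `sha256` or `sha512` — so depending on the OpenSSL build this line is either rejected or silently ignored in favour of the compiled-in default; `default_md = sha256` states the intent explicitly. `default_bits = 4096` is also dead configuration here, because generate-identity.sh passes `-newkey rsa:2048` on the command line, which takes precedence; either drop the line or make the two agree. The `[req_distinguished_name]` values appear to be the same DN that is DER-encoded into the hard-coded `issuerName` blob in trust.xml, so a short comment at the top such as `# DN must stay in sync with the issuerName data in trust.xml` would stop the next person from changing one without the other.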
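--- /dev/null
+++ b/script/codesign/gen-trust.js
@@ -0,0 +1,38 @@
+const cp = require('child_process')
+const fs = require('fs')
+const path = require('path')
+
+const certificatePath = process.argv[2]
+const outPath = process.argv[3]
+const templatePath = path.resolve(__dirname, 'trust.xml')
+
+const template = fs.readFileSync(templatePath, 'utf8')
+
+const fingerprintResult = cp.spawnSync('openssl', ['x509', '-noout', '-fingerprint', '-sha1', '-in', certificatePath])
+if (fingerprintResult.status !== 0) {
+console.error(fingerprintResult.stderr.toString())
+process.exit(1)
+}
+
+const fingerprint = fingerprintResult.stdout.toString().replace(/^SHA1 Fingerprint=/, '').replace(/:/g, '').trim()
+
+const serialResult = cp.spawnSync('openssl', ['x509', '-serial', '-noout', '-in', certificatePath])
+if (serialResult.status !== 0) {
+console.error(serialResult.stderr.toString())
+process.exit(1)
+}
+
+let serialHex = serialResult.stdout.toString().replace(/^serial=/, '').trim()
+// Pad the serial number out to 18 hex chars
+while (serialHex.length < 18) {
+serialHex = `0${serialHex}`
+}
+const serialB64 = Buffer.from(serialHex, 'hex').toString('base64')
+
+const trust = template
+.replace(/{{FINGERPRINT}}/g, fingerprint)
+.replace(/{{SERIAL_BASE64}}/g, serialB64)
+
+fs.writeFileSync(outPath, trust)
+
+console.log('Generated Trust Settings')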
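Review bot: The fingerprint extraction at `replace(/^SHA1 Fingerprint=/, '')` depends on the exact label OpenSSL prints; OpenSSL 3 prints `sha1 Fingerprint=` in lower case, in which case the prefix survives, the `{{FINGERPRINT}}` key in the generated plist no longer matches the certificate, and the trust import applies to nothing while this script still reports success. Make the match case-insensitive and validate that the result is 40 hex characters before the template is written, failing loudly otherwise. The serial path deserves the same defensiveness: `Buffer.from(serialHex, 'hex')` silently drops a trailing nibble when the string has an odd length, so the property that matters is even length rather than a fixed 18, e.g. `if (serialHex.length % 2 === 1) serialHex = `0${serialHex}``. Both spawnSync checks also assume `stderr` is a Buffer, which it is not when `openssl` itself cannot be spawned (`status` is null and `error` is set), so `fingerprintResult.stderr.toString()` would throw instead of reporting the real cause.
```javascript
// … unchanged: requires, argv handling, template read …
const fingerprintResult = cp.spawnSync('openssl', ['x509', '-noout', '-fingerprint', '-sha1', '-in', certificatePath])
if (fingerprintResult.error || fingerprintResult.status !== 0) {
  console.error(fingerprintResult.error ? fingerprintResult.error.message : fingerprintResult.stderr.toString())
  process.exit(1)
}

// OpenSSL 1.x prints "SHA1 Fingerprint=", OpenSSL 3 prints "sha1 Fingerprint=";
// the plist key is the bare upper-case hex digest, so check the shape before using it.
const fingerprint = fingerprintResult.stdout.toString().replace(/^sha1 fingerprint=/i, '').replace(/:/g, '').trim().toUpperCase()
if (!/^[0-9A-F]{40}$/.test(fingerprint)) {
  console.error(`Unexpected fingerprint output: ${fingerprintResult.stdout.toString().trim()}`)
  process.exit(1)
}
// … unchanged: serial extraction, template substitution, write …
```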
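--- /dev/null
+++ b/script/codesign/generate-identity.sh
@@ -0,0 +1,46 @@
+#!/bin/sh
+
+set -eo pipefail
+
+dir="$(dirname $0)"/.working
+
+cleanup() {
+rm -rf "$dir"
+}
+
+# trap cleanup EXIT
+
+# Clean Up
+cleanup
+
+# Create Working Dir
+mkdir -p "$dir"
+
+# Generate Certs
+openssl req -new -newkey rsa:2048 -x509 -days 7300 -nodes -config "$(dirname $0)"/codesign.cnf -extensions extended -batch -out "$dir"/certificate.cer -keyout "$dir"/certificate.key
+sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain "$dir"/certificate.cer
+sudo security import "$dir"/certificate.key -A -k /Library/Keychains/System.keychain
+
+# restart(reload) taskgated daemon
+sudo pkill -f /usr/libexec/taskgated
+
+# need once
+sudo security authorizationdb write system.privilege.taskport allow
+# need once
+DevToolsSecurity -enable
+
+# openssl req -newkey rsa:2048 -nodes -keyout "$dir"/private.pem -x509 -days 1 -out "$dir"/certificate.pem -extensions extended -config "$(dirname $0)"/codesign.cnf
+# openssl x509 -inform PEM -in "$dir"/certificate.pem -outform DER -out "$dir"/certificate.cer
+# openssl x509 -pubkey -noout -in "$dir"/certificate.pem > "$dir"/public.key
+# rm -f "$dir"/certificate.pem
+
+# Import Certs
+# security import "$dir"/certificate.cer -k $KEY_CHAIN
+# security import "$dir"/private.pem -k $KEY_CHAIN
+# security import "$dir"/public.key -k $KEY_CHAIN
+
+# Generate Trust Settings
+node "$(dirname $0)"/gen-trust.js "$dir"/certificate.cer "$dir"/trust.xml
+
+# Import Trust Settings
+sudo security trust-settings-import -d "$dir/trust.xml"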
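Review bot: `sudo pkill -f /usr/libexec/taskgated` runs under `set -e`, and pkill exits 1 when nothing matched, so on a runner where taskgated is not running the script dies at that line and the trust settings in the last two steps are never generated or imported, leaving the cert added as a root with no matching trust entry; `sudo pkill -f /usr/libexec/taskgated || true` keeps the reload best-effort. With `# trap cleanup EXIT` commented out, the unencrypted private key written by `-nodes` to `$dir/certificate.key` stays on disk after the run alongside the generated trust.xml, and since `-A` already grants every application access to it in the System keychain the file copy adds nothing but exposure; re-enable the trap, or at least delete the key once `security import` has taken it. `set -o pipefail` is a bash feature, so the shebang should be `#!/bin/bash` rather than `#!/bin/sh` even though macOS's sh happens to accept it today, and `$0` in `dir="$(dirname $0)"/.working` should be quoted. The commented-out openssl/security blocks between the "need once" steps and "Generate Trust Settings" are dead code and should go, and the two "need once" lines (authorizationdb taskport, DevToolsSecurity) need a comment explaining why a signing-identity script is also changing debugger-attach policy.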
|
@ -1,23 +0,0 @@
|
|||
#!/bin/sh
|
||||
|
||||
KEY_CHAIN=mac-build.keychain
|
||||
KEYCHAIN_PASSWORD=unsafe_keychain_pass
|
||||
security create-keychain -p $KEYCHAIN_PASSWORD $KEY_CHAIN
|
||||
# Make the keychain the default so identities are found
|
||||
security default-keychain -s $KEY_CHAIN
|
||||
# Unlock the keychain
|
||||
security unlock-keychain -p $KEYCHAIN_PASSWORD $KEY_CHAIN
|
||||
|
||||
# Add certificates to keychain and allow codesign to access them
|
||||
security import "$(dirname $0)"/signing.cer -k $KEY_CHAIN -A /usr/bin/codesign
|
||||
security import "$(dirname $0)"/signing.pem -k $KEY_CHAIN -A /usr/bin/codesign
|
||||
security import "$(dirname $0)"/signing.p12 -k $KEY_CHAIN -P $SPEC_KEY_PASSWORD -A /usr/bin/codesign
|
||||
|
||||
echo "Add keychain to keychain-list"
|
||||
security list-keychains -s $KEY_CHAIN
|
||||
|
||||
echo "Setting key partition list"
|
||||
security set-key-partition-list -S apple-tool:,apple: -s -k $KEYCHAIN_PASSWORD $KEY_CHAIN
|
||||
|
||||
echo "Trusting self-signed certificate"
|
||||
sudo security trust-settings-import -d "$(dirname $0)"/trust-settings.plist
|
Binary file not shown.
|
@ -1,9 +0,0 @@
|
|||
-----BEGIN RSA PUBLIC KEY-----
|
||||
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAw91mumcVpai94X7PASje
|
||||
R9+meqEHsavRsKQmtVV5JkJk9ZZbWTdpXgOjy1hhGQURrbp3li9lmi3MFHVqZjuQ
|
||||
H8omufj0iFiUD0bBY9EZeQjmcXd/ZgP8SoFfMS3BSAeRzXI5UQ5zFq86CWyzBh4k
|
||||
lgRN+iuhmxxZ/8PUcuEQ49fzNWVtRskkX+ZDwj8mn9YYRQMm3nl+bB+lYbpgVnkX
|
||||
WztXvSdRxCMjvjzLtoSJQhG36DEz6Sv7XeEAfYi70diQIwr/yCtgCpYUTadjOdzO
|
||||
h0W/rpC2DTVE/yC3xZxg2uVjEa9siC8+DX9F6luAytkx2TgUGF6KdVblPVVCYkxW
|
||||
QQIDAQAB
|
||||
-----END RSA PUBLIC KEY-----
|
|
@ -1,138 +0,0 @@
|
|||
<?xml version="1.0" encoding="UTF-8"?>
|
||||
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
|
||||
<plist version="1.0">
|
||||
<dict>
|
||||
<key>trustList</key>
|
||||
<dict>
|
||||
<key>80079C1EC6AED92C03B4C67E9A94B0B05E854AC8</key>
|
||||
<dict>
|
||||
<key>issuerName</key>
|
||||
<data>
|
||||
MIGIMSYwJAYDVQQDDB1FbGVjdHJvblNlbGZTaWduZWRTcGVjU2ln
|
||||
bmluZzEUMBIGA1UECgwLRWxlY3Ryb24gSlMxEDAOBgNVBAsMB1Rl
|
||||
c3RpbmcxCzAJBgNVBAYTAlVTMSkwJwYJKoZIhvcNAQkBFhpjb2Rl
|
||||
c2lnbmluZ0BlbGVjdHJvbmpzLm9yZw==
|
||||
</data>
|
||||
<key>modDate</key>
|
||||
<date>2019-03-19T02:33:38Z</date>
|
||||
<key>serialNumber</key>
|
||||
<data>
|
||||
AQ==
|
||||
</data>
|
||||
<key>trustSettings</key>
|
||||
<array>
|
||||
<dict>
|
||||
<key>kSecTrustSettingsAllowedError</key>
|
||||
<integer>-2147409654</integer>
|
||||
<key>kSecTrustSettingsPolicy</key>
|
||||
<data>
|
||||
KoZIhvdjZAED
|
||||
</data>
|
||||
<key>kSecTrustSettingsPolicyName</key>
|
||||
<string>sslServer</string>
|
||||
<key>kSecTrustSettingsResult</key>
|
||||
<integer>1</integer>
|
||||
</dict>
|
||||
<dict>
|
||||
<key>kSecTrustSettingsAllowedError</key>
|
||||
<integer>-2147408896</integer>
|
||||
<key>kSecTrustSettingsPolicy</key>
|
||||
<data>
|
||||
KoZIhvdjZAED
|
||||
</data>
|
||||
<key>kSecTrustSettingsPolicyName</key>
|
||||
<string>sslServer</string>
|
||||
<key>kSecTrustSettingsResult</key>
|
||||
<integer>1</integer>
|
||||
</dict>
|
||||
<dict>
|
||||
<key>kSecTrustSettingsAllowedError</key>
|
||||
<integer>-2147409654</integer>
|
||||
<key>kSecTrustSettingsPolicy</key>
|
||||
<data>
|
||||
KoZIhvdjZAEI
|
||||
</data>
|
||||
<key>kSecTrustSettingsPolicyName</key>
|
||||
<string>SMIME</string>
|
||||
<key>kSecTrustSettingsResult</key>
|
||||
<integer>1</integer>
|
||||
</dict>
|
||||
<dict>
|
||||
<key>kSecTrustSettingsAllowedError</key>
|
||||
<integer>-2147408872</integer>
|
||||
<key>kSecTrustSettingsPolicy</key>
|
||||
<data>
|
||||
KoZIhvdjZAEI
|
||||
</data>
|
||||
<key>kSecTrustSettingsPolicyName</key>
|
||||
<string>SMIME</string>
|
||||
<key>kSecTrustSettingsResult</key>
|
||||
<integer>1</integer>
|
||||
</dict>
|
||||
<dict>
|
||||
<key>kSecTrustSettingsAllowedError</key>
|
||||
<integer>-2147409654</integer>
|
||||
<key>kSecTrustSettingsPolicy</key>
|
||||
<data>
|
||||
KoZIhvdjZAEJ
|
||||
</data>
|
||||
<key>kSecTrustSettingsPolicyName</key>
|
||||
<string>eapServer</string>
|
||||
<key>kSecTrustSettingsResult</key>
|
||||
<integer>1</integer>
|
||||
</dict>
|
||||
<dict>
|
||||
<key>kSecTrustSettingsAllowedError</key>
|
||||
<integer>-2147409654</integer>
|
||||
<key>kSecTrustSettingsPolicy</key>
|
||||
<data>
|
||||
KoZIhvdjZAEL
|
||||
</data>
|
||||
<key>kSecTrustSettingsPolicyName</key>
|
||||
<string>ipsecServer</string>
|
||||
<key>kSecTrustSettingsResult</key>
|
||||
<integer>1</integer>
|
||||
</dict>
|
||||
<dict>
|
||||
<key>kSecTrustSettingsAllowedError</key>
|
||||
<integer>-2147409654</integer>
|
||||
<key>kSecTrustSettingsPolicy</key>
|
||||
<data>
|
||||
KoZIhvdjZAEQ
|
||||
</data>
|
||||
<key>kSecTrustSettingsPolicyName</key>
|
||||
<string>CodeSigning</string>
|
||||
<key>kSecTrustSettingsResult</key>
|
||||
<integer>1</integer>
|
||||
</dict>
|
||||
<dict>
|
||||
<key>kSecTrustSettingsAllowedError</key>
|
||||
<integer>-2147409654</integer>
|
||||
<key>kSecTrustSettingsPolicy</key>
|
||||
<data>
|
||||
KoZIhvdjZAEU
|
||||
</data>
|
||||
<key>kSecTrustSettingsPolicyName</key>
|
||||
<string>AppleTimeStamping</string>
|
||||
<key>kSecTrustSettingsResult</key>
|
||||
<integer>1</integer>
|
||||
</dict>
|
||||
<dict>
|
||||
<key>kSecTrustSettingsAllowedError</key>
|
||||
<integer>-2147409654</integer>
|
||||
<key>kSecTrustSettingsPolicy</key>
|
||||
<data>
|
||||
KoZIhvdjZAEC
|
||||
</data>
|
||||
<key>kSecTrustSettingsPolicyName</key>
|
||||
<string>basicX509</string>
|
||||
<key>kSecTrustSettingsResult</key>
|
||||
<integer>1</integer>
|
||||
</dict>
|
||||
</array>
|
||||
</dict>
|
||||
</dict>
|
||||
<key>trustVersion</key>
|
||||
<integer>1</integer>
|
||||
</dict>
|
||||
</plist>
|
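--- /dev/null
+++ b/script/codesign/trust.xml
@@ -0,0 +1,138 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+<key>trustList</key>
+<dict>
+<key>{{FINGERPRINT}}</key>
+<dict>
+<key>issuerName</key>
+<data>
+MH8xCzAJBgNVBAYTAkNBMQswCQYDVQQIDAJCQzESMBAGA1UEBwwJ
+VmFuY291dmVyMRMwEQYDVQQKDApFbGVjdHJvbkpTMRgwFgYDVQQL
+DA9CdWlsZEF1dG9tYXRpb24xIDAeBgNVBAMMF2NvZGVzaWduLmVs
+ZWN0cm9uanMub3Jn
+</data>
+<key>modDate</key>
+<date>2019-01-01T00:00:00Z</date>
+<key>serialNumber</key>
+<data>
+{{SERIAL_BASE64}}
+</data>
+<key>trustSettings</key>
+<array>
+<dict>
+<key>kSecTrustSettingsAllowedError</key>
+<integer>-2147409654</integer>
+<key>kSecTrustSettingsPolicy</key>
+<data>
+KoZIhvdjZAED
+</data>
+<key>kSecTrustSettingsPolicyName</key>
+<string>sslServer</string>
+<key>kSecTrustSettingsResult</key>
+<integer>1</integer>
+</dict>
+<dict>
+<key>kSecTrustSettingsAllowedError</key>
+<integer>-2147408896</integer>
+<key>kSecTrustSettingsPolicy</key>
+<data>
+KoZIhvdjZAED
+</data>
+<key>kSecTrustSettingsPolicyName</key>
+<string>sslServer</string>
+<key>kSecTrustSettingsResult</key>
+<integer>1</integer>
+</dict>
+<dict>
+<key>kSecTrustSettingsAllowedError</key>
+<integer>-2147409654</integer>
+<key>kSecTrustSettingsPolicy</key>
+<data>
+KoZIhvdjZAEI
+</data>
+<key>kSecTrustSettingsPolicyName</key>
+<string>SMIME</string>
+<key>kSecTrustSettingsResult</key>
+<integer>1</integer>
+</dict>
+<dict>
+<key>kSecTrustSettingsAllowedError</key>
+<integer>-2147408872</integer>
+<key>kSecTrustSettingsPolicy</key>
+<data>
+KoZIhvdjZAEI
+</data>
+<key>kSecTrustSettingsPolicyName</key>
+<string>SMIME</string>
+<key>kSecTrustSettingsResult</key>
+<integer>1</integer>
+</dict>
+<dict>
+<key>kSecTrustSettingsAllowedError</key>
+<integer>-2147409654</integer>
+<key>kSecTrustSettingsPolicy</key>
+<data>
+KoZIhvdjZAEJ
+</data>
+<key>kSecTrustSettingsPolicyName</key>
+<string>eapServer</string>
+<key>kSecTrustSettingsResult</key>
+<integer>1</integer>
+</dict>
+<dict>
+<key>kSecTrustSettingsAllowedError</key>
+<integer>-2147409654</integer>
+<key>kSecTrustSettingsPolicy</key>
+<data>
+KoZIhvdjZAEL
+</data>
+<key>kSecTrustSettingsPolicyName</key>
+<string>ipsecServer</string>
+<key>kSecTrustSettingsResult</key>
+<integer>1</integer>
+</dict>
+<dict>
+<key>kSecTrustSettingsAllowedError</key>
+<integer>-2147409654</integer>
+<key>kSecTrustSettingsPolicy</key>
+<data>
+KoZIhvdjZAEQ
+</data>
+<key>kSecTrustSettingsPolicyName</key>
+<string>CodeSigning</string>
+<key>kSecTrustSettingsResult</key>
+<integer>1</integer>
+</dict>
+<dict>
+<key>kSecTrustSettingsAllowedError</key>
+<integer>-2147409654</integer>
+<key>kSecTrustSettingsPolicy</key>
+<data>
+KoZIhvdjZAEU
+</data>
+<key>kSecTrustSettingsPolicyName</key>
+<string>AppleTimeStamping</string>
+<key>kSecTrustSettingsResult</key>
+<integer>1</integer>
+</dict>
+<dict>
+<key>kSecTrustSettingsAllowedError</key>
+<integer>-2147409654</integer>
+<key>kSecTrustSettingsPolicy</key>
+<data>
+KoZIhvdjZAEC
+</data>
+<key>kSecTrustSettingsPolicyName</key>
+<string>basicX509</string>
+<key>kSecTrustSettingsResult</key>
+<integer>1</integer>
+</dict>
+</array>
+</dict>
+</dict>
+<key>trustVersion</key>
+<integer>1</integer>
+</dict>
+</plist>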
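Review bot: The template hard-codes the `issuerName` DER blob (the base64 under `<key>issuerName</key>`) while `{{FINGERPRINT}}` and `{{SERIAL_BASE64}}` are filled in by gen-trust.js, so the issuer is silently coupled to the distinguished-name values in codesign.cnf; a comment above that `<data>` element, e.g. `<!-- DER-encoded issuer DN; must match [req_distinguished_name] in codesign.cnf -->`, would make an edit to either file less likely to break trust matching. The nine `trustSettings` entries grant `kSecTrustSettingsResult` 1 for sslServer, SMIME, eapServer, ipsecServer, CodeSigning, AppleTimeStamping and basicX509, so this CI-only certificate becomes a system-wide root for TLS and S/MIME as well as for code signing; if the runner is not discarded after every run, trimming the list to the CodeSigning entry (plus basicX509 and AppleTimeStamping if codesign turns out to need them) is the smaller blast radius, and either way the reason for each entry belongs in a comment. `modDate` is fixed at 2019-01-01 while generate-identity.sh regenerates the certificate on every run; if macOS ignores the value that is fine, but a one-line comment saying so would pre-empt the question.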