diff --git a/.circleci/config.yml b/.circleci/config.yml
index 8364a12c56cf..31c7de97932b 100644
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -347,7 +347,7 @@ step-install-signing-cert-on-mac: &step-install-signing-cert-on-mac
command: |
if [ "`uname`" == "Darwin" ]; then
cd src/electron
- ./script/codesign/import-testing-cert-ci.sh
+ ./script/codesign/generate-identity.sh
fi
step-install-gnutar-on-mac: &step-install-gnutar-on-mac
diff --git a/script/codesign/.gitignore b/script/codesign/.gitignore
new file mode 100644
index 000000000000..2717ebb4fbd8
--- /dev/null
+++ b/script/codesign/.gitignore
@@ -0,0 +1 @@
+.working
\ No newline at end of file
diff --git a/script/codesign/codesign.cnf b/script/codesign/codesign.cnf
new file mode 100644
index 000000000000..aad66e16c7b0
--- /dev/null
+++ b/script/codesign/codesign.cnf
@@ -0,0 +1,18 @@
+[req]
+default_bits = 4096
+encrypt_key = no
+default_md = 512
+distinguished_name = req_distinguished_name
+prompt = no
+
+[req_distinguished_name]
+C = CA
+ST = BC
+L = Vancouver
+O = ElectronJS
+OU = BuildAutomation
+CN = codesign.electronjs.org
+
+[extended]
+keyUsage = critical,digitalSignature
+extendedKeyUsage = critical,codeSigning
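Review bot: `default_md = 512` is not an OpenSSL digest name (the intended value is presumably `sha512` or `sha256`), so depending on the OpenSSL/LibreSSL build `req` will either reject the config or fall back to its built-in default; `default_md = sha256` removes the ambiguity. `default_bits = 4096` is also overridden by the explicit `-newkey rsa:2048` on the command line in generate-identity.sh, so one of the two settings is misleading and should be dropped so the config reflects what is actually generated. `encrypt_key = no` duplicates `-nodes` on that same command line; harmless, but the same consolidation applies.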
diff --git a/script/codesign/gen-trust.js b/script/codesign/gen-trust.js
new file mode 100644
index 000000000000..ed3ab1f85bc6
--- /dev/null
+++ b/script/codesign/gen-trust.js
@@ -0,0 +1,38 @@
+const cp = require('child_process')
+const fs = require('fs')
+const path = require('path')
+
+const certificatePath = process.argv[2]
+const outPath = process.argv[3]
+const templatePath = path.resolve(__dirname, 'trust.xml')
+
+const template = fs.readFileSync(templatePath, 'utf8')
+
+const fingerprintResult = cp.spawnSync('openssl', ['x509', '-noout', '-fingerprint', '-sha1', '-in', certificatePath])
+if (fingerprintResult.status !== 0) {
+ console.error(fingerprintResult.stderr.toString())
+ process.exit(1)
+}
+
+const fingerprint = fingerprintResult.stdout.toString().replace(/^SHA1 Fingerprint=/, '').replace(/:/g, '').trim()
+
+const serialResult = cp.spawnSync('openssl', ['x509', '-serial', '-noout', '-in', certificatePath])
+if (serialResult.status !== 0) {
+ console.error(serialResult.stderr.toString())
+ process.exit(1)
+}
+
+let serialHex = serialResult.stdout.toString().replace(/^serial=/, '').trim()
+// Pad the serial number out to 18 hex chars
+while (serialHex.length < 18) {
+ serialHex = `0${serialHex}`
+}
+const serialB64 = Buffer.from(serialHex, 'hex').toString('base64')
+
+const trust = template
+ .replace(/{{FINGERPRINT}}/g, fingerprint)
+ .replace(/{{SERIAL_BASE64}}/g, serialB64)
+
+fs.writeFileSync(outPath, trust)
+
+console.log('Generated Trust Settings')
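Review bot: When `openssl` cannot be spawned at all (for example it is not on PATH), `spawnSync` returns `status: null` and `stderr: null`, so the `fingerprintResult.status !== 0` branch is taken but `fingerprintResult.stderr.toString()` throws a TypeError instead of printing a useful message; check the spawn error first, `if (fingerprintResult.error || fingerprintResult.status !== 0) {` and `console.error(fingerprintResult.error ? fingerprintResult.error.message : fingerprintResult.stderr.toString())`, and the same for `serialResult`. The prefix match `/^SHA1 Fingerprint=/` could be made case-insensitive (`/^SHA1 Fingerprint=/i`) at no cost, since some OpenSSL builds print the digest name in lowercase and a miss here would leave the prefix inside the fingerprint that lands in trust.xml. The pad-to-18-hex-chars loop bakes in an assumption about the serial length the targeted openssl emits; a comment such as `// LibreSSL/OpenSSL on the CI image emits a 9-byte serial; longer serials pass through unpadded` would help the next maintainer, since a longer random serial makes the loop a no-op. The template substitution does not XML-escape, which is fine here only because both inserted values are hex and base64; worth a one-line comment so that stays true.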
diff --git a/script/codesign/generate-identity.sh b/script/codesign/generate-identity.sh
new file mode 100755
index 000000000000..27a1c8f244fb
--- /dev/null
+++ b/script/codesign/generate-identity.sh
@@ -0,0 +1,46 @@
+#!/bin/sh
+
+set -eo pipefail
+
+dir="$(dirname $0)"/.working
+
+cleanup() {
+ rm -rf "$dir"
+}
+
+# trap cleanup EXIT
+
+# Clean Up
+cleanup
+
+# Create Working Dir
+mkdir -p "$dir"
+
+# Generate Certs
+openssl req -new -newkey rsa:2048 -x509 -days 7300 -nodes -config "$(dirname $0)"/codesign.cnf -extensions extended -batch -out "$dir"/certificate.cer -keyout "$dir"/certificate.key
+sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain "$dir"/certificate.cer
+sudo security import "$dir"/certificate.key -A -k /Library/Keychains/System.keychain
+
+# restart(reload) taskgated daemon
+sudo pkill -f /usr/libexec/taskgated
+
+# need once
+sudo security authorizationdb write system.privilege.taskport allow
+# need once
+DevToolsSecurity -enable
+
+# openssl req -newkey rsa:2048 -nodes -keyout "$dir"/private.pem -x509 -days 1 -out "$dir"/certificate.pem -extensions extended -config "$(dirname $0)"/codesign.cnf
+# openssl x509 -inform PEM -in "$dir"/certificate.pem -outform DER -out "$dir"/certificate.cer
+# openssl x509 -pubkey -noout -in "$dir"/certificate.pem > "$dir"/public.key
+# rm -f "$dir"/certificate.pem
+
+# Import Certs
+# security import "$dir"/certificate.cer -k $KEY_CHAIN
+# security import "$dir"/private.pem -k $KEY_CHAIN
+# security import "$dir"/public.key -k $KEY_CHAIN
+
+# Generate Trust Settings
+node "$(dirname $0)"/gen-trust.js "$dir"/certificate.cer "$dir"/trust.xml
+
+# Import Trust Settings
+sudo security trust-settings-import -d "$dir/trust.xml"
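Review bot: `sudo pkill -f /usr/libexec/taskgated` runs under `set -e`, and pkill exits 1 when no process matched, so on a host where taskgated is not currently running the script aborts before the trust settings are generated and imported; `sudo pkill -f /usr/libexec/taskgated || true` keeps the reload best-effort. With `# trap cleanup EXIT` commented out, the plaintext private key `certificate.key` stays in `.working` after the run even though it has already been imported into the System keychain with `-A` (any application may use it); if nothing later reads that directory, restoring `trap cleanup EXIT` (or at least `rm -f "$dir"/certificate.key` at the end) limits where the signing key lives. `set -o pipefail` is not POSIX and fails under a strict `/bin/sh` such as dash; it works here only because the step is gated on Darwin, so `#!/bin/bash` would make the requirement explicit. The generated root is created with `-days 7300` and trusted as `trustRoot` in the System keychain; on a non-ephemeral runner a much shorter validity (the commented-out draft used `-days 1`) bounds how long that trust outlives the job. The commented-out `openssl`/`security import` blocks in the middle of the file are dead code and are best removed.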
diff --git a/script/codesign/import-testing-cert-ci.sh b/script/codesign/import-testing-cert-ci.sh
deleted file mode 100755
index 03732f89d6e9..000000000000
--- a/script/codesign/import-testing-cert-ci.sh
+++ /dev/null
@@ -1,23 +0,0 @@
-#!/bin/sh
-
-KEY_CHAIN=mac-build.keychain
-KEYCHAIN_PASSWORD=unsafe_keychain_pass
-security create-keychain -p $KEYCHAIN_PASSWORD $KEY_CHAIN
-# Make the keychain the default so identities are found
-security default-keychain -s $KEY_CHAIN
-# Unlock the keychain
-security unlock-keychain -p $KEYCHAIN_PASSWORD $KEY_CHAIN
-
-# Add certificates to keychain and allow codesign to access them
-security import "$(dirname $0)"/signing.cer -k $KEY_CHAIN -A /usr/bin/codesign
-security import "$(dirname $0)"/signing.pem -k $KEY_CHAIN -A /usr/bin/codesign
-security import "$(dirname $0)"/signing.p12 -k $KEY_CHAIN -P $SPEC_KEY_PASSWORD -A /usr/bin/codesign
-
-echo "Add keychain to keychain-list"
-security list-keychains -s $KEY_CHAIN
-
-echo "Setting key partition list"
-security set-key-partition-list -S apple-tool:,apple: -s -k $KEYCHAIN_PASSWORD $KEY_CHAIN
-
-echo "Trusting self-signed certificate"
-sudo security trust-settings-import -d "$(dirname $0)"/trust-settings.plist
diff --git a/script/codesign/signing.cer b/script/codesign/signing.cer
deleted file mode 100644
index aa91d20272b5..000000000000
Binary files a/script/codesign/signing.cer and /dev/null differ
diff --git a/script/codesign/signing.p12 b/script/codesign/signing.p12
deleted file mode 100644
index b8791f3bf023..000000000000
Binary files a/script/codesign/signing.p12 and /dev/null differ
diff --git a/script/codesign/signing.pem b/script/codesign/signing.pem
deleted file mode 100644
index 0f5dc502edaf..000000000000
--- a/script/codesign/signing.pem
+++ /dev/null
@@ -1,9 +0,0 @@
------BEGIN RSA PUBLIC KEY-----
-MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAw91mumcVpai94X7PASje
-R9+meqEHsavRsKQmtVV5JkJk9ZZbWTdpXgOjy1hhGQURrbp3li9lmi3MFHVqZjuQ
-H8omufj0iFiUD0bBY9EZeQjmcXd/ZgP8SoFfMS3BSAeRzXI5UQ5zFq86CWyzBh4k
-lgRN+iuhmxxZ/8PUcuEQ49fzNWVtRskkX+ZDwj8mn9YYRQMm3nl+bB+lYbpgVnkX
-WztXvSdRxCMjvjzLtoSJQhG36DEz6Sv7XeEAfYi70diQIwr/yCtgCpYUTadjOdzO
-h0W/rpC2DTVE/yC3xZxg2uVjEa9siC8+DX9F6luAytkx2TgUGF6KdVblPVVCYkxW
-QQIDAQAB
------END RSA PUBLIC KEY-----
diff --git a/script/codesign/trust-settings.plist b/script/codesign/trust-settings.plist
deleted file mode 100644
index 3019399b2076..000000000000
--- a/script/codesign/trust-settings.plist
+++ /dev/null
@@ -1,138 +0,0 @@
-
-
-
-
- trustList
-
- 80079C1EC6AED92C03B4C67E9A94B0B05E854AC8
-
- issuerName
-
- MIGIMSYwJAYDVQQDDB1FbGVjdHJvblNlbGZTaWduZWRTcGVjU2ln
- bmluZzEUMBIGA1UECgwLRWxlY3Ryb24gSlMxEDAOBgNVBAsMB1Rl
- c3RpbmcxCzAJBgNVBAYTAlVTMSkwJwYJKoZIhvcNAQkBFhpjb2Rl
- c2lnbmluZ0BlbGVjdHJvbmpzLm9yZw==
-
- modDate
- 2019-03-19T02:33:38Z
- serialNumber
-
- AQ==
-
- trustSettings
-
-
- kSecTrustSettingsAllowedError
- -2147409654
- kSecTrustSettingsPolicy
-
- KoZIhvdjZAED
-
- kSecTrustSettingsPolicyName
- sslServer
- kSecTrustSettingsResult
- 1
-
-
- kSecTrustSettingsAllowedError
- -2147408896
- kSecTrustSettingsPolicy
-
- KoZIhvdjZAED
-
- kSecTrustSettingsPolicyName
- sslServer
- kSecTrustSettingsResult
- 1
-
-
- kSecTrustSettingsAllowedError
- -2147409654
- kSecTrustSettingsPolicy
-
- KoZIhvdjZAEI
-
- kSecTrustSettingsPolicyName
- SMIME
- kSecTrustSettingsResult
- 1
-
-
- kSecTrustSettingsAllowedError
- -2147408872
- kSecTrustSettingsPolicy
-
- KoZIhvdjZAEI
-
- kSecTrustSettingsPolicyName
- SMIME
- kSecTrustSettingsResult
- 1
-
-
- kSecTrustSettingsAllowedError
- -2147409654
- kSecTrustSettingsPolicy
-
- KoZIhvdjZAEJ
-
- kSecTrustSettingsPolicyName
- eapServer
- kSecTrustSettingsResult
- 1
-
-
- kSecTrustSettingsAllowedError
- -2147409654
- kSecTrustSettingsPolicy
-
- KoZIhvdjZAEL
-
- kSecTrustSettingsPolicyName
- ipsecServer
- kSecTrustSettingsResult
- 1
-
-
- kSecTrustSettingsAllowedError
- -2147409654
- kSecTrustSettingsPolicy
-
- KoZIhvdjZAEQ
-
- kSecTrustSettingsPolicyName
- CodeSigning
- kSecTrustSettingsResult
- 1
-
-
- kSecTrustSettingsAllowedError
- -2147409654
- kSecTrustSettingsPolicy
-
- KoZIhvdjZAEU
-
- kSecTrustSettingsPolicyName
- AppleTimeStamping
- kSecTrustSettingsResult
- 1
-
-
- kSecTrustSettingsAllowedError
- -2147409654
- kSecTrustSettingsPolicy
-
- KoZIhvdjZAEC
-
- kSecTrustSettingsPolicyName
- basicX509
- kSecTrustSettingsResult
- 1
-
-
-
-
- trustVersion
- 1
-
-
diff --git a/script/codesign/trust.xml b/script/codesign/trust.xml
new file mode 100644
index 000000000000..1767b1ef1c50
--- /dev/null
+++ b/script/codesign/trust.xml
@@ -0,0 +1,138 @@
+
+
+
+
+ trustList
+
+ {{FINGERPRINT}}
+
+ issuerName
+
+ MH8xCzAJBgNVBAYTAkNBMQswCQYDVQQIDAJCQzESMBAGA1UEBwwJ
+ VmFuY291dmVyMRMwEQYDVQQKDApFbGVjdHJvbkpTMRgwFgYDVQQL
+ DA9CdWlsZEF1dG9tYXRpb24xIDAeBgNVBAMMF2NvZGVzaWduLmVs
+ ZWN0cm9uanMub3Jn
+
+ modDate
+ 2019-01-01T00:00:00Z
+ serialNumber
+
+ {{SERIAL_BASE64}}
+
+ trustSettings
+
+
+ kSecTrustSettingsAllowedError
+ -2147409654
+ kSecTrustSettingsPolicy
+
+ KoZIhvdjZAED
+
+ kSecTrustSettingsPolicyName
+ sslServer
+ kSecTrustSettingsResult
+ 1
+
+
+ kSecTrustSettingsAllowedError
+ -2147408896
+ kSecTrustSettingsPolicy
+
+ KoZIhvdjZAED
+
+ kSecTrustSettingsPolicyName
+ sslServer
+ kSecTrustSettingsResult
+ 1
+
+
+ kSecTrustSettingsAllowedError
+ -2147409654
+ kSecTrustSettingsPolicy
+
+ KoZIhvdjZAEI
+
+ kSecTrustSettingsPolicyName
+ SMIME
+ kSecTrustSettingsResult
+ 1
+
+
+ kSecTrustSettingsAllowedError
+ -2147408872
+ kSecTrustSettingsPolicy
+
+ KoZIhvdjZAEI
+
+ kSecTrustSettingsPolicyName
+ SMIME
+ kSecTrustSettingsResult
+ 1
+
+
+ kSecTrustSettingsAllowedError
+ -2147409654
+ kSecTrustSettingsPolicy
+
+ KoZIhvdjZAEJ
+
+ kSecTrustSettingsPolicyName
+ eapServer
+ kSecTrustSettingsResult
+ 1
+
+
+ kSecTrustSettingsAllowedError
+ -2147409654
+ kSecTrustSettingsPolicy
+
+ KoZIhvdjZAEL
+
+ kSecTrustSettingsPolicyName
+ ipsecServer
+ kSecTrustSettingsResult
+ 1
+
+
+ kSecTrustSettingsAllowedError
+ -2147409654
+ kSecTrustSettingsPolicy
+
+ KoZIhvdjZAEQ
+
+ kSecTrustSettingsPolicyName
+ CodeSigning
+ kSecTrustSettingsResult
+ 1
+
+
+ kSecTrustSettingsAllowedError
+ -2147409654
+ kSecTrustSettingsPolicy
+
+ KoZIhvdjZAEU
+
+ kSecTrustSettingsPolicyName
+ AppleTimeStamping
+ kSecTrustSettingsResult
+ 1
+
+
+ kSecTrustSettingsAllowedError
+ -2147409654
+ kSecTrustSettingsPolicy
+
+ KoZIhvdjZAEC
+
+ kSecTrustSettingsPolicyName
+ basicX509
+ kSecTrustSettingsResult
+ 1
+
+
+
+
+ trustVersion
+ 1
+
+
\ No newline at end of file
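Review bot: The `issuerName` data blob is a hard-coded DER encoding of the subject DN from codesign.cnf (its base64 fragments decode to C=CA, ST=BC, L=Vancouver, O=ElectronJS, OU=BuildAutomation, CN=codesign.electronjs.org), while `{{FINGERPRINT}}` and `{{SERIAL_BASE64}}` are derived from the generated certificate at run time; if anyone edits the DN in codesign.cnf, this trust entry silently stops matching the certificate and the import succeeds with no effect. Either have gen-trust.js derive this value from the certificate as well, or add a comment in codesign.cnf along the lines of `# The DN below is also embedded (DER, base64) in trust.xml as issuerName; regenerate that blob if you change it`. The template also grants `kSecTrustSettingsResult` 1 (trust as root) for sslServer, SMIME, eapServer and ipsecServer, which is broader than code signing needs; if `trust-settings-import` accepts a shorter list, keeping only the CodeSigning, AppleTimeStamping and basicX509 entries reduces what this CI-generated root is trusted for on the host. The XML markup is lost in this rendering, so this check is based on the key names and values only.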