build: auto-generate the codesigning cert used for macOS CI testing runs (#17668)

* build: auto-generate the codesigning cert used for macOS CI testing runs

* build: give the cert ALL the trust values

* chore: also import public key

* idek

script/codesign/gen-trust.js

@@ -0,0 +1,38 @@
+const cp = require('child_process')
+const fs = require('fs')
+const path = require('path')
+
+const certificatePath = process.argv[2]
+const outPath = process.argv[3]
+const templatePath = path.resolve(__dirname, 'trust.xml')
+
+const template = fs.readFileSync(templatePath, 'utf8')
+
+const fingerprintResult = cp.spawnSync('openssl', ['x509', '-noout', '-fingerprint', '-sha1', '-in', certificatePath])
+if (fingerprintResult.status !== 0) {
+  console.error(fingerprintResult.stderr.toString())
+  process.exit(1)
+}
+
+const fingerprint = fingerprintResult.stdout.toString().replace(/^SHA1 Fingerprint=/, '').replace(/:/g, '').trim()
+
+const serialResult = cp.spawnSync('openssl', ['x509', '-serial', '-noout', '-in', certificatePath])
+if (serialResult.status !== 0) {
+  console.error(serialResult.stderr.toString())
+  process.exit(1)
+}
+
+let serialHex = serialResult.stdout.toString().replace(/^serial=/, '').trim()
+// Pad the serial number out to 18 hex chars
+while (serialHex.length < 18) {
+  serialHex = `0${serialHex}`
+}
+const serialB64 = Buffer.from(serialHex, 'hex').toString('base64')
+
+const trust = template
+  .replace(/{{FINGERPRINT}}/g, fingerprint)
+  .replace(/{{SERIAL_BASE64}}/g, serialB64)
+
+fs.writeFileSync(outPath, trust)
+
+console.log('Generated Trust Settings')