build: auto-generate the codesigning cert used for macOS CI testing runs (#17668)

* build: auto-generate the codesigning cert used for macOS CI testing runs * build: give the cert ALL the trust values * chore: also import public key * idek
2020-03-18 18:00:42 -07:00 · 2020-03-18 18:00:42 -07:00 · b2dc0a4f11
commit b2dc0a4f11
parent c4a7eade28
11 changed files with 242 additions and 171 deletions
--- a/script/codesign/generate-identity.sh
+++ b/script/codesign/generate-identity.sh
@ -0,0 +1,46 @@
+#!/bin/sh
+
+set -eo pipefail
+
+dir="$(dirname $0)"/.working
+
+cleanup() {
+    rm -rf "$dir"
+}
+
+# trap cleanup EXIT
+
+# Clean Up
+cleanup
+
+# Create Working Dir
+mkdir -p "$dir"
+
+# Generate Certs
+openssl req -new -newkey rsa:2048 -x509 -days 7300 -nodes -config "$(dirname $0)"/codesign.cnf -extensions extended -batch -out "$dir"/certificate.cer -keyout "$dir"/certificate.key
+sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain "$dir"/certificate.cer
+sudo security import "$dir"/certificate.key -A -k /Library/Keychains/System.keychain
+
+# restart(reload) taskgated daemon
+sudo pkill -f /usr/libexec/taskgated
+
+# need once
+sudo security authorizationdb write system.privilege.taskport allow
+# need once
+DevToolsSecurity -enable
+
+# openssl req -newkey rsa:2048 -nodes -keyout "$dir"/private.pem -x509 -days 1 -out "$dir"/certificate.pem -extensions extended -config "$(dirname $0)"/codesign.cnf
+# openssl x509 -inform PEM -in "$dir"/certificate.pem -outform DER -out "$dir"/certificate.cer
+# openssl x509 -pubkey -noout -in "$dir"/certificate.pem > "$dir"/public.key
+# rm -f "$dir"/certificate.pem
+
+# Import Certs
+# security import "$dir"/certificate.cer -k $KEY_CHAIN
+# security import "$dir"/private.pem -k $KEY_CHAIN
+# security import "$dir"/public.key -k $KEY_CHAIN
+
+# Generate Trust Settings
+node "$(dirname $0)"/gen-trust.js "$dir"/certificate.cer "$dir"/trust.xml
+
+# Import Trust Settings
+sudo security trust-settings-import -d "$dir/trust.xml"