build: auto-generate the codesigning cert used for macOS CI testing runs (#17668)
* build: auto-generate the codesigning cert used for macOS CI testing runs * build: give the cert ALL the trust values * chore: also import public key * idek
This commit is contained in:
parent
c4a7eade28
commit
b2dc0a4f11
11 changed files with 242 additions and 171 deletions
|
@ -347,7 +347,7 @@ step-install-signing-cert-on-mac: &step-install-signing-cert-on-mac
|
||||||
command: |
|
command: |
|
||||||
if [ "`uname`" == "Darwin" ]; then
|
if [ "`uname`" == "Darwin" ]; then
|
||||||
cd src/electron
|
cd src/electron
|
||||||
./script/codesign/import-testing-cert-ci.sh
|
./script/codesign/generate-identity.sh
|
||||||
fi
|
fi
|
||||||
|
|
||||||
step-install-gnutar-on-mac: &step-install-gnutar-on-mac
|
step-install-gnutar-on-mac: &step-install-gnutar-on-mac
|
||||||
|
|
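--- /dev/null
+++ b/script/codesign/.gitignore
@@ -0,0 +1 @@
+.working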
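--- /dev/null
+++ b/script/codesign/codesign.cnf
@@ -0,0 +1,18 @@
+[req]
+default_bits = 4096
+encrypt_key = no
+default_md = 512
+distinguished_name = req_distinguished_name
+prompt = no
+
+[req_distinguished_name]
+C = CA
+ST = BC
+L = Vancouver
+O = ElectronJS
+OU = BuildAutomation
+CN = codesign.electronjs.org
+
+[extended]
+keyUsage = critical,digitalSignature
+extendedKeyUsage = critical,codeSigning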
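--- /dev/null
+++ b/script/codesign/gen-trust.js
@@ -0,0 +1,38 @@
+const cp = require('child_process')
+const fs = require('fs')
+const path = require('path')
+
+const certificatePath = process.argv[2]
+const outPath = process.argv[3]
+const templatePath = path.resolve(__dirname, 'trust.xml')
+
+const template = fs.readFileSync(templatePath, 'utf8')
+
+const fingerprintResult = cp.spawnSync('openssl', ['x509', '-noout', '-fingerprint', '-sha1', '-in', certificatePath])
+if (fingerprintResult.status !== 0) {
+console.error(fingerprintResult.stderr.toString())
+process.exit(1)
+}
+
+const fingerprint = fingerprintResult.stdout.toString().replace(/^SHA1 Fingerprint=/, '').replace(/:/g, '').trim()
+
+const serialResult = cp.spawnSync('openssl', ['x509', '-serial', '-noout', '-in', certificatePath])
+if (serialResult.status !== 0) {
+console.error(serialResult.stderr.toString())
+process.exit(1)
+}
+
+let serialHex = serialResult.stdout.toString().replace(/^serial=/, '').trim()
+// Pad the serial number out to 18 hex chars
+while (serialHex.length < 18) {
+serialHex = `0${serialHex}`
+}
+const serialB64 = Buffer.from(serialHex, 'hex').toString('base64')
+
+const trust = template
+.replace(/{{FINGERPRINT}}/g, fingerprint)
+.replace(/{{SERIAL_BASE64}}/g, serialB64)
+
+fs.writeFileSync(outPath, trust)
+
+console.log('Generated Trust Settings')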
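--- /dev/null
+++ b/script/codesign/generate-identity.sh
@@ -0,0 +1,46 @@
+#!/bin/sh
+
+set -eo pipefail
+
+dir="$(dirname $0)"/.working
+
+cleanup() {
+rm -rf "$dir"
+}
+
+# trap cleanup EXIT
+
+# Clean Up
+cleanup
+
+# Create Working Dir
+mkdir -p "$dir"
+
+# Generate Certs
+openssl req -new -newkey rsa:2048 -x509 -days 7300 -nodes -config "$(dirname $0)"/codesign.cnf -extensions extended -batch -out "$dir"/certificate.cer -keyout "$dir"/certificate.key
+sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain "$dir"/certificate.cer
+sudo security import "$dir"/certificate.key -A -k /Library/Keychains/System.keychain
+
+# restart(reload) taskgated daemon
+sudo pkill -f /usr/libexec/taskgated
+
+# need once
+sudo security authorizationdb write system.privilege.taskport allow
+# need once
+DevToolsSecurity -enable
+
+# openssl req -newkey rsa:2048 -nodes -keyout "$dir"/private.pem -x509 -days 1 -out "$dir"/certificate.pem -extensions extended -config "$(dirname $0)"/codesign.cnf
+# openssl x509 -inform PEM -in "$dir"/certificate.pem -outform DER -out "$dir"/certificate.cer
+# openssl x509 -pubkey -noout -in "$dir"/certificate.pem > "$dir"/public.key
+# rm -f "$dir"/certificate.pem
+
+# Import Certs
+# security import "$dir"/certificate.cer -k $KEY_CHAIN
+# security import "$dir"/private.pem -k $KEY_CHAIN
+# security import "$dir"/public.key -k $KEY_CHAIN
+
+# Generate Trust Settings
+node "$(dirname $0)"/gen-trust.js "$dir"/certificate.cer "$dir"/trust.xml
+
+# Import Trust Settings
+sudo security trust-settings-import -d "$dir/trust.xml"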
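Review bot: `set -eo pipefail` on line 3 is a bash extension while the shebang is `#!/bin/sh`; on the macOS runner `/bin/sh` is bash so it works, but under a POSIX sh such as dash `set -o pipefail` aborts the script before anything runs, so either switch to `#!/bin/bash` or drop `pipefail` (no pipelines are used). With `trap cleanup EXIT` commented out, the unencrypted `certificate.key` for a root that line 21 has just installed as `trustRoot` with no `-p` policy restriction, and that trust.xml then marks trusted for sslServer, SMIME, eapServer and ipsecServer as well as CodeSigning, stays in `.working` after the run; that is tolerable only on an ephemeral runner, so a comment stating that assumption would help, and re-enabling the trap (the files are no longer needed once the import on line 46 has run) would close the gap on a persistent machine. `$(dirname $0)` is unquoted on lines 5, 20 and 43 and will split if the checkout path contains whitespace; `"$(dirname "$0")"` fixes it. The block of commented-out `openssl`/`security import` commands on lines 32–40 is leftover from the previous approach and reads as dead code.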
@ -1,23 +0,0 @@
|
||||||
#!/bin/sh
|
|
||||||
|
|
||||||
KEY_CHAIN=mac-build.keychain
|
|
||||||
KEYCHAIN_PASSWORD=unsafe_keychain_pass
|
|
||||||
security create-keychain -p $KEYCHAIN_PASSWORD $KEY_CHAIN
|
|
||||||
# Make the keychain the default so identities are found
|
|
||||||
security default-keychain -s $KEY_CHAIN
|
|
||||||
# Unlock the keychain
|
|
||||||
security unlock-keychain -p $KEYCHAIN_PASSWORD $KEY_CHAIN
|
|
||||||
|
|
||||||
# Add certificates to keychain and allow codesign to access them
|
|
||||||
security import "$(dirname $0)"/signing.cer -k $KEY_CHAIN -A /usr/bin/codesign
|
|
||||||
security import "$(dirname $0)"/signing.pem -k $KEY_CHAIN -A /usr/bin/codesign
|
|
||||||
security import "$(dirname $0)"/signing.p12 -k $KEY_CHAIN -P $SPEC_KEY_PASSWORD -A /usr/bin/codesign
|
|
||||||
|
|
||||||
echo "Add keychain to keychain-list"
|
|
||||||
security list-keychains -s $KEY_CHAIN
|
|
||||||
|
|
||||||
echo "Setting key partition list"
|
|
||||||
security set-key-partition-list -S apple-tool:,apple: -s -k $KEYCHAIN_PASSWORD $KEY_CHAIN
|
|
||||||
|
|
||||||
echo "Trusting self-signed certificate"
|
|
||||||
sudo security trust-settings-import -d "$(dirname $0)"/trust-settings.plist
|
|
Binary file not shown.
Binary file not shown.
|
@ -1,9 +0,0 @@
|
||||||
-----BEGIN RSA PUBLIC KEY-----
|
|
||||||
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAw91mumcVpai94X7PASje
|
|
||||||
R9+meqEHsavRsKQmtVV5JkJk9ZZbWTdpXgOjy1hhGQURrbp3li9lmi3MFHVqZjuQ
|
|
||||||
H8omufj0iFiUD0bBY9EZeQjmcXd/ZgP8SoFfMS3BSAeRzXI5UQ5zFq86CWyzBh4k
|
|
||||||
lgRN+iuhmxxZ/8PUcuEQ49fzNWVtRskkX+ZDwj8mn9YYRQMm3nl+bB+lYbpgVnkX
|
|
||||||
WztXvSdRxCMjvjzLtoSJQhG36DEz6Sv7XeEAfYi70diQIwr/yCtgCpYUTadjOdzO
|
|
||||||
h0W/rpC2DTVE/yC3xZxg2uVjEa9siC8+DX9F6luAytkx2TgUGF6KdVblPVVCYkxW
|
|
||||||
QQIDAQAB
|
|
||||||
-----END RSA PUBLIC KEY-----
|
|
|
@ -1,138 +0,0 @@
|
||||||
<?xml version="1.0" encoding="UTF-8"?>
|
|
||||||
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
|
|
||||||
<plist version="1.0">
|
|
||||||
<dict>
|
|
||||||
<key>trustList</key>
|
|
||||||
<dict>
|
|
||||||
<key>80079C1EC6AED92C03B4C67E9A94B0B05E854AC8</key>
|
|
||||||
<dict>
|
|
||||||
<key>issuerName</key>
|
|
||||||
<data>
|
|
||||||
MIGIMSYwJAYDVQQDDB1FbGVjdHJvblNlbGZTaWduZWRTcGVjU2ln
|
|
||||||
bmluZzEUMBIGA1UECgwLRWxlY3Ryb24gSlMxEDAOBgNVBAsMB1Rl
|
|
||||||
c3RpbmcxCzAJBgNVBAYTAlVTMSkwJwYJKoZIhvcNAQkBFhpjb2Rl
|
|
||||||
c2lnbmluZ0BlbGVjdHJvbmpzLm9yZw==
|
|
||||||
</data>
|
|
||||||
<key>modDate</key>
|
|
||||||
<date>2019-03-19T02:33:38Z</date>
|
|
||||||
<key>serialNumber</key>
|
|
||||||
<data>
|
|
||||||
AQ==
|
|
||||||
</data>
|
|
||||||
<key>trustSettings</key>
|
|
||||||
<array>
|
|
||||||
<dict>
|
|
||||||
<key>kSecTrustSettingsAllowedError</key>
|
|
||||||
<integer>-2147409654</integer>
|
|
||||||
<key>kSecTrustSettingsPolicy</key>
|
|
||||||
<data>
|
|
||||||
KoZIhvdjZAED
|
|
||||||
</data>
|
|
||||||
<key>kSecTrustSettingsPolicyName</key>
|
|
||||||
<string>sslServer</string>
|
|
||||||
<key>kSecTrustSettingsResult</key>
|
|
||||||
<integer>1</integer>
|
|
||||||
</dict>
|
|
||||||
<dict>
|
|
||||||
<key>kSecTrustSettingsAllowedError</key>
|
|
||||||
<integer>-2147408896</integer>
|
|
||||||
<key>kSecTrustSettingsPolicy</key>
|
|
||||||
<data>
|
|
||||||
KoZIhvdjZAED
|
|
||||||
</data>
|
|
||||||
<key>kSecTrustSettingsPolicyName</key>
|
|
||||||
<string>sslServer</string>
|
|
||||||
<key>kSecTrustSettingsResult</key>
|
|
||||||
<integer>1</integer>
|
|
||||||
</dict>
|
|
||||||
<dict>
|
|
||||||
<key>kSecTrustSettingsAllowedError</key>
|
|
||||||
<integer>-2147409654</integer>
|
|
||||||
<key>kSecTrustSettingsPolicy</key>
|
|
||||||
<data>
|
|
||||||
KoZIhvdjZAEI
|
|
||||||
</data>
|
|
||||||
<key>kSecTrustSettingsPolicyName</key>
|
|
||||||
<string>SMIME</string>
|
|
||||||
<key>kSecTrustSettingsResult</key>
|
|
||||||
<integer>1</integer>
|
|
||||||
</dict>
|
|
||||||
<dict>
|
|
||||||
<key>kSecTrustSettingsAllowedError</key>
|
|
||||||
<integer>-2147408872</integer>
|
|
||||||
<key>kSecTrustSettingsPolicy</key>
|
|
||||||
<data>
|
|
||||||
KoZIhvdjZAEI
|
|
||||||
</data>
|
|
||||||
<key>kSecTrustSettingsPolicyName</key>
|
|
||||||
<string>SMIME</string>
|
|
||||||
<key>kSecTrustSettingsResult</key>
|
|
||||||
<integer>1</integer>
|
|
||||||
</dict>
|
|
||||||
<dict>
|
|
||||||
<key>kSecTrustSettingsAllowedError</key>
|
|
||||||
<integer>-2147409654</integer>
|
|
||||||
<key>kSecTrustSettingsPolicy</key>
|
|
||||||
<data>
|
|
||||||
KoZIhvdjZAEJ
|
|
||||||
</data>
|
|
||||||
<key>kSecTrustSettingsPolicyName</key>
|
|
||||||
<string>eapServer</string>
|
|
||||||
<key>kSecTrustSettingsResult</key>
|
|
||||||
<integer>1</integer>
|
|
||||||
</dict>
|
|
||||||
<dict>
|
|
||||||
<key>kSecTrustSettingsAllowedError</key>
|
|
||||||
<integer>-2147409654</integer>
|
|
||||||
<key>kSecTrustSettingsPolicy</key>
|
|
||||||
<data>
|
|
||||||
KoZIhvdjZAEL
|
|
||||||
</data>
|
|
||||||
<key>kSecTrustSettingsPolicyName</key>
|
|
||||||
<string>ipsecServer</string>
|
|
||||||
<key>kSecTrustSettingsResult</key>
|
|
||||||
<integer>1</integer>
|
|
||||||
</dict>
|
|
||||||
<dict>
|
|
||||||
<key>kSecTrustSettingsAllowedError</key>
|
|
||||||
<integer>-2147409654</integer>
|
|
||||||
<key>kSecTrustSettingsPolicy</key>
|
|
||||||
<data>
|
|
||||||
KoZIhvdjZAEQ
|
|
||||||
</data>
|
|
||||||
<key>kSecTrustSettingsPolicyName</key>
|
|
||||||
<string>CodeSigning</string>
|
|
||||||
<key>kSecTrustSettingsResult</key>
|
|
||||||
<integer>1</integer>
|
|
||||||
</dict>
|
|
||||||
<dict>
|
|
||||||
<key>kSecTrustSettingsAllowedError</key>
|
|
||||||
<integer>-2147409654</integer>
|
|
||||||
<key>kSecTrustSettingsPolicy</key>
|
|
||||||
<data>
|
|
||||||
KoZIhvdjZAEU
|
|
||||||
</data>
|
|
||||||
<key>kSecTrustSettingsPolicyName</key>
|
|
||||||
<string>AppleTimeStamping</string>
|
|
||||||
<key>kSecTrustSettingsResult</key>
|
|
||||||
<integer>1</integer>
|
|
||||||
</dict>
|
|
||||||
<dict>
|
|
||||||
<key>kSecTrustSettingsAllowedError</key>
|
|
||||||
<integer>-2147409654</integer>
|
|
||||||
<key>kSecTrustSettingsPolicy</key>
|
|
||||||
<data>
|
|
||||||
KoZIhvdjZAEC
|
|
||||||
</data>
|
|
||||||
<key>kSecTrustSettingsPolicyName</key>
|
|
||||||
<string>basicX509</string>
|
|
||||||
<key>kSecTrustSettingsResult</key>
|
|
||||||
<integer>1</integer>
|
|
||||||
</dict>
|
|
||||||
</array>
|
|
||||||
</dict>
|
|
||||||
</dict>
|
|
||||||
<key>trustVersion</key>
|
|
||||||
<integer>1</integer>
|
|
||||||
</dict>
|
|
||||||
</plist>
|
|
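--- /dev/null
+++ b/script/codesign/trust.xml
@@ -0,0 +1,138 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+<key>trustList</key>
+<dict>
+<key>{{FINGERPRINT}}</key>
+<dict>
+<key>issuerName</key>
+<data>
+MH8xCzAJBgNVBAYTAkNBMQswCQYDVQQIDAJCQzESMBAGA1UEBwwJ
+VmFuY291dmVyMRMwEQYDVQQKDApFbGVjdHJvbkpTMRgwFgYDVQQL
+DA9CdWlsZEF1dG9tYXRpb24xIDAeBgNVBAMMF2NvZGVzaWduLmVs
+ZWN0cm9uanMub3Jn
+</data>
+<key>modDate</key>
+<date>2019-01-01T00:00:00Z</date>
+<key>serialNumber</key>
+<data>
+{{SERIAL_BASE64}}
+</data>
+<key>trustSettings</key>
+<array>
+<dict>
+<key>kSecTrustSettingsAllowedError</key>
+<integer>-2147409654</integer>
+<key>kSecTrustSettingsPolicy</key>
+<data>
+KoZIhvdjZAED
+</data>
+<key>kSecTrustSettingsPolicyName</key>
+<string>sslServer</string>
+<key>kSecTrustSettingsResult</key>
+<integer>1</integer>
+</dict>
+<dict>
+<key>kSecTrustSettingsAllowedError</key>
+<integer>-2147408896</integer>
+<key>kSecTrustSettingsPolicy</key>
+<data>
+KoZIhvdjZAED
+</data>
+<key>kSecTrustSettingsPolicyName</key>
+<string>sslServer</string>
+<key>kSecTrustSettingsResult</key>
+<integer>1</integer>
+</dict>
+<dict>
+<key>kSecTrustSettingsAllowedError</key>
+<integer>-2147409654</integer>
+<key>kSecTrustSettingsPolicy</key>
+<data>
+KoZIhvdjZAEI
+</data>
+<key>kSecTrustSettingsPolicyName</key>
+<string>SMIME</string>
+<key>kSecTrustSettingsResult</key>
+<integer>1</integer>
+</dict>
+<dict>
+<key>kSecTrustSettingsAllowedError</key>
+<integer>-2147408872</integer>
+<key>kSecTrustSettingsPolicy</key>
+<data>
+KoZIhvdjZAEI
+</data>
+<key>kSecTrustSettingsPolicyName</key>
+<string>SMIME</string>
+<key>kSecTrustSettingsResult</key>
+<integer>1</integer>
+</dict>
+<dict>
+<key>kSecTrustSettingsAllowedError</key>
+<integer>-2147409654</integer>
+<key>kSecTrustSettingsPolicy</key>
+<data>
+KoZIhvdjZAEJ
+</data>
+<key>kSecTrustSettingsPolicyName</key>
+<string>eapServer</string>
+<key>kSecTrustSettingsResult</key>
+<integer>1</integer>
+</dict>
+<dict>
+<key>kSecTrustSettingsAllowedError</key>
+<integer>-2147409654</integer>
+<key>kSecTrustSettingsPolicy</key>
+<data>
+KoZIhvdjZAEL
+</data>
+<key>kSecTrustSettingsPolicyName</key>
+<string>ipsecServer</string>
+<key>kSecTrustSettingsResult</key>
+<integer>1</integer>
+</dict>
+<dict>
+<key>kSecTrustSettingsAllowedError</key>
+<integer>-2147409654</integer>
+<key>kSecTrustSettingsPolicy</key>
+<data>
+KoZIhvdjZAEQ
+</data>
+<key>kSecTrustSettingsPolicyName</key>
+<string>CodeSigning</string>
+<key>kSecTrustSettingsResult</key>
+<integer>1</integer>
+</dict>
+<dict>
+<key>kSecTrustSettingsAllowedError</key>
+<integer>-2147409654</integer>
+<key>kSecTrustSettingsPolicy</key>
+<data>
+KoZIhvdjZAEU
+</data>
+<key>kSecTrustSettingsPolicyName</key>
+<string>AppleTimeStamping</string>
+<key>kSecTrustSettingsResult</key>
+<integer>1</integer>
+</dict>
+<dict>
+<key>kSecTrustSettingsAllowedError</key>
+<integer>-2147409654</integer>
+<key>kSecTrustSettingsPolicy</key>
+<data>
+KoZIhvdjZAEC
+</data>
+<key>kSecTrustSettingsPolicyName</key>
+<string>basicX509</string>
+<key>kSecTrustSettingsResult</key>
+<integer>1</integer>
+</dict>
+</array>
+</dict>
+</dict>
+<key>trustVersion</key>
+<integer>1</integer>
+</dict>
+</plist>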
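Review bot: The `issuerName` `<data>` blob is a hard-coded DER name that, judging by the decoded substrings (Vancouver, ElectronJS, BuildAutomation, codesign.electronjs.org), mirrors the `[req_distinguished_name]` section of codesign.cnf, whereas `{{FINGERPRINT}}` and `{{SERIAL_BASE64}}` are filled in per certificate by gen-trust.js. If anyone edits a DN field in the cnf, the fingerprint and serial will still be substituted but the issuer will no longer match the generated certificate, and the trust entry will most likely stop applying without any error. Either have gen-trust.js derive the issuer from the certificate the way it already derives the fingerprint and serial, or at minimum add an XML comment above the element: `<!-- DER encoding of the DN in codesign.cnf [req_distinguished_name]; regenerate whenever that section changes -->`. The fixed `modDate` of 2019-01-01 is harmless but could carry a similar one-line comment noting it is a placeholder rather than a real timestamp.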