build: auto-generate the codesigning cert used for macOS CI testing runs (#17668)

* build: auto-generate the codesigning cert used for macOS CI testing runs

* build: give the cert ALL the trust values

* chore: also import public key

* idek
This commit is contained in:
Samuel Attard 2020-03-18 18:00:42 -07:00 committed by GitHub
parent c4a7eade28
commit b2dc0a4f11
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
11 changed files with 242 additions and 171 deletions


@ -347,7 +347,7 @@ step-install-signing-cert-on-mac: &step-install-signing-cert-on-mac
command: | command: |
if [ "`uname`" == "Darwin" ]; then if [ "`uname`" == "Darwin" ]; then
cd src/electron cd src/electron
./script/codesign/import-testing-cert-ci.sh ./script/codesign/generate-identity.sh
fi fi
step-install-gnutar-on-mac: &step-install-gnutar-on-mac step-install-gnutar-on-mac: &step-install-gnutar-on-mac

script/codesign/.gitignore vendored Normal file

@ -0,0 +1 @@
.working


@ -0,0 +1,18 @@
[req]
default_bits = 4096
encrypt_key = no
default_md = 512
distinguished_name = req_distinguished_name
prompt = no
[req_distinguished_name]
C = CA
ST = BC
L = Vancouver
O = ElectronJS
OU = BuildAutomation
CN = codesign.electronjs.org
[extended]
keyUsage = critical,digitalSignature
extendedKeyUsage = critical,codeSigning
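Review bot: `default_md = 512` in the `[req]` section is not an OpenSSL digest name (`sha512` is), so the line does not do what it intends: as far as I can tell LibreSSL, the `openssl` shipped with macOS, silently ignores an unrecognised `default_md` and falls back to its own default, while OpenSSL 1.1's `req` rejects the config outright, which would break the script on a Homebrew-installed openssl. Change it to `default_md = sha256` (or `sha512`). Note also that the generate-identity.sh hunk passes `-newkey rsa:2048` on the command line, which overrides `default_bits = 4096` here; the two should agree so the key size is declared in one place. The `[extended]` section is only picked up because the script passes `-extensions extended`; a comment such as `# selected via -extensions extended in generate-identity.sh` above it would make that coupling visible to the next editor.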


@ -0,0 +1,38 @@
const cp = require('child_process')
const fs = require('fs')
const path = require('path')
const certificatePath = process.argv[2]
const outPath = process.argv[3]
const templatePath = path.resolve(__dirname, 'trust.xml')
const template = fs.readFileSync(templatePath, 'utf8')
const fingerprintResult = cp.spawnSync('openssl', ['x509', '-noout', '-fingerprint', '-sha1', '-in', certificatePath])
if (fingerprintResult.status !== 0) {
console.error(fingerprintResult.stderr.toString())
process.exit(1)
}
const fingerprint = fingerprintResult.stdout.toString().replace(/^SHA1 Fingerprint=/, '').replace(/:/g, '').trim()
const serialResult = cp.spawnSync('openssl', ['x509', '-serial', '-noout', '-in', certificatePath])
if (serialResult.status !== 0) {
console.error(serialResult.stderr.toString())
process.exit(1)
}
let serialHex = serialResult.stdout.toString().replace(/^serial=/, '').trim()
// Pad the serial number out to 18 hex chars
while (serialHex.length < 18) {
serialHex = `0${serialHex}`
}
const serialB64 = Buffer.from(serialHex, 'hex').toString('base64')
const trust = template
.replace(/{{FINGERPRINT}}/g, fingerprint)
.replace(/{{SERIAL_BASE64}}/g, serialB64)
fs.writeFileSync(outPath, trust)
console.log('Generated Trust Settings')
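Review bot: The `status !== 0` checks after each `spawnSync` miss the case where `openssl` cannot be launched at all: Node then sets `result.error` and leaves `stdout`/`stderr` as null, so `fingerprintResult.stderr.toString()` throws a TypeError instead of printing a usable message, and nothing verifies that `certificatePath` and `outPath` were supplied. Change both guards to `if (fingerprintResult.error || fingerprintResult.status !== 0)` (and the same for `serialResult`) and add `if (!certificatePath || !outPath) { console.error('usage: gen-trust.js <cert> <out>'); process.exit(1) }` at the top. The `// Pad the serial number out to 18 hex chars` comment says what but not why; it presumably normalises the serial format emitted by macOS's LibreSSL, whereas OpenSSL 1.1+ emits a longer random serial for which the loop never runs, so the comment should name the output it expects. The template also carries a hard-coded `issuerName` that is only correct while the DN in codesign.cnf is unchanged; a comment at the top of this script such as `// trust.xml's issuerName is the DER subject from codesign.cnf; regenerate it if the DN changes` would prevent a silent mismatch.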


@ -0,0 +1,46 @@
#!/bin/sh
set -eo pipefail
dir="$(dirname $0)"/.working
cleanup() {
rm -rf "$dir"
}
# trap cleanup EXIT
# Clean Up
cleanup
# Create Working Dir
mkdir -p "$dir"
# Generate Certs
openssl req -new -newkey rsa:2048 -x509 -days 7300 -nodes -config "$(dirname $0)"/codesign.cnf -extensions extended -batch -out "$dir"/certificate.cer -keyout "$dir"/certificate.key
sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain "$dir"/certificate.cer
sudo security import "$dir"/certificate.key -A -k /Library/Keychains/System.keychain
# restart(reload) taskgated daemon
sudo pkill -f /usr/libexec/taskgated
# need once
sudo security authorizationdb write system.privilege.taskport allow
# need once
DevToolsSecurity -enable
# openssl req -newkey rsa:2048 -nodes -keyout "$dir"/private.pem -x509 -days 1 -out "$dir"/certificate.pem -extensions extended -config "$(dirname $0)"/codesign.cnf
# openssl x509 -inform PEM -in "$dir"/certificate.pem -outform DER -out "$dir"/certificate.cer
# openssl x509 -pubkey -noout -in "$dir"/certificate.pem > "$dir"/public.key
# rm -f "$dir"/certificate.pem
# Import Certs
# security import "$dir"/certificate.cer -k $KEY_CHAIN
# security import "$dir"/private.pem -k $KEY_CHAIN
# security import "$dir"/public.key -k $KEY_CHAIN
# Generate Trust Settings
node "$(dirname $0)"/gen-trust.js "$dir"/certificate.cer "$dir"/trust.xml
# Import Trust Settings
sudo security trust-settings-import -d "$dir/trust.xml"
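Review bot: `trap cleanup EXIT` is commented out, so the unencrypted private key written by `openssl req ... -nodes -keyout "$dir"/certificate.key` remains in `script/codesign/.working` after the run, even though that key has just been imported into the System keychain and its certificate installed with `-r trustRoot`; on a persistent or self-hosted macOS runner, anyone who can read the checkout can then sign as a host-trusted root. Re-enable `trap cleanup EXIT` (or at least `rm -f "$dir"/certificate.key` right after the `security import`) and put `umask 077` before `mkdir -p "$dir"` so the working directory is never world-readable. `set -eo pipefail` under `#!/bin/sh` only works because macOS's sh is bash; on a POSIX sh it aborts, so either use `#!/bin/bash` or drop `pipefail`, which no pipeline here needs. The `$(dirname $0)` expansions are unquoted, and the commented-out block between `DevToolsSecurity -enable` and `# Generate Trust Settings` is dead code that should be deleted rather than shipped. `-newkey rsa:2048` also overrides the `default_bits = 4096` in codesign.cnf; pick one place to declare the key size.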


@ -1,23 +0,0 @@
#!/bin/sh
KEY_CHAIN=mac-build.keychain
KEYCHAIN_PASSWORD=unsafe_keychain_pass
security create-keychain -p $KEYCHAIN_PASSWORD $KEY_CHAIN
# Make the keychain the default so identities are found
security default-keychain -s $KEY_CHAIN
# Unlock the keychain
security unlock-keychain -p $KEYCHAIN_PASSWORD $KEY_CHAIN
# Add certificates to keychain and allow codesign to access them
security import "$(dirname $0)"/signing.cer -k $KEY_CHAIN -A /usr/bin/codesign
security import "$(dirname $0)"/signing.pem -k $KEY_CHAIN -A /usr/bin/codesign
security import "$(dirname $0)"/signing.p12 -k $KEY_CHAIN -P $SPEC_KEY_PASSWORD -A /usr/bin/codesign
echo "Add keychain to keychain-list"
security list-keychains -s $KEY_CHAIN
echo "Setting key partition list"
security set-key-partition-list -S apple-tool:,apple: -s -k $KEYCHAIN_PASSWORD $KEY_CHAIN
echo "Trusting self-signed certificate"
sudo security trust-settings-import -d "$(dirname $0)"/trust-settings.plist

Binary file not shown.

Binary file not shown.


@ -1,9 +0,0 @@
-----BEGIN RSA PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAw91mumcVpai94X7PASje
R9+meqEHsavRsKQmtVV5JkJk9ZZbWTdpXgOjy1hhGQURrbp3li9lmi3MFHVqZjuQ
H8omufj0iFiUD0bBY9EZeQjmcXd/ZgP8SoFfMS3BSAeRzXI5UQ5zFq86CWyzBh4k
lgRN+iuhmxxZ/8PUcuEQ49fzNWVtRskkX+ZDwj8mn9YYRQMm3nl+bB+lYbpgVnkX
WztXvSdRxCMjvjzLtoSJQhG36DEz6Sv7XeEAfYi70diQIwr/yCtgCpYUTadjOdzO
h0W/rpC2DTVE/yC3xZxg2uVjEa9siC8+DX9F6luAytkx2TgUGF6KdVblPVVCYkxW
QQIDAQAB
-----END RSA PUBLIC KEY-----


@ -1,138 +0,0 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>trustList</key>
<dict>
<key>80079C1EC6AED92C03B4C67E9A94B0B05E854AC8</key>
<dict>
<key>issuerName</key>
<data>
MIGIMSYwJAYDVQQDDB1FbGVjdHJvblNlbGZTaWduZWRTcGVjU2ln
bmluZzEUMBIGA1UECgwLRWxlY3Ryb24gSlMxEDAOBgNVBAsMB1Rl
c3RpbmcxCzAJBgNVBAYTAlVTMSkwJwYJKoZIhvcNAQkBFhpjb2Rl
c2lnbmluZ0BlbGVjdHJvbmpzLm9yZw==
</data>
<key>modDate</key>
<date>2019-03-19T02:33:38Z</date>
<key>serialNumber</key>
<data>
AQ==
</data>
<key>trustSettings</key>
<array>
<dict>
<key>kSecTrustSettingsAllowedError</key>
<integer>-2147409654</integer>
<key>kSecTrustSettingsPolicy</key>
<data>
KoZIhvdjZAED
</data>
<key>kSecTrustSettingsPolicyName</key>
<string>sslServer</string>
<key>kSecTrustSettingsResult</key>
<integer>1</integer>
</dict>
<dict>
<key>kSecTrustSettingsAllowedError</key>
<integer>-2147408896</integer>
<key>kSecTrustSettingsPolicy</key>
<data>
KoZIhvdjZAED
</data>
<key>kSecTrustSettingsPolicyName</key>
<string>sslServer</string>
<key>kSecTrustSettingsResult</key>
<integer>1</integer>
</dict>
<dict>
<key>kSecTrustSettingsAllowedError</key>
<integer>-2147409654</integer>
<key>kSecTrustSettingsPolicy</key>
<data>
KoZIhvdjZAEI
</data>
<key>kSecTrustSettingsPolicyName</key>
<string>SMIME</string>
<key>kSecTrustSettingsResult</key>
<integer>1</integer>
</dict>
<dict>
<key>kSecTrustSettingsAllowedError</key>
<integer>-2147408872</integer>
<key>kSecTrustSettingsPolicy</key>
<data>
KoZIhvdjZAEI
</data>
<key>kSecTrustSettingsPolicyName</key>
<string>SMIME</string>
<key>kSecTrustSettingsResult</key>
<integer>1</integer>
</dict>
<dict>
<key>kSecTrustSettingsAllowedError</key>
<integer>-2147409654</integer>
<key>kSecTrustSettingsPolicy</key>
<data>
KoZIhvdjZAEJ
</data>
<key>kSecTrustSettingsPolicyName</key>
<string>eapServer</string>
<key>kSecTrustSettingsResult</key>
<integer>1</integer>
</dict>
<dict>
<key>kSecTrustSettingsAllowedError</key>
<integer>-2147409654</integer>
<key>kSecTrustSettingsPolicy</key>
<data>
KoZIhvdjZAEL
</data>
<key>kSecTrustSettingsPolicyName</key>
<string>ipsecServer</string>
<key>kSecTrustSettingsResult</key>
<integer>1</integer>
</dict>
<dict>
<key>kSecTrustSettingsAllowedError</key>
<integer>-2147409654</integer>
<key>kSecTrustSettingsPolicy</key>
<data>
KoZIhvdjZAEQ
</data>
<key>kSecTrustSettingsPolicyName</key>
<string>CodeSigning</string>
<key>kSecTrustSettingsResult</key>
<integer>1</integer>
</dict>
<dict>
<key>kSecTrustSettingsAllowedError</key>
<integer>-2147409654</integer>
<key>kSecTrustSettingsPolicy</key>
<data>
KoZIhvdjZAEU
</data>
<key>kSecTrustSettingsPolicyName</key>
<string>AppleTimeStamping</string>
<key>kSecTrustSettingsResult</key>
<integer>1</integer>
</dict>
<dict>
<key>kSecTrustSettingsAllowedError</key>
<integer>-2147409654</integer>
<key>kSecTrustSettingsPolicy</key>
<data>
KoZIhvdjZAEC
</data>
<key>kSecTrustSettingsPolicyName</key>
<string>basicX509</string>
<key>kSecTrustSettingsResult</key>
<integer>1</integer>
</dict>
</array>
</dict>
</dict>
<key>trustVersion</key>
<integer>1</integer>
</dict>
</plist>

script/codesign/trust.xml Normal file

@ -0,0 +1,138 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>trustList</key>
<dict>
<key>{{FINGERPRINT}}</key>
<dict>
<key>issuerName</key>
<data>
MH8xCzAJBgNVBAYTAkNBMQswCQYDVQQIDAJCQzESMBAGA1UEBwwJ
VmFuY291dmVyMRMwEQYDVQQKDApFbGVjdHJvbkpTMRgwFgYDVQQL
DA9CdWlsZEF1dG9tYXRpb24xIDAeBgNVBAMMF2NvZGVzaWduLmVs
ZWN0cm9uanMub3Jn
</data>
<key>modDate</key>
<date>2019-01-01T00:00:00Z</date>
<key>serialNumber</key>
<data>
{{SERIAL_BASE64}}
</data>
<key>trustSettings</key>
<array>
<dict>
<key>kSecTrustSettingsAllowedError</key>
<integer>-2147409654</integer>
<key>kSecTrustSettingsPolicy</key>
<data>
KoZIhvdjZAED
</data>
<key>kSecTrustSettingsPolicyName</key>
<string>sslServer</string>
<key>kSecTrustSettingsResult</key>
<integer>1</integer>
</dict>
<dict>
<key>kSecTrustSettingsAllowedError</key>
<integer>-2147408896</integer>
<key>kSecTrustSettingsPolicy</key>
<data>
KoZIhvdjZAED
</data>
<key>kSecTrustSettingsPolicyName</key>
<string>sslServer</string>
<key>kSecTrustSettingsResult</key>
<integer>1</integer>
</dict>
<dict>
<key>kSecTrustSettingsAllowedError</key>
<integer>-2147409654</integer>
<key>kSecTrustSettingsPolicy</key>
<data>
KoZIhvdjZAEI
</data>
<key>kSecTrustSettingsPolicyName</key>
<string>SMIME</string>
<key>kSecTrustSettingsResult</key>
<integer>1</integer>
</dict>
<dict>
<key>kSecTrustSettingsAllowedError</key>
<integer>-2147408872</integer>
<key>kSecTrustSettingsPolicy</key>
<data>
KoZIhvdjZAEI
</data>
<key>kSecTrustSettingsPolicyName</key>
<string>SMIME</string>
<key>kSecTrustSettingsResult</key>
<integer>1</integer>
</dict>
<dict>
<key>kSecTrustSettingsAllowedError</key>
<integer>-2147409654</integer>
<key>kSecTrustSettingsPolicy</key>
<data>
KoZIhvdjZAEJ
</data>
<key>kSecTrustSettingsPolicyName</key>
<string>eapServer</string>
<key>kSecTrustSettingsResult</key>
<integer>1</integer>
</dict>
<dict>
<key>kSecTrustSettingsAllowedError</key>
<integer>-2147409654</integer>
<key>kSecTrustSettingsPolicy</key>
<data>
KoZIhvdjZAEL
</data>
<key>kSecTrustSettingsPolicyName</key>
<string>ipsecServer</string>
<key>kSecTrustSettingsResult</key>
<integer>1</integer>
</dict>
<dict>
<key>kSecTrustSettingsAllowedError</key>
<integer>-2147409654</integer>
<key>kSecTrustSettingsPolicy</key>
<data>
KoZIhvdjZAEQ
</data>
<key>kSecTrustSettingsPolicyName</key>
<string>CodeSigning</string>
<key>kSecTrustSettingsResult</key>
<integer>1</integer>
</dict>
<dict>
<key>kSecTrustSettingsAllowedError</key>
<integer>-2147409654</integer>
<key>kSecTrustSettingsPolicy</key>
<data>
KoZIhvdjZAEU
</data>
<key>kSecTrustSettingsPolicyName</key>
<string>AppleTimeStamping</string>
<key>kSecTrustSettingsResult</key>
<integer>1</integer>
</dict>
<dict>
<key>kSecTrustSettingsAllowedError</key>
<integer>-2147409654</integer>
<key>kSecTrustSettingsPolicy</key>
<data>
KoZIhvdjZAEC
</data>
<key>kSecTrustSettingsPolicyName</key>
<string>basicX509</string>
<key>kSecTrustSettingsResult</key>
<integer>1</integer>
</dict>
</array>
</dict>
</dict>
<key>trustVersion</key>
<integer>1</integer>
</dict>
</plist>
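Review bot: The trust list grants the generated certificate `kSecTrustSettingsResult` 1 (trust as root) for sslServer, SMIME, eapServer, ipsecServer and basicX509 as well as CodeSigning, and the second sslServer entry adds an allowed error that, as far as I can tell, is the hostname-mismatch code; a CI codesigning identity only needs the CodeSigning entry, possibly plus AppleTimeStamping. On a throwaway CI VM this is harmless, but on any reused macOS host it installs a 20-year self-signed root that TLS, S/MIME and VPN evaluation will accept, with the matching key left under `script/codesign/.working` by the generate script. Trim the `trustSettings` array to the CodeSigning and basicX509 entries, or add an XML comment at the top stating why the broader policies are required. The `issuerName` data is hard-coded and only valid while the DN in codesign.cnf is unchanged, and `modDate` is pinned to 2019-01-01; a comment `<!-- issuerName is the DER-encoded subject from codesign.cnf; regenerate if the DN changes -->` next to it would prevent a silent mismatch.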