

Remove use of entitlements field for the santad build rule (#615)
* Remove use of entitlements field for santad

* Create a local keychain instead of using the system keychain and drop sudo from most of the build stages
tnek authored Sep 28, 2021
1 parent 81049db commit 1523d58
Showing 5 changed files with 18 additions and 7 deletions.
1 change: 0 additions & 1 deletion Source/santad/BUILD
Expand Up @@ -93,7 +93,6 @@ macos_bundle(
infoplists = ["Info.plist"],
linkopts = ["-execute"],
minimum_os_version = "10.9",
entitlements = "com.google.santa.daemon.systemextension.entitlements",
codesignopts = [
"--timestamp",
"--force",
Original file line number Diff line number Diff line change
Expand Up @@ -2,6 +2,10 @@
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>com.apple.application-identifier</key>
<string>$(TeamIdentifierPrefix)com.google.santa.daemon</string>
<key>com.apple.developer.team-identifier</key>
<string>EQHXZ8M8AV</string>
<key>com.apple.developer.endpoint-security.client</key>
<true/>
</dict>
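Review bot: The added `com.apple.application-identifier` value uses `$(TeamIdentifierPrefix)`, a build-setting placeholder that `codesign --entitlements` does not expand; that substitution is done by the build rule's entitlements attribute, which this same commit removes from the santad BUILD rule. If Testing/build_and_sign.sh now passes this file straight to codesign, the entitlement is likely to be signed in as the literal string rather than `EQHXZ8M8AV.com.google.santa.daemon`, which can be checked on a built extension with `codesign -d --entitlements :- <binary>`. The file header is not shown here, so which entitlements file this is has to be inferred from the keys. If no Xcode-style substitution remains in the path, spelling the prefix out with the team ID already used on the next key, `<string>EQHXZ8M8AV.com.google.santa.daemon</string>`, removes the ambiguity.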
12 changes: 9 additions & 3 deletions Testing/build_and_sign.sh
Expand Up @@ -2,21 +2,27 @@
set -e
GIT_ROOT=$(git rev-parse --show-toplevel)

KEYCHAIN="santa-dev-test.keychain"
SANTAD_PATH=Santa.app/Contents/Library/SystemExtensions/com.google.santa.daemon.systemextension/Contents/MacOS/com.google.santa.daemon
SANTAD_ENTITLEMENTS="$GIT_ROOT/Source/santad/com.google.santa.daemon.systemextension.entitlements"
SANTA_BIN_PATH=Santa.app/Contents/MacOS
SIGNING_IDENTITY="localhost"


function main() {
sudo bazel build --ios_signing_cert_name=$SIGNING_IDENTITY --apple_generate_dsym -c opt --define=SANTA_BUILD_TYPE=ci --define=apple.propagate_embedded_extra_outputs=yes --macos_cpus=x86_64,arm64 //:release
bazel build --apple_generate_dsym -c opt --define=SANTA_BUILD_TYPE=ci --define=apple.propagate_embedded_extra_outputs=yes --macos_cpus=x86_64,arm64 //:release

echo "> Build complete, installing santa"
TMP_DIR=$(mktemp -d)
tar xvf $GIT_ROOT/bazel-bin/santa-*.tar.gz -C $TMP_DIR
CS_ARGS="--prefix=EQHXZ8M8AV -fs $SIGNING_IDENTITY --timestamp --options library,kill,runtime"

for bin in $TMP_DIR/binaries/$SANTA_BIN_PATH/* $TMP_DIR/binaries/$SANTAD_PATH; do
sudo codesign --prefix=EQHXZ8M8AV --preserve-metadata=entitlements -fs $SIGNING_IDENTITY --timestamp --options library,kill,runtime $bin
for bin in $TMP_DIR/binaries/$SANTA_BIN_PATH/*; do
codesign --keychain $KEYCHAIN --preserve-metadata=entitlements ${CS_ARGS} $bin
done

codesign ${CS_ARGS} --keychain $KEYCHAIN --entitlements $SANTAD_ENTITLEMENTS $TMP_DIR/binaries/$SANTAD_PATH

echo "> Running install.sh"
(
cd $TMP_DIR
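Review bot: `CS_ARGS` on the added `CS_ARGS=` line is a whitespace-split string, and on both new codesign lines `$KEYCHAIN`, `$bin`, `$SANTAD_ENTITLEMENTS` and `$TMP_DIR/binaries/$SANTAD_PATH` are unquoted, so a checkout or temp directory with a space in its path breaks signing and `set -e` then aborts mid-install. Use an array, `CS_ARGS=(--prefix=EQHXZ8M8AV -fs "$SIGNING_IDENTITY" --timestamp --options library,kill,runtime)`, expand it as `"${CS_ARGS[@]}"`, and quote the path operands (the `tar xvf $GIT_ROOT/...` line has the same issue). A second point: both codesign calls assume `santa-dev-test.keychain`, created separately by init_dev_certs.sh, is still unlocked and its key usable without a prompt; a keychain created in an earlier session may have auto-locked, so an explicit `security unlock-keychain -p santa "$KEYCHAIN"` before the loop would make the script usable non-interactively. `main()` continues past the end of the hunk.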
7 changes: 4 additions & 3 deletions Testing/init_dev_certs.sh
Expand Up @@ -9,6 +9,7 @@ openssl req -new -key ./santa.key -out ./santa.csr -config $CNF_PATH
openssl x509 -req -days 10 -in ./santa.csr -signkey ./santa.key -out ./santa.crt -extfile $CNF_PATH -extensions codesign
openssl pkcs12 -export -out santa.p12 -inkey santa.key -in santa.crt -password pass:santa

KEYCHAIN="/Library/Keychains/System.keychain"
sudo security import ./santa.p12 -k $KEYCHAIN -A -P santa
sudo security add-trusted-cert -d -r trustRoot -k $KEYCHAIN santa.crt
KEYCHAIN="santa-dev-test.keychain"
security create-keychain -p santa $KEYCHAIN
security import ./santa.p12 -k $KEYCHAIN -A -P santa
security add-trusted-cert -d -r trustRoot -k $KEYCHAIN santa.crt
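Review bot: `security add-trusted-cert -d` on the last added line still targets the admin trust domain, which needs root, yet the commit drops the `sudo` the removed line had; run non-interactively this is likely to fail or raise an authorization dialog, and for a per-user dev keychain the user domain, `security add-trusted-cert -r trustRoot -k $KEYCHAIN santa.crt`, should be sufficient. `security create-keychain` on the added line also errors when a keychain of that name already exists, so re-running the script fails unless the old keychain is deleted first (as reset.sh now does) or the error is tolerated deliberately. On current macOS versions codesign may additionally be unable to use the imported key without a prompt until the key's partition list is set, e.g. `security set-key-partition-list -S apple-tool:,apple: -s -k santa $KEYCHAIN` after the import; worth confirming against the build_and_sign.sh flow.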
1 change: 1 addition & 0 deletions Testing/reset.sh
Expand Up @@ -3,3 +3,4 @@ killall moroz
security delete-identity -c "localhost"
rm -rf /Applications/Santa.app
systemextensionsctl reset
security delete-keychain santa-dev-test.keychain
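Review bot: The keychain name `santa-dev-test.keychain` on the added line is now a separate literal in this script, build_and_sign.sh and init_dev_certs.sh, so renaming it in one place silently leaves a stale keychain behind; a shared `KEYCHAIN=` definition sourced by all three, or at least the same variable in each, would keep them aligned. `security delete-identity -c "localhost"` three lines above searches the default keychain list, which the new per-user keychain is not necessarily on, so it may no longer find the identity; since `delete-keychain` removes the identity together with the keychain, that line could be dropped or given the keychain explicitly as its positional argument.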
