Merge remote-tracking branch 'origin/dev' into dev
demarey committed Jul 9, 2020
2 parents 7ec0116 + 3e57ca8 commit 41fc4b1
Showing 2 changed files with 27 additions and 12 deletions.
32 changes: 20 additions & 12 deletions mac/build-dmg.sh
Expand Up @@ -59,10 +59,11 @@ fi

# Sign the app
function sign_mac_version() {
# This function expects that following environment varialbes are available:
# This function expects that following environment variables are available:
# - PHARO_CERT_PASSWORD
# - PHARO_SIGN_IDENTITY
local key_chain=macos-build.keychain
local keychain_name=macos-ci-build.keychain
local keychain_password=ci
local app_dir=$1
local cert_pass=${PHARO_CERT_PASSWORD}
local pharo_sign_password=${PHARO_CERT_PASSWORD}
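Review bot: the two new locals `cert_pass=${PHARO_CERT_PASSWORD}` and `pharo_sign_password=${PHARO_CERT_PASSWORD}` are both read from the same environment variable, so one of them is redundant and a reader cannot tell which is the intended name for the p12 import password; keep a single variable (the header comment above only documents PHARO_CERT_PASSWORD and PHARO_SIGN_IDENTITY). Hardcoding `keychain_password=ci` is defensible here because the keychain is created and deleted within the same run and holds nothing beyond the imported identity, but a one-line comment saying so would stop it being mistaken for a real secret.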
Expand All @@ -79,23 +80,30 @@ function sign_mac_version() {

echo "Signing app bundle..."
# Set up keychain
security delete-keychain "${key_chain}" || true
security create-keychain -p ci "${key_chain}"
security default-keychain -s "${key_chain}"
security unlock-keychain -p ci "${key_chain}"
security set-keychain-settings -t 3600 -u "${key_chain}"
security import "${path_cer}" -k ~/Library/Keychains/"${key_chain}" -T /usr/bin/codesign
security import "${path_p12}" -k ~/Library/Keychains/"${key_chain}" -P "${cert_pass}" -T /usr/bin/codesign
security delete-keychain "${keychain_name}" || true
security create-keychain -p ${keychain_password} "${keychain_name}"
# add keychain to the search list
security list-keychains -d user -s "${keychain_name}"
security default-keychain -s "${keychain_name}"
security unlock-keychain -p ${keychain_password} "${keychain_name}"
security set-keychain-settings -t 3600 -u "${keychain_name}"
# Importing certificate
security import "${path_cer}" -k ~/Library/Keychains/"${keychain_name}" -T /usr/bin/codesign
# Importing identity
security import "${path_p12}" -k ~/Library/Keychains/"${keychain_name}" -P "${cert_pass}" -T /usr/bin/codesign
# Set ACL on keychain. To avoid to get codesign to yield an errSecInternalComponent you need to get the partition list (ACLs) correct.
# See https://code-examples.net/en/q/1344e6a
security set-key-partition-list -S apple-tool:,apple: -s -k ${keychain_password} "${keychain_name}"
# debug
echo ${sign_identity} >> "id.txt"
# Invoke codesign
if [[ -d "${app_dir}/Contents/MacOS/Plugins" ]]; then # Pharo.app does not (yet) have its plugins in Resources dir
codesign -s "${sign_identity}" --keychain "${key_chain}" --force --deep "${app_dir}/Contents/MacOS/Plugins/"*
codesign -s "${sign_identity}" --keychain "${keychain_name}" --force --deep "${app_dir}/Contents/MacOS/Plugins/"*
fi
codesign -s "${sign_identity}" --keychain "${key_chain}" --force --deep "${app_dir}"
codesign -s "${sign_identity}" --keychain "${keychain_name}" --force --deep "${app_dir}"
# Remove sensitive files again
rm -rf "${path_cer}" "${path_p12}"
security delete-keychain "${key_chain}"
security delete-keychain "${keychain_name}"
}

if [ "$SHOULD_SIGN" = true ] ; then
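Review bot: the added `# debug` line `echo ${sign_identity} >> "id.txt"` looks like a leftover from troubleshooting; it appends the signing identity to a file in the working directory on every run and that file is not covered by the `# Remove sensitive files again` cleanup, so it should be dropped before merge (or written to the log instead of a file). Separately, `security list-keychains -d user -s "${keychain_name}"` sets the user search list to exactly this one keychain rather than adding to it, which is what the comment says it does; on a CI host that shares a login keychain this silently removes the other keychains from the search list until something restores it, so consider capturing the current list first and passing it back along with the new keychain. Minor style point: `-p ${keychain_password}` and `-k ${keychain_password}` are unquoted while every other expansion in the function is quoted.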
7 changes: 7 additions & 0 deletions signing/README.md
Expand Up @@ -47,6 +47,13 @@ openssl aes-256-cbc -k "${pharo_sign_password}" -in pharo-windows-certificate.p1
The password needed to decrypt them will be stored in an environment variable (secured) on the CI tool (travis or Jenkins).
# How to sign on OS X?
Some links:
- [macOS Code Signing In Depth](https://developer.apple.com/library/archive/technotes/tn2206/_index.html)
- [Distribute outside the Mac App Store (macOS)](https://help.apple.com/xcode/mac/current/#/dev033e997ca)
- [Troubleshooting Failed Signature Verification](https://developer.apple.com/library/archive/technotes/tn2318/_index.html#//apple_ref/doc/uid/DTS40013777-CH1-TNTAG2)
- [security / codesign in Sierra: Keychain ignores access control settings and UI-prompts for permission](https://stackoverflow.com/questions/39868578/security-codesign-in-sierra-keychain-ignores-access-control-settings-and-ui-p/41220140#41220140)
You need to use codesign (shipped with Xcode):
```
codesign -s "${sign_identity}" --keychain "${key_chain}" --force --deep "${app_dir}/Contents/MacOS/Plugins/"*
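Review bot: the README snippet still refers to `--keychain "${key_chain}"`, but this same commit renames that variable to `keychain_name` in mac/build-dmg.sh, so the documentation and the script now disagree on the first read; update the snippet to `"${keychain_name}"` or describe the argument generically. The new section also documents only the `codesign` call, while the part of the script that actually needed the linked Stack Overflow answer is the `security set-key-partition-list -S apple-tool:,apple:` step that avoids the errSecInternalComponent failure; a sentence saying the keychain must be created, unlocked and given that partition list before `codesign` runs would make the linked article's relevance clear.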
