diff --git a/.github/add_signing_key.sh b/.github/add_signing_key.sh
index 689e2cad..d2c494a2 100755
--- a/.github/add_signing_key.sh
+++ b/.github/add_signing_key.sh
@@ -18,9 +18,18 @@ security set-keychain-settings -t 3600 -u $KEY_CHAIN
# Add certificates to keychain and allow codesign to access them
curl -L https://developer.apple.com/certificationauthority/AppleWWDRCA.cer > AppleWWDRCA.cer
-security import AppleWWDRCA.cer -k ~/Library/Keychains/$KEY_CHAIN -T /usr/bin/codesign
-security import certificate.cer -k ~/Library/Keychains/$KEY_CHAIN -T /usr/bin/codesign
-security import certificate.p12 -k ~/Library/Keychains/$KEY_CHAIN -P $KEY_PASSWORD -T /usr/bin/codesign
+security import AppleWWDRCA.cer \
+ -k ~/Library/Keychains/$KEY_CHAIN \
+ -T /usr/bin/codesign -T /usr/bin/productsign
+security import DeveloperIDApplication.cer \
+ -k ~/Library/Keychains/$KEY_CHAIN \
+ -T /usr/bin/codesign -T /usr/bin/productsign
+security import DeveloperIDInstaller.cer \
+ -k ~/Library/Keychains/$KEY_CHAIN \
+ -T /usr/bin/codesign -T /usr/bin/productsign
+security import key.p12 \
+ -k ~/Library/Keychains/$KEY_CHAIN -P $KEY_PASSWORD \
+ -T /usr/bin/codesign -T /usr/bin/productsign
security unlock-keychain -p travis $KEY_CHAIN
# https://docs.travis-ci.com/user/common-build-problems/#mac-macos-sierra-1012-code-signing-errors
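Review bot: `-P $KEY_PASSWORD` on the new key.p12 import (and `$KEY_CHAIN` on every new `-k` line) is unquoted, so a password containing whitespace or glob characters is word-split before `security` sees it; write `-k ~/Library/Keychains/"$KEY_CHAIN" -P "$KEY_PASSWORD"`. Passing the passphrase as an argument also makes it readable through `ps` for the duration of the import and, if this script enables xtrace the way remove_signing_key.sh's `set -ex -o xtrace` does, prints it into the build log; the `set` line of this file is outside the hunk, so that part cannot be confirmed here. The `-T /usr/bin/productsign` additions themselves look consistent across all four imports.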
diff --git a/.github/push_artifacts.sh b/.github/push_artifacts.sh
index 4b7f5d9a..5c62ce47 100755
--- a/.github/push_artifacts.sh
+++ b/.github/push_artifacts.sh
@@ -13,8 +13,15 @@ for file in ${BUILDPATH}/win32/Output/OpenSC*.exe ${BUILDPATH}/opensc*.tar.gz ${
do
if [ -f ${file} ]
then
- cp ${file} .
- git add `basename ${file}`
+ # github only allows a maximum file size of 50MB
+ MAX_MB_FILESIZE=50
+ if [ $(du -m "$file" | cut -f 1) -ge $MAX_MB_FILESIZE ]
+ then
+ split -b ${MAX_MB_FILESIZE}m ${file} `basename ${file}`.
+ else
+ cp ${file} .
+ fi
+ git add `basename ${file}`*
fi
done
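Review bot: The new size check splits into chunks of exactly `${MAX_MB_FILESIZE}m`, i.e. the same 50 MB the comment describes as the maximum, so a chunk can land right on the limit; if 50 MB is a hard ceiling the chunk size should sit below it, e.g. `split -b $((MAX_MB_FILESIZE - 1))m`. `${file}` is unquoted in both `split` and `cp`, and basename is spelled with backticks; `split -b "${MAX_MB_FILESIZE}m" -- "$file" "$(basename "$file")."` and `cp -- "$file" .` keep paths with spaces intact. `git add $(basename "$file")*` will also stage any pre-existing file in the working tree that shares that prefix, which seems unlikely here but cannot be ruled out from this hunk. The `for` loop begins on the hunk header line, outside the visible lines.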
diff --git a/.github/remove_signing_key.sh b/.github/remove_signing_key.sh
index 218471c5..2ebac512 100755
--- a/.github/remove_signing_key.sh
+++ b/.github/remove_signing_key.sh
@@ -4,5 +4,5 @@ set -ex -o xtrace
pushd .github/
security delete-keychain mac-build.keychain
-rm -f certificate.cer certificate.p12
+rm -f DeveloperIDApplication.cer DeveloperIDInstaller.cer key.p12
popd
diff --git a/.github/secrets.tar.enc b/.github/secrets.tar.enc
index ea2adfa6..09e8b80e 100644
Binary files a/.github/secrets.tar.enc and b/.github/secrets.tar.enc differ
diff --git a/.travis.yml b/.travis.yml
index 40805750..5fc078e0 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -75,11 +75,10 @@ before_install:
brew update;
brew uninstall libtool;
brew install libtool;
- brew install gengetopt help2man cmocka ccache;
+ brew install gengetopt help2man cmocka ccache git-lfs;
export PATH="/usr/local/opt/ccache/libexec:$PATH";
openssl aes-256-cbc -K $encrypted_3b9f0b9d36d1_key -iv $encrypted_3b9f0b9d36d1_iv -in .github/secrets.tar.enc -out .github/secrets.tar -d;
.github/add_signing_key.sh;
- export OTHER_CODE_SIGN_FLAGS=--timestamp CODE_SIGN_INJECT_BASE_ENTITLEMENTS=NO CODE_SIGN_STYLE=Manual;
git clone https://github.com/frankmorgner/OpenSCToken.git;
fi
- if [ "${DO_SIMULATION}" = "javacard" ]; then
diff --git a/MacOSX/OpenSC_Uninstaller.entitlements b/MacOSX/OpenSC_Uninstaller.entitlements
new file mode 100644
index 00000000..548ce436
--- /dev/null
+++ b/MacOSX/OpenSC_Uninstaller.entitlements
@@ -0,0 +1,10 @@
+
+
+
+
+ com.apple.security.app-sandbox
+
+ com.apple.security.automation.apple-events
+
+
+
diff --git a/MacOSX/build-package.in b/MacOSX/build-package.in
index c729dd8b..ed6125d1 100755
--- a/MacOSX/build-package.in
+++ b/MacOSX/build-package.in
@@ -19,13 +19,6 @@ SDK_PATH=$(xcrun --sdk macosx --show-sdk-path)
# Set SDK path
export CFLAGS="$CFLAGS -isysroot $SDK_PATH -arch x86_64"
-# xcodebuild doesn't read the environment variables
-# transform them into parameters
-P1="${CODE_SIGN_IDENTITY:+CODE_SIGN_IDENTITY=${CODE_SIGN_IDENTITY}}"
-P2="${OTHER_CODE_SIGN_FLAGS:+OTHER_CODE_SIGN_FLAGS=${OTHER_CODE_SIGN_FLAGS}}"
-P3="${CODE_SIGN_INJECT_BASE_ENTITLEMENTS:+CODE_SIGN_INJECT_BASE_ENTITLEMENTS=${CODE_SIGN_INJECT_BASE_ENTITLEMENTS}}"
-P4="${CODE_SIGN_STYLE:+CODE_SIGN_STYLE=${CODE_SIGN_STYLE}}"
-
export SED=/usr/bin/sed
PREFIX=/Library/OpenSC
export PKG_CONFIG_PATH=$PKG_CONFIG_PATH:/usr/lib/pkgconfig
@@ -97,13 +90,17 @@ fi
if ! test -e NotificationProxy; then
git clone http://github.com/frankmorgner/NotificationProxy.git
fi
-if test -n "${CODE_SIGN_IDENTITY}"; then
- xcodebuild -target NotificationProxy -configuration Release -project NotificationProxy/NotificationProxy.xcodeproj install DSTROOT=$BUILDPATH/target/Library/OpenSC/ "$P1" "$P2" "$P3" "$P4"
+if test -n "${CODE_SIGN_IDENTITY}" -a -n "${DEVELOPMENT_TEAM}"; then
+ xcodebuild -target NotificationProxy -configuration Release -project NotificationProxy/NotificationProxy.xcodeproj install DSTROOT=$BUILDPATH/target/Library/OpenSC/ \
+ CODE_SIGN_IDENTITY="${CODE_SIGN_IDENTITY}" DEVELOPMENT_TEAM="${DEVELOPMENT_TEAM}" OTHER_CODE_SIGN_FLAGS="--timestamp --options=runtime" CODE_SIGN_INJECT_BASE_ENTITLEMENTS=NO CODE_SIGN_STYLE=Manual
else
xcodebuild -target NotificationProxy -configuration Release -project NotificationProxy/NotificationProxy.xcodeproj install DSTROOT=$BUILDPATH/target/Library/OpenSC/
fi
mkdir -p "$BUILDPATH/target/Applications/Utilities"
osacompile -o "$BUILDPATH/target/Applications/Utilities/OpenSC Notify.app" "MacOSX/OpenSC_Notify.applescript"
+if test -n "${CODE_SIGN_IDENTITY}"; then
+ codesign --force --sign "${CODE_SIGN_IDENTITY}" --entitlements MacOSX/OpenSC_Uninstaller.entitlements --deep --timestamp --options runtime "$BUILDPATH/target/Applications/Utilities/OpenSC Notify.app"
+fi
# Build OpenSC.tokend when XCode version < 10
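Review bot: The new condition `test -n "${CODE_SIGN_IDENTITY}" -a -n "${DEVELOPMENT_TEAM}"` uses the `-a` binary primary, which POSIX marks obsolescent and ShellCheck flags; the same form recurs in the tokend and OpenSCToken hunks below, and `test -n "${CODE_SIGN_IDENTITY}" && test -n "${DEVELOPMENT_TEAM}"` is unambiguous in all three places. The added `codesign ... --entitlements MacOSX/OpenSC_Uninstaller.entitlements --deep` on "OpenSC Notify.app" reuses an entitlements file named for a different app and, with `--deep`, stamps those same entitlements onto any nested code; Apple's signing guidance discourages `--deep` for distribution builds because nested code should be signed inside-out with its own entitlements. The entitlement values are not visible in this rendering, so whether the sandbox key is actually set to true has to be checked in the plist itself.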
@@ -117,8 +114,9 @@ if (( $(xcodebuild -version | sed -En 's/Xcode[[:space:]]+([0-9]+)(\.[0-9]*)*/\1
test -L OpenSC.tokend/build/opensc-src || ln -sf ${BUILDPATH}/src OpenSC.tokend/build/opensc-src
# Build and copy OpenSC.tokend
- if test -n "${CODE_SIGN_IDENTITY}"; then
- xcodebuild -target OpenSC -configuration Deployment -project OpenSC.tokend/Tokend.xcodeproj install DSTROOT=${BUILDPATH}/target_tokend "$P1" $P2 "$P3" "$P4"
+ if test -n "${CODE_SIGN_IDENTITY}" -a -n "${DEVELOPMENT_TEAM}"; then
+ xcodebuild -target OpenSC -configuration Deployment -project OpenSC.tokend/Tokend.xcodeproj install DSTROOT=${BUILDPATH}/target_tokend \
+ CODE_SIGN_IDENTITY="${CODE_SIGN_IDENTITY}" DEVELOPMENT_TEAM="${DEVELOPMENT_TEAM}" OTHER_CODE_SIGN_FLAGS="--timestamp --options=runtime" CODE_SIGN_INJECT_BASE_ENTITLEMENTS=NO CODE_SIGN_STYLE=Manual
else
xcodebuild -target OpenSC -configuration Deployment -project OpenSC.tokend/Tokend.xcodeproj install DSTROOT=${BUILDPATH}/target_tokend
fi
@@ -150,7 +148,7 @@ cp src/tools/pkcs11-register.plist ${BUILDPATH}/target_startup/Library/LaunchAge
cp src/tools/opensc-notify.plist ${BUILDPATH}/target_startup/Library/LaunchAgents
# Build OpenSCToken if possible
-if test -e OpenSCToken -a -n "${CODE_SIGN_IDENTITY}"; then
+if test -e OpenSCToken -a -n "${CODE_SIGN_IDENTITY}" -a -n "${DEVELOPMENT_TEAM}"; then
cd OpenSCToken
# make sure OpenSCToken builds with the same dependencies as before
if ! test -e OpenSC; then
@@ -172,26 +170,44 @@ if test -e OpenSCToken -a -n "${CODE_SIGN_IDENTITY}"; then
BP=${BUILDPATH}
. ./bootstrap
BUILDPATH=${BP}
- xcodebuild -target OpenSCTokenApp -configuration Debug -project OpenSCTokenApp.xcodeproj install DSTROOT=${BUILDPATH}/target_token "$P1" "$P2" "$P3" "$P4"
- mkdir ${BUILDPATH}/target_token/Applications/Utilities
- mv ${BUILDPATH}/target_token/Applications/OpenSCTokenApp.app ${BUILDPATH}/target_token/Applications/Utilities
+ xcodebuild -target OpenSCTokenApp -configuration Debug -project OpenSCTokenApp.xcodeproj install DSTROOT=${BUILDPATH}/target_token \
+ CODE_SIGN_IDENTITY="${CODE_SIGN_IDENTITY}" DEVELOPMENT_TEAM="${DEVELOPMENT_TEAM}" OTHER_CODE_SIGN_FLAGS="--timestamp --options=runtime" CODE_SIGN_INJECT_BASE_ENTITLEMENTS=NO CODE_SIGN_STYLE=Manual
cd ..
else
# if no OpenSCToken is checked out, then we create a dummy package
mkdir -p ${BUILDPATH}/target_token
fi
+if test -n "${CODE_SIGN_IDENTITY}"; then
+ for d in ${BUILDPATH}/target/Library/OpenSC/bin ${BUILDPATH}/target/Library/OpenSC/lib
+ do
+ # find executable files and run codesign on them
+ find ${d} -type f -perm +111 -print -exec \
+ codesign --force --sign "${CODE_SIGN_IDENTITY}" --entitlements MacOSX/OpenSC_Uninstaller.entitlements --deep --timestamp --options runtime {} \;
+ done
+fi
+
+
# Build package
-pkgbuild --root ${BUILDPATH}/target --scripts MacOSX/scripts --identifier org.opensc-project.mac --version @PACKAGE_VERSION@ --install-location / OpenSC.pkg
-pkgbuild --root ${BUILDPATH}/target_tokend --identifier org.opensc-project.tokend --version @PACKAGE_VERSION@ --install-location / OpenSC-tokend.pkg
-pkgbuild --root ${BUILDPATH}/target_token --identifier org.opensc-project.mac.opensctoken --version @PACKAGE_VERSION@ --install-location / OpenSCToken.pkg
-pkgbuild --root ${BUILDPATH}/target_startup --identifier org.opensc-project.startup --version @PACKAGE_VERSION@ --install-location / OpenSC-startup.pkg
+pkgbuild --root ${BUILDPATH}/target --component-plist MacOSX/target.plist --scripts MacOSX/scripts --identifier org.opensc-project.mac --version @PACKAGE_VERSION@ --install-location / OpenSC.pkg
+pkgbuild --root ${BUILDPATH}/target_tokend --component-plist MacOSX/target_tokend.plist --identifier org.opensc-project.tokend --version @PACKAGE_VERSION@ --install-location / OpenSC-tokend.pkg
+pkgbuild --root ${BUILDPATH}/target_token --component-plist MacOSX/target_token.plist --identifier org.opensc-project.mac.opensctoken --version @PACKAGE_VERSION@ --install-location / OpenSCToken.pkg
+pkgbuild --root ${BUILDPATH}/target_startup --component-plist MacOSX/target_startup.plist --identifier org.opensc-project.startup --version @PACKAGE_VERSION@ --install-location / OpenSC-startup.pkg
# Build product
productbuild --distribution MacOSX/Distribution.xml --package-path . --resources MacOSX/resources "${imagedir}/OpenSC @PACKAGE_VERSION@.pkg"
+# Sign installer
+if test -n "${INSTALLER_SIGN_IDENTITY}"; then
+ productsign --sign "${INSTALLER_SIGN_IDENTITY}" "${imagedir}/OpenSC @PACKAGE_VERSION@.pkg" "${BUILDPATH}/OpenSC @PACKAGE_VERSION@.pkg"
+ mv "${BUILDPATH}/OpenSC @PACKAGE_VERSION@.pkg" "${imagedir}/OpenSC @PACKAGE_VERSION@.pkg"
+fi
+
# Build "Uninstaller"
osacompile -o "${imagedir}/OpenSC Uninstaller.app" "MacOSX/OpenSC_Uninstaller.applescript"
+if test -n "${CODE_SIGN_IDENTITY}"; then
+ codesign --force --sign "${CODE_SIGN_IDENTITY}" --entitlements MacOSX/OpenSC_Uninstaller.entitlements --deep --timestamp --options runtime "${imagedir}/OpenSC Uninstaller.app"
+fi
# Create .dmg
rm -f OpenSC-@PACKAGE_VERSION@.dmg
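Review bot: The new `find ... -exec codesign` loop applies `--entitlements MacOSX/OpenSC_Uninstaller.entitlements --deep` to every executable file under bin/ and lib/, i.e. to command-line tools and shared libraries; the entitlements file declares `com.apple.security.app-sandbox` and apple-events, and if those are set to true a sandboxed CLI tool no longer sees the user's files it is invoked on, while a library does not carry entitlements at all. Hardened runtime plus a timestamp is what these binaries need, so the loop's command can drop both flags: `codesign --force --sign "${CODE_SIGN_IDENTITY}" --timestamp --options runtime {} \;`. `-perm +111` is BSD find syntax, fine on macOS but rejected by GNU find, which is worth a one-line comment if this script is ever run elsewhere. `${d}` and `${BUILDPATH}` are unquoted in the `for` list and in `find`, matching the file's existing style rather than something this commit introduces.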
@@ -205,3 +221,6 @@ do
fi
done
rm -rf ${imagedir}
+
+#if [ "$TRAVIS_EVENT_TYPE" != "pull_request" ]; then xcrun altool --notarize-app --file $(pwd)/vorteil_darwin-x86.dmg --username $OSX_NOTARIZE_USERNAME --primary-bundle-id com.vorteil.cli -p $OSX_NOTARIZE_PW -- >> /dev/null; fi;
+#if [ "$TRAVIS_EVENT_TYPE" != "pull_request" ]; then for ((i=1;i<=30;i+=1)); do xcrun stapler staple $(pwd)/vorteil_darwin-x86.dmg >> /dev/null; if [ $? = 65 ]; then echo "Waiting for notarization to complete..." && sleep 10; fi; done; fi;
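Review bot: The two commented-out notarization lines reference `vorteil_darwin-x86.dmg` and `com.vorteil.cli`, which look copied from another project and do not match the `OpenSC-@PACKAGE_VERSION@.dmg` this script produces, so they would need editing before they could be enabled. As written they would also pass `$OSX_NOTARIZE_PW` on the `altool` command line, where it is visible to `ps` and to any command tracing; `altool` accepts `--password "@env:OSX_NOTARIZE_PW"` (or a `@keychain:` reference), which keeps the secret out of argv. If the intent is to keep these as a template, a comment such as `# TODO: adapt file name, bundle id and credential handling before enabling` would make that clear to the next reader.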
diff --git a/MacOSX/target.plist b/MacOSX/target.plist
new file mode 100644
index 00000000..ef1b4b82
--- /dev/null
+++ b/MacOSX/target.plist
@@ -0,0 +1,18 @@
+
+
+
+
+
+ BundleHasStrictIdentifier
+
+ BundleIsRelocatable
+
+ BundleIsVersionChecked
+
+ BundleOverwriteAction
+ upgrade
+ RootRelativeBundlePath
+ Library/OpenSC/Applications/NotificationProxy.app
+
+
+
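Review bot: The boolean values for `BundleHasStrictIdentifier`, `BundleIsRelocatable` and `BundleIsVersionChecked` are not visible in this rendering (the `<true/>`/`<false/>` elements were dropped), so the one thing to confirm in the real file is that `BundleIsRelocatable` is `<false/>` for NotificationProxy.app here and for both bundles in target_token.plist. With the default of true, Installer relocates the bundle to wherever a copy with the same bundle identifier already exists on the target system rather than to the `RootRelativeBundlePath` given, which is a common cause of files missing from /Library/OpenSC after an upgrade. target_startup.plist and target_tokend.plist are empty component lists and need no such check.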
diff --git a/MacOSX/target_startup.plist b/MacOSX/target_startup.plist
new file mode 100644
index 00000000..5dd5da85
--- /dev/null
+++ b/MacOSX/target_startup.plist
@@ -0,0 +1,5 @@
+
+
+
+
+
diff --git a/MacOSX/target_token.plist b/MacOSX/target_token.plist
new file mode 100644
index 00000000..2c2aa16f
--- /dev/null
+++ b/MacOSX/target_token.plist
@@ -0,0 +1,27 @@
+
+
+
+
+
+ BundleHasStrictIdentifier
+
+ BundleIsRelocatable
+
+ BundleIsVersionChecked
+
+ BundleOverwriteAction
+ upgrade
+ ChildBundles
+
+
+ BundleOverwriteAction
+
+ RootRelativeBundlePath
+ Applications/Utilities/OpenSCTokenApp.app/Contents/PlugIns/OpenSCToken.appex
+
+
+ RootRelativeBundlePath
+ Applications/Utilities/OpenSCTokenApp.app
+
+
+
diff --git a/MacOSX/target_tokend.plist b/MacOSX/target_tokend.plist
new file mode 100644
index 00000000..5dd5da85
--- /dev/null
+++ b/MacOSX/target_tokend.plist
@@ -0,0 +1,5 @@
+
+
+
+
+