macOS: added basic installer signing

2020-04-06 15:42:30 +02:00 · 2020-04-06 15:42:30 +02:00 · e71b85867f
parent 3af52cd1c6
commit e71b85867f
5 changed files with 67 additions and 12 deletions
--- a/.github/add_signing_key.sh
+++ b/.github/add_signing_key.sh
@ -0,0 +1,28 @@
+#!/bin/sh
+
+set -ex -o xtrace
+
+pushd .github/
+tar xvf secrets.tar
+KEY_CHAIN=mac-build.keychain
+
+# Create the keychain with a password
+security create-keychain -p travis $KEY_CHAIN
+
+# Make the custom keychain default, so xcodebuild will use it for signing
+security default-keychain -s $KEY_CHAIN
+
+# Unlock the keychain for one hour
+security unlock-keychain -p travis $KEY_CHAIN
+security set-keychain-settings -t 3600 -u $KEY_CHAIN
+
+# Add certificates to keychain and allow codesign to access them
+curl -L https://developer.apple.com/certificationauthority/AppleWWDRCA.cer > AppleWWDRCA.cer
+security import AppleWWDRCA.cer  -k  ~/Library/Keychains/$KEY_CHAIN -T /usr/bin/codesign
+security import certificate.cer  -k  ~/Library/Keychains/$KEY_CHAIN -T /usr/bin/codesign
+security import certificate.p12  -k  ~/Library/Keychains/$KEY_CHAIN -P $KEY_PASSWORD -T /usr/bin/codesign
+security unlock-keychain -p travis $KEY_CHAIN
+
+# https://docs.travis-ci.com/user/common-build-problems/#mac-macos-sierra-1012-code-signing-errors
+security set-key-partition-list -S apple-tool:,apple: -s -k travis $KEY_CHAIN
+popd
--- a/.github/remove_signing_key.sh
+++ b/.github/remove_signing_key.sh
@ -0,0 +1,8 @@
+#!/bin/sh
+
+set -ex -o xtrace
+
+pushd .github/
+security delete-keychain mac-build.keychain
+rm -f certificate.cer certificate.p12
+popd
--- a/.github/secrets.tar.enc
+++ b/.github/secrets.tar.enc
--- a/.travis.yml
+++ b/.travis.yml
@ -65,12 +65,17 @@ addons:
 before_install:
  # brew install gengetopt help2man cmocka ccache llvm;
  # export PATH="/usr/local/opt/ccache/libexec:/usr/local/opt/llvm/bin:$PATH";
+  # add magic notarization flags for macOS, see https://github.com/akeru-inc/xcnotary/blob/master/README.md
  - if [ "$TRAVIS_OS_NAME" = "osx" ]; then
        brew update;
        brew uninstall libtool;
        brew install libtool;
        brew install gengetopt help2man cmocka ccache;
        export PATH="/usr/local/opt/ccache/libexec:$PATH";
+        openssl aes-256-cbc -K $encrypted_3b9f0b9d36d1_key -iv $encrypted_3b9f0b9d36d1_iv -in .github/secrets.tar.enc -out .github/secrets.tar -d;
+        .github/add_signing_key.sh;
+        export OTHER_CODE_SIGN_FLAGS=--timestamp CODE_SIGN_INJECT_BASE_ENTITLEMENTS=NO CODE_SIGN_STYLE=Manual;
+        git clone https://github.com/frankmorgner/OpenSCToken.git;
    fi
  - if [ "${DO_SIMULATION}" = "cac" ]; then
        sudo apt-get install -y libglib2.0-dev libnss3-dev  pkgconf libtool make autoconf autoconf-archive automake libsofthsm2-dev softhsm2 softhsm2-common help2man gnutls-bin libcmocka-dev libusb-dev libudev-dev flex libnss3-tools libssl-dev libpcsclite1;
@ -309,6 +314,10 @@ after_script:
      git config --global user.name "Travis CI";
      .github/push_artifacts.sh "Travis CI build ${TRAVIS_JOB_NUMBER}";
    fi
+  - if [ "$TRAVIS_OS_NAME" = "osx" ]; then
+      .github/remove_signing_key.sh;
+      rm -f .github/secrets.tar;
+    fi

 before_cache:
  - brew cleanup
@ -319,6 +328,8 @@ cache:
  directories:
    - $HOME/.m2/
    - $HOME/Library/Caches/Homebrew
+    - openssl
+    - openpace
    - openssl_bin
    - openpace_bin
    - isetup
--- a/MacOSX/build-package.in
+++ b/MacOSX/build-package.in
@ -19,6 +19,13 @@ SDK_PATH=$(xcrun --sdk macosx --show-sdk-path)
 # Set SDK path
 export CFLAGS="$CFLAGS -isysroot $SDK_PATH -arch x86_64"

+# xcodebuild doesn't read the environment variables
+# transform them into parameters
+P1="${CODE_SIGN_IDENTITY:+CODE_SIGN_IDENTITY=${CODE_SIGN_IDENTITY}}"
+P2="${OTHER_CODE_SIGN_FLAGS:+OTHER_CODE_SIGN_FLAGS=${OTHER_CODE_SIGN_FLAGS}}"
+P3="${CODE_SIGN_INJECT_BASE_ENTITLEMENTS:+CODE_SIGN_INJECT_BASE_ENTITLEMENTS=${CODE_SIGN_INJECT_BASE_ENTITLEMENTS}}"
+P4="${CODE_SIGN_STYLE:+CODE_SIGN_STYLE=${CODE_SIGN_STYLE}}"
+
 export SED=/usr/bin/sed
 PREFIX=/Library/OpenSC
 export PKG_CONFIG_PATH=$PKG_CONFIG_PATH:/usr/lib/pkgconfig
@ -90,7 +97,7 @@ fi
 if ! test -e NotificationProxy; then
 	git clone http://github.com/frankmorgner/NotificationProxy.git
 fi
-xcodebuild -target NotificationProxy -configuration Release -project NotificationProxy/NotificationProxy.xcodeproj install DSTROOT=$BUILDPATH/target/Library/OpenSC/
+xcodebuild -target NotificationProxy -configuration Release -project NotificationProxy/NotificationProxy.xcodeproj install DSTROOT=$BUILDPATH/target/Library/OpenSC/ "$P1" "$P2" "$P3" "$P4"
 mkdir -p "$BUILDPATH/target/Applications"
 osacompile -o "$BUILDPATH/target/Applications/OpenSC Notify.app" "MacOSX/OpenSC_Notify.applescript"

@ -106,7 +113,7 @@ if (( xcodebuild -version | sed -En 's/Xcode[[:space:]]+([0-9]+)\.[0-9]*/\1/p' <
 	test -L OpenSC.tokend/build/opensc-src || ln -sf ${BUILDPATH}/src OpenSC.tokend/build/opensc-src

 	# Build and copy OpenSC.tokend
-	xcodebuild -target OpenSC -configuration Deployment -project OpenSC.tokend/Tokend.xcodeproj install DSTROOT=${BUILDPATH}/target_tokend
+	xcodebuild -target OpenSC -configuration Deployment -project OpenSC.tokend/Tokend.xcodeproj install DSTROOT=${BUILDPATH}/target_tokend "$P1" $P2 "$P3" "$P4"
 else
 	# https://github.com/OpenSC/OpenSC.tokend/issues/33
 	mkdir -p ${BUILDPATH}/target_tokend
@ -139,24 +146,25 @@ if test -e OpenSCToken; then
 	cd OpenSCToken
 	# make sure OpenSCToken builds with the same dependencies as before
 	if ! test -e OpenSC; then
-		git clone --depth=1 ../../OpenSC
+		git clone --depth=1 file://$PWD/../../OpenSC
 	else
 		cd OpenSC && git pull && cd ..
 	fi
-	if ! test -e openssl; then
-		git clone --depth=1 ../openssl
-	else
-		cd openssl && git pull && cd ..
+	mkdir -p build
+	if ! test -e build/openssl; then
+		# build/openssl/lib/libcrypto.a is hardcoded in OpenSCToken
+		ln -sf $BUILDPATH/openssl_bin/$PREFIX build/openssl
+		# in OpenSCToken's variant of OpenSC we still use OpenSSL flags from above
 	fi
-	if ! test -e openpace; then
-		git clone --depth=1 ../openpace
-	else
-		cd openpace && git pull && cd ..
+	if ! test -e build/openpace; then
+		# build/openpace/lib/libeac.a is hardcoded in OpenSCToken
+		ln -sf $BUILDPATH/openpace_bin/$PREFIX build/openpace
+		# in OpenSCToken's variant of OpenSC we still use OpenPACE flags from above
 	fi
 	BP=${BUILDPATH}
 	. ./bootstrap
 	BUILDPATH=${BP}
-	xcodebuild -target OpenSCTokenApp -configuration Debug -project OpenSCTokenApp.xcodeproj install DSTROOT=${BUILDPATH}/target_token
+	xcodebuild -target OpenSCTokenApp -configuration Debug -project OpenSCTokenApp.xcodeproj install DSTROOT=${BUILDPATH}/target_token  "$P1" "$P2" "$P3" "$P4"
 	cd ..
 else
 	# if no OpenSCToken is checked out, then we create a dummy package