diff --git a/.github/add_signing_key.sh b/.github/add_signing_key.sh
new file mode 100755
index 00000000..689e2cad
--- /dev/null
+++ b/.github/add_signing_key.sh
@@ -0,0 +1,28 @@
+#!/bin/sh
+
+set -ex -o xtrace
+
+pushd .github/
+tar xvf secrets.tar
+KEY_CHAIN=mac-build.keychain
+
+# Create the keychain with a password
+security create-keychain -p travis $KEY_CHAIN
+
+# Make the custom keychain default, so xcodebuild will use it for signing
+security default-keychain -s $KEY_CHAIN
+
+# Unlock the keychain for one hour
+security unlock-keychain -p travis $KEY_CHAIN
+security set-keychain-settings -t 3600 -u $KEY_CHAIN
+
+# Add certificates to keychain and allow codesign to access them
+curl -L https://developer.apple.com/certificationauthority/AppleWWDRCA.cer > AppleWWDRCA.cer
+security import AppleWWDRCA.cer -k ~/Library/Keychains/$KEY_CHAIN -T /usr/bin/codesign
+security import certificate.cer -k ~/Library/Keychains/$KEY_CHAIN -T /usr/bin/codesign
+security import certificate.p12 -k ~/Library/Keychains/$KEY_CHAIN -P $KEY_PASSWORD -T /usr/bin/codesign
+security unlock-keychain -p travis $KEY_CHAIN
+
+# https://docs.travis-ci.com/user/common-build-problems/#mac-macos-sierra-1012-code-signing-errors
+security set-key-partition-list -S apple-tool:,apple: -s -k travis $KEY_CHAIN
+popd
diff --git a/.github/remove_signing_key.sh b/.github/remove_signing_key.sh
new file mode 100755
index 00000000..218471c5
--- /dev/null
+++ b/.github/remove_signing_key.sh
@@ -0,0 +1,8 @@
+#!/bin/sh
+
+set -ex -o xtrace
+
+pushd .github/
+security delete-keychain mac-build.keychain
+rm -f certificate.cer certificate.p12
+popd
diff --git a/.github/secrets.tar.enc b/.github/secrets.tar.enc
new file mode 100644
index 00000000..20690baa
Binary files /dev/null and b/.github/secrets.tar.enc differ
diff --git a/.travis.yml b/.travis.yml
index 23d5c7e3..873fb530 100644
--- a/.travis.yml
+++ b/.travis.yml
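Review bot: The `set -ex -o xtrace` line in add_signing_key.sh traces every command, so the later `security import certificate.p12 ... -P $KEY_PASSWORD` prints the p12 passphrase (and the `-p travis` keychain password on the other lines) into the build log, and the passphrase is also readable in the process list while the import runs; even if the CI service masks secure variables, the script should not depend on that. Suppress tracing around the import and quote the expansion: `set +x`, then `security import certificate.p12 -k ~/Library/Keychains/"$KEY_CHAIN" -P "$KEY_PASSWORD" -T /usr/bin/codesign`, then `set -x`. The `curl -L` fetch of AppleWWDRCA.cer returns 0 on an HTTP error and would hand the saved error page to `security import`; `curl -fsSL` turns that into a hard failure under `set -e`. `pushd`/`popd` under `#!/bin/sh` rely on macOS's /bin/sh being bash (`cd .github/` would be portable), and `-x` together with `-o xtrace` sets the same option twice.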
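Review bot: remove_signing_key.sh removes certificate.cer and certificate.p12 but leaves the extracted secrets.tar and the downloaded AppleWWDRCA.cer in .github/, so the decrypted material outlives the script unless the caller in .travis.yml also runs `rm -f .github/secrets.tar`. Since secrets.tar appears to be the source of both certificate files (inferred from `tar xvf secrets.tar` in add_signing_key.sh), deleting it here keeps the cleanup self-contained: `rm -f certificate.cer certificate.p12 AppleWWDRCA.cer secrets.tar`. `security delete-keychain` does not obviously undo the `security default-keychain -s` switch made by add_signing_key.sh; worth confirming whether the default reverts to the login keychain afterwards. The script inherits the same `#!/bin/sh` plus `pushd`/`popd` combination as add_signing_key.sh.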
@@ -65,12 +65,17 @@ addons:
 before_install:
 # brew install gengetopt help2man cmocka ccache llvm;
 # export PATH="/usr/local/opt/ccache/libexec:/usr/local/opt/llvm/bin:$PATH";
+ # add magic notarization flags for macOS, see https://github.com/akeru-inc/xcnotary/blob/master/README.md
 - if [ "$TRAVIS_OS_NAME" = "osx" ]; then
 brew update;
 brew uninstall libtool;
 brew install libtool;
 brew install gengetopt help2man cmocka ccache;
 export PATH="/usr/local/opt/ccache/libexec:$PATH";
+ openssl aes-256-cbc -K $encrypted_3b9f0b9d36d1_key -iv $encrypted_3b9f0b9d36d1_iv -in .github/secrets.tar.enc -out .github/secrets.tar -d;
+ .github/add_signing_key.sh;
+ export OTHER_CODE_SIGN_FLAGS=--timestamp CODE_SIGN_INJECT_BASE_ENTITLEMENTS=NO CODE_SIGN_STYLE=Manual;
+ git clone https://github.com/frankmorgner/OpenSCToken.git;
 fi
 - if [ "${DO_SIMULATION}" = "cac" ]; then
 sudo apt-get install -y libglib2.0-dev libnss3-dev pkgconf libtool make autoconf autoconf-archive automake libsofthsm2-dev softhsm2 softhsm2-common help2man gnutls-bin libcmocka-dev libusb-dev libudev-dev flex libnss3-tools libssl-dev libpcsclite1;
@@ -309,6 +314,10 @@ after_script:
 git config --global user.name "Travis CI";
 .github/push_artifacts.sh "Travis CI build ${TRAVIS_JOB_NUMBER}";
 fi
+ - if [ "$TRAVIS_OS_NAME" = "osx" ]; then
+ .github/remove_signing_key.sh;
+ rm -f .github/secrets.tar;
+ fi
 
 before_cache:
 - brew cleanup
@@ -319,6 +328,8 @@ cache:
 directories:
 - $HOME/.m2/
 - $HOME/Library/Caches/Homebrew
+ - openssl
+ - openpace
 - openssl_bin
 - openpace_bin
 - isetup
diff --git a/MacOSX/build-package.in b/MacOSX/build-package.in
index 53248ac7..fb9979c1 100755
--- a/MacOSX/build-package.in
+++ b/MacOSX/build-package.in
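Review bot: The new `git clone https://github.com/frankmorgner/OpenSCToken.git` in before_install checks out an unpinned HEAD of a third-party repository that the macOS job then builds and code-signs with the certificate just imported by add_signing_key.sh, so any commit pushed to that repository is shipped under this project's signature. Pinning a tag, e.g. `git clone --branch <PINNED_TAG_PLACEHOLDER> https://github.com/frankmorgner/OpenSCToken.git`, makes the signed input reproducible; the existing `http://` clone of NotificationProxy in MacOSX/build-package.in (a context line there, not part of this change) has the same property and additionally no transport integrity. CODE_SIGN_IDENTITY is not exported alongside the `export OTHER_CODE_SIGN_FLAGS=--timestamp CODE_SIGN_INJECT_BASE_ENTITLEMENTS=NO CODE_SIGN_STYLE=Manual` line; unless it is set elsewhere in this file, P1 in build-package.in stays empty and `CODE_SIGN_STYLE=Manual` has no identity to sign with. A one-line comment next to the export naming where the identity comes from would settle that for the next reader.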
@@ -19,6 +19,13 @@ SDK_PATH=$(xcrun --sdk macosx --show-sdk-path)
 # Set SDK path
 export CFLAGS="$CFLAGS -isysroot $SDK_PATH -arch x86_64"
 
+# xcodebuild doesn't read the environment variables
+# transform them into parameters
+P1="${CODE_SIGN_IDENTITY:+CODE_SIGN_IDENTITY=${CODE_SIGN_IDENTITY}}"
+P2="${OTHER_CODE_SIGN_FLAGS:+OTHER_CODE_SIGN_FLAGS=${OTHER_CODE_SIGN_FLAGS}}"
+P3="${CODE_SIGN_INJECT_BASE_ENTITLEMENTS:+CODE_SIGN_INJECT_BASE_ENTITLEMENTS=${CODE_SIGN_INJECT_BASE_ENTITLEMENTS}}"
+P4="${CODE_SIGN_STYLE:+CODE_SIGN_STYLE=${CODE_SIGN_STYLE}}"
+
 export SED=/usr/bin/sed
 PREFIX=/Library/OpenSC
 export PKG_CONFIG_PATH=$PKG_CONFIG_PATH:/usr/lib/pkgconfig
@@ -90,7 +97,7 @@ fi
 if ! test -e NotificationProxy; then
 git clone http://github.com/frankmorgner/NotificationProxy.git
 fi
-xcodebuild -target NotificationProxy -configuration Release -project NotificationProxy/NotificationProxy.xcodeproj install DSTROOT=$BUILDPATH/target/Library/OpenSC/
+xcodebuild -target NotificationProxy -configuration Release -project NotificationProxy/NotificationProxy.xcodeproj install DSTROOT=$BUILDPATH/target/Library/OpenSC/ "$P1" "$P2" "$P3" "$P4"
 mkdir -p "$BUILDPATH/target/Applications"
 osacompile -o "$BUILDPATH/target/Applications/OpenSC Notify.app" "MacOSX/OpenSC_Notify.applescript"
 
@@ -106,7 +113,7 @@ if (( xcodebuild -version | sed -En 's/Xcode[[:space:]]+([0-9]+)\.[0-9]*/\1/p' <
 test -L OpenSC.tokend/build/opensc-src || ln -sf ${BUILDPATH}/src OpenSC.tokend/build/opensc-src
 
 # Build and copy OpenSC.tokend
- xcodebuild -target OpenSC -configuration Deployment -project OpenSC.tokend/Tokend.xcodeproj install DSTROOT=${BUILDPATH}/target_tokend
+ xcodebuild -target OpenSC -configuration Deployment -project OpenSC.tokend/Tokend.xcodeproj install DSTROOT=${BUILDPATH}/target_tokend "$P1" $P2 "$P3" "$P4"
 else
 # https://github.com/OpenSC/OpenSC.tokend/issues/33
 mkdir -p ${BUILDPATH}/target_tokend
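Review bot: The `"$P1" "$P2" "$P3" "$P4"` arguments appended to the xcodebuild calls (NotificationProxy and OpenSC.tokend in this line's hunks, OpenSCTokenApp in the next hunk) pass a literal empty-string argument for every CODE_SIGN variable that is unset, because the double quotes keep the empty expansion as a word; the `${VAR:+...}` form used to define P1–P4 in the first hunk was clearly meant to omit the argument instead. The OpenSC.tokend call also leaves `$P2` unquoted, which splits OTHER_CODE_SIGN_FLAGS into several arguments as soon as it contains a space. Both are fixed by expanding the parameters at each call site as `${P1:+"$P1"} ${P2:+"$P2"} ${P3:+"$P3"} ${P4:+"$P4"}`, which yields zero words when unset and exactly one when set. Whether xcodebuild tolerates an empty positional argument I have not verified; the `:+` form avoids the question entirely.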
@@ -139,24 +146,25 @@ if test -e OpenSCToken; then
 cd OpenSCToken
 # make sure OpenSCToken builds with the same dependencies as before
 if ! test -e OpenSC; then
- git clone --depth=1 ../../OpenSC
+ git clone --depth=1 file://$PWD/../../OpenSC
 else
 cd OpenSC && git pull && cd ..
 fi
- if ! test -e openssl; then
- git clone --depth=1 ../openssl
- else
- cd openssl && git pull && cd ..
+ mkdir -p build
+ if ! test -e build/openssl; then
+ # build/openssl/lib/libcrypto.a is hardcoded in OpenSCToken
+ ln -sf $BUILDPATH/openssl_bin/$PREFIX build/openssl
+ # in OpenSCToken's variant of OpenSC we still use OpenSSL flags from above
 fi
- if ! test -e openpace; then
- git clone --depth=1 ../openpace
- else
- cd openpace && git pull && cd ..
+ if ! test -e build/openpace; then
+ # build/openpace/lib/libeac.a is hardcoded in OpenSCToken
+ ln -sf $BUILDPATH/openpace_bin/$PREFIX build/openpace
+ # in OpenSCToken's variant of OpenSC we still use OpenPACE flags from above
 fi
 BP=${BUILDPATH}
 . ./bootstrap
 BUILDPATH=${BP}
- xcodebuild -target OpenSCTokenApp -configuration Debug -project OpenSCTokenApp.xcodeproj install DSTROOT=${BUILDPATH}/target_token
+ xcodebuild -target OpenSCTokenApp -configuration Debug -project OpenSCTokenApp.xcodeproj install DSTROOT=${BUILDPATH}/target_token "$P1" "$P2" "$P3" "$P4"
 cd ..
 else
 # if no OpenSCToken is checked out, then we create a dummy package
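Review bot: `git clone --depth=1 file://$PWD/../../OpenSC` and the two `ln -sf $BUILDPATH/openssl_bin/$PREFIX build/openssl` / `ln -sf $BUILDPATH/openpace_bin/$PREFIX build/openpace` lines leave `$PWD` and `$BUILDPATH` unquoted, so a build path containing a space breaks the clone URL and splits the symlink target into several arguments; quoting them as `"file://$PWD/../../OpenSC"` and `"$BUILDPATH/openssl_bin/$PREFIX"` costs nothing. The `if ! test -e build/openssl` guard skips the link when an existing target is already in place but re-links when the target has vanished (`test -e` is false for a dangling symlink), which is presumably intended since OpenSCToken is cloned fresh in .travis.yml; a short comment such as `# re-link if a cached target disappeared` would save the next reader that analysis. The `# in OpenSCToken's variant of OpenSC we still use OpenSSL flags from above` comment and its OpenPACE twin sit after the ln line inside the if, where they read as describing the link rather than the bootstrap that follows; placing them above `BP=${BUILDPATH}` puts them next to the code they explain. The enclosing `if test -e OpenSCToken` block continues past the end of the hunk.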