From e71b85867f7325c4c03db10a66f31ee826ddbce2 Mon Sep 17 00:00:00 2001
From: Frank Morgner
Date: Mon, 6 Apr 2020 15:42:30 +0200
Subject: [PATCH] macOS: added basic installer signing
---
 .github/add_signing_key.sh | 28 ++++++++++++++++++++++++++++
 .github/remove_signing_key.sh | 8 ++++++++
 .github/secrets.tar.enc | Bin 0 -> 7184 bytes
 .travis.yml | 11 +++++++++++
 MacOSX/build-package.in | 32 ++++++++++++++++++++------------
 5 files changed, 67 insertions(+), 12 deletions(-)
 create mode 100755 .github/add_signing_key.sh
 create mode 100755 .github/remove_signing_key.sh
 create mode 100644 .github/secrets.tar.enc
diff --git a/.github/add_signing_key.sh b/.github/add_signing_key.sh
new file mode 100755
index 00000000..689e2cad
--- /dev/null
+++ b/.github/add_signing_key.sh
@@ -0,0 +1,28 @@
+#!/bin/sh
+
+set -ex -o xtrace
+
+pushd .github/
+tar xvf secrets.tar
+KEY_CHAIN=mac-build.keychain
+
+# Create the keychain with a password
+security create-keychain -p travis $KEY_CHAIN
+
+# Make the custom keychain default, so xcodebuild will use it for signing
+security default-keychain -s $KEY_CHAIN
+
+# Unlock the keychain for one hour
+security unlock-keychain -p travis $KEY_CHAIN
+security set-keychain-settings -t 3600 -u $KEY_CHAIN
+
+# Add certificates to keychain and allow codesign to access them
+curl -L https://developer.apple.com/certificationauthority/AppleWWDRCA.cer > AppleWWDRCA.cer
+security import AppleWWDRCA.cer -k ~/Library/Keychains/$KEY_CHAIN -T /usr/bin/codesign
+security import certificate.cer -k ~/Library/Keychains/$KEY_CHAIN -T /usr/bin/codesign
+security import certificate.p12 -k ~/Library/Keychains/$KEY_CHAIN -P $KEY_PASSWORD -T /usr/bin/codesign
+security unlock-keychain -p travis $KEY_CHAIN
+
+# https://docs.travis-ci.com/user/common-build-problems/#mac-macos-sierra-1012-code-signing-errors
+security set-key-partition-list -S apple-tool:,apple: -s -k travis $KEY_CHAIN
+popd
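Review bot: With `set -ex -o xtrace` in effect, the trace of `security import certificate.p12 -k ~/Library/Keychains/$KEY_CHAIN -P $KEY_PASSWORD -T /usr/bin/codesign` writes the expanded P12 password into the build log; Travis's secure-variable masking may hide it, but the script should not depend on that. Wrap that one command as `set +x`, `security import certificate.p12 -k ~/Library/Keychains/"$KEY_CHAIN" -P "$KEY_PASSWORD" -T /usr/bin/codesign`, `set -x` (`-o xtrace` is the same option as `-x`, so one of the two can go). The file is declared `#!/bin/sh` but uses `pushd`/`popd`, which POSIX sh does not provide; it works because macOS's /bin/sh is bash, so either make that explicit with `#!/bin/bash` or use `cd .github/` and `cd -`. `KEY_PASSWORD` is never assigned here and presumably arrives from the CI environment; a `: "${KEY_PASSWORD:?KEY_PASSWORD not set}"` guard before the imports would fail with a clear message instead of an opaque `security` error.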
diff --git a/.github/remove_signing_key.sh b/.github/remove_signing_key.sh
new file mode 100755
index 00000000..218471c5
--- /dev/null
+++ b/.github/remove_signing_key.sh
@@ -0,0 +1,8 @@
+#!/bin/sh
+
+set -ex -o xtrace
+
+pushd .github/
+security delete-keychain mac-build.keychain
+rm -f certificate.cer certificate.p12
+popd
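Review bot: Under `set -e`, a failing `security delete-keychain mac-build.keychain` (for example when `add_signing_key.sh` aborted before `create-keychain`) exits the script before `rm -f certificate.cer certificate.p12` runs, so the extracted key material stays on disk. Since this is best-effort cleanup, either move the `rm -f` first or write `security delete-keychain mac-build.keychain || true`. The keychain name is duplicated as a literal here while `add_signing_key.sh` keeps it in `KEY_CHAIN`; a `# must match KEY_CHAIN in add_signing_key.sh` comment at least ties the two together. The `#!/bin/sh` with `pushd`/`popd` point from `add_signing_key.sh` applies here as well.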
diff --git a/.github/secrets.tar.enc b/.github/secrets.tar.enc new file mode 100644 index 0000000000000000000000000000000000000000..20690baa80af59f3f3abce8cda1e8356eb076e5d GIT binary patch literal 7184 zcmV+r9Pi`lsah|RSysDnstcN+J=&3tTuDP%*Y!Ee!NI8aqq_`~7v=DUJh)A>2*eGz zbq}(+^v?tq2sm`xB}M5lHCRO*~%UiU)$wIExj_l*ARU=h`8zVeib15h_(Qefae z5)`6ggve23jZPpNot>#-Zi8Llk_4L~0@K?%R%7FUoAd!=p z<78vB}q?SyS^EI;?iaeR@*V_07) zQe4x^&j>tywf%6KcA|*Y_jakps-2&7o1EjmFNhljJ3u(su%I7jZ~W}MIGRJhzdF4- z&*{sEsl+u^{fQ^oMJEDm(}}Nw2B6Ia>N+RY=?E*VV>IzI?fCl$rR%wT*LP%%En3x@ zfp5vJeH?i83-|((>o@nZ&)-w00SMPKZa^FifZr{oW)EJoaSk2tR?FI-AI~9nFnl9Z zBc*)S)#@4D%66GwecNlB##?Pn#V(T58_3bZXuR#&h>oX<>C&ce8Z?QT{;K7O!MXsw zH3X&75Tg&3zXehv#wc4w$sg2`WA8ZwKJ;^{U;{ck5<^2sX(5LSL{$LmQUqU5Z@xXw1w)`i z`AgZ1_TLw#q#o|$Ms_4y_C#l(-Tnj)3eSiDVXbA@Ll0>um9TyntopBl@iVhC|+%z+SdlTRud4`b1+# zcad|qgn0q@2@xXy-zAF)6v~UOisQ6HG)|}iY;H=ZSGGSAT;mwm#co2lXdij2Aq^d* zKcfJSq{hMHqhu1io`SY(+-RxwGZViF4ObUkpk%uoBttngZL=so?NsMP zjFmHLk+JtBz;Z55Xegt8pCjM|m%(L-Q#*n#Oc`^6tA&{w@`B;12*bSikq?F#KP2=M zmDA;%Vl|Y8i^&>!S2P0R*vY!jJ(D0GB*de)M!v;TC$&kHDaz_@`W5^#9N+1t@MNh) zior#ydzLGN#Qu2djVjOcH0zwGyoPrm!OZ;_WgC|zif(R73k69h=Fpg3xJKD57&X4T z-?pymPjNU~v9(r3J@zdC%VNXYZ2m1+>d#+Xl~Rghmiw-LS`e?YWcp_hT6%L~9c z(t3kCH4I$;`VyRk9egl8*4~X4)nucmGjNf$P@?nZ&GIWhRgB)Z#XGiDT>?XRGe-G| zf^-oqcTqi^=j56bx(8moW-8vJc?(n$2mW6FfQ?;Yup+-OL>qv}r2PgWz%w)#`B;)o z`L-uq0sTwl!$?+0eg&e#^m1EaG{_MWQY7!<-<;-{!)4>+k8lx~P@ABTk)Ujmjp%or zc$VrD@-RD&Z5Ic@S37X)IN;CF)lv2)yRXRH6La$;APBvwpsA}WcJjIp_m|~|sD{i6 z1Q`tYQ812yGHO>cRb`ocVH127RSbW7LAb{A@asT>#XNrxbc0N~kGzN%hvMX~Vle z${oeVZ_q*$R{fb{*(wzrkJT=i-`|Mj5hwJnq`3u-IM~qJXUt1NDistJoy&-2J*F`? 
zU{&gAAWY`)sp;RAnl}U_hHd|aK^X}$fi&t&K=3ErIA2mdcnatYZ};wqBZ@F-Z0k>9 z_Fudah&q^&Mkg0~+}y^$AI&Q4GUgQooWt0fEn885Fwc!PgWXjnJaZc|6XOE;Zv|>O;P(AJfz-{d(k{HgDMIwS z;&Q{jKf{aiAvS4eSWnKWlvotfwmwR{mK_76)pF0-i<*ATmXn)or5uiGTvnwNua3+3 znECLlDWShjjr-BysYc*$)$yYoi;fPxxgm^0vy8N4zhk%o#NRJMZW6Xqxo}n{`ko}TT%K2Xik2aTy!&;6yLmi#hY_a$qTt8 zgjt#{4C=6+7FhXD5NE|GC)z+k)!2=S%MO9P>Bts~;OGVvmYCAq0XXnd(0_2vn6pB^ojH#Q5f(qTA<(fjW#7Ilu=hVZ) z`fyjtRLtV_Qf-|9E_HSkPL8OcVG|uKwHGHzK3(IBXBy!6U9&s@5MHAb4%0yO1Rxp? z3bRQv1P1ycRUpZG07oG@d`erB>z&@aaQb)8dm`*edX-I6p_;c(tj9Wn3N8TR~BFRKd|3l2OgoDne8(30_}_aZ3M-GZH>bo5pJ z5JY4WiKj{ckECq77s1r%=+P`?62+SCzF`pBG!4(kL~6C`)n8{pifBW9T@Emlkk&O6 zk|n=?sS=jawh%h|kA=H2^9Tj>ZmZ&rzHBm1x+^0^K6o}x*QfY;ai~d$W_Se}4n_M+ zlk3CAIX?Gitm^Q5jmUrwa1e8pJpt$!Nvc$DO%%~iTy-l6|ENiot4aJW7yQC0TKZY0A! z)-hnkW7HT=WB%N7lpf{LCqL!hgg)HfVm$=>gc>Ra>u8HvdCaV_%yW;*Hl}HT0WfpI zf%%s8*+FnxJo~r6J(9DP_^w648;VFjlgdMb( zI6b@jqQ1KPB|~a33kc0b?o~kitaI9AJ2`DSb9Q7#I$!Tq!vpcF|J!r8xpYO;DSk~^ zKMp*n_ay2jmR==WS$^4xi_onY<)lT?<)YE|nvf-TG(*Y^ zE7^8M0GlMRRrSDt(@vE^mi+UN)$Q)Al5oYf87ZhsL+2vT*hfQ(HSW^8cTZkxV?uaN zWFS14#1_F|$#p9Fr_;x^h`{<#5%x^kX@$_Erx*vDX+YjlyK+F<2dCndHRYE3w!alR zw9UW`qEiEQqiR9qdNr$N zf{(u)kiR6%#NzAUBBFW-r=($d2(H!f-_f@xTa8?sEVcf_e>*gVfM!ZiILpDhOylM_WRSy-rf2G&Z_x#`}1O$7>xI~ZJDl_Y*W!fbY{r0j%K}xd6*}iP=+uiVQm^@EBT8Q+hGy>YgXwsbF7@ zize#Z>r{4O>{F8$+d}o^?$u%HIL#_`N9HaZGtKLV{e}?=f_*NUlmvCk07M}BdHj?u zqq)@klj09K++N8fq2-nO*7#X@KtY{hPyV6oiv-GV^V-ZxT8#-E3y8C~m3yc8gZcfg zFP(9Jn%KNXKN+PlYFx@XpmZ`rGn9}?TQJx9_Ms=OH6K^(L+eU$v^bJNQHkOExQ$SO zRgGduW1hj6e0Mdf*`4Ky^HGCuC(g0emZknECO=-WB!XP6jJ)@+J}YBAqF87ESkv(( zhc!lloWE$ZL`t){+9pqgw%vFK62AbI_Od3d{`6jDXRwFhsEB9XPOh(Smdz6!$e%lj zltygLpLBdWA$REWY6k6LU)-35iD{M!B)xcq-#|NswY(qyjy#|=cFtm=!O@DfHF8b& z3?`Q@@gCWe4}0xeCwGwPUG47=@87T0%y5&` z1NQKpH~^ul+N5sPsyO|^qx9dtMgq~T0&_Dhba-du4$}JUsP5RJA#X+LhX44qswQ#t zF^j)vICW>bd3Ub{7xqU}%ja%}lXCYpvu{8k65#Q%*10k{23?==GM)y1t!$VkC605(BuNb0ggZ`M3-_BedHD>UF zVcZyas-RltvZT93Gg-K?M%Da-4_Q>n6we}$`1tB))53ALX(aqdw(Uq~S$~QKxgbw}S`p7m+r^W}?VrxR& 
zu-?BZ=LSn-^)qn04>Kr(T%p>0q*KVhiN)}^x#X>Tl8)Azjpp7>?|^bS@ZP%u6?sQ` z-;O>6DVC?^r!)6jAVD5F@)hd2`}P2`l_#j$I({1y(PUx7@LhDqedy4Ugi|QT5mBp>Bg9NCGVV3Akm7?y#7JV|-2o1oJuoE(5==(gAvA`ExiIP2Pn(N#_ z^>|3h6AvbG(7b>CUcPj4Wxmb(%93fIkR7fhq$y&1MEvS&zll?TnhIod8FGL>)77^P z9t0{mF`PX(>P;|s3+4f&E1|P>76g2H9wb61)}AZgpzuFUev$cfX!NATB<$x}J5|&b z0g9||$Zyu!NdX;rcbu$U9j_f^1RD@*e}3%;(yRM0=Ky-Al0pP;QsM>~%S0@R<90p$ z#BLe6*VKO)vc0J=#TZ<)Rcme}yXWfW8_ltIku=zDHPQLQ3=!Y5tn#x=LkVj>tWnM7 ziuu>peS9NEnh#a){(PDWYPjI(JjQ%fLub-f!@bzK8q!bcfIMAXG9ZcnasYc`VmGlR zlOV>+vU(D@gn}_UT4`L_MYLt*+8!Uc@hyom^VZD}ygeJ9(rJ&!EX9CE6Ge!&a10{W zUZh)yS=3l-)YAPHjeOl+_KkYzBa4eXtBR}<(t3)-K=G+ghJ0fAn%xcB0#sVld31YCVhkGVfq5D4eE@T{w0$kOC2`5M4earYw)flWEzt;_h7rxj31ouNgHl@T&hb*yKD%sf; zoJC>8K|wmrBkMk!PDZ=q1{KkLVnqcFWH2$YmVv(`S3G4KY_L#XlhT8iCa%)eE$RZ; zLI8sPt)^k3v?_8`w1WY5?7;q_mU)46Jh@W2q0vC-pRoAwC2qg3amzGbD%14z5ey!m zACIR=bRa%(u0zPm|C6-WL&BU3=X}Pj^4u${$_i+0Gm!U&DONHNr=)xiT*EDFsp9sB zS^{g>~d0XhV3sC^xDmvO2Hebk$dXHAYio&%O^om`s>A-jrbBP zJnZRQdwaOl*IxDB2$_=q2?77Nbrg29BOu)A)j^5a9k09#0N|><7W+wcoH@{js_T{n ze%$;EAe7nTo&x$*;A^3jo|DDBqB)5y!^eDmOG{Mva~6p0RzvOTGB~#1W>MP4@^L(f z`Qn>wa&RwKN_Y8(AU)uxkcsP?*p!KAtIx5>2M{}%MMt9c1gGhCMDAO_Xaa9AFQ z{fKuz(+SRX?)@QC9AXnQkUNsAxU0SD@F1I2J@Iv-$=?^>t$XVyi4=Mm@s|1a9Wg_7 z!&7{wnNSNRVxL!?Nz37Z&zcIJ7A(-xzQ5JoX=~$Q>wt(y$}P)K>GU3>n9Ur&Ok$2_ zNglhWAJ(coaUxO>l=Nb_va1uKOk^Gc+%BMljgDm zKsEmS!}A!tTitR4nK!8jUD)FUs^9$|ZjdCRxH_mJL?ea7q&T63;4O)f6HqEivYZ+y z@{Kt)$sd;kcPkx=nDI1Z`k@z&vpUwDI9hw*y=g03cuO^sq{9Osg>cz)eCIUP#8ZkF zQDPtut(VwBKES(t4An70J`;VgrU~w_sSN(_cJFq(30B8>xdc#}yJjB|fEX)>4~@Kd zyu`#4QuM?l4AiN~C_4EfTs_>R;z>V#W(nHW;CW8)jb6DgSygKu!CCYd@A_3q)xgFa zLG|4}4Ri~@8bBE(fZl(jWp}@v5>|`PCAk|^VH1&F#pdcBu~}uQFyC6K6{p;WCOL#x zzp&as){L!>p5N03WPsz7C0&(iY{#nZ&oJuH2t?U)x6zrj9^!ZHo*9@Fa5x(dK=H7I zgA3x3jeu<@?lUoCldRvhfc9@J&k`;7r|#!>AD90Ph_2O=|ZP2GJ2V=VkHWX;_DqmWsV<}9yl@3r&) z{b5uBXyv{RK2O@+G^Q-zheQPu zsC%65PybHW3#4w?L9HJTrW8Z@<0z5?pw%{~BpMI8 ze?5$qJG|=&{<9@l?sY`tLp@J0HZOO) zr5WV#_nYVpqze9#$400RH6BnwMF1R92DtJ5vdp-7USTiGoBg~ZsZm?VSOMP3e0mgX 
zG-E-pT~XMe&Y!;uHTZ_A?)qg43^@A%Py@oKvqZ&MpAsf^1#GVf#(%J+yj>uLv58G% zdG2VXE;c1E9_@$5yG0Ru`rk+@vl#@q>Q|)#K=V@G#GDPdw^p*c8RwTct(Xznw?At4 zMK#Sjd(0k1fK84DbKv=frAlF6E(}x<-DkAbSmL(*#S}1ru3rH=-8{_+F20VmoAY!Z_Co3J_6D#hmLB0HjK$! z^7ro_QM&^kdf9Dvb2pz@mNCHZ^rw5vu+we|on4ok!;o0@tAlRt&X?x$u!X8FZkZo114*6+7O?#l1f_!0H%1V8UPZK&kZ+z^gr5 z)B`Rd6;L`Eac6830UnNZy@0{kd(vik9U?j6Z=_-F?;()CY4nIASz`c0k3r-E{a8-z zaPAc)Sb3pPV5~S+Ozvt{AcqDK9HH#&wkp%a1lRVwFXiuFwDDO^XmZF*5)lcu0Q35F zcHP^eM&Z1~e&ke+k&b}&J|7oT&UZMI1~zNp35XF#KPZqG9~b@jfs!vQKURoyDBZI* SaBxZ)51E~=H*~x>W!D!)c?@#^ literal 0 HcmV?d00001 diff --git a/.travis.yml b/.travis.yml index 23d5c7e3..873fb530 100644 --- a/.travis.yml +++ b/.travis.yml @@ -65,12 +65,17 @@ addons: before_install: # brew install gengetopt help2man cmocka ccache llvm; # export PATH="/usr/local/opt/ccache/libexec:/usr/local/opt/llvm/bin:$PATH"; + # add magic notarization flags for macOS, see https://github.com/akeru-inc/xcnotary/blob/master/README.md - if [ "$TRAVIS_OS_NAME" = "osx" ]; then brew update; brew uninstall libtool; brew install libtool; brew install gengetopt help2man cmocka ccache; export PATH="/usr/local/opt/ccache/libexec:$PATH"; + openssl aes-256-cbc -K $encrypted_3b9f0b9d36d1_key -iv $encrypted_3b9f0b9d36d1_iv -in .github/secrets.tar.enc -out .github/secrets.tar -d; + .github/add_signing_key.sh; + export OTHER_CODE_SIGN_FLAGS=--timestamp CODE_SIGN_INJECT_BASE_ENTITLEMENTS=NO CODE_SIGN_STYLE=Manual; + git clone https://github.com/frankmorgner/OpenSCToken.git; fi - if [ "${DO_SIMULATION}" = "cac" ]; then sudo apt-get install -y libglib2.0-dev libnss3-dev pkgconf libtool make autoconf autoconf-archive automake libsofthsm2-dev softhsm2 softhsm2-common help2man gnutls-bin libcmocka-dev libusb-dev libudev-dev flex libnss3-tools libssl-dev libpcsclite1; 
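Review bot: `git clone https://github.com/frankmorgner/OpenSCToken.git` fetches the unpinned default branch of an external repository that is then built and signed with the project's signing identity; pin it to a tag with `--branch <pinned-tag>` (placeholder) or check out a recorded commit after cloning, so the signed artifact is reproducible and a change in that repository cannot silently alter what gets signed. The `openssl aes-256-cbc -K $encrypted_3b9f0b9d36d1_key ...` step runs for every osx job; if pull requests from forks build here, Travis does not expose encrypted variables to them, the empty key makes `openssl` fail and the whole `before_install` errors, so guarding the signing block with `if [ -n "$encrypted_3b9f0b9d36d1_key" ]; then ... fi` keeps unsigned fork builds working. The new comment `# add magic notarization flags for macOS ...` sits several lines above the `export OTHER_CODE_SIGN_FLAGS=...` line it describes and reads as if it applied to the whole `if`; moving it next to the export would help. `CODE_SIGN_IDENTITY` is not exported anywhere in this hunk, so unless it is set in the Travis repository settings, `P1` in build-package.in stays empty and the identity falls back to whatever the Xcode projects define.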
@@ -309,6 +314,10 @@ after_script:
 git config --global user.name "Travis CI";
 .github/push_artifacts.sh "Travis CI build ${TRAVIS_JOB_NUMBER}";
 fi
+ - if [ "$TRAVIS_OS_NAME" = "osx" ]; then
+ .github/remove_signing_key.sh;
+ rm -f .github/secrets.tar;
+ fi
 before_cache:
 - brew cleanup
@@ -319,6 +328,8 @@ cache:
 directories:
 - $HOME/.m2/
 - $HOME/Library/Caches/Homebrew
+ - openssl
+ - openpace
 - openssl_bin
 - openpace_bin
 - isetup
diff --git a/MacOSX/build-package.in b/MacOSX/build-package.in
index 53248ac7..fb9979c1 100755
--- a/MacOSX/build-package.in
+++ b/MacOSX/build-package.in
@@ -19,6 +19,13 @@ SDK_PATH=$(xcrun --sdk macosx --show-sdk-path)
 # Set SDK path
 export CFLAGS="$CFLAGS -isysroot $SDK_PATH -arch x86_64"
+# xcodebuild doesn't read the environment variables
+# transform them into parameters
+P1="${CODE_SIGN_IDENTITY:+CODE_SIGN_IDENTITY=${CODE_SIGN_IDENTITY}}"
+P2="${OTHER_CODE_SIGN_FLAGS:+OTHER_CODE_SIGN_FLAGS=${OTHER_CODE_SIGN_FLAGS}}"
+P3="${CODE_SIGN_INJECT_BASE_ENTITLEMENTS:+CODE_SIGN_INJECT_BASE_ENTITLEMENTS=${CODE_SIGN_INJECT_BASE_ENTITLEMENTS}}"
+P4="${CODE_SIGN_STYLE:+CODE_SIGN_STYLE=${CODE_SIGN_STYLE}}"
+
 export SED=/usr/bin/sed
 PREFIX=/Library/OpenSC
 export PKG_CONFIG_PATH=$PKG_CONFIG_PATH:/usr/lib/pkgconfig
@@ -90,7 +97,7 @@ fi
 if ! test -e NotificationProxy; then
 git clone http://github.com/frankmorgner/NotificationProxy.git
 fi
-xcodebuild -target NotificationProxy -configuration Release -project NotificationProxy/NotificationProxy.xcodeproj install DSTROOT=$BUILDPATH/target/Library/OpenSC/
+xcodebuild -target NotificationProxy -configuration Release -project NotificationProxy/NotificationProxy.xcodeproj install DSTROOT=$BUILDPATH/target/Library/OpenSC/ "$P1" "$P2" "$P3" "$P4"
 mkdir -p "$BUILDPATH/target/Applications"
 osacompile -o "$BUILDPATH/target/Applications/OpenSC Notify.app" "MacOSX/OpenSC_Notify.applescript"
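Review bot: `rm -f .github/secrets.tar` runs only in `after_script`, so the decrypted archive stays in the working tree for the whole build, and `after_script` may not run at all when a job is cancelled or times out. Deleting it right after `tar xvf secrets.tar` in `add_signing_key.sh` shrinks that window to seconds and leaves this line as a fallback for the case where extraction never happened.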
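Review bot: `P1`..`P4` expand to the empty string when the corresponding variable is unset, and the call sites pass them quoted (`"$P1" "$P2" "$P3" "$P4"` in the @@ -90 hunk and again in the @@ -106 and @@ -139 hunks), so a build without any signing variables hands xcodebuild four empty positional arguments; nothing on the page shows how xcodebuild treats an empty argument, so this may be silently ignored or rejected depending on the Xcode version. Collecting only the settings that are present into an array avoids the empty arguments and also keeps a value with spaces (a `CODE_SIGN_IDENTITY` of the form `Developer ID Installer: Name (TEAM)`) as one argument; that needs bash, which the `(( ))` in the @@ -106 hunk header suggests the script already assumes. Each call site then ends in `"${SIGN_ARGS[@]}"` instead of the four variables; if the script runs with `set -u` under macOS's bash 3.2, spell it `${SIGN_ARGS[@]+"${SIGN_ARGS[@]}"}` because an empty array is reported as unbound there.
```shell
# xcodebuild doesn't read the environment variables;
# transform the ones that are set into NAME=value parameters
SIGN_ARGS=()
[ -n "${CODE_SIGN_IDENTITY:-}" ] && SIGN_ARGS+=("CODE_SIGN_IDENTITY=$CODE_SIGN_IDENTITY")
[ -n "${OTHER_CODE_SIGN_FLAGS:-}" ] && SIGN_ARGS+=("OTHER_CODE_SIGN_FLAGS=$OTHER_CODE_SIGN_FLAGS")
[ -n "${CODE_SIGN_INJECT_BASE_ENTITLEMENTS:-}" ] && SIGN_ARGS+=("CODE_SIGN_INJECT_BASE_ENTITLEMENTS=$CODE_SIGN_INJECT_BASE_ENTITLEMENTS")
[ -n "${CODE_SIGN_STYLE:-}" ] && SIGN_ARGS+=("CODE_SIGN_STYLE=$CODE_SIGN_STYLE")
```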
@@ -106,7 +113,7 @@ if (( xcodebuild -version | sed -En 's/Xcode[[:space:]]+([0-9]+)\.[0-9]*/\1/p' <
 test -L OpenSC.tokend/build/opensc-src || ln -sf ${BUILDPATH}/src OpenSC.tokend/build/opensc-src
 # Build and copy OpenSC.tokend
- xcodebuild -target OpenSC -configuration Deployment -project OpenSC.tokend/Tokend.xcodeproj install DSTROOT=${BUILDPATH}/target_tokend
+ xcodebuild -target OpenSC -configuration Deployment -project OpenSC.tokend/Tokend.xcodeproj install DSTROOT=${BUILDPATH}/target_tokend "$P1" $P2 "$P3" "$P4"
 else
 # https://github.com/OpenSC/OpenSC.tokend/issues/33
 mkdir -p ${BUILDPATH}/target_tokend
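Review bot: `$P2` is passed unquoted on the new xcodebuild line while `"$P1"`, `"$P3"` and `"$P4"` are quoted, and the sibling call sites in the @@ -90 and @@ -139 hunks quote all four; whichever behaviour is intended (dropping the argument when empty versus keeping a value intact), it should be the same everywhere: `... install DSTROOT=${BUILDPATH}/target_tokend "$P1" "$P2" "$P3" "$P4"`. For the current value `--timestamp` there is no difference, but an `OTHER_CODE_SIGN_FLAGS` containing a space would be split into two arguments here and nowhere else. The enclosing `if (( ... ))` begins before the hunk and its `else` branch continues past it.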
@@ -139,24 +146,25 @@ if test -e OpenSCToken; then
 cd OpenSCToken
 # make sure OpenSCToken builds with the same dependencies as before
 if ! test -e OpenSC; then
- git clone --depth=1 ../../OpenSC
+ git clone --depth=1 file://$PWD/../../OpenSC
 else
 cd OpenSC && git pull && cd ..
 fi
- if ! test -e openssl; then
- git clone --depth=1 ../openssl
- else
- cd openssl && git pull && cd ..
+ mkdir -p build
+ if ! test -e build/openssl; then
+ # build/openssl/lib/libcrypto.a is hardcoded in OpenSCToken
+ ln -sf $BUILDPATH/openssl_bin/$PREFIX build/openssl
+ # in OpenSCToken's variant of OpenSC we still use OpenSSL flags from above
 fi
- if ! test -e openpace; then
- git clone --depth=1 ../openpace
- else
- cd openpace && git pull && cd ..
+ if ! test -e build/openpace; then
+ # build/openpace/lib/libeac.a is hardcoded in OpenSCToken
+ ln -sf $BUILDPATH/openpace_bin/$PREFIX build/openpace
+ # in OpenSCToken's variant of OpenSC we still use OpenPACE flags from above
 fi
 BP=${BUILDPATH}
 . ./bootstrap
 BUILDPATH=${BP}
- xcodebuild -target OpenSCTokenApp -configuration Debug -project OpenSCTokenApp.xcodeproj install DSTROOT=${BUILDPATH}/target_token
+ xcodebuild -target OpenSCTokenApp -configuration Debug -project OpenSCTokenApp.xcodeproj install DSTROOT=${BUILDPATH}/target_token "$P1" "$P2" "$P3" "$P4"
 cd ..
 else
 # if no OpenSCToken is checked out, then we create a dummy package
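Review bot: `ln -sf $BUILDPATH/openssl_bin/$PREFIX build/openssl`, the matching openpace line, and `git clone --depth=1 file://$PWD/../../OpenSC` expand `$BUILDPATH`, `$PREFIX` and `$PWD` unquoted, so a checkout path containing a space breaks both the symlink targets and the clone URL; quote them: `ln -sf "$BUILDPATH/openssl_bin/$PREFIX" build/openssl` and `git clone --depth=1 "file://$PWD/../../OpenSC"`. Since `PREFIX` appears to be the absolute `/Library/OpenSC` (visible in the @@ -19 hunk), the link target becomes `.../openssl_bin//Library/OpenSC`; that is harmless, but a `# PREFIX is absolute, so the double slash is expected` comment would save the next reader a double-take. `test -e build/openssl` is false for a dangling symlink, so a stale link left by an earlier build is simply recreated by `ln -sf`, which is the behaviour wanted here. The `if test -e OpenSCToken` block begins outside the hunk and its `else` branch continues past it.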