macOS: added basic installer signing
parent
3af52cd1c6
commit
e71b85867f
|
@ -0,0 +1,28 @@
|
|||
#!/bin/sh
|
||||
|
||||
set -ex -o xtrace
|
||||
|
||||
pushd .github/
|
||||
tar xvf secrets.tar
|
||||
KEY_CHAIN=mac-build.keychain
|
||||
|
||||
# Create the keychain with a password
|
||||
security create-keychain -p travis $KEY_CHAIN
|
||||
|
||||
# Make the custom keychain default, so xcodebuild will use it for signing
|
||||
security default-keychain -s $KEY_CHAIN
|
||||
|
||||
# Unlock the keychain for one hour
|
||||
security unlock-keychain -p travis $KEY_CHAIN
|
||||
security set-keychain-settings -t 3600 -u $KEY_CHAIN
|
||||
|
||||
# Add certificates to keychain and allow codesign to access them
|
||||
curl -L https://developer.apple.com/certificationauthority/AppleWWDRCA.cer > AppleWWDRCA.cer
|
||||
security import AppleWWDRCA.cer -k ~/Library/Keychains/$KEY_CHAIN -T /usr/bin/codesign
|
||||
security import certificate.cer -k ~/Library/Keychains/$KEY_CHAIN -T /usr/bin/codesign
|
||||
security import certificate.p12 -k ~/Library/Keychains/$KEY_CHAIN -P $KEY_PASSWORD -T /usr/bin/codesign
|
||||
security unlock-keychain -p travis $KEY_CHAIN
|
||||
|
||||
# https://docs.travis-ci.com/user/common-build-problems/#mac-macos-sierra-1012-code-signing-errors
|
||||
security set-key-partition-list -S apple-tool:,apple: -s -k travis $KEY_CHAIN
|
||||
popd
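Review bot: The `security import certificate.p12 ... -P $KEY_PASSWORD` line runs under `set -ex -o xtrace`, so the shell prints the expanded command, including the PKCS#12 password, to the build log. Travis is expected to mask secure variables in log output, but that filter matches the literal value and should not be the only protection; it is safer to put `set +x` before that line and `set -x` after it, and to quote the value as `-P "$KEY_PASSWORD"` so a password containing spaces or glob characters is passed intact. `pushd`/`popd` are not POSIX `sh` builtins, so the `#!/bin/sh` shebang only works where `sh` is bash; `#!/bin/bash` would state that dependency.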
|
|
@ -0,0 +1,8 @@
|
|||
#!/bin/sh
|
||||
|
||||
set -ex -o xtrace
|
||||
|
||||
pushd .github/
|
||||
security delete-keychain mac-build.keychain
|
||||
rm -f certificate.cer certificate.p12
|
||||
popd
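Review bot: With `set -e` in effect, a failing `security delete-keychain mac-build.keychain` (for example when the keychain was never created because an earlier step failed) aborts the script before `rm -f certificate.cer certificate.p12` runs, leaving the private key on the build machine's disk. Deleting the files first, or writing `security delete-keychain mac-build.keychain || true`, makes the cleanup independent of the keychain state. The script also leaves the default keychain pointing at the deleted `mac-build.keychain`, which is only harmless if the worker is discarded after the build.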
|
Binary file not shown.
11
.travis.yml
11
.travis.yml
|
@ -65,12 +65,17 @@ addons:
|
|||
before_install:
|
||||
# brew install gengetopt help2man cmocka ccache llvm;
|
||||
# export PATH="/usr/local/opt/ccache/libexec:/usr/local/opt/llvm/bin:$PATH";
|
||||
# add magic notarization flags for macOS, see https://github.com/akeru-inc/xcnotary/blob/master/README.md
|
||||
- if [ "$TRAVIS_OS_NAME" = "osx" ]; then
|
||||
brew update;
|
||||
brew uninstall libtool;
|
||||
brew install libtool;
|
||||
brew install gengetopt help2man cmocka ccache;
|
||||
export PATH="/usr/local/opt/ccache/libexec:$PATH";
|
||||
openssl aes-256-cbc -K $encrypted_3b9f0b9d36d1_key -iv $encrypted_3b9f0b9d36d1_iv -in .github/secrets.tar.enc -out .github/secrets.tar -d;
|
||||
.github/add_signing_key.sh;
|
||||
export OTHER_CODE_SIGN_FLAGS=--timestamp CODE_SIGN_INJECT_BASE_ENTITLEMENTS=NO CODE_SIGN_STYLE=Manual;
|
||||
git clone https://github.com/frankmorgner/OpenSCToken.git;
|
||||
fi
|
||||
- if [ "${DO_SIMULATION}" = "cac" ]; then
|
||||
sudo apt-get install -y libglib2.0-dev libnss3-dev pkgconf libtool make autoconf autoconf-archive automake libsofthsm2-dev softhsm2 softhsm2-common help2man gnutls-bin libcmocka-dev libusb-dev libudev-dev flex libnss3-tools libssl-dev libpcsclite1;
|
||||
|
@ -309,6 +314,10 @@ after_script:
|
|||
git config --global user.name "Travis CI";
|
||||
.github/push_artifacts.sh "Travis CI build ${TRAVIS_JOB_NUMBER}";
|
||||
fi
|
||||
- if [ "$TRAVIS_OS_NAME" = "osx" ]; then
|
||||
.github/remove_signing_key.sh;
|
||||
rm -f .github/secrets.tar;
|
||||
fi
|
||||
|
||||
before_cache:
|
||||
- brew cleanup
|
||||
|
@ -319,6 +328,8 @@ cache:
|
|||
directories:
|
||||
- $HOME/.m2/
|
||||
- $HOME/Library/Caches/Homebrew
|
||||
- openssl
|
||||
- openpace
|
||||
- openssl_bin
|
||||
- openpace_bin
|
||||
- isetup
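Review bot: In the `before_install` hunk the signing material is decrypted and imported unconditionally for every `osx` job, before any of the project's build and test code runs. Travis does not provide encrypted variables to pull requests from forks, so `$encrypted_3b9f0b9d36d1_key` would be empty there and the `openssl aes-256-cbc ... -d` step is likely to fail the job; for trusted builds, the unlocked keychain and `.github/secrets.tar` stay available to everything the job executes until `after_script`. Consider guarding the three signing lines with `if [ -n "$encrypted_3b9f0b9d36d1_key" ]; then ... fi` and moving them as close as possible to the packaging step. The `git clone https://github.com/frankmorgner/OpenSCToken.git` line takes whatever the default branch holds at build time, and that code is then signed; checking out a reviewed commit would make the signed output reproducible.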
|
||||
|
|
|
@ -19,6 +19,13 @@ SDK_PATH=$(xcrun --sdk macosx --show-sdk-path)
|
|||
# Set SDK path
|
||||
export CFLAGS="$CFLAGS -isysroot $SDK_PATH -arch x86_64"
|
||||
|
||||
# xcodebuild doesn't read the environment variables
|
||||
# transform them into parameters
|
||||
P1="${CODE_SIGN_IDENTITY:+CODE_SIGN_IDENTITY=${CODE_SIGN_IDENTITY}}"
|
||||
P2="${OTHER_CODE_SIGN_FLAGS:+OTHER_CODE_SIGN_FLAGS=${OTHER_CODE_SIGN_FLAGS}}"
|
||||
P3="${CODE_SIGN_INJECT_BASE_ENTITLEMENTS:+CODE_SIGN_INJECT_BASE_ENTITLEMENTS=${CODE_SIGN_INJECT_BASE_ENTITLEMENTS}}"
|
||||
P4="${CODE_SIGN_STYLE:+CODE_SIGN_STYLE=${CODE_SIGN_STYLE}}"
|
||||
|
||||
export SED=/usr/bin/sed
|
||||
PREFIX=/Library/OpenSC
|
||||
export PKG_CONFIG_PATH=$PKG_CONFIG_PATH:/usr/lib/pkgconfig
|
||||
|
@ -90,7 +97,7 @@ fi
|
|||
if ! test -e NotificationProxy; then
|
||||
git clone http://github.com/frankmorgner/NotificationProxy.git
|
||||
fi
|
||||
xcodebuild -target NotificationProxy -configuration Release -project NotificationProxy/NotificationProxy.xcodeproj install DSTROOT=$BUILDPATH/target/Library/OpenSC/
|
||||
xcodebuild -target NotificationProxy -configuration Release -project NotificationProxy/NotificationProxy.xcodeproj install DSTROOT=$BUILDPATH/target/Library/OpenSC/ "$P1" "$P2" "$P3" "$P4"
|
||||
mkdir -p "$BUILDPATH/target/Applications"
|
||||
osacompile -o "$BUILDPATH/target/Applications/OpenSC Notify.app" "MacOSX/OpenSC_Notify.applescript"
|
||||
|
||||
|
@ -106,7 +113,7 @@ if (( xcodebuild -version | sed -En 's/Xcode[[:space:]]+([0-9]+)\.[0-9]*/\1/p' <
|
|||
test -L OpenSC.tokend/build/opensc-src || ln -sf ${BUILDPATH}/src OpenSC.tokend/build/opensc-src
|
||||
|
||||
# Build and copy OpenSC.tokend
|
||||
xcodebuild -target OpenSC -configuration Deployment -project OpenSC.tokend/Tokend.xcodeproj install DSTROOT=${BUILDPATH}/target_tokend
|
||||
xcodebuild -target OpenSC -configuration Deployment -project OpenSC.tokend/Tokend.xcodeproj install DSTROOT=${BUILDPATH}/target_tokend "$P1" $P2 "$P3" "$P4"
|
||||
else
|
||||
# https://github.com/OpenSC/OpenSC.tokend/issues/33
|
||||
mkdir -p ${BUILDPATH}/target_tokend
|
||||
|
@ -139,24 +146,25 @@ if test -e OpenSCToken; then
|
|||
cd OpenSCToken
|
||||
# make sure OpenSCToken builds with the same dependencies as before
|
||||
if ! test -e OpenSC; then
|
||||
git clone --depth=1 ../../OpenSC
|
||||
git clone --depth=1 file://$PWD/../../OpenSC
|
||||
else
|
||||
cd OpenSC && git pull && cd ..
|
||||
fi
|
||||
if ! test -e openssl; then
|
||||
git clone --depth=1 ../openssl
|
||||
else
|
||||
cd openssl && git pull && cd ..
|
||||
mkdir -p build
|
||||
if ! test -e build/openssl; then
|
||||
# build/openssl/lib/libcrypto.a is hardcoded in OpenSCToken
|
||||
ln -sf $BUILDPATH/openssl_bin/$PREFIX build/openssl
|
||||
# in OpenSCToken's variant of OpenSC we still use OpenSSL flags from above
|
||||
fi
|
||||
if ! test -e openpace; then
|
||||
git clone --depth=1 ../openpace
|
||||
else
|
||||
cd openpace && git pull && cd ..
|
||||
if ! test -e build/openpace; then
|
||||
# build/openpace/lib/libeac.a is hardcoded in OpenSCToken
|
||||
ln -sf $BUILDPATH/openpace_bin/$PREFIX build/openpace
|
||||
# in OpenSCToken's variant of OpenSC we still use OpenPACE flags from above
|
||||
fi
|
||||
BP=${BUILDPATH}
|
||||
. ./bootstrap
|
||||
BUILDPATH=${BP}
|
||||
xcodebuild -target OpenSCTokenApp -configuration Debug -project OpenSCTokenApp.xcodeproj install DSTROOT=${BUILDPATH}/target_token
|
||||
xcodebuild -target OpenSCTokenApp -configuration Debug -project OpenSCTokenApp.xcodeproj install DSTROOT=${BUILDPATH}/target_token "$P1" "$P2" "$P3" "$P4"
|
||||
cd ..
|
||||
else
|
||||
# if no OpenSCToken is checked out, then we create a dummy package
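Review bot: The `NotificationProxy` hunk now passes the signing parameters to `xcodebuild` for a tree obtained with `git clone http://github.com/frankmorgner/NotificationProxy.git`, i.e. over cleartext HTTP and without a pinned revision, so the release identity ends up signing code whose origin was not authenticated. Changing the URL to `https://github.com/frankmorgner/NotificationProxy.git` and checking out a fixed commit after the clone would close that gap. In the `OpenSC.tokend` hunk `$P2` is unquoted while the other two invocations quote it; it holds a single word with the current `--timestamp` value, but quoting it like its neighbours would keep the three calls consistent. When the signing variables are unset each quoted `"$P1"` … `"$P4"` still reaches `xcodebuild` as an empty argument, which is worth verifying on an unsigned local build. The enclosing script starts and ends outside these hunks.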
|
||||
|
|