From 5f5442626d10cadbb002d68efa4b623e51ef5a86 Mon Sep 17 00:00:00 2001 From: demarey Date: Mon, 29 Jun 2020 14:55:31 +0200 Subject: [PATCH 1/3] set ACL on the keychain --- mac/build-dmg.sh | 28 ++++++++++++++++------------ 1 file changed, 16 insertions(+), 12 deletions(-) diff --git a/mac/build-dmg.sh b/mac/build-dmg.sh index dfcabf93b..96846a4eb 100755 --- a/mac/build-dmg.sh +++ b/mac/build-dmg.sh @@ -59,10 +59,11 @@ fi # Sign the app function sign_mac_version() { - # This function expects that following environment varialbes are available: + # This function expects that following environment variables are available: # - PHARO_CERT_PASSWORD # - PHARO_SIGN_IDENTITY - local key_chain=macos-build.keychain + local keychain_name=macos-ci-build.keychain + local keychain_password=ci local app_dir=$1 local cert_pass=${PHARO_CERT_PASSWORD} local pharo_sign_password=${PHARO_CERT_PASSWORD} 
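Review bot: `local keychain_password=ci` fixes the temporary keychain's password to a well-known literal; because the keychain is created and deleted inside this function (its body continues outside the hunk) that is defensible, but nothing says so, and the value is also passed on the `security` command line, where it appears in process listings and in any `set -x` trace. Add a comment that makes the assumption explicit, e.g. `# Throwaway password for the temporary CI keychain: it only guards the keychain while this job runs and is visible on the command line, so never put a real secret here.` If a per-run value is preferred, `keychain_password=$(uuidgen)` would do, since every use of the variable visible in these patches is within this function.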
@@ -79,23 +80,26 @@ function sign_mac_version() { echo "Signing app bundle..." # Set up keychain - security delete-keychain "${key_chain}" || true - security create-keychain -p ci "${key_chain}" - security default-keychain -s "${key_chain}" - security unlock-keychain -p ci "${key_chain}" - security set-keychain-settings -t 3600 -u "${key_chain}" - security import "${path_cer}" -k ~/Library/Keychains/"${key_chain}" -T /usr/bin/codesign - security import "${path_p12}" -k ~/Library/Keychains/"${key_chain}" -P "${cert_pass}" -T /usr/bin/codesign + security delete-keychain "${keychain_name}" || true + security create-keychain -p ${keychain_password} "${keychain_name}" + security default-keychain -s "${keychain_name}" + security unlock-keychain -p ${keychain_password} "${keychain_name}" + security set-keychain-settings -t 3600 -u "${keychain_name}" + security import "${path_cer}" -k ~/Library/Keychains/"${keychain_name}" -T /usr/bin/codesign + security import "${path_p12}" -k ~/Library/Keychains/"${keychain_name}" -P "${cert_pass}" -T /usr/bin/codesign + # Set ACL on keychain. To avoid to get codesign to yield an errSecInternalComponent you need to get the partition list (ACLs) correct. 
+ # See https://code-examples.net/en/q/1344e6a + security set-key-partition-list -S apple-tool:,apple: -s -k ${keychain_password} "${keychain_name}" # debug echo ${sign_identity} >> "id.txt" # Invoke codesign if [[ -d "${app_dir}/Contents/MacOS/Plugins" ]]; then # Pharo.app does not (yet) have its plugins in Resources dir - codesign -s "${sign_identity}" --keychain "${key_chain}" --force --deep "${app_dir}/Contents/MacOS/Plugins/"* + codesign -s "${sign_identity}" --keychain "${keychain_name}" --force --deep "${app_dir}/Contents/MacOS/Plugins/"* fi - codesign -s "${sign_identity}" --keychain "${key_chain}" --force --deep "${app_dir}" + codesign -s "${sign_identity}" --keychain "${keychain_name}" --force --deep "${app_dir}" # Remove sensitive files again rm -rf "${path_cer}" "${path_p12}" - security delete-keychain "${key_chain}" + security delete-keychain "${keychain_name}" } if [ "$SHOULD_SIGN" = true ] ; then From 17a3bb571c55fc1cedfed94228dcd12eb2e939f7 Mon Sep 17 00:00:00 2001 From: demarey Date: Mon, 29 Jun 2020 15:44:03 +0200 Subject: [PATCH 2/3] add keychain to the search list --- mac/build-dmg.sh | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/mac/build-dmg.sh b/mac/build-dmg.sh index 96846a4eb..bc2cd9b8b 100755 --- a/mac/build-dmg.sh +++ b/mac/build-dmg.sh 
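Review bot: The cleanup at the end of the hunk (`rm -rf "${path_cer}" "${path_p12}"` and the new `security delete-keychain "${keychain_name}"`) only runs when both `codesign` calls succeed; if the script runs under `set -e` (its header is outside this hunk), a failing codesign exits before it and leaves the decrypted certificate, the .p12 and an unlocked keychain holding the signing identity on the build host. Registering the cleanup with `trap ... EXIT` right after the keychain is created would cover the failure path as well; the paths and keychain name are function-local, so expand them into the trap string when it is set rather than at exit time. Separately, the new `-p ${keychain_password}` and `-k ${keychain_password}` arguments should be quoted like every other expansion on these lines (`"${keychain_password}"`); the same applies to the copies of these lines in the next patch's hunk. The `# debug` line that appends `${sign_identity}` to `id.txt` is untouched by this change but leaves the identity name in the workspace after the keychain is gone, so it is worth removing once the ACL fix is confirmed to work.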
@@ -82,10 +82,14 @@ function sign_mac_version() {
 # Set up keychain
 security delete-keychain "${keychain_name}" || true
 security create-keychain -p ${keychain_password} "${keychain_name}"
+ # add keychain to the search list
+ security list-keychains -d user -s "${keychain_name}"
 security default-keychain -s "${keychain_name}"
 security unlock-keychain -p ${keychain_password} "${keychain_name}"
 security set-keychain-settings -t 3600 -u "${keychain_name}"
+ # Importing certificate
 security import "${path_cer}" -k ~/Library/Keychains/"${keychain_name}" -T /usr/bin/codesign
+ # Importing identity
 security import "${path_p12}" -k ~/Library/Keychains/"${keychain_name}" -P "${cert_pass}" -T /usr/bin/codesign
 # Set ACL on keychain. To avoid to get codesign to yield an errSecInternalComponent you need to get the partition list (ACLs) correct.
 # See https://code-examples.net/en/q/1344e6a
From 3e57ca8d68115fe47313f3a2723ebac304da65ee Mon Sep 17 00:00:00 2001
From: demarey
Date: Mon, 29 Jun 2020 16:25:55 +0200
Subject: [PATCH 3/3] add some links on signing on OS X
---
 signing/README.md | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/signing/README.md b/signing/README.md
index 73d0cca09..10af5f518 100644
--- a/signing/README.md
+++ b/signing/README.md
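Review bot: `security list-keychains -d user -s "${keychain_name}"` replaces the user search list instead of adding to it, so from this point only the CI keychain is searched; the `security delete-keychain` at the end of the function removes that keychain but does not restore the previous entries (typically the login keychain), which matters if the script is ever run on a developer machine rather than a disposable runner. The comment above it says "add", so either the comment or the code should change. To actually prepend while keeping the existing entries (bash 3.2 compatible): `local -a existing_keychains=()`, then `while IFS= read -r kc; do existing_keychains+=("$kc"); done < <(security list-keychains -d user | sed 's/^ *"//; s/"$//')`, then `security list-keychains -d user -s "${keychain_name}" "${existing_keychains[@]}"`. The `security default-keychain -s` on the following line has the same not-restored property, although that predates this change.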
@@ -47,6 +47,13 @@ openssl aes-256-cbc -k "${pharo_sign_password}" -in pharo-windows-certificate.p1 The password needed to decrypt them will be stored in an environment variable (secured) on the CI tool (travis or Jenkins). # How to sign on OS X? +Some links: +- [macOS Code Signing In Depth](https://developer.apple.com/library/archive/technotes/tn2206/_index.html) +- [Distribute outside the Mac App Store (macOS)](https://help.apple.com/xcode/mac/current/#/dev033e997ca) +- [Troubleshooting Failed Signature Verification](https://developer.apple.com/library/archive/technotes/tn2318/_index.html#//apple_ref/doc/uid/DTS40013777-CH1-TNTAG2) +- [security / codesign in Sierra: Keychain ignores access control settings and UI-prompts for permission](https://stackoverflow.com/questions/39868578/security-codesign-in-sierra-keychain-ignores-access-control-settings-and-ui-p/41220140#41220140) + + You need to use codesign (shipped with Xcode): ``` codesign -s "${sign_identity}" --keychain "${key_chain}" --force --deep "${app_dir}/Contents/MacOS/Plugins/"*