Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
chore: refactor codesign testing (#1010)
* chore: test Travis/macOS with xcode10.1 * chore: copy codesign setup from electron/electron * chore: only run codesign test on macOS hosts
- Loading branch information
Showing
10 changed files
with
258 additions
and
69 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,16 @@ | ||
[req] | ||
distinguished_name = req_distinguished_name | ||
prompt = no | ||
|
||
[req_distinguished_name] | ||
C = CA | ||
ST = BC | ||
L = Vancouver | ||
O = ElectronJS | ||
OU = BuildAutomation | ||
CN = codesign.electronjs.org | ||
|
||
[extended] | ||
keyUsage = critical,digitalSignature | ||
extendedKeyUsage = critical,codeSigning | ||
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,40 @@ | ||
'use strict' | ||
|
||
const cp = require('child_process') | ||
const fs = require('fs') | ||
const path = require('path') | ||
|
||
const certificatePath = process.argv[2] | ||
const outPath = process.argv[3] | ||
const templatePath = path.resolve(__dirname, 'trust.xml') | ||
|
||
const template = fs.readFileSync(templatePath, 'utf8') | ||
|
||
const fingerprintResult = cp.spawnSync('openssl', ['x509', '-noout', '-fingerprint', '-sha1', '-inform', 'der', '-in', certificatePath]) | ||
if (fingerprintResult.status !== 0) { | ||
console.error(fingerprintResult.stderr.toString()) | ||
process.exit(1) | ||
} | ||
|
||
const fingerprint = fingerprintResult.stdout.toString().replace(/^SHA1 Fingerprint=/, '').replace(/:/g, '').trim() | ||
|
||
const serialResult = cp.spawnSync('openssl', ['x509', '-serial', '-noout', '-inform', 'der', '-in', certificatePath]) | ||
if (serialResult.status !== 0) { | ||
console.error(serialResult.stderr.toString()) | ||
process.exit(1) | ||
} | ||
|
||
let serialHex = serialResult.stdout.toString().replace(/^serial=/, '').trim() | ||
// Pad the serial number out to 18 hex chars | ||
while (serialHex.length < 18) { | ||
serialHex = `0${serialHex}` | ||
} | ||
const serialB64 = Buffer.from(serialHex, 'hex').toString('base64') | ||
|
||
const trust = template | ||
.replace(/{{FINGERPRINT}}/g, fingerprint) | ||
.replace(/{{SERIAL_BASE64}}/g, serialB64) | ||
|
||
fs.writeFileSync(outPath, trust) | ||
|
||
console.log('Generated Trust Settings') |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,32 @@ | ||
#!/bin/sh | ||
|
||
set -eo pipefail | ||
|
||
dir="$(dirname $0)"/.working | ||
|
||
cleanup() { | ||
rm -rf "$dir" | ||
} | ||
|
||
trap cleanup EXIT | ||
|
||
# Clean Up | ||
cleanup | ||
|
||
# Create Working Dir | ||
mkdir -p "$dir" | ||
|
||
# Generate Certs | ||
openssl req -newkey rsa:2048 -nodes -keyout "$dir"/private.pem -x509 -days 1 -out "$dir"/certificate.pem -extensions extended -config "$(dirname $0)"/codesign.cnf | ||
openssl x509 -inform PEM -in "$dir"/certificate.pem -outform DER -out "$dir"/certificate.cer | ||
rm -f "$dir"/certificate.pem | ||
|
||
# Import Certs | ||
security import "$dir"/certificate.cer -k $KEY_CHAIN -T /usr/bin/codesign | ||
security import "$dir"/private.pem -k $KEY_CHAIN -T /usr/bin/codesign | ||
|
||
# Generate Trust Settings | ||
node "$(dirname $0)"/gen-trust.js "$dir"/certificate.cer "$dir"/trust.xml | ||
|
||
# Import Trust Settings | ||
sudo security trust-settings-import -d "$dir/trust.xml" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,20 @@ | ||
#!/bin/sh | ||
|
||
export KEY_CHAIN=mac-build.keychain | ||
KEYCHAIN_PASSWORD=unsafe_keychain_pass | ||
security create-keychain -p $KEYCHAIN_PASSWORD $KEY_CHAIN | ||
# Make the keychain the default so identities are found | ||
security default-keychain -s $KEY_CHAIN | ||
# Unlock the keychain | ||
security unlock-keychain -p $KEYCHAIN_PASSWORD $KEY_CHAIN | ||
# Set keychain locking timeout to 3600 seconds | ||
security set-keychain-settings -t 3600 -u $KEY_CHAIN | ||
|
||
echo "Add keychain to keychain-list" | ||
security list-keychains -s mac-build.keychain | ||
|
||
echo Generating Identity | ||
"$(dirname $0)"/generate-identity.sh | ||
|
||
echo "Setting key partition list" | ||
security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k $KEYCHAIN_PASSWORD $KEY_CHAIN |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,138 @@ | ||
<?xml version="1.0" encoding="UTF-8"?> | ||
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> | ||
<plist version="1.0"> | ||
<dict> | ||
<key>trustList</key> | ||
<dict> | ||
<key>{{FINGERPRINT}}</key> | ||
<dict> | ||
<key>issuerName</key> | ||
<data> | ||
MH8xCzAJBgNVBAYTAkNBMQswCQYDVQQIDAJCQzESMBAGA1UEBwwJ | ||
VmFuY291dmVyMRMwEQYDVQQKDApFbGVjdHJvbkpTMRgwFgYDVQQL | ||
DA9CdWlsZEF1dG9tYXRpb24xIDAeBgNVBAMMF2NvZGVzaWduLmVs | ||
ZWN0cm9uanMub3Jn | ||
</data> | ||
<key>modDate</key> | ||
<date>2019-01-01T00:00:00Z</date> | ||
<key>serialNumber</key> | ||
<data> | ||
{{SERIAL_BASE64}} | ||
</data> | ||
<key>trustSettings</key> | ||
<array> | ||
<dict> | ||
<key>kSecTrustSettingsAllowedError</key> | ||
<integer>-2147409654</integer> | ||
<key>kSecTrustSettingsPolicy</key> | ||
<data> | ||
KoZIhvdjZAED | ||
</data> | ||
<key>kSecTrustSettingsPolicyName</key> | ||
<string>sslServer</string> | ||
<key>kSecTrustSettingsResult</key> | ||
<integer>1</integer> | ||
</dict> | ||
<dict> | ||
<key>kSecTrustSettingsAllowedError</key> | ||
<integer>-2147408896</integer> | ||
<key>kSecTrustSettingsPolicy</key> | ||
<data> | ||
KoZIhvdjZAED | ||
</data> | ||
<key>kSecTrustSettingsPolicyName</key> | ||
<string>sslServer</string> | ||
<key>kSecTrustSettingsResult</key> | ||
<integer>1</integer> | ||
</dict> | ||
<dict> | ||
<key>kSecTrustSettingsAllowedError</key> | ||
<integer>-2147409654</integer> | ||
<key>kSecTrustSettingsPolicy</key> | ||
<data> | ||
KoZIhvdjZAEI | ||
</data> | ||
<key>kSecTrustSettingsPolicyName</key> | ||
<string>SMIME</string> | ||
<key>kSecTrustSettingsResult</key> | ||
<integer>1</integer> | ||
</dict> | ||
<dict> | ||
<key>kSecTrustSettingsAllowedError</key> | ||
<integer>-2147408872</integer> | ||
<key>kSecTrustSettingsPolicy</key> | ||
<data> | ||
KoZIhvdjZAEI | ||
</data> | ||
<key>kSecTrustSettingsPolicyName</key> | ||
<string>SMIME</string> | ||
<key>kSecTrustSettingsResult</key> | ||
<integer>1</integer> | ||
</dict> | ||
<dict> | ||
<key>kSecTrustSettingsAllowedError</key> | ||
<integer>-2147409654</integer> | ||
<key>kSecTrustSettingsPolicy</key> | ||
<data> | ||
KoZIhvdjZAEJ | ||
</data> | ||
<key>kSecTrustSettingsPolicyName</key> | ||
<string>eapServer</string> | ||
<key>kSecTrustSettingsResult</key> | ||
<integer>1</integer> | ||
</dict> | ||
<dict> | ||
<key>kSecTrustSettingsAllowedError</key> | ||
<integer>-2147409654</integer> | ||
<key>kSecTrustSettingsPolicy</key> | ||
<data> | ||
KoZIhvdjZAEL | ||
</data> | ||
<key>kSecTrustSettingsPolicyName</key> | ||
<string>ipsecServer</string> | ||
<key>kSecTrustSettingsResult</key> | ||
<integer>1</integer> | ||
</dict> | ||
<dict> | ||
<key>kSecTrustSettingsAllowedError</key> | ||
<integer>-2147409654</integer> | ||
<key>kSecTrustSettingsPolicy</key> | ||
<data> | ||
KoZIhvdjZAEQ | ||
</data> | ||
<key>kSecTrustSettingsPolicyName</key> | ||
<string>CodeSigning</string> | ||
<key>kSecTrustSettingsResult</key> | ||
<integer>1</integer> | ||
</dict> | ||
<dict> | ||
<key>kSecTrustSettingsAllowedError</key> | ||
<integer>-2147409654</integer> | ||
<key>kSecTrustSettingsPolicy</key> | ||
<data> | ||
KoZIhvdjZAEU | ||
</data> | ||
<key>kSecTrustSettingsPolicyName</key> | ||
<string>AppleTimeStamping</string> | ||
<key>kSecTrustSettingsResult</key> | ||
<integer>1</integer> | ||
</dict> | ||
<dict> | ||
<key>kSecTrustSettingsAllowedError</key> | ||
<integer>-2147409654</integer> | ||
<key>kSecTrustSettingsPolicy</key> | ||
<data> | ||
KoZIhvdjZAEC | ||
</data> | ||
<key>kSecTrustSettingsPolicyName</key> | ||
<string>basicX509</string> | ||
<key>kSecTrustSettingsResult</key> | ||
<integer>1</integer> | ||
</dict> | ||
</array> | ||
</dict> | ||
</dict> | ||
<key>trustVersion</key> | ||
<integer>1</integer> | ||
</dict> | ||
</plist> |
This file was deleted.
Oops, something went wrong.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters