curben
/
cloudflared-mirror
mirror of https://github.com/cloudflare/cloudflared.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

TUN-8900: Add import of Apple Developer Certificate Authority to macOS Pipeline 

## Summary
During the renewal of the certificates used to sign the macOS binaries and package,
we faced an issue with the new certificates requiring a specific certification authority
that wasn't available in the keychain of the mac agents. Therefore, this commit adds
an import step that will ensure that the Certificate Authority, usually fetched from
https://www.apple.com/certificateauthority/ is imported into the keychain to validate
the Developer Certificates.

Closes TUN-8900
This commit is contained in:
João "Pisco" Fernandes 2025-01-17 07:10:16 -08:00
parent a1963aed80
commit 25c3f676f4
1 changed files with 71 additions and 77 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

124
.teamcity/mac/build.sh vendored
View File

@ -22,6 +22,7 @@ TARGET_DIRECTORY=".build"
BINARY_NAME="cloudflared" BINARY_NAME="cloudflared"
VERSION=$(git describe --tags --always --dirty="-dev") VERSION=$(git describe --tags --always --dirty="-dev")
PRODUCT="cloudflared" PRODUCT="cloudflared"
APPLE_CA_CERT="apple_dev_ca.cert"
CODE_SIGN_PRIV="code_sign.p12" CODE_SIGN_PRIV="code_sign.p12"
CODE_SIGN_CERT="code_sign.cer" CODE_SIGN_CERT="code_sign.cer"
INSTALLER_PRIV="installer.p12" INSTALLER_PRIV="installer.p12"
@ -35,15 +36,56 @@ mkdir -p ../src/github.com/cloudflare/
cp -r . ../src/github.com/cloudflare/cloudflared cp -r . ../src/github.com/cloudflare/cloudflared
cd ../src/github.com/cloudflare/cloudflared cd ../src/github.com/cloudflare/cloudflared
# Add code signing private key to the key chain # Imports certificates to the Apple KeyChain
if [[ ! -z "$CFD_CODE_SIGN_KEY" ]]; then import_certificate() {
if [[ ! -z "$CFD_CODE_SIGN_PASS" ]]; then local CERTIFICATE_NAME=$1
# write private key to disk and then import it keychain local CERTIFICATE_ENV_VAR=$2
echo -n -e ${CFD_CODE_SIGN_KEY} | base64 -D > ${CODE_SIGN_PRIV} local CERTIFICATE_FILE_NAME=$3
echo "Importing $CERTIFICATE_NAME"
if [[ ! -z "$CERTIFICATE_ENV_VAR" ]]; then
# write certificate to disk and then import it keychain
echo -n -e ${CERTIFICATE_ENV_VAR} | base64 -D > ${CERTIFICATE_FILE_NAME}
# we set || true here and for every `security import invoke` because the "duplicate SecKeychainItemImport" error # we set || true here and for every `security import invoke` because the "duplicate SecKeychainItemImport" error
# will cause set -e to exit 1. It is okay we do this because we deliberately handle this error in the lines below. # will cause set -e to exit 1. It is okay we do this because we deliberately handle this error in the lines below.
out=$(security import ${CODE_SIGN_PRIV} -A -P "${CFD_CODE_SIGN_PASS}" 2>&1) || true local out=$(security import ${CERTIFICATE_FILE_NAME} -A 2>&1) || true
exitcode=$? local exitcode=$?
# delete the certificate from disk
rm -rf ${CERTIFICATE_FILE_NAME}
if [ -n "$out" ]; then
if [ $exitcode -eq 0 ]; then
echo "$out"
else
if [ "$out" != "${SEC_DUP_MSG}" ]; then
echo "$out" >&2
exit $exitcode
else
echo "already imported code signing certificate"
fi
fi
fi
fi
}
# Imports private keys to the Apple KeyChain
import_private_keys() {
local PRIVATE_KEY_NAME=$1
local PRIVATE_KEY_ENV_VAR=$2
local PRIVATE_KEY_FILE_NAME=$3
local PRIVATE_KEY_PASS=$4
echo "Importing $PRIVATE_KEY_NAME"
if [[ ! -z "$PRIVATE_KEY_ENV_VAR" ]]; then
if [[ ! -z "$PRIVATE_KEY_PASS" ]]; then
# write private key to disk and then import it keychain
echo -n -e ${PRIVATE_KEY_ENV_VAR} | base64 -D > ${PRIVATE_KEY_FILE_NAME}
# we set || true here and for every `security import invoke` because the "duplicate SecKeychainItemImport" error
# will cause set -e to exit 1. It is okay we do this because we deliberately handle this error in the lines below.
local out=$(security import ${PRIVATE_KEY_FILE_NAME} -A -P "${PRIVATE_KEY_PASS}" 2>&1) || true
local exitcode=$?
rm -rf ${PRIVATE_KEY_FILE_NAME}
if [ -n "$out" ]; then if [ -n "$out" ]; then
if [ $exitcode -eq 0 ]; then if [ $exitcode -eq 0 ]; then
echo "$out" echo "$out"
@ -54,72 +96,24 @@ if [[ ! -z "$CFD_CODE_SIGN_KEY" ]]; then
fi fi
fi fi
fi fi
rm ${CODE_SIGN_PRIV}
fi fi
fi fi
}
# Add Apple Root Developer certificate to the key chain
import_certificate "Apple Developer CA" "${APPLE_DEV_CA_CERT}" "${APPLE_CA_CERT}"
# Add code signing private key to the key chain
import_private_keys "Developer ID Application" "${CFD_CODE_SIGN_KEY}" "${CODE_SIGN_PRIV}" "${CFD_CODE_SIGN_PASS}"
# Add code signing certificate to the key chain # Add code signing certificate to the key chain
if [[ ! -z "$CFD_CODE_SIGN_CERT" ]]; then import_certificate "Developer ID Application" "${CFD_CODE_SIGN_CERT}" "${CODE_SIGN_CERT}"
# write certificate to disk and then import it keychain
echo -n -e ${CFD_CODE_SIGN_CERT} | base64 -D > ${CODE_SIGN_CERT}
out1=$(security import ${CODE_SIGN_CERT} -A 2>&1) || true
exitcode1=$?
if [ -n "$out1" ]; then
if [ $exitcode1 -eq 0 ]; then
echo "$out1"
else
if [ "$out1" != "${SEC_DUP_MSG}" ]; then
echo "$out1" >&2
exit $exitcode1
else
echo "already imported code signing certificate"
fi
fi
fi
rm ${CODE_SIGN_CERT}
fi
# Add package signing private key to the key chain # Add package signing private key to the key chain
if [[ ! -z "$CFD_INSTALLER_KEY" ]]; then import_private_keys "Developer ID Installer" "${CFD_INSTALLER_KEY}" "${INSTALLER_PRIV}" "${CFD_INSTALLER_PASS}"
if [[ ! -z "$CFD_INSTALLER_PASS" ]]; then
# write private key to disk and then import it into the keychain
echo -n -e ${CFD_INSTALLER_KEY} | base64 -D > ${INSTALLER_PRIV}
out2=$(security import ${INSTALLER_PRIV} -A -P "${CFD_INSTALLER_PASS}" 2>&1) || true
exitcode2=$?
if [ -n "$out2" ]; then
if [ $exitcode2 -eq 0 ]; then
echo "$out2"
else
if [ "$out2" != "${SEC_DUP_MSG}" ]; then
echo "$out2" >&2
exit $exitcode2
fi
fi
fi
rm ${INSTALLER_PRIV}
fi
fi
# Add package signing certificate to the key chain # Add package signing certificate to the key chain
if [[ ! -z "$CFD_INSTALLER_CERT" ]]; then import_certificate "Developer ID Installer" "${CFD_INSTALLER_CERT}" "${INSTALLER_CERT}"
# write certificate to disk and then import it keychain
echo -n -e ${CFD_INSTALLER_CERT} | base64 -D > ${INSTALLER_CERT}
out3=$(security import ${INSTALLER_CERT} -A 2>&1) || true
exitcode3=$?
if [ -n "$out3" ]; then
if [ $exitcode3 -eq 0 ]; then
echo "$out3"
else
if [ "$out3" != "${SEC_DUP_MSG}" ]; then
echo "$out3" >&2
exit $exitcode3
else
echo "already imported installer certificate"
fi
fi
fi
rm ${INSTALLER_CERT}
fi
# get the code signing certificate name # get the code signing certificate name
if [[ ! -z "$CFD_CODE_SIGN_NAME" ]]; then if [[ ! -z "$CFD_CODE_SIGN_NAME" ]]; then