TUN-8900: Add import of Apple Developer Certificate Authority to macOS Pipeline
## Summary

During the renewal of the certificates used to sign the macOS binaries and package, we hit an issue: the new certificates require a specific certification authority that was not available in the keychain of the macOS agents. This commit therefore adds an import step that ensures the Certificate Authority, usually fetched from https://www.apple.com/certificateauthority/, is imported into the keychain so that the Developer certificates can be validated.

Closes TUN-8900
This commit is contained in:
parent
a1963aed80
commit
25c3f676f4
|
@ -22,6 +22,7 @@ TARGET_DIRECTORY=".build"
|
||||||
BINARY_NAME="cloudflared"
|
BINARY_NAME="cloudflared"
|
||||||
VERSION=$(git describe --tags --always --dirty="-dev")
|
VERSION=$(git describe --tags --always --dirty="-dev")
|
||||||
PRODUCT="cloudflared"
|
PRODUCT="cloudflared"
|
||||||
|
APPLE_CA_CERT="apple_dev_ca.cert"
|
||||||
CODE_SIGN_PRIV="code_sign.p12"
|
CODE_SIGN_PRIV="code_sign.p12"
|
||||||
CODE_SIGN_CERT="code_sign.cer"
|
CODE_SIGN_CERT="code_sign.cer"
|
||||||
INSTALLER_PRIV="installer.p12"
|
INSTALLER_PRIV="installer.p12"
|
||||||
|
@ -35,15 +36,56 @@ mkdir -p ../src/github.com/cloudflare/
|
||||||
cp -r . ../src/github.com/cloudflare/cloudflared
|
cp -r . ../src/github.com/cloudflare/cloudflared
|
||||||
cd ../src/github.com/cloudflare/cloudflared
|
cd ../src/github.com/cloudflare/cloudflared
|
||||||
|
|
||||||
# Add code signing private key to the key chain
|
# Imports certificates to the Apple KeyChain
|
||||||
if [[ ! -z "$CFD_CODE_SIGN_KEY" ]]; then
|
import_certificate() {
|
||||||
if [[ ! -z "$CFD_CODE_SIGN_PASS" ]]; then
|
local CERTIFICATE_NAME=$1
|
||||||
# write private key to disk and then import it keychain
|
local CERTIFICATE_ENV_VAR=$2
|
||||||
echo -n -e ${CFD_CODE_SIGN_KEY} | base64 -D > ${CODE_SIGN_PRIV}
|
local CERTIFICATE_FILE_NAME=$3
|
||||||
|
|
||||||
|
echo "Importing $CERTIFICATE_NAME"
|
||||||
|
|
||||||
|
if [[ ! -z "$CERTIFICATE_ENV_VAR" ]]; then
|
||||||
|
# write certificate to disk and then import it keychain
|
||||||
|
echo -n -e ${CERTIFICATE_ENV_VAR} | base64 -D > ${CERTIFICATE_FILE_NAME}
|
||||||
# we set || true here and for every `security import invoke` because the "duplicate SecKeychainItemImport" error
|
# we set || true here and for every `security import invoke` because the "duplicate SecKeychainItemImport" error
|
||||||
# will cause set -e to exit 1. It is okay we do this because we deliberately handle this error in the lines below.
|
# will cause set -e to exit 1. It is okay we do this because we deliberately handle this error in the lines below.
|
||||||
out=$(security import ${CODE_SIGN_PRIV} -A -P "${CFD_CODE_SIGN_PASS}" 2>&1) || true
|
local out=$(security import ${CERTIFICATE_FILE_NAME} -A 2>&1) || true
|
||||||
exitcode=$?
|
local exitcode=$?
|
||||||
|
# delete the certificate from disk
|
||||||
|
rm -rf ${CERTIFICATE_FILE_NAME}
|
||||||
|
if [ -n "$out" ]; then
|
||||||
|
if [ $exitcode -eq 0 ]; then
|
||||||
|
echo "$out"
|
||||||
|
else
|
||||||
|
if [ "$out" != "${SEC_DUP_MSG}" ]; then
|
||||||
|
echo "$out" >&2
|
||||||
|
exit $exitcode
|
||||||
|
else
|
||||||
|
echo "already imported code signing certificate"
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
# Imports private keys to the Apple KeyChain
|
||||||
|
import_private_keys() {
|
||||||
|
local PRIVATE_KEY_NAME=$1
|
||||||
|
local PRIVATE_KEY_ENV_VAR=$2
|
||||||
|
local PRIVATE_KEY_FILE_NAME=$3
|
||||||
|
local PRIVATE_KEY_PASS=$4
|
||||||
|
|
||||||
|
echo "Importing $PRIVATE_KEY_NAME"
|
||||||
|
|
||||||
|
if [[ ! -z "$PRIVATE_KEY_ENV_VAR" ]]; then
|
||||||
|
if [[ ! -z "$PRIVATE_KEY_PASS" ]]; then
|
||||||
|
# write private key to disk and then import it keychain
|
||||||
|
echo -n -e ${PRIVATE_KEY_ENV_VAR} | base64 -D > ${PRIVATE_KEY_FILE_NAME}
|
||||||
|
# we set || true here and for every `security import invoke` because the "duplicate SecKeychainItemImport" error
|
||||||
|
# will cause set -e to exit 1. It is okay we do this because we deliberately handle this error in the lines below.
|
||||||
|
local out=$(security import ${PRIVATE_KEY_FILE_NAME} -A -P "${PRIVATE_KEY_PASS}" 2>&1) || true
|
||||||
|
local exitcode=$?
|
||||||
|
rm -rf ${PRIVATE_KEY_FILE_NAME}
|
||||||
if [ -n "$out" ]; then
|
if [ -n "$out" ]; then
|
||||||
if [ $exitcode -eq 0 ]; then
|
if [ $exitcode -eq 0 ]; then
|
||||||
echo "$out"
|
echo "$out"
|
||||||
|
@ -54,72 +96,24 @@ if [[ ! -z "$CFD_CODE_SIGN_KEY" ]]; then
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
rm ${CODE_SIGN_PRIV}
|
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
# Add Apple Root Developer certificate to the key chain
|
||||||
|
import_certificate "Apple Developer CA" "${APPLE_DEV_CA_CERT}" "${APPLE_CA_CERT}"
|
||||||
|
|
||||||
|
# Add code signing private key to the key chain
|
||||||
|
import_private_keys "Developer ID Application" "${CFD_CODE_SIGN_KEY}" "${CODE_SIGN_PRIV}" "${CFD_CODE_SIGN_PASS}"
|
||||||
|
|
||||||
# Add code signing certificate to the key chain
|
# Add code signing certificate to the key chain
|
||||||
if [[ ! -z "$CFD_CODE_SIGN_CERT" ]]; then
|
import_certificate "Developer ID Application" "${CFD_CODE_SIGN_CERT}" "${CODE_SIGN_CERT}"
|
||||||
# write certificate to disk and then import it keychain
|
|
||||||
echo -n -e ${CFD_CODE_SIGN_CERT} | base64 -D > ${CODE_SIGN_CERT}
|
|
||||||
out1=$(security import ${CODE_SIGN_CERT} -A 2>&1) || true
|
|
||||||
exitcode1=$?
|
|
||||||
if [ -n "$out1" ]; then
|
|
||||||
if [ $exitcode1 -eq 0 ]; then
|
|
||||||
echo "$out1"
|
|
||||||
else
|
|
||||||
if [ "$out1" != "${SEC_DUP_MSG}" ]; then
|
|
||||||
echo "$out1" >&2
|
|
||||||
exit $exitcode1
|
|
||||||
else
|
|
||||||
echo "already imported code signing certificate"
|
|
||||||
fi
|
|
||||||
fi
|
|
||||||
fi
|
|
||||||
rm ${CODE_SIGN_CERT}
|
|
||||||
fi
|
|
||||||
|
|
||||||
# Add package signing private key to the key chain
|
# Add package signing private key to the key chain
|
||||||
if [[ ! -z "$CFD_INSTALLER_KEY" ]]; then
|
import_private_keys "Developer ID Installer" "${CFD_INSTALLER_KEY}" "${INSTALLER_PRIV}" "${CFD_INSTALLER_PASS}"
|
||||||
if [[ ! -z "$CFD_INSTALLER_PASS" ]]; then
|
|
||||||
# write private key to disk and then import it into the keychain
|
|
||||||
echo -n -e ${CFD_INSTALLER_KEY} | base64 -D > ${INSTALLER_PRIV}
|
|
||||||
out2=$(security import ${INSTALLER_PRIV} -A -P "${CFD_INSTALLER_PASS}" 2>&1) || true
|
|
||||||
exitcode2=$?
|
|
||||||
if [ -n "$out2" ]; then
|
|
||||||
if [ $exitcode2 -eq 0 ]; then
|
|
||||||
echo "$out2"
|
|
||||||
else
|
|
||||||
if [ "$out2" != "${SEC_DUP_MSG}" ]; then
|
|
||||||
echo "$out2" >&2
|
|
||||||
exit $exitcode2
|
|
||||||
fi
|
|
||||||
fi
|
|
||||||
fi
|
|
||||||
rm ${INSTALLER_PRIV}
|
|
||||||
fi
|
|
||||||
fi
|
|
||||||
|
|
||||||
# Add package signing certificate to the key chain
|
# Add package signing certificate to the key chain
|
||||||
if [[ ! -z "$CFD_INSTALLER_CERT" ]]; then
|
import_certificate "Developer ID Installer" "${CFD_INSTALLER_CERT}" "${INSTALLER_CERT}"
|
||||||
# write certificate to disk and then import it keychain
|
|
||||||
echo -n -e ${CFD_INSTALLER_CERT} | base64 -D > ${INSTALLER_CERT}
|
|
||||||
out3=$(security import ${INSTALLER_CERT} -A 2>&1) || true
|
|
||||||
exitcode3=$?
|
|
||||||
if [ -n "$out3" ]; then
|
|
||||||
if [ $exitcode3 -eq 0 ]; then
|
|
||||||
echo "$out3"
|
|
||||||
else
|
|
||||||
if [ "$out3" != "${SEC_DUP_MSG}" ]; then
|
|
||||||
echo "$out3" >&2
|
|
||||||
exit $exitcode3
|
|
||||||
else
|
|
||||||
echo "already imported installer certificate"
|
|
||||||
fi
|
|
||||||
fi
|
|
||||||
fi
|
|
||||||
rm ${INSTALLER_CERT}
|
|
||||||
fi
|
|
||||||
|
|
||||||
# get the code signing certificate name
|
# get the code signing certificate name
|
||||||
if [[ ! -z "$CFD_CODE_SIGN_NAME" ]]; then
|
if [[ ! -z "$CFD_CODE_SIGN_NAME" ]]; then
|
||||||
|
|
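Review bot: In `import_certificate` (second hunk), `local out=$(security import ${CERTIFICATE_FILE_NAME} -A 2>&1) || true` followed by `local exitcode=$?` always yields `exitcode=0`, because `$?` reports the status of `true` (or of the `local` builtin), never of `security import`; the duplicate-import and `exit $exitcode` branches below it are therefore unreachable, and a failed import (corrupt base64, wrong `-P` password, unreadable file) only prints the error to stdout while the pipeline carries on until codesign fails later. The removed inline code appears to have used the same `|| true; exitcode=$?` pattern, but the refactor now repeats it in both helpers, and `import_private_keys` has the identical two lines (its body continues into the third hunk). Capture the status in the `||` arm and declare the locals first so `local` cannot mask it: `local out exitcode=0` / `out=$(security import "${CERTIFICATE_FILE_NAME}" -A 2>&1) || exitcode=$?`. With that change the existing `SEC_DUP_MSG` comparison actually decides between tolerating a duplicate and failing the build, which is what a release-signing step should do. Minor: the duplicate branch now prints `already imported code signing certificate` for the Apple CA and the installer certificate as well; `echo "already imported ${CERTIFICATE_NAME} certificate"` keeps the log accurate.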