From 7833eddedb8d96135f052b238db814e2eced7b80 Mon Sep 17 00:00:00 2001
From: GoncaloGarcia <ggarcia@cloudflare.com>
Date: Wed, 23 Apr 2025 18:40:30 +0100
Subject: [PATCH] Delete keychain

---
 .gitlab-ci.yml         |  2 +-
 .teamcity/mac/build.sh | 41 +++++++++++++++++++++++------------------
 2 files changed, 24 insertions(+), 19 deletions(-)

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index aea2e19e..d5fd19dc 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -88,7 +88,7 @@ build_cloudflared_macos_tagged_release:
       vault: gitlab/cloudflare/tun/cloudflared/_dev/cfd_github_api_key/data@kv
       file: false
   before_script:
-    - sudo apt-get update && apt-get install -y go-boring=1.22.10-1 build-essential python3-dev libffi-dev python3-setuptools python3-pip python3-venv
+    - apt-get update && apt-get install -y go-boring=1.22.10-1 build-essential python3-dev libffi-dev python3-setuptools python3-pip python3-venv
     - python3 --version ; pip --version  # For debugging
     - pip install virtualenv
     - /home/gitlab-runner/.local/bin/virtualenv venv
diff --git a/.teamcity/mac/build.sh b/.teamcity/mac/build.sh
index 9f133773..47cd3b1c 100755
--- a/.teamcity/mac/build.sh
+++ b/.teamcity/mac/build.sh
@@ -68,20 +68,21 @@ import_certificate() {
     fi
 }
 
-create_tmp_keychain() {
+create_cloudflared_build_keychain() {
   # Reusing the private key password as the keychain key
   local PRIVATE_KEY_PASS=$1
 
   # Create temp keychain
-  security create-keychain -p "$PRIVATE_KEY_PASS" tmp_keychain
+  security create-keychain -p "$PRIVATE_KEY_PASS" cloudflared_build_keychain
 
   # Append temp keychain to the user domain
-  security list-keychains -d user -s tmp_keychain $(security list-keychains -d user | sed s/\"//g)
+  security list-keychains -d user -s cloudflared_build_keychain $(security list-keychains -d user | sed s/\"//g)
 
   # Remove relock timeout
-  security set-keychain-settings tmp_keychain
+  security set-keychain-settings cloudflared_build_keychain
 
-  security unlock-keychain -p "$PRIVATE_KEY_PASS" tmp_keychain
+  # Unlock keychain so it doesn't require password
+  security unlock-keychain -p "$PRIVATE_KEY_PASS" cloudflared_build_keychain
 
 }
 
@@ -100,7 +101,7 @@ import_private_keys() {
         echo -n -e ${PRIVATE_KEY_ENV_VAR} | base64 -D > ${PRIVATE_KEY_FILE_NAME}
         # we set || true  here and for every `security import invoke` because the  "duplicate SecKeychainItemImport" error
         # will cause set -e to exit 1. It is okay we do this because we deliberately handle this error in the lines below.
-        local out=$(security import ${PRIVATE_KEY_FILE_NAME} -k tmp_keychain -P "$PRIVATE_KEY_PASS" -T /usr/bin/pkgbuild -A -P "${PRIVATE_KEY_PASS}" 2>&1) || true
+        local out=$(security import ${PRIVATE_KEY_FILE_NAME} -k cloudflared_build_keychain -P "$PRIVATE_KEY_PASS" -T /usr/bin/pkgbuild -A -P "${PRIVATE_KEY_PASS}" 2>&1) || true
         local exitcode=$?
         rm -rf ${PRIVATE_KEY_FILE_NAME}
         if [ -n "$out" ]; then
@@ -117,10 +118,8 @@ import_private_keys() {
     fi
 }
 
-
-create_tmp_keychain "${CFD_CODE_SIGN_PASS}"
-
-security list-keychains
+# Create temp keychain only for this build
+create_cloudflared_build_keychain "${CFD_CODE_SIGN_PASS}"
 
 # Add Apple Root Developer certificate to the key chain
 import_certificate "Apple Developer CA" "${APPLE_DEV_CA_CERT}" "${APPLE_CA_CERT}"
@@ -141,8 +140,8 @@ import_certificate "Developer ID Installer" "${CFD_INSTALLER_CERT}" "${INSTALLER
 if [[ ! -z "$CFD_CODE_SIGN_NAME" ]]; then
   CODE_SIGN_NAME="${CFD_CODE_SIGN_NAME}"
 else
-  if [[ -n "$(security find-certificate -c "Developer ID Application" tmp_keychain | cut -d'"' -f 4 -s | grep "Developer ID Application:" | head -1)" ]]; then
-    CODE_SIGN_NAME=$(security find-certificate -c "Developer ID Application" tmp_keychain | cut -d'"' -f 4 -s | grep "Developer ID Application:" | head -1)
+  if [[ -n "$(security find-certificate -c "Developer ID Application" cloudflared_build_keychain | cut -d'"' -f 4 -s | grep "Developer ID Application:" | head -1)" ]]; then
+    CODE_SIGN_NAME=$(security find-certificate -c "Developer ID Application" cloudflared_build_keychain | cut -d'"' -f 4 -s | grep "Developer ID Application:" | head -1)
   else
     CODE_SIGN_NAME=""
   fi
@@ -152,8 +151,8 @@ fi
 if [[ ! -z "$CFD_INSTALLER_NAME" ]]; then
   PKG_SIGN_NAME="${CFD_INSTALLER_NAME}"
 else
-  if [[ -n "$(security find-certificate -c "Developer ID Installer" tmp_keychain | cut -d'"' -f 4 -s | grep "Developer ID Installer:" | head -1)" ]]; then
-    PKG_SIGN_NAME=$(security find-certificate -c "Developer ID Installer" tmp_keychain | cut -d'"' -f 4 -s | grep "Developer ID Installer:" | head -1)
+  if [[ -n "$(security find-certificate -c "Developer ID Installer" cloudflared_build_keychain | cut -d'"' -f 4 -s | grep "Developer ID Installer:" | head -1)" ]]; then
+    PKG_SIGN_NAME=$(security find-certificate -c "Developer ID Installer" cloudflared_build_keychain | cut -d'"' -f 4 -s | grep "Developer ID Installer:" | head -1)
   else
     PKG_SIGN_NAME=""
   fi
@@ -164,12 +163,13 @@ rm -rf "${TARGET_DIRECTORY}"
 export TARGET_OS="darwin"
 GOCACHE="$PWD/../../../../" GOPATH="$PWD/../../../../" CGO_ENABLED=1 make cloudflared
 
-security set-key-partition-list -S apple-tool:,apple: -s -k "${CFD_CODE_SIGN_PASS}" tmp_keychain
-
+# This allows apple tools to use the certificates in the keychain without requiring password input.
+# This command always needs to run after the certificates have been loaded into the keychain
+security set-key-partition-list -S apple-tool:,apple: -s -k "${CFD_CODE_SIGN_PASS}" cloudflared_build_keychain
 
 # sign the cloudflared binary
 if [[ ! -z "$CODE_SIGN_NAME" ]]; then
-  codesign --keychain /Users/admin/Library/Keychains/tmp_keychain-db -s "${CODE_SIGN_NAME}" -fv --options runtime --timestamp ${BINARY_NAME}
+  codesign --keychain /Users/admin/Library/Keychains/cloudflared_build_keychain-db -s "${CODE_SIGN_NAME}" -fv --options runtime --timestamp ${BINARY_NAME}
 
  # notarize the binary
  # TODO: TUN-5789
@@ -196,7 +196,7 @@ if [[ ! -z "$PKG_SIGN_NAME" ]]; then
       --scripts ${ARCH_TARGET_DIRECTORY}/scripts \
       --root ${ARCH_TARGET_DIRECTORY}/contents \
       --install-location /usr/local/bin \
-      --keychain tmp_keychain \
+      --keychain cloudflared_build_keychain \
       --sign "${PKG_SIGN_NAME}" \
       ${PKGNAME}
 
@@ -214,3 +214,8 @@ fi
 # cleanup build directory because this script is not ran within containers,
 # which might lead to future issues in subsequent runs.
 rm -rf "${TARGET_DIRECTORY}"
+
+# cleanup the keychain
+security default-keychain -d user -s login.keychain-db
+security list-keychains -d user -s login.keychain-db
+security delete-keychain cloudflared_build_keychain