curben
/
cloudflared-mirror
mirror of https://github.com/cloudflare/cloudflared.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Delete keychain

This commit is contained in:
GoncaloGarcia 2025-04-23 18:40:30 +01:00
parent d2c11c0f36
commit 7833eddedb
2 changed files with 24 additions and 19 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.gitlab-ci.yml
View File

@ -88,7 +88,7 @@ build_cloudflared_macos_tagged_release:
vault: gitlab/cloudflare/tun/cloudflared/_dev/cfd_github_api_key/data@kv vault: gitlab/cloudflare/tun/cloudflared/_dev/cfd_github_api_key/data@kv
file: false file: false
before_script: before_script:
- sudo apt-get update && apt-get install -y go-boring=1.22.10-1 build-essential python3-dev libffi-dev python3-setuptools python3-pip python3-venv - apt-get update && apt-get install -y go-boring=1.22.10-1 build-essential python3-dev libffi-dev python3-setuptools python3-pip python3-venv
- python3 --version ; pip --version # For debugging - python3 --version ; pip --version # For debugging
- pip install virtualenv - pip install virtualenv
- /home/gitlab-runner/.local/bin/virtualenv venv - /home/gitlab-runner/.local/bin/virtualenv venv

41
.teamcity/mac/build.sh vendored
View File

@ -68,20 +68,21 @@ import_certificate() {
fi fi
} }
create_tmp_keychain() { create_cloudflared_build_keychain() {
# Reusing the private key password as the keychain key # Reusing the private key password as the keychain key
local PRIVATE_KEY_PASS=$1 local PRIVATE_KEY_PASS=$1
# Create temp keychain # Create temp keychain
security create-keychain -p "$PRIVATE_KEY_PASS" tmp_keychain security create-keychain -p "$PRIVATE_KEY_PASS" cloudflared_build_keychain
# Append temp keychain to the user domain # Append temp keychain to the user domain
security list-keychains -d user -s tmp_keychain $(security list-keychains -d user | sed s/\"//g) security list-keychains -d user -s cloudflared_build_keychain $(security list-keychains -d user | sed s/\"//g)
# Remove relock timeout # Remove relock timeout
security set-keychain-settings tmp_keychain security set-keychain-settings cloudflared_build_keychain
security unlock-keychain -p "$PRIVATE_KEY_PASS" tmp_keychain # Unlock keychain so it doesn't require password
security unlock-keychain -p "$PRIVATE_KEY_PASS" cloudflared_build_keychain
} }
@ -100,7 +101,7 @@ import_private_keys() {
echo -n -e ${PRIVATE_KEY_ENV_VAR} | base64 -D > ${PRIVATE_KEY_FILE_NAME} echo -n -e ${PRIVATE_KEY_ENV_VAR} | base64 -D > ${PRIVATE_KEY_FILE_NAME}
# we set || true here and for every `security import invoke` because the "duplicate SecKeychainItemImport" error # we set || true here and for every `security import invoke` because the "duplicate SecKeychainItemImport" error
# will cause set -e to exit 1. It is okay we do this because we deliberately handle this error in the lines below. # will cause set -e to exit 1. It is okay we do this because we deliberately handle this error in the lines below.
local out=$(security import ${PRIVATE_KEY_FILE_NAME} -k tmp_keychain -P "$PRIVATE_KEY_PASS" -T /usr/bin/pkgbuild -A -P "${PRIVATE_KEY_PASS}" 2>&1) || true local out=$(security import ${PRIVATE_KEY_FILE_NAME} -k cloudflared_build_keychain -P "$PRIVATE_KEY_PASS" -T /usr/bin/pkgbuild -A -P "${PRIVATE_KEY_PASS}" 2>&1) || true
local exitcode=$? local exitcode=$?
rm -rf ${PRIVATE_KEY_FILE_NAME} rm -rf ${PRIVATE_KEY_FILE_NAME}
if [ -n "$out" ]; then if [ -n "$out" ]; then
@ -117,10 +118,8 @@ import_private_keys() {
fi fi
} }
# Create temp keychain only for this build
create_tmp_keychain "${CFD_CODE_SIGN_PASS}" create_cloudflared_build_keychain "${CFD_CODE_SIGN_PASS}"
security list-keychains
# Add Apple Root Developer certificate to the key chain # Add Apple Root Developer certificate to the key chain
import_certificate "Apple Developer CA" "${APPLE_DEV_CA_CERT}" "${APPLE_CA_CERT}" import_certificate "Apple Developer CA" "${APPLE_DEV_CA_CERT}" "${APPLE_CA_CERT}"
@ -141,8 +140,8 @@ import_certificate "Developer ID Installer" "${CFD_INSTALLER_CERT}" "${INSTALLER
if [[ ! -z "$CFD_CODE_SIGN_NAME" ]]; then if [[ ! -z "$CFD_CODE_SIGN_NAME" ]]; then
CODE_SIGN_NAME="${CFD_CODE_SIGN_NAME}" CODE_SIGN_NAME="${CFD_CODE_SIGN_NAME}"
else else
if [[ -n "$(security find-certificate -c "Developer ID Application" tmp_keychain | cut -d'"' -f 4 -s | grep "Developer ID Application:" | head -1)" ]]; then if [[ -n "$(security find-certificate -c "Developer ID Application" cloudflared_build_keychain | cut -d'"' -f 4 -s | grep "Developer ID Application:" | head -1)" ]]; then
CODE_SIGN_NAME=$(security find-certificate -c "Developer ID Application" tmp_keychain | cut -d'"' -f 4 -s | grep "Developer ID Application:" | head -1) CODE_SIGN_NAME=$(security find-certificate -c "Developer ID Application" cloudflared_build_keychain | cut -d'"' -f 4 -s | grep "Developer ID Application:" | head -1)
else else
CODE_SIGN_NAME="" CODE_SIGN_NAME=""
fi fi
@ -152,8 +151,8 @@ fi
if [[ ! -z "$CFD_INSTALLER_NAME" ]]; then if [[ ! -z "$CFD_INSTALLER_NAME" ]]; then
PKG_SIGN_NAME="${CFD_INSTALLER_NAME}" PKG_SIGN_NAME="${CFD_INSTALLER_NAME}"
else else
if [[ -n "$(security find-certificate -c "Developer ID Installer" tmp_keychain | cut -d'"' -f 4 -s | grep "Developer ID Installer:" | head -1)" ]]; then if [[ -n "$(security find-certificate -c "Developer ID Installer" cloudflared_build_keychain | cut -d'"' -f 4 -s | grep "Developer ID Installer:" | head -1)" ]]; then
PKG_SIGN_NAME=$(security find-certificate -c "Developer ID Installer" tmp_keychain | cut -d'"' -f 4 -s | grep "Developer ID Installer:" | head -1) PKG_SIGN_NAME=$(security find-certificate -c "Developer ID Installer" cloudflared_build_keychain | cut -d'"' -f 4 -s | grep "Developer ID Installer:" | head -1)
else else
PKG_SIGN_NAME="" PKG_SIGN_NAME=""
fi fi
@ -164,12 +163,13 @@ rm -rf "${TARGET_DIRECTORY}"
export TARGET_OS="darwin" export TARGET_OS="darwin"
GOCACHE="$PWD/../../../../" GOPATH="$PWD/../../../../" CGO_ENABLED=1 make cloudflared GOCACHE="$PWD/../../../../" GOPATH="$PWD/../../../../" CGO_ENABLED=1 make cloudflared
security set-key-partition-list -S apple-tool:,apple: -s -k "${CFD_CODE_SIGN_PASS}" tmp_keychain # This allows apple tools to use the certificates in the keychain without requiring password input.
# This command always needs to run after the certificates have been loaded into the keychain
security set-key-partition-list -S apple-tool:,apple: -s -k "${CFD_CODE_SIGN_PASS}" cloudflared_build_keychain
# sign the cloudflared binary # sign the cloudflared binary
if [[ ! -z "$CODE_SIGN_NAME" ]]; then if [[ ! -z "$CODE_SIGN_NAME" ]]; then
codesign --keychain /Users/admin/Library/Keychains/tmp_keychain-db -s "${CODE_SIGN_NAME}" -fv --options runtime --timestamp ${BINARY_NAME} codesign --keychain /Users/admin/Library/Keychains/cloudflared_build_keychain-db -s "${CODE_SIGN_NAME}" -fv --options runtime --timestamp ${BINARY_NAME}
# notarize the binary # notarize the binary
# TODO: TUN-5789 # TODO: TUN-5789
@ -196,7 +196,7 @@ if [[ ! -z "$PKG_SIGN_NAME" ]]; then
--scripts ${ARCH_TARGET_DIRECTORY}/scripts \ --scripts ${ARCH_TARGET_DIRECTORY}/scripts \
--root ${ARCH_TARGET_DIRECTORY}/contents \ --root ${ARCH_TARGET_DIRECTORY}/contents \
--install-location /usr/local/bin \ --install-location /usr/local/bin \
--keychain tmp_keychain \ --keychain cloudflared_build_keychain \
--sign "${PKG_SIGN_NAME}" \ --sign "${PKG_SIGN_NAME}" \
${PKGNAME} ${PKGNAME}
@ -214,3 +214,8 @@ fi
# cleanup build directory because this script is not ran within containers, # cleanup build directory because this script is not ran within containers,
# which might lead to future issues in subsequent runs. # which might lead to future issues in subsequent runs.
rm -rf "${TARGET_DIRECTORY}" rm -rf "${TARGET_DIRECTORY}"
# cleanup the keychain
security default-keychain -d user -s login.keychain-db
security list-keychains -d user -s login.keychain-db
security delete-keychain cloudflared_build_keychain