95 lines
3.0 KiB
Bash
Executable File
95 lines
3.0 KiB
Bash
Executable File
#!/usr/bin/env bash
|
|
|
|
set -e
|
|
|
|
[[ $(uname) != 'Darwin' ]] && { echo 'This only works on macOS.' >&2; exit 1; }
|
|
[[ $# -lt 2 ]] && { echo 'sign-macos-bundle.sh <file_to_sign> <sign_identity>' >&2; exit 1; }
|
|
|
|
# First is the target file/directory to sign
|
|
TARGET="${1}"
|
|
# Second argument is the signing identity
|
|
CODESIGN_ID="${2}"
|
|
# Rest are extra command line flags for codesign
|
|
shift 2
|
|
CODESIGN_OPTS_EXTRA=("${@}")
|
|
|
|
[[ ! -e "${TARGET}" ]] && { echo 'Target file does not exist.' >&2; exit 1; }
|
|
|
|
function clean_up {
|
|
STATUS=$?
|
|
if [[ "${STATUS}" -eq 0 ]]; then
|
|
echo -e "\n###### ERROR: See above for details."
|
|
fi
|
|
set +e
|
|
|
|
echo -e "\n###### Cleaning up..."
|
|
echo -e "\n### Locking keychain..."
|
|
security lock-keychain "${MACOS_KEYCHAIN_FILE}"
|
|
echo -e "\n### Restoring default keychain search list..."
|
|
security list-keychains -s ${ORIG_KEYCHAIN_LIST}
|
|
security list-keychains
|
|
|
|
exit $STATUS
|
|
}
|
|
|
|
# Flags for codesign
|
|
CODESIGN_OPTS=(
|
|
"--sign ${CODESIGN_ID}"
|
|
"--options runtime"
|
|
"--verbose=4"
|
|
"--force"
|
|
)
|
|
# Add extra flags provided via command line
|
|
CODESIGN_OPTS+=(
|
|
${CODESIGN_OPTS_EXTRA[@]}
|
|
)
|
|
|
|
# Setting MACOS_KEYCHAIN_FILE nd MACOS_KEYCHAIN_PASS is not required because
|
|
# MACOS_CODESIGN_IDENT can be found in e.g. your login keychain.
|
|
# Those would normally be specified only in CI.
|
|
if [[ -n "${MACOS_KEYCHAIN_FILE}" ]]; then
|
|
if [[ -z "${MACOS_KEYCHAIN_PASS}" ]]; then
|
|
echo "Unable to unlock the keychain without MACOS_KEYCHAIN_PASS!" >&2
|
|
exit 1
|
|
fi
|
|
echo -e "\n### Storing original keychain search list..."
|
|
# We want to restore the normal keychains and ignore Jenkis created ones
|
|
ORIG_KEYCHAIN_LIST=$(security list-keychains | grep -v -e "^/private" -e "secretFiles" | xargs)
|
|
|
|
# The keychain file needs to be locked afterwards
|
|
trap clean_up EXIT ERR
|
|
|
|
echo -e "\n### Adding keychain to search list..."
|
|
security list-keychains -s ${ORIG_KEYCHAIN_LIST} "${MACOS_KEYCHAIN_FILE}"
|
|
security list-keychains
|
|
echo -e "\n### Unlocking keychain..."
|
|
security unlock-keychain -p "${MACOS_KEYCHAIN_PASS}" "${MACOS_KEYCHAIN_FILE}"
|
|
|
|
# Add a flag to use the unlocked keychain
|
|
CODESIGN_OPTS+=("--keychain ${MACOS_KEYCHAIN_FILE}")
|
|
fi
|
|
|
|
# If 'TARGET' is a directory, we assume it's an app
|
|
# bundle, otherwise we consider it to be a dmg.
|
|
if [[ -d "${TARGET}" ]]; then
|
|
CODESIGN_OPTS+=("--deep")
|
|
fi
|
|
|
|
echo -e "\n### Signing target..."
|
|
codesign ${CODESIGN_OPTS[@]} "${TARGET}"
|
|
|
|
echo -e "\n### Verifying signature..."
|
|
codesign --verify --strict=all --deep --verbose=4 "${TARGET}"
|
|
|
|
echo -e "\n### Assessing Gatekeeper validation..."
|
|
if [[ -d "${TARGET}" ]]; then
|
|
spctl --assess --type execute --verbose=2 "${TARGET}"
|
|
else
|
|
echo "WARNING: The 'open' type security assesment is disabled due to lack of 'Notarization'"
|
|
# Issue: https://github.com/status-im/status-react/pull/9172
|
|
# Details: https://developer.apple.com/documentation/security/notarizing_your_app_before_distribution
|
|
#spctl --assess --type open --context context:primary-signature --verbose=2 "${OBJECT}"
|
|
fi
|
|
|
|
echo -e "\n###### DONE"
|