status-desktop/scripts/sign-macos-pkg.sh
Jakub Sokołowski 2df6def7f9 ci: add scripts/sign-linux-tarball.sh for GPG signing
Adds `scripts/sign-linux-file.sh` which expects the following variables to be set:

* `LINUX_GPG_PRIVATE_KEY_FILE` - Path to the GPG export of private key.
* `LINUX_GPG_PRIVATE_KEY_PASS` - Password necessary to use the private key.

Given a file it creates a file with a `.asc` suffix containing the signature:
```
 > wget -q https://status-im-prs.ams3.digitaloceanspaces.com/StatusIm-210809-104514-156806-pr.tar.gz

 > tar xvf StatusIm-210809-104514-156806-pr.tar.gz
StatusIm-210809-104514-156806-pr.AppImage
StatusIm-210809-104514-156806-pr.AppImage.asc

 > gpg --verify StatusIm-210809-104514-156806-pr.AppImage.asc
gpg: assuming signed data in 'StatusIm-210809-104514-156806-pr.AppImage'
gpg: Signature made Mon 09 Aug 2021 12:54:49 PM CEST using RSA key ID E20B4DFD
gpg: Good signature from "Status.im Devel Signing (GPG key for signing Status.im development builds.) <devel@status.im>" [ultimate]
Primary key fingerprint: BBF0 5F92 536B ED19 30A9  FD44 009F B3BF E20B 4DFD
```

Issue: https://github.com/status-im/infra-ci/issues/25
Requires: https://github.com/status-im/status-jenkins-lib/pull/32

Signed-off-by: Jakub Sokołowski <jakub@status.im>
2021-08-16 11:21:36 -04:00


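#!/usr/bin/env bash
# Sign a macOS app bundle (directory) or dmg (file) with codesign and verify
# the result, optionally using a dedicated keychain unlocked for the run.
#
# Usage: sign-macos-pkg.sh <file_to_sign> <sign_identity> [codesign_flags...]
#
# Optional environment (normally only set in CI):
#   MACOS_KEYCHAIN_FILE - keychain holding the signing identity; when set it is
#                         added to the search list and unlocked for the run.
#   MACOS_KEYCHAIN_PASS - password for that keychain; required with the above.
set -e

if [[ $(uname) != 'Darwin' ]]; then
  echo 'This only works on macOS.' >&2
  exit 1
fi
# Report the real script name rather than a hard-coded one.
if [[ $# -lt 2 ]]; then
  echo "${0##*/} <file_to_sign> <sign_identity> [codesign_flags...]" >&2
  exit 1
fi

# First argument is the target file/directory to sign
TARGET="${1}"
# Second argument is the signing identity
CODESIGN_ID="${2}"
# Remaining arguments are passed through to codesign, one flag per argument
shift 2
CODESIGN_OPTS_EXTRA=("${@}")

if [[ ! -e "${TARGET}" ]]; then
  echo 'Target file does not exist.' >&2
  exit 1
fi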
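#######################################
# Exit trap: report failure, lock the CI keychain and restore the original
# keychain search list. Only installed when MACOS_KEYCHAIN_FILE is set.
# Globals:  MACOS_KEYCHAIN_FILE (read), ORIG_KEYCHAIN_LIST (read)
# Outputs:  progress messages to stdout
# Exits:    with the status the script was exiting with when the trap fired
#######################################
function clean_up {
  # Capture the status first; every command below would clobber it.
  local status=$?
  # The exit at the end would fire the EXIT trap and run this function a
  # second time (e.g. when entered via ERR); drop the traps before that.
  trap - EXIT ERR
  # A non-zero status is the failure case (the original test was inverted
  # and printed the ERROR banner on success).
  if [[ "${status}" -ne 0 ]]; then
    printf '\n###### ERROR: See above for details.\n'
  fi
  # Cleanup is best-effort: a failure here must not mask the real status.
  set +e
  printf '\n###### Cleaning up...\n'
  printf '\n### Locking keychain...\n'
  security lock-keychain "${MACOS_KEYCHAIN_FILE}"
  printf '\n### Restoring default keychain search list...\n'
  # ORIG_KEYCHAIN_LIST is a whitespace-separated list of keychain paths and is
  # deliberately left unquoted so it splits into one argument per keychain.
  # shellcheck disable=SC2086
  security list-keychains -s ${ORIG_KEYCHAIN_LIST}
  security list-keychains
  exit "${status}"
}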
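# Flags for codesign. Each option and its value is a separate array element so
# that identities and paths containing spaces survive expansion (the previous
# "--sign ${CODESIGN_ID}" form relied on unquoted word-splitting at the call).
CODESIGN_OPTS=(
  --sign "${CODESIGN_ID}"
  --options runtime
  --verbose=4
  --force
)
# Add extra flags provided via command line, one element per argument
CODESIGN_OPTS+=("${CODESIGN_OPTS_EXTRA[@]}")

# Setting MACOS_KEYCHAIN_FILE and MACOS_KEYCHAIN_PASS is not required because
# the signing identity can be found in e.g. your login keychain.
# Those would normally be specified only in CI.
if [[ -n "${MACOS_KEYCHAIN_FILE}" ]]; then
  if [[ -z "${MACOS_KEYCHAIN_PASS}" ]]; then
    echo "Unable to unlock the keychain without MACOS_KEYCHAIN_PASS!" >&2
    exit 1
  fi
  printf '\n### Storing original keychain search list...\n'
  # We want to restore the normal keychains and ignore Jenkins created ones.
  # xargs collapses the output into a single space-separated line (dropping
  # any quoting), so keychain paths containing spaces are not supported here.
  ORIG_KEYCHAIN_LIST=$(security list-keychains | grep -v -e "^/private" -e "secretFiles" | xargs)
  # The keychain must be locked and the search list restored on any exit.
  # Under set -e a failing command already exits, so an EXIT trap alone covers
  # the error path; trapping ERR as well ran clean_up twice (once for ERR and
  # again for the exit it performs).
  trap clean_up EXIT
  printf '\n### Adding keychain to search list...\n'
  # ORIG_KEYCHAIN_LIST is intentionally word-split into separate arguments.
  # shellcheck disable=SC2086
  security list-keychains -s ${ORIG_KEYCHAIN_LIST} "${MACOS_KEYCHAIN_FILE}"
  security list-keychains
  printf '\n### Unlocking keychain...\n'
  # NOTE: -p places the password on argv, where it is briefly visible in
  # process listings; never run this script with set -x in CI logs.
  security unlock-keychain -p "${MACOS_KEYCHAIN_PASS}" "${MACOS_KEYCHAIN_FILE}"
  # Add a flag to use the unlocked keychain
  CODESIGN_OPTS+=(--keychain "${MACOS_KEYCHAIN_FILE}")
fi

# If 'TARGET' is a directory, we assume it's an app
# bundle, otherwise we consider it to be a dmg.
if [[ -d "${TARGET}" ]]; then
  CODESIGN_OPTS+=(--deep)
fi

printf '\n### Signing target...\n'
codesign "${CODESIGN_OPTS[@]}" "${TARGET}"

printf '\n### Verifying signature...\n'
codesign --verify --strict=all --deep --verbose=4 "${TARGET}"

printf '\n### Assessing Gatekeeper validation...\n'
if [[ -d "${TARGET}" ]]; then
  spctl --assess --type execute --verbose=2 "${TARGET}"
else
  echo "WARNING: The 'open' type security assesment is disabled due to lack of 'Notarization'"
  # Issue: https://github.com/status-im/status-react/pull/9172
  # Details: https://developer.apple.com/documentation/security/notarizing_your_app_before_distribution
  #spctl --assess --type open --context context:primary-signature --verbose=2 "${TARGET}"
fi
printf '\n###### DONE\n'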