status-desktop/scripts/sign-macos-pkg.sh

95 lines
3.0 KiB
Bash
Executable File

#!/usr/bin/env bash
set -e
[[ $(uname) != 'Darwin' ]] && { echo 'This only works on macOS.' >&2; exit 1; }
[[ $# -lt 2 ]] && { echo 'sign-macos-bundle.sh <file_to_sign> <sign_identity>' >&2; exit 1; }
# First is the target file/directory to sign
TARGET="${1}"
# Second argument is the signing identity
CODESIGN_ID="${2}"
# Rest are extra command line flags for codesign
shift 2
CODESIGN_OPTS_EXTRA=("${@}")
[[ ! -e "${TARGET}" ]] && { echo 'Target file does not exist.' >&2; exit 1; }
function clean_up {
STATUS=$?
if [[ "${STATUS}" -eq 0 ]]; then
echo -e "\n###### ERROR: See above for details."
fi
set +e
echo -e "\n###### Cleaning up..."
echo -e "\n### Locking keychain..."
security lock-keychain "${MACOS_KEYCHAIN_FILE}"
echo -e "\n### Restoring default keychain search list..."
security list-keychains -s ${ORIG_KEYCHAIN_LIST}
security list-keychains
exit $STATUS
}
# Flags for codesign
CODESIGN_OPTS=(
"--sign ${CODESIGN_ID}"
"--options runtime"
"--verbose=4"
"--force"
)
# Add extra flags provided via command line
CODESIGN_OPTS+=(
${CODESIGN_OPTS_EXTRA[@]}
)
# Setting MACOS_KEYCHAIN_FILE nd MACOS_KEYCHAIN_PASS is not required because
# MACOS_CODESIGN_IDENT can be found in e.g. your login keychain.
# Those would normally be specified only in CI.
if [[ -n "${MACOS_KEYCHAIN_FILE}" ]]; then
if [[ -z "${MACOS_KEYCHAIN_PASS}" ]]; then
echo "Unable to unlock the keychain without MACOS_KEYCHAIN_PASS!" >&2
exit 1
fi
echo -e "\n### Storing original keychain search list..."
# We want to restore the normal keychains and ignore Jenkis created ones
ORIG_KEYCHAIN_LIST=$(security list-keychains | grep -v -e "^/private" -e "secretFiles" | xargs)
# The keychain file needs to be locked afterwards
trap clean_up EXIT ERR
echo -e "\n### Adding keychain to search list..."
security list-keychains -s ${ORIG_KEYCHAIN_LIST} "${MACOS_KEYCHAIN_FILE}"
security list-keychains
echo -e "\n### Unlocking keychain..."
security unlock-keychain -p "${MACOS_KEYCHAIN_PASS}" "${MACOS_KEYCHAIN_FILE}"
# Add a flag to use the unlocked keychain
CODESIGN_OPTS+=("--keychain ${MACOS_KEYCHAIN_FILE}")
fi
# If 'TARGET' is a directory, we assume it's an app
# bundle, otherwise we consider it to be a dmg.
if [[ -d "${TARGET}" ]]; then
CODESIGN_OPTS+=("--deep")
fi
echo -e "\n### Signing target..."
codesign ${CODESIGN_OPTS[@]} "${TARGET}"
echo -e "\n### Verifying signature..."
codesign --verify --strict=all --deep --verbose=4 "${TARGET}"
echo -e "\n### Assessing Gatekeeper validation..."
if [[ -d "${TARGET}" ]]; then
spctl --assess --type execute --verbose=2 "${TARGET}"
else
echo "WARNING: The 'open' type security assesment is disabled due to lack of 'Notarization'"
# Issue: https://github.com/status-im/status-react/pull/9172
# Details: https://developer.apple.com/documentation/security/notarizing_your_app_before_distribution
#spctl --assess --type open --context context:primary-signature --verbose=2 "${OBJECT}"
fi
echo -e "\n###### DONE"