First attempt to sign Squeak VMs on macOS

OpenSmalltalk · Jan 16, 2018 · e1ccb44 · e1ccb44
1 parent d0dfefc
commit e1ccb44
Show file tree

Hide file tree

Showing 3 changed files with 32 additions and 2 deletions.
diff --git a/.gitignore b/.gitignore
@@ -256,3 +256,4 @@ platforms/unix/config/autom4te.cache/
 
 # /products/debug/
 /products/debug/*
+*.p12
diff --git a/deploy/generate-artifacts.sh b/deploy/generate-artifacts.sh
@@ -1,13 +1,34 @@
 #!/bin/bash
 set -e
 
-readonly PRODUCTS_DIR="./products"
+readonly PRODUCTS_DIR="$(pwd)/products"
 if [[ ! -d "${PRODUCTS_DIR}" ]]; then
   echo "No products directory found."
   exit 10
 fi
 readonly REV=$(grep -m1 "SvnRawRevisionString" platforms/Cross/vm/sqSCCSVersion.h | sed 's/[^0-9.]*\([0-9.]*\).*/\1/')
 readonly IDENTIFIER="cog_${ARCH}_${FLAVOR}_${REV}"
+readonly KEY_CHAIN=macos-build.keychain
+
+macos_codesign() {
+  local cert_path=$1
+  local cert_pass=$2
+  local sign_identity=$3
+
+  travis_fold start macos_signing "Signing app bundle..."
+  # Set up keychain
+  security create-keychain -p travis "${KEY_CHAIN}"
+  security default-keychain -s "${KEY_CHAIN}"
+  security unlock-keychain -p travis "${KEY_CHAIN}"
+  security set-keychain-settings -t 3600 -u "${KEY_CHAIN}"
+  security import "${cert_path}" -k ~/Library/Keychains/"${KEY_CHAIN}" -P "${cert_pass}" -T /usr/bin/codesign
+  # Invoke codesign
+  codesign -s "${sign_identity}" --force --deep ./*.app
+  # Remove sensitive files again
+  rm -rf "${cert_path}"
+  security delete-keychain "${KEY_CHAIN}"
+  travis_fold end macos_signing
+}
 
 pushd "${PRODUCTS_DIR}"
 if [[ "${TRAVIS_OS_NAME}" == "linux" ]]; then
@@ -26,8 +47,16 @@ if [[ "${TRAVIS_OS_NAME}" == "linux" ]]; then
     fi
   done
 elif [[ "${TRAVIS_OS_NAME}" == "osx" ]]; then
+  readonly DEPLOY_DIR="${TRAVIS_BUILD_DIR}/deploy"
+  if [[ "${FLAVOR}" == "squeak"* ]]; then
+    openssl aes-256-cbc -k "${SQUEAK_SIGN_PASSWORD}" -in "{DEPLOY_DIR}/squeak/sign.enc" -out "${DEPLOY_DIR}/squeak/sign.p12" -d
+    macos_codesign "${DEPLOY_DIR}/squeak/sign.p12" "${SQUEAK_CERT_PASSWORD}" "${SQUEAK_SIGN_IDENTITY}"
+  elif [[ "${FLAVOR}" == "pharo"* ]]; then
+    # TODO: decrypt Pharo signing certificate and invoke macos_codesign to sign app bundle
+    # macos_codesign "${DEPLOY_DIR}/pharo/sign.p12" "${PHARO_CERT_PASSWORD}" "${PHARO_SIGN_IDENTITY}"
+  fi
   TMP_DMG="temp.dmg"
-  hdiutil create -size 8m -volname "${IDENTIFIER}" -srcfolder "${PRODUCTS_DIR}"/*.app \
+  hdiutil create -size 8m -volname "${IDENTIFIER}" -srcfolder "./"*.app \
       -fs HFS+ -fsargs "-c c=64,a=16,e=16" -format UDRW -nospotlight "${TMP_DMG}"
   DEVICE="$(hdiutil attach -readwrite -noautoopen -nobrowse "${TMP_DMG}" | awk 'NR==1{print$1}')"
   VOLUME="$(mount | grep "$DEVICE" | sed 's/^[^ ]* on //;s/ ([^)]*)$//')"

diff --git a/deploy/squeak/sign.enc b/deploy/squeak/sign.enc