
Commit 2a8f0f4

committed
[ci] extract leaf cert from p12 to avoid rcodesign picking intermediate
1 parent 964105a commit 2a8f0f4


1 file changed

+7
-6
lines changed


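--- a/ci/main.go
+++ b/ci/main.go
@@ -311,7 +311,7 @@ func (m *ApoxyCli) SignDarwinBinary(
 From("ubuntu:22.04").
 WithEnvVariable("DEBIAN_FRONTEND", "noninteractive").
 WithExec([]string{"apt-get", "update"}).
-WithExec([]string{"apt-get", "install", "-y", "wget", "zip"}).
+WithExec([]string{"apt-get", "install", "-y", "wget", "zip", "openssl"}).
 // Install rcodesign.
 WithExec([]string{"sh", "-c", fmt.Sprintf(
 "wget -qO- '%s' | tar xzf - -C /usr/local/bin --strip-components=1 --wildcards '*/rcodesign'",
@@ -321,20 +321,21 @@ func (m *ApoxyCli) SignDarwinBinary(
 WithMountedSecret("/secrets/developer-id.p12", appleP12).
 WithMountedSecret("/secrets/p12-password", appleP12Password).
 WithMountedSecret("/secrets/notary-key.json", appleNotaryKey).
+// Extract leaf cert and key from .p12 (avoids rcodesign picking the intermediate cert).
+WithExec([]string{"sh", "-c", "openssl pkcs12 -in /secrets/developer-id.p12 -clcerts -nokeys -passin file:/secrets/p12-password -out /tmp/cert.pem -legacy"}).
+WithExec([]string{"sh", "-c", "openssl pkcs12 -in /secrets/developer-id.p12 -nocerts -nodes -passin file:/secrets/p12-password -out /tmp/key.pem -legacy"}).
 // Copy unsigned binary.
 WithFile("/work/apoxy", binary).
-// Sign with hardened runtime.
+// Sign with hardened runtime using extracted PEM files.
 WithExec([]string{
 "rcodesign", "sign",
-"--p12-file", "/secrets/developer-id.p12",
-"--p12-password-file", "/secrets/p12-password",
+"--pem-source", "/tmp/cert.pem",
+"--pem-source", "/tmp/key.pem",
 "--code-signature-flags", "runtime",
 "--timestamp-url", "http://timestamp.apple.com/ts01",
 "/work/apoxy",
 }).
 // Notarize: wrap in ZIP (required by Apple), submit, and wait.
-// Note: skipping rcodesign verify — it has known bugs (self-reported).
-// Apple's notarization validates the signature server-side.
 WithExec([]string{"sh", "-c", "cd /work && zip apoxy.zip apoxy"}).
 WithExec([]string{
 "rcodesign", "notary-submit",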
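Review bot: The second hunk writes the signing private key unencrypted (`-nodes`) to `/tmp/key.pem` on the container's ordinary filesystem, whereas the .p12 and its password only ever lived on secret mounts, and nothing in the hunk removes the PEM files after the `rcodesign sign` step, so the key plausibly survives in the container's intermediate snapshots and build cache (I am inferring that each WithExec is persisted; worth confirming for this Dagger setup). Mounting scratch space before the extraction, e.g. `WithMountedTemp("/tmp").`, or appending `WithExec([]string{"rm", "-f", "/tmp/cert.pem", "/tmp/key.pem"}).` right after the sign step would keep the key material out of persisted state. The extraction also depends on `-legacy`, which needs OpenSSL 3's legacy provider; ubuntu:22.04's openssl package appears to ship it, but a one-line comment such as `// -legacy: Apple-exported .p12 files use RC2/3DES, which OpenSSL 3 only reads via the legacy provider.` would spare the next maintainer a debugging session if the base image changes. SignDarwinBinary begins before the first hunk and continues past the second.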
