Create a local keychain instead of using the system keychain and drop…

… sudo from most of the build stages
google · Sep 28, 2021 · 6770799 · 6770799
1 parent b2b6cdc
commit 6770799
Show file tree

Hide file tree

Showing 3 changed files with 10 additions and 6 deletions.
diff --git a/Testing/build_and_sign.sh b/Testing/build_and_sign.sh
@@ -2,25 +2,26 @@
 set -e
 GIT_ROOT=$(git rev-parse --show-toplevel)
 
+KEYCHAIN="santa-dev-test.keychain"
 SANTAD_PATH=Santa.app/Contents/Library/SystemExtensions/com.google.santa.daemon.systemextension/Contents/MacOS/com.google.santa.daemon
 SANTAD_ENTITLEMENTS="$GIT_ROOT/Source/santad/com.google.santa.daemon.systemextension.entitlements"
 SANTA_BIN_PATH=Santa.app/Contents/MacOS
 SIGNING_IDENTITY="localhost"
 
 
 function main() {
-    sudo bazel build --ios_signing_cert_name=$SIGNING_IDENTITY --apple_generate_dsym -c opt --define=SANTA_BUILD_TYPE=ci --define=apple.propagate_embedded_extra_outputs=yes --macos_cpus=x86_64,arm64 //:release
+    bazel build --apple_generate_dsym -c opt --define=SANTA_BUILD_TYPE=ci --define=apple.propagate_embedded_extra_outputs=yes --macos_cpus=x86_64,arm64 //:release
 
     echo "> Build complete, installing santa"
     TMP_DIR=$(mktemp -d)
     tar xvf $GIT_ROOT/bazel-bin/santa-*.tar.gz -C $TMP_DIR
     CS_ARGS="--prefix=EQHXZ8M8AV -fs $SIGNING_IDENTITY --timestamp --options library,kill,runtime"
 
     for bin in $TMP_DIR/binaries/$SANTA_BIN_PATH/*; do
-        sudo codesign --preserve-metadata=entitlements ${CS_ARGS} $bin
+        codesign --keychain $KEYCHAIN --preserve-metadata=entitlements ${CS_ARGS} $bin
     done
 
-    sudo codesign ${CS_ARGS} --entitlements $SANTAD_ENTITLEMENTS $TMP_DIR/binaries/$SANTAD_PATH
+    codesign ${CS_ARGS} --keychain $KEYCHAIN --entitlements $SANTAD_ENTITLEMENTS $TMP_DIR/binaries/$SANTAD_PATH
 
     echo "> Running install.sh"
     (

diff --git a/Testing/init_dev_certs.sh b/Testing/init_dev_certs.sh
@@ -9,6 +9,8 @@ openssl req -new -key ./santa.key -out ./santa.csr -config $CNF_PATH
 openssl x509 -req -days 10 -in ./santa.csr -signkey ./santa.key -out ./santa.crt -extfile $CNF_PATH -extensions codesign
 openssl pkcs12 -export -out santa.p12 -inkey santa.key -in santa.crt -password pass:santa
 
-KEYCHAIN="/Library/Keychains/System.keychain"
-sudo security import ./santa.p12 -k $KEYCHAIN -A -P santa
-sudo security add-trusted-cert -d -r trustRoot -k $KEYCHAIN santa.crt
+#KEYCHAIN="/Library/Keychains/System.keychain"
+KEYCHAIN="santa-dev-test.keychain"
+security create-keychain -p santa $KEYCHAIN
+security import ./santa.p12 -k $KEYCHAIN -A -P santa
+security add-trusted-cert -d -r trustRoot -k $KEYCHAIN santa.crt
diff --git a/Testing/reset.sh b/Testing/reset.sh
@@ -3,3 +3,4 @@ killall moroz
 security delete-identity -c "localhost"
 rm -rf /Applications/Santa.app
 systemextensionsctl reset
+security delete-keychain santa-dev-test.keychain