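#!/usr/bin/env bash
# certkeychain.sh — create a throw-away "build.keychain" on macOS and import a
# Developer ID certificate (.p12) into it so codesign can run without a GUI
# prompt. Intended for CI: CERT is the base64-encoded p12 (e.g. a GitHub
# secret) and PASS is the password that protects it.
#
# -u: fail on unset variables; -o pipefail: a failing base64 decode inside a
# pipeline must abort the script, not be masked by the final stage.
set -euo pipefail

# Where the decoded p12 is written before import (relative to the cwd).
readonly CERTFILE=certificate.p12
# Password protecting the build keychain itself. It guards an ephemeral CI
# keychain, so a fixed default is tolerated; it can be overridden from the
# environment (KEY_PASS=...) when the runner is not single-tenant.
# NOTE(review): it is passed to `security` on the command line, so it is
# visible to other local processes via `ps` while those commands run.
readonly KEY_PASS=${KEY_PASS:-keypass}
readonly KEYCHAIN=build.keychain
# On-disk path of the keychain (macOS stores "<name>" as "<name>-db").
readonly KEYCHAINFILE=$HOME/Library/Keychains/$KEYCHAIN-db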
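# Print usage to stdout.
# "$0" is quoted so a script path containing spaces or glob characters does
# not break basename (the original left it unquoted).
help(){ cat <<EOF
$(basename "$0") [-h] [-c] CERT PASS
Create build.keychain and import Developer ID certificate.
Creating a separate keychain is necessary in order to set properties of the
keychain that allow it to be accessed without GUI prompt.
Required:
CERT base64 encoded Developer ID certificate and private key
PASS Password used to encode CERT
Options:
-h Display this help
-c Clean up. Delete the certificate file and build.keychain
EOF
}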
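# fd 3 is a copy of the script's original stdout, so log lines reach it even
# when a later command's stdout is captured or redirected.
exec 3>&1
# Write one timestamped INFO line to fd 3.
# Arguments: $1 - message text
# The message is passed to printf as an argument, never as part of the date
# format string: the original embedded $1 in the `date +...` format, so a
# message containing '%' (e.g. "50%") would have been expanded by date.
log(){
  local level="INFO"
  local stamp
  stamp=$(date "+%Y-%m-%d %H:%M:%S")
  printf '%s [%s] [keychain] -> %s\n' "$stamp" "$level" "$1" 1>&3
}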
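# Remove what this script creates: the decoded p12 and the build keychain
# (only if its on-disk file exists). Invoked by -c. The original referenced
# `cleanup` from getopts but never defined it, so -c failed with
# "command not found".
cleanup(){
  log "Cleaning up..."
  rm -f -- "$CERTFILE"
  if [[ -e "$KEYCHAINFILE" ]]; then
    security delete-keychain "$KEYCHAIN"
  fi
}

while getopts "hc" option; do
  case "$option" in
    h) help; exit ;;
    c) cleanup; exit ;;
    \?) help >&2; exit 2 ;;   # unknown option: do not fall through to import
  esac
done
shift $((OPTIND - 1))
# (( )) compares numerically; the original [[ $# < 2 ]] was a string compare.
if (( $# < 2 )); then
  log "Certificate and/or certificate password not provided"
  exit 1
fi
CERT=$1
PASS=$2

# NOTE(review): CERT and PASS arrive on the command line, and PASS is handed to
# `security import -P` the same way, so both are visible to other local
# processes via `ps` while those commands run. Keep the runner ephemeral and
# single-tenant, and never enable `set -x` around these lines.

# --- Prepare the certificate
# Decode the base64 secret back to a p12. The file is created with mode 0600
# (umask 077 in a subshell) and removed on every exit path: the keychain is
# where the identity is meant to live, not a readable file in the workspace.
log "Decoding Certificate..."
trap 'rm -f -- "$CERTFILE"' EXIT
if ! ( umask 077; printf '%s' "$CERT" | base64 --decode > "$CERTFILE" ); then
  log "Certificate is not valid base64"
  exit 1
fi

# --- Create keychain
log "Creating keychain..."
security create-keychain -p "$KEY_PASS" "$KEYCHAIN"
# Make it the default and unlock it so the import needs no GUI prompt.
# NOTE(review): `default-keychain -s` changes the calling user's default
# keychain; outside a throw-away CI runner, adding it to the search list is
# less intrusive. A new keychain also auto-locks after a timeout, so long
# builds may need `security set-keychain-settings` — confirm on the target
# macOS version.
log "Importing certificate..."
security default-keychain -s "$KEYCHAIN"
security unlock-keychain -p "$KEY_PASS" "$KEYCHAIN"
# -T grants /usr/bin/codesign access to the imported private key.
security import "$CERTFILE" -k "$KEYCHAIN" -P "$PASS" -T /usr/bin/codesign
# The p12 has served its purpose; do not leave the private key on disk.
rm -f -- "$CERTFILE"
# Let Apple's signing tools use the key without a per-use GUI confirmation.
security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "$KEY_PASS" "$KEYCHAIN"

# verify import: find-identity exits 0 even when nothing usable was imported,
# so inspect its summary line ("N valid identities found") and fail on zero.
log "Verifying identity..."
identities=$(security find-identity -p codesigning -v "$KEYCHAIN")
printf '%s\n' "$identities"
zero_re='(^|[^0-9])0 valid identit'
if [[ "$identities" =~ $zero_re ]]; then
  log "No valid code-signing identity found in $KEYCHAIN"
  exit 1
fi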