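#!/bin/sh
# codesign.sh - sign a macOS app bundle with the signing identity named by
# MACOS_CERTIFICATE_NAME.
#
# Usage: codesign.sh <path to app to sign>
#
# Environment:
#   MACOS_CERTIFICATE_NAME   (required) identity passed to `codesign -s`
#   ACTIONS_STEP_DEBUG/DEBUG set to 'true' to trace commands with `set -x`
#   RUNNER_TEMP              when set (CI), a temporary keychain is created
#                            under it and the certificate is imported from:
#   MACOS_P12_BASE64           base64-encoded PKCS#12 bundle
#   MACOS_P12_PASSWORD         password protecting the PKCS#12 bundle
#   KEYCHAIN_PASSWORD          password for the temporary keychain
#
# Exit status: 1 on bad usage, 2 on missing MACOS_CERTIFICATE_NAME, otherwise
# the status of the first failing command (set -e).
set -e

# Print a message to stderr and exit with the given status.
# Arguments: $1 - exit status, remaining args - message
die() {
  status=$1
  shift
  printf '%s\n' "$*" >&2
  exit "$status"
}

# Bail if we didn't get one (and only one) argument
[ $# -eq 1 ] || die 1 "Usage: $0 <path to app to sign>"
APP_PATH=$1

[ -n "$MACOS_CERTIFICATE_NAME" ] || die 2 "Error: missing env var MACOS_CERTIFICATE_NAME"

# Opt-in command tracing for debugging CI runs.
if [ "$ACTIONS_STEP_DEBUG" = 'true' ] || [ "$DEBUG" = 'true' ]; then
  TRACE=true
  set -x
else
  TRACE=false
fi

# We need to create a temporary keychain to store our certificate, but only in CI
if [ -n "$RUNNER_TEMP" ]; then
  # Every command in this block carries a secret on its command line or in an
  # expansion, and xtrace would echo those secrets into the CI log. Keep
  # tracing off until the secrets have been consumed, then restore it.
  set +x

  : "${MACOS_P12_BASE64:?Error: missing env var MACOS_P12_BASE64}"
  : "${MACOS_P12_PASSWORD:?Error: missing env var MACOS_P12_PASSWORD}"
  : "${KEYCHAIN_PASSWORD:?Error: missing env var KEYCHAIN_PASSWORD}"

  TMP_CERTIFICATE_PATH=$RUNNER_TEMP/build_certificate.p12
  TMP_KEYCHAIN_PATH=$RUNNER_TEMP/app-signing.keychain-db

  # The decoded .p12 is only needed for the import below; make sure it does not
  # outlive this script on any exit path (error, signal, or normal completion).
  trap 'rm -f -- "$TMP_CERTIFICATE_PATH"' EXIT

  # Decode the certificate from the secret. printf (not echo) so a value that
  # starts with '-' or contains backslashes is passed through verbatim; the
  # umask keeps the decoded bundle readable by this user only.
  (umask 077 && printf '%s' "$MACOS_P12_BASE64" | base64 --decode > "$TMP_CERTIFICATE_PATH")

  # We need to create a new keychain, otherwise using the certificate will prompt
  # with a UI dialog asking for the certificate password, which we can't
  # use in a headless CI environment.
  # The '|| true' tolerates create-keychain failing (presumably because the
  # keychain already exists from an earlier step on the same runner); the
  # unlock on the next line still fails loudly if the keychain is unusable.
  security create-keychain -p "$KEYCHAIN_PASSWORD" "$TMP_KEYCHAIN_PATH" || true
  # security set-keychain-settings -lut 21600 "$TMP_KEYCHAIN_PATH"
  # security default-keychain -s "$TMP_KEYCHAIN_PATH"
  security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$TMP_KEYCHAIN_PATH"

  # Import certificate to keychain, allowing only /usr/bin/codesign to use the key
  security import "$TMP_CERTIFICATE_PATH" -P "$MACOS_P12_PASSWORD" -t cert -f pkcs12 -k "$TMP_KEYCHAIN_PATH" -T /usr/bin/codesign
  # Remove the decoded bundle as soon as it has been imported.
  rm -f -- "$TMP_CERTIFICATE_PATH"

  security list-keychain -d user -s "$TMP_KEYCHAIN_PATH"

  # Let the Apple tools use the imported key without a UI prompt.
  security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "$KEYCHAIN_PASSWORD" "$TMP_KEYCHAIN_PATH"

  # Secrets are no longer on any command line; restore tracing if requested.
  if [ "$TRACE" = true ]; then
    set -x
  fi
fi

# We finally codesign our app bundle.
# '--options runtime' enables the Hardened Runtime (required for notarization).
codesign --force -s "$MACOS_CERTIFICATE_NAME" "$APP_PATH" -v --timestamp --options runtime,library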