@@ -82,7 +82,7 @@ jobs:
|
||||
|
||||
probe_binary="$RUNNER_TEMP/codesign-probe"
|
||||
cp /usr/bin/true "$probe_binary"
|
||||
codesign --force --dryrun --keychain "$keychain_path" --sign "$codesign_identity" --options runtime --timestamp "$probe_binary"
|
||||
codesign --force --dryrun --sign "$codesign_identity" --keychain "$keychain_path" --options runtime --timestamp "$probe_binary"
|
||||
|
||||
echo "CUSTOM_RELEASE_CODESIGN_IDENTITY=$codesign_identity" >> "$GITHUB_ENV"
|
||||
echo "CUSTOM_RELEASE_CODESIGN_IDENTITY_SHA1=$codesign_identity_sha1" >> "$GITHUB_ENV"
|
||||
|
||||
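Review bot: The reordered probe line (`--sign` now ahead of `--keychain`) carries no comment saying why the order matters, and the same ordering is pinned byte-for-byte by the bats hunks (@@ -62, @@ -90, @@ -103) and by the release-script hunks (@@ -302, @@ -310), so a later tidy-up could swap it back and only find out from CI. Presumably the point is that codesign's `--keychain` narrows where the `--sign` identity is looked up and the lookup is sensitive to argument order; confirm that against the codesign man page before recording it as fact. What can be recorded from this commit alone is the coupling, e.g. above the probe line: `# NOTE: keep --sign before --keychain; the bats suite asserts this exact order`. The enclosing run step starts outside the hunk.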
@@ -62,7 +62,7 @@ setup() {
|
||||
run rg -n 'CUSTOM_RELEASE_KEYCHAIN_PASSWORD=\$keychain_password' "$WORKFLOW"
|
||||
[ "$status" -eq 0 ]
|
||||
|
||||
run rg -n 'codesign --force --dryrun --keychain "\$keychain_path" --sign "\$codesign_identity" --options runtime --timestamp "\$probe_binary"' "$WORKFLOW"
|
||||
run rg -n 'codesign --force --dryrun --sign "\$codesign_identity" --keychain "\$keychain_path" --options runtime --timestamp "\$probe_binary"' "$WORKFLOW"
|
||||
[ "$status" -eq 0 ]
|
||||
|
||||
run rg -n 'CUSTOM_RELEASE_CODESIGN_IDENTITY: "Developer ID Application' "$WORKFLOW"
|
||||
@@ -90,12 +90,15 @@ setup() {
|
||||
}
|
||||
|
||||
@test "custom release signs darwin assets with hardened runtime and timestamp" {
|
||||
run rg -n 'codesign_args\+=\(--sign "\$codesign_identity" --options runtime --timestamp\)' "$RELEASE_SCRIPT"
|
||||
run rg -n 'codesign_args=\(--force --sign "\$codesign_identity"\)' "$RELEASE_SCRIPT"
|
||||
[ "$status" -eq 0 ]
|
||||
|
||||
run rg -n -- '--keychain "\$CUSTOM_RELEASE_KEYCHAIN_PATH"' "$RELEASE_SCRIPT"
|
||||
[ "$status" -eq 0 ]
|
||||
|
||||
run rg -n 'codesign_args\+=\(--options runtime --timestamp\)' "$RELEASE_SCRIPT"
|
||||
[ "$status" -eq 0 ]
|
||||
|
||||
run rg -n 'security unlock-keychain -p "\$CUSTOM_RELEASE_KEYCHAIN_PASSWORD" "\$CUSTOM_RELEASE_KEYCHAIN_PATH"' "$RELEASE_SCRIPT"
|
||||
[ "$status" -eq 0 ]
|
||||
|
||||
@@ -103,10 +106,10 @@ setup() {
|
||||
[ "$status" -eq 0 ]
|
||||
|
||||
run awk '
|
||||
/codesign_args=\(--force\)/ { base = NR }
|
||||
/codesign_args=\(--force --sign "\$codesign_identity"\)/ { sign = NR }
|
||||
/codesign_args\+=\(--keychain "\$CUSTOM_RELEASE_KEYCHAIN_PATH"\)/ { keychain = NR }
|
||||
/codesign_args\+=\(--sign "\$codesign_identity" --options runtime --timestamp\)/ { sign = NR }
|
||||
END { exit !(base && keychain && sign && base < keychain && keychain < sign) }
|
||||
/codesign_args\+=\(--options runtime --timestamp\)/ { options = NR }
|
||||
END { exit !(sign && keychain && options && sign < keychain && keychain < options) }
|
||||
' "$RELEASE_SCRIPT"
|
||||
[ "$status" -eq 0 ]
|
||||
|
||||
|
||||
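Review bot: The new awk ordering check only reports a bare non-zero status, so when it fails the bats output gives no hint which of `sign`, `keychain` or `options` was unmatched or out of order; since `run` captures stdout, printing the three line numbers before exiting makes the failure self-explaining: `END { print "sign=" sign, "keychain=" keychain, "options=" options; exit !(sign && keychain && options && sign < keychain && keychain < options) }`. Note also that each pattern matches anywhere on a line, so a commented-out copy of one of the three statements would still satisfy the check; anchoring the patterns at `^[[:space:]]*` would tighten that, if the script's indentation makes it practical. The @test body this hunk belongs to starts outside the hunk.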
@@ -302,7 +302,7 @@ sign_and_validate_darwin_binary() {
|
||||
|
||||
[[ -n "$codesign_identity" ]] || die "CUSTOM_RELEASE_CODESIGN_IDENTITY is required for darwin builds"
|
||||
|
||||
codesign_args=(--force)
|
||||
codesign_args=(--force --sign "$codesign_identity")
|
||||
if [[ -n "${CUSTOM_RELEASE_KEYCHAIN_PATH:-}" ]]; then
|
||||
if [[ -n "${CUSTOM_RELEASE_KEYCHAIN_PASSWORD:-}" ]]; then
|
||||
security unlock-keychain -p "$CUSTOM_RELEASE_KEYCHAIN_PASSWORD" "$CUSTOM_RELEASE_KEYCHAIN_PATH"
|
||||
@@ -310,7 +310,7 @@ sign_and_validate_darwin_binary() {
|
||||
security find-identity -v -p codesigning "$CUSTOM_RELEASE_KEYCHAIN_PATH"
|
||||
codesign_args+=(--keychain "$CUSTOM_RELEASE_KEYCHAIN_PATH")
|
||||
fi
|
||||
codesign_args+=(--sign "$codesign_identity" --options runtime --timestamp)
|
||||
codesign_args+=(--options runtime --timestamp)
|
||||
codesign "${codesign_args[@]}" "$binary"
|
||||
|
||||
version_output="$("$binary" --version)"
|
||||
|
||||