-
Notifications
You must be signed in to change notification settings - Fork 587
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Resolve security warning for macOS users (#194)
Signed-off-by: Dan Luhring <dan.luhring@anchore.com>
- Loading branch information
Showing
8 changed files
with
116 additions
and
31 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,31 @@ | ||
#!/usr/bin/env bash | ||
set -eu | ||
|
||
CI_HOME="/Users/runner" | ||
if [[ "${HOME}" != "${CI_HOME}" ]]; then | ||
printf "WARNING! It looks like this isn't the CI environment. This script modifies the macOS Keychain setup in ways you probably wouldn't want for your own machine. It also requires an Apple Developer ID Certificate that you shouldn't have outside of the CI environment.\n\nExiting early to make sure nothing bad happens.\n" | ||
exit 1 | ||
fi | ||
|
||
# Install gon (see https://github.com/mitchellh/gon for details). | ||
brew tap mitchellh/gon | ||
brew install mitchellh/gon/gon | ||
|
||
# Write signing certificate to disk from environment variable. | ||
CERT_FILE="$HOME/developer_id_certificate.p12" | ||
echo -n "$APPLE_DEVELOPER_ID_CERT" | base64 --decode > "$CERT_FILE" | ||
|
||
# In order to have all keychain interactions avoid an interactive user prompt, we need to control the password for the keychain in question, which means we need to create a new keychain into which we'll import the signing certificate and from which we'll later access this certificate during code signing. | ||
EPHEMERAL_KEYCHAIN="ci-ephemeral-keychain" | ||
EPHEMERAL_KEYCHAIN_PASSWORD="$(openssl rand -base64 100)" | ||
security create-keychain -p "${EPHEMERAL_KEYCHAIN_PASSWORD}" "${EPHEMERAL_KEYCHAIN}" | ||
|
||
# Import signing certificate into the keychain. (This is a pre-requisite for gon, which is invoked via goreleaser.) | ||
EPHEMERAL_KEYCHAIN_FULL_PATH="$HOME/Library/Keychains/${EPHEMERAL_KEYCHAIN}-db" | ||
security import "${CERT_FILE}" -k "${EPHEMERAL_KEYCHAIN_FULL_PATH}" -P "${APPLE_DEVELOPER_ID_CERT_PASS}" -T "$(command -v codesign)" | ||
|
||
# Setting the partition list for this certificate's private key to include "apple-tool:" and "apple:" allows the codesign command to access this keychain item without an interactive user prompt. (codesign is invoked by gon.) | ||
security set-key-partition-list -S "apple-tool:,apple:" -s -k "${EPHEMERAL_KEYCHAIN_PASSWORD}" "${EPHEMERAL_KEYCHAIN_FULL_PATH}" | ||
|
||
# Make this new keychain the user's default keychain, so that codesign will be able to find this certificate when we specify it during signing. | ||
security default-keychain -d "user" -s "${EPHEMERAL_KEYCHAIN_FULL_PATH}" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,16 @@ | ||
#!/usr/bin/env bash | ||
set -eu | ||
|
||
IS_SNAPSHOT="$1" # e.g. "true", "false" | ||
|
||
if [[ "${IS_SNAPSHOT}" == "true" ]]; then | ||
# This is a snapshot build —— skipping signing and notarization... | ||
exit 0 | ||
fi | ||
|
||
GON_CONFIG="$2" # e.g. "gon.hcl" | ||
NEW_DMG_NAME="$3" # e.g. "./dist/syft-0.1.0.dmg" | ||
ORIGINAL_DMG_NAME="./dist/output.dmg" # This should match dmg output_path in the gon config file. | ||
|
||
gon "${GON_CONFIG}" | ||
mv -v "${ORIGINAL_DMG_NAME}" "${NEW_DMG_NAME}" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,11 @@ | ||
source = ["./dist/grype-macos_darwin_amd64/grype"] # The 'dist' directory path should ideally reference an env var, where the source of truth is the Makefile. I wasn't able to figure out how to solve this. | ||
bundle_id = "com.anchore.toolbox.grype" | ||
|
||
sign { | ||
application_identity = "Developer ID Application: ANCHORE, INC. (9MJHKYX5AT)" | ||
} | ||
|
||
dmg { | ||
output_path = "./dist/output.dmg" | ||
volume_name = "Grype" | ||
} |