#!/usr/bin/env bash
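set -eu

# Helpers used here (assert_in_ci, exit_with_error, title, commentary) are not
# defined in this file; the script that sources it is expected to provide them.
assert_in_ci

# Secret material is handled from this point on: keep xtrace off so the
# certificate, its passphrase and the keychain password never reach the CI log,
# even when the workflow dumps signing logs on failure. Do not re-enable
# `set -x` below this line.
set +x

# Presence checks use ${VAR:-} so they are safe under `set -u` without toggling
# nounset off and back on (which would also mask variable-name typos in between).
if [[ -z "${APPLE_DEVELOPER_ID_CERT:-}" ]]; then
  exit_with_error "APPLE_DEVELOPER_ID_CERT not set"
fi

if [[ -z "${APPLE_DEVELOPER_ID_CERT_PASS:-}" ]]; then
  exit_with_error "APPLE_DEVELOPER_ID_CERT_PASS not set"
fi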
# setup_signing
#
# Preps the MAC_SIGNING_IDENTITY env var for use in the signing process, using the
# production Developer ID certificate material supplied via APPLE_DEVELOPER_ID_CERT
# (base64 P12) and APPLE_DEVELOPER_ID_CERT_PASS (its passphrase). It creates a
# dedicated keychain with a random password and makes it the user's default.
# Must be called with xtrace disabled: the passphrase is passed to `security` on
# the command line.
#
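setup_signing() {
  title "setting up production certificate material"

  # Everything below handles secret material. It relies on the caller having
  # disabled xtrace (`set +x`) beforehand: the P12 passphrase and the keychain
  # password are passed to `security` as command-line arguments (the tool offers
  # no stdin/file alternative for them), so a trace line would copy them into the
  # CI log. They also remain briefly visible to other local processes via `ps`.

  # Decode the base64 P12 from the environment into a private (0600) temp file.
  # mktemp avoids a predictable path in $HOME; the file is removed again as soon
  # as the certificate has been imported so the private key does not linger on
  # the runner's filesystem. Variables are deliberately left global (not `local`)
  # in case sibling scripts read them — TODO confirm and make local if not.
  cert_file="$(mktemp "${TMPDIR:-/tmp}/developer_id_certificate.XXXXXX")"
  if ! printf '%s' "${APPLE_DEVELOPER_ID_CERT}" | base64 --decode > "${cert_file}"; then
    rm -f -- "${cert_file}"
    exit_with_error "APPLE_DEVELOPER_ID_CERT could not be base64-decoded"
  fi

  # All keychain interactions must avoid an interactive prompt, which means we
  # need to own the keychain password. So: create a fresh keychain with a random
  # password, import the certificate into it, and sign from it later.
  # NOTE(review): the keychain name is fixed, so on a runner that is not
  # ephemeral a leftover keychain from a previous run makes create-keychain fail
  # (and `set -e` aborts) — confirm runners are fresh, or delete it first.
  ephemeral_keychain="ci-ephemeral-keychain"
  # -hex output is a single line; `openssl rand -base64` wraps long output at
  # 64 characters, which would embed newlines in the password.
  ephemeral_keychain_password="$(openssl rand -hex 32)"
  security create-keychain -p "${ephemeral_keychain_password}" "${ephemeral_keychain}"

  # Import the certificate + private key into the new keychain and allow the
  # codesign binary to use the key. (gon, invoked via goreleaser, runs codesign.)
  ephemeral_keychain_full_path="$HOME/Library/Keychains/${ephemeral_keychain}-db"
  if ! security import "${cert_file}" -k "${ephemeral_keychain_full_path}" -P "${APPLE_DEVELOPER_ID_CERT_PASS}" -T "$(command -v codesign)"; then
    rm -f -- "${cert_file}"
    exit_with_error "failed to import signing certificate into ${ephemeral_keychain_full_path}"
  fi
  rm -f -- "${cert_file}"

  # Let the "apple-tool:" and "apple:" partitions (which cover codesign) use the
  # imported private key without an interactive prompt.
  security set-key-partition-list -S "apple-tool:,apple:" -s -k "${ephemeral_keychain_password}" "${ephemeral_keychain_full_path}"

  # Make the ephemeral keychain the user's default so codesign can find the
  # identity by name. This persistently changes the runner user's keychain
  # configuration; it is only acceptable because the runner is assumed to be
  # discarded after the job — confirm before reusing runners.
  security default-keychain -d "user" -s "${ephemeral_keychain_full_path}"

  # TODO: extract this from the certificate material itself
  export MAC_SIGNING_IDENTITY="Developer ID Application: ANCHORE, INC. (9MJHKYX5AT)"

  # Fail fast if the imported certificate does not carry the hard-coded identity
  # (e.g. after a certificate rotation) rather than letting codesign fail later
  # with a less specific error.
  if ! security find-identity -p codesigning "${ephemeral_keychain_full_path}" | grep -qF -- "${MAC_SIGNING_IDENTITY}"; then
    exit_with_error "signing identity '${MAC_SIGNING_IDENTITY}' not found in ${ephemeral_keychain_full_path}"
  fi

  commentary "setting MAC_SIGNING_IDENTITY=${MAC_SIGNING_IDENTITY}"
}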