github-personal/firezone
1
0
Fork 0
mirror of https://github.com/outbackdingo/firezone.git synced 2026-01-27 18:18:55 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
5cb6d278d15212e6554e267bab52e19d570596cf
firezone/scripts/build/lib.sh
Jamil 091b52ef07 ci: Prevent having to manually update provisioning profile UUIDs (#9074) 
When updating the provisioning profiles (i.e. when changing anything the
Apple Developer Portal), we needed to manually update these build
scripts to point to the new UUIDs.

This can be made simpler to automatically pull it out of the profiles in
CI.
2025-05-11 22:54:14 +00:00

100 lines
2.8 KiB
Bash
Executable File
Raw Blame History

#!/usr/bin/env bash
set -e
# See https://docs.github.com/en/actions/use-cases-and-examples/deploying/installing-an-apple-certificate-on-macos-runners-for-xcode-development
function setup_runner() {
local app_profile="$1"
local app_profile_file="$2"
local ne_profile="$3"
local ne_profile_file="$4"
# Use the latest version of Xcode - matches what we typically use for development
sudo xcode-select --switch "$(ls -d /Applications/Xcode*.app | sort -V | tail -n 1)"
profiles_path="$HOME/Library/Developer/Xcode/UserData/Provisioning Profiles"
keychain_pass=$(openssl rand -base64 32)
keychain_path="$(mktemp -d)/app-signing.keychain-db"
# Install provisioning profiles
mkdir -p "$profiles_path"
base64_decode "$app_profile" "$profiles_path/$app_profile_file"
base64_decode "$ne_profile" "$profiles_path/$ne_profile_file"
# Create a keychain to use for signing
security create-keychain -p "$keychain_pass" "$keychain_path"
# Set it as the default keychain so Xcode can find the signing certs
security default-keychain -s "$keychain_path"
# Ensure it stays unlocked during the build
security set-keychain-settings -lut 21600 "$keychain_path"
# Unlock the keychain for use
security unlock-keychain -p "$keychain_pass" "$keychain_path"
# Install signing certs
install_cert \
"$BUILD_CERT" \
"$BUILD_CERT_PASS" \
"$keychain_pass" \
"$keychain_path"
install_cert \
"$INSTALLER_CERT" \
"$INSTALLER_CERT_PASS" \
"$keychain_pass" \
"$keychain_path"
install_cert \
"$STANDALONE_BUILD_CERT" \
"$STANDALONE_BUILD_CERT_PASS" \
"$keychain_pass" \
"$keychain_path"
install_cert \
"$STANDALONE_INSTALLER_CERT" \
"$STANDALONE_INSTALLER_CERT_PASS" \
"$keychain_pass" \
"$keychain_path"
}
function extract_uuid() {
local b64_profile="$1"
echo "$b64_profile" | base64 --decode | security cms -D | plutil -extract UUID raw -o - -
}
function base64_decode() {
local input_stdin="$1"
local output_path="$2"
echo -n "$input_stdin" | base64 --decode -o "$output_path"
}
function install_cert() {
local cert_path
local cert="$1"
local pass="$2"
local keychain_pass="$3"
local keychain_path="$4"
cert_path="$(mktemp -d)/cert.p12"
base64_decode "$cert" "$cert_path"
# Import cert into keychain
security import "$cert_path" \
-P "$pass" \
-A \
-t cert \
-f pkcs12 \
-k "$keychain_path"
# Prevent the keychain from asking for password to access the cert
security set-key-partition-list \
-S apple-tool:,apple: \
-k "$keychain_pass" \
"$keychain_path"
# Clean up
rm "$cert_path"
}
Reference in New Issue View Git Blame Copy Permalink