mirror of
https://github.com/outbackdingo/firezone.git
synced 2026-01-27 18:18:55 +00:00
280dc6c97b
A particular version of Xcode locks in particular versions of SDKs to build against. If we hardcode this, the benefit is that we have a predictable and repeatable build environment. The downside is whenever GitHub updates its macOS runner images, we could fail to build due to a version mismatch. In general, drift between Xcode versions isn't a problem, and tracking the latest will more closely track developer's machines.
85 lines
2.3 KiB
Bash
Executable File
85 lines
2.3 KiB
Bash
Executable File
#!/usr/bin/env bash
|
|
|
|
set -e
|
|
|
|
# See https://docs.github.com/en/actions/use-cases-and-examples/deploying/installing-an-apple-certificate-on-macos-runners-for-xcode-development
|
|
function setup_runner() {
|
|
local app_profile="$1"
|
|
local app_profile_file="$2"
|
|
local ne_profile="$3"
|
|
local ne_profile_file="$4"
|
|
profiles_path="$HOME/Library/Developer/Xcode/UserData/Provisioning Profiles"
|
|
keychain_pass=$(openssl rand -base64 32)
|
|
keychain_path="$(mktemp -d)/app-signing.keychain-db"
|
|
|
|
# Install provisioning profiles
|
|
mkdir -p "$profiles_path"
|
|
base64_decode "$app_profile" "$profiles_path/$app_profile_file"
|
|
base64_decode "$ne_profile" "$profiles_path/$ne_profile_file"
|
|
|
|
# Create a keychain to use for signing
|
|
security create-keychain -p "$keychain_pass" "$keychain_path"
|
|
|
|
# Set it as the default keychain so Xcode can find the signing certs
|
|
security default-keychain -s "$keychain_path"
|
|
|
|
# Ensure it stays unlocked during the build
|
|
security set-keychain-settings -lut 21600 "$keychain_path"
|
|
|
|
# Unlock the keychain for use
|
|
security unlock-keychain -p "$keychain_pass" "$keychain_path"
|
|
|
|
# Install signing certs
|
|
install_cert \
|
|
"$BUILD_CERT" \
|
|
"$BUILD_CERT_PASS" \
|
|
"$keychain_pass" \
|
|
"$keychain_path"
|
|
install_cert \
|
|
"$INSTALLER_CERT" \
|
|
"$INSTALLER_CERT_PASS" \
|
|
"$keychain_pass" \
|
|
"$keychain_path"
|
|
install_cert \
|
|
"$STANDALONE_BUILD_CERT" \
|
|
"$STANDALONE_BUILD_CERT_PASS" \
|
|
"$keychain_pass" \
|
|
"$keychain_path"
|
|
}
|
|
|
|
function base64_decode() {
|
|
local input_stdin="$1"
|
|
local output_path="$2"
|
|
|
|
echo -n "$input_stdin" | base64 --decode -o "$output_path"
|
|
}
|
|
|
|
function install_cert() {
|
|
local cert_path
|
|
local cert="$1"
|
|
local pass="$2"
|
|
local keychain_pass="$3"
|
|
local keychain_path="$4"
|
|
|
|
cert_path="$(mktemp -d)/cert.p12"
|
|
|
|
base64_decode "$cert" "$cert_path"
|
|
|
|
# Import cert into keychain
|
|
security import "$cert_path" \
|
|
-P "$pass" \
|
|
-A \
|
|
-t cert \
|
|
-f pkcs12 \
|
|
-k "$keychain_path"
|
|
|
|
# Prevent the keychain from asking for password to access the cert
|
|
security set-key-partition-list \
|
|
-S apple-tool:,apple: \
|
|
-k "$keychain_pass" \
|
|
"$keychain_path"
|
|
|
|
# Clean up
|
|
rm "$cert_path"
|
|
}
|