
build: auto-generate the codesigning cert used for macOS CI testing runs (#17668) (#23003)

* build: auto-generate the codesigning cert used for macOS CI testing runs

* build: give the cert ALL the trust values

* chore: also import public key

* idek
Samuel Attard 5 years ago
parent
commit
6a0c701a43

+ 1 - 1
.circleci/config.yml

@@ -302,7 +302,7 @@ step-install-signing-cert-on-mac: &step-install-signing-cert-on-mac
     command: |
       if [ "`uname`" == "Darwin" ]; then
         cd src/electron
-        ./script/codesign/import-testing-cert-ci.sh
+        ./script/codesign/generate-identity.sh
       fi
 
 step-install-gnutar-on-mac: &step-install-gnutar-on-mac

+ 1 - 0
script/codesign/.gitignore

@@ -0,0 +1 @@
+.working

+ 18 - 0
script/codesign/codesign.cnf

@@ -0,0 +1,18 @@
+[req]
+default_bits = 4096
+encrypt_key = no
+default_md = 512
+distinguished_name = req_distinguished_name
+prompt = no
+
+[req_distinguished_name]
+C = CA
+ST = BC
+L = Vancouver
+O = ElectronJS
+OU = BuildAutomation
+CN = codesign.electronjs.org
+
+[extended]
+keyUsage         = critical,digitalSignature
+extendedKeyUsage = critical,codeSigning
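Review bot: `default_md = 512` on L43 is not a digest name; depending on the OpenSSL/LibreSSL build, an unknown `default_md` is either silently ignored (falling back to the built-in default digest) or rejected with an "unknown digest" error, so it should read `default_md = sha512` (or `sha256`). `default_bits = 4096` on L41 and `encrypt_key = no` on L42 are both overridden by the `-newkey rsa:2048 -nodes` arguments that generate-identity.sh passes, so either the config file or the command line should own those values to avoid drift. A one-line comment above `[extended]` would make the coupling to the script explicit, e.g. `# selected by generate-identity.sh via -extensions extended`.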

+ 38 - 0
script/codesign/gen-trust.js

@@ -0,0 +1,38 @@
+const cp = require('child_process');
+const fs = require('fs');
+const path = require('path');
+
+const certificatePath = process.argv[2];
+const outPath = process.argv[3];
+const templatePath = path.resolve(__dirname, 'trust.xml');
+
+const template = fs.readFileSync(templatePath, 'utf8');
+
+const fingerprintResult = cp.spawnSync('openssl', ['x509', '-noout', '-fingerprint', '-sha1', '-in', certificatePath]);
+if (fingerprintResult.status !== 0) {
+  console.error(fingerprintResult.stderr.toString());
+  process.exit(1);
+}
+
+const fingerprint = fingerprintResult.stdout.toString().replace(/^SHA1 Fingerprint=/, '').replace(/:/g, '').trim();
+
+const serialResult = cp.spawnSync('openssl', ['x509', '-serial', '-noout', '-in', certificatePath]);
+if (serialResult.status !== 0) {
+  console.error(serialResult.stderr.toString());
+  process.exit(1);
+}
+
+let serialHex = serialResult.stdout.toString().replace(/^serial=/, '').trim();
+// Pad the serial number out to 18 hex chars
+while (serialHex.length < 18) {
+  serialHex = `0${serialHex}`;
+}
+const serialB64 = Buffer.from(serialHex, 'hex').toString('base64');
+
+const trust = template
+  .replace(/{{FINGERPRINT}}/g, fingerprint)
+  .replace(/{{SERIAL_BASE64}}/g, serialB64);
+
+fs.writeFileSync(outPath, trust);
+
+console.log('Generated Trust Settings');
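Review bot: The fingerprint parsed on L79 is used unchecked as the trustList key, so any deviation in `openssl x509 -fingerprint` output (newer OpenSSL releases print the label as `sha1 Fingerprint=`, which the case-sensitive regex does not strip) yields a trust.xml entry keyed by garbage and a `trust-settings-import` that trusts nothing useful; strip the label case-insensitively and fail fast unless the result is exactly 40 hex characters. The serial on L87 has the same shape of problem and would benefit from a `/^[0-9a-f]+$/i` check before the hex-to-base64 conversion on L92. Separately, if the `openssl` binary cannot be spawned at all, `spawnSync` reports `status === null` with `error` set and the `stderr.toString()` on L75/L83 can throw on a null buffer; checking `result.error` first gives a clearer failure. The 18-character padding on L89 encodes an assumption about the serial size that a comment should state, e.g. `// presumably an 8-byte serial plus a leading 0x00 sign byte — confirm against the openssl version in use`.
```javascript
const fingerprint = fingerprintResult.stdout.toString().replace(/^sha1 fingerprint=/i, '').replace(/:/g, '').trim().toUpperCase();
if (!/^[0-9A-F]{40}$/.test(fingerprint)) {
  console.error(`Unexpected fingerprint output: ${fingerprintResult.stdout}`);
  process.exit(1);
}
// … unchanged: serial extraction, padding, template substitution, output …
```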

+ 46 - 0
script/codesign/generate-identity.sh

@@ -0,0 +1,46 @@
+#!/bin/sh
+
+set -eo pipefail
+
+dir="$(dirname $0)"/.working
+
+cleanup() {
+    rm -rf "$dir"
+}
+
+# trap cleanup EXIT
+
+# Clean Up
+cleanup
+
+# Create Working Dir
+mkdir -p "$dir"
+
+# Generate Certs
+openssl req -new -newkey rsa:2048 -x509 -days 7300 -nodes -config "$(dirname $0)"/codesign.cnf -extensions extended -batch -out "$dir"/certificate.cer -keyout "$dir"/certificate.key
+sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain "$dir"/certificate.cer
+sudo security import "$dir"/certificate.key -A -k /Library/Keychains/System.keychain
+
+# restart(reload) taskgated daemon
+sudo pkill -f /usr/libexec/taskgated
+
+# need once
+sudo security authorizationdb write system.privilege.taskport allow
+# need once
+DevToolsSecurity -enable
+
+# openssl req -newkey rsa:2048 -nodes -keyout "$dir"/private.pem -x509 -days 1 -out "$dir"/certificate.pem -extensions extended -config "$(dirname $0)"/codesign.cnf
+# openssl x509 -inform PEM -in "$dir"/certificate.pem -outform DER -out "$dir"/certificate.cer
+# openssl x509 -pubkey -noout -in "$dir"/certificate.pem > "$dir"/public.key
+# rm -f "$dir"/certificate.pem
+
+# Import Certs
+# security import "$dir"/certificate.cer -k $KEY_CHAIN
+# security import "$dir"/private.pem -k $KEY_CHAIN
+# security import "$dir"/public.key -k $KEY_CHAIN
+
+# Generate Trust Settings
+node "$(dirname $0)"/gen-trust.js "$dir"/certificate.cer "$dir"/trust.xml
+
+# Import Trust Settings
+sudo security trust-settings-import -d "$dir/trust.xml"
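Review bot: The unencrypted private key written to `$dir/certificate.key` on L125 is left on disk after the run because `trap cleanup EXIT` on L116 is commented out, and that key backs a certificate the system keychain now trusts as a root for every policy (L126, L151); restore the trap (`trap cleanup EXIT`) or call `cleanup` after the trust import. Because the identity is only needed for signing, `security add-trusted-cert` can be narrowed with `-p codeSign` instead of the default all-policies trust, unless the broad trust is intentional as the commit message suggests. `set -eo pipefail` on L108 under `#!/bin/sh` only works where /bin/sh is bash; a POSIX sh rejects `-o pipefail`, so use `#!/bin/bash` or drop `pipefail`. Under `set -e`, `sudo pkill -f /usr/libexec/taskgated` on L130 aborts the script when no taskgated process is running; if the reload is best-effort, write `sudo pkill -f /usr/libexec/taskgated || true`. The commented-out openssl/import commands on L137-L145 look like dead history and could be dropped.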

+ 0 - 25
script/codesign/import-testing-cert-ci.sh

@@ -1,25 +0,0 @@
-#!/bin/sh
-
-KEY_CHAIN=mac-build.keychain
-KEYCHAIN_PASSWORD=unsafe_keychain_pass
-security create-keychain -p $KEYCHAIN_PASSWORD $KEY_CHAIN
-# Make the keychain the default so identities are found
-security default-keychain -s $KEY_CHAIN
-# Unlock the keychain
-security unlock-keychain -p $KEYCHAIN_PASSWORD $KEY_CHAIN
-# Set keychain locking timeout to 3600 seconds
-security set-keychain-settings -t 3600 -u $KEY_CHAIN
-
-# Add certificates to keychain and allow codesign to access them
-security import "$(dirname $0)"/signing.cer -k $KEY_CHAIN -A /usr/bin/codesign
-security import "$(dirname $0)"/signing.pem -k $KEY_CHAIN -A /usr/bin/codesign
-security import "$(dirname $0)"/signing.p12 -k $KEY_CHAIN -P $SPEC_KEY_PASSWORD -A /usr/bin/codesign
-
-echo "Add keychain to keychain-list"
-security list-keychains -s mac-build.keychain
-
-echo "Setting key partition list"
-security set-key-partition-list -S apple-tool:,apple: -s -k $KEYCHAIN_PASSWORD $KEY_CHAIN
-
-echo "Trusting self-signed certificate"
-sudo security trust-settings-import -d "$(dirname $0)"/trust-settings.plist

BIN
script/codesign/signing.cer


BIN
script/codesign/signing.p12


+ 0 - 9
script/codesign/signing.pem

@@ -1,9 +0,0 @@
------BEGIN RSA PUBLIC KEY-----
-MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAw91mumcVpai94X7PASje
-R9+meqEHsavRsKQmtVV5JkJk9ZZbWTdpXgOjy1hhGQURrbp3li9lmi3MFHVqZjuQ
-H8omufj0iFiUD0bBY9EZeQjmcXd/ZgP8SoFfMS3BSAeRzXI5UQ5zFq86CWyzBh4k
-lgRN+iuhmxxZ/8PUcuEQ49fzNWVtRskkX+ZDwj8mn9YYRQMm3nl+bB+lYbpgVnkX
-WztXvSdRxCMjvjzLtoSJQhG36DEz6Sv7XeEAfYi70diQIwr/yCtgCpYUTadjOdzO
-h0W/rpC2DTVE/yC3xZxg2uVjEa9siC8+DX9F6luAytkx2TgUGF6KdVblPVVCYkxW
-QQIDAQAB
------END RSA PUBLIC KEY-----

+ 0 - 138
script/codesign/trust-settings.plist

@@ -1,138 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
-<plist version="1.0">
-<dict>
-	<key>trustList</key>
-	<dict>
-		<key>80079C1EC6AED92C03B4C67E9A94B0B05E854AC8</key>
-		<dict>
-			<key>issuerName</key>
-			<data>
-			MIGIMSYwJAYDVQQDDB1FbGVjdHJvblNlbGZTaWduZWRTcGVjU2ln
-			bmluZzEUMBIGA1UECgwLRWxlY3Ryb24gSlMxEDAOBgNVBAsMB1Rl
-			c3RpbmcxCzAJBgNVBAYTAlVTMSkwJwYJKoZIhvcNAQkBFhpjb2Rl
-			c2lnbmluZ0BlbGVjdHJvbmpzLm9yZw==
-			</data>
-			<key>modDate</key>
-			<date>2019-03-19T02:33:38Z</date>
-			<key>serialNumber</key>
-			<data>
-			AQ==
-			</data>
-			<key>trustSettings</key>
-			<array>
-				<dict>
-					<key>kSecTrustSettingsAllowedError</key>
-					<integer>-2147409654</integer>
-					<key>kSecTrustSettingsPolicy</key>
-					<data>
-					KoZIhvdjZAED
-					</data>
-					<key>kSecTrustSettingsPolicyName</key>
-					<string>sslServer</string>
-					<key>kSecTrustSettingsResult</key>
-					<integer>1</integer>
-				</dict>
-				<dict>
-					<key>kSecTrustSettingsAllowedError</key>
-					<integer>-2147408896</integer>
-					<key>kSecTrustSettingsPolicy</key>
-					<data>
-					KoZIhvdjZAED
-					</data>
-					<key>kSecTrustSettingsPolicyName</key>
-					<string>sslServer</string>
-					<key>kSecTrustSettingsResult</key>
-					<integer>1</integer>
-				</dict>
-				<dict>
-					<key>kSecTrustSettingsAllowedError</key>
-					<integer>-2147409654</integer>
-					<key>kSecTrustSettingsPolicy</key>
-					<data>
-					KoZIhvdjZAEI
-					</data>
-					<key>kSecTrustSettingsPolicyName</key>
-					<string>SMIME</string>
-					<key>kSecTrustSettingsResult</key>
-					<integer>1</integer>
-				</dict>
-				<dict>
-					<key>kSecTrustSettingsAllowedError</key>
-					<integer>-2147408872</integer>
-					<key>kSecTrustSettingsPolicy</key>
-					<data>
-					KoZIhvdjZAEI
-					</data>
-					<key>kSecTrustSettingsPolicyName</key>
-					<string>SMIME</string>
-					<key>kSecTrustSettingsResult</key>
-					<integer>1</integer>
-				</dict>
-				<dict>
-					<key>kSecTrustSettingsAllowedError</key>
-					<integer>-2147409654</integer>
-					<key>kSecTrustSettingsPolicy</key>
-					<data>
-					KoZIhvdjZAEJ
-					</data>
-					<key>kSecTrustSettingsPolicyName</key>
-					<string>eapServer</string>
-					<key>kSecTrustSettingsResult</key>
-					<integer>1</integer>
-				</dict>
-				<dict>
-					<key>kSecTrustSettingsAllowedError</key>
-					<integer>-2147409654</integer>
-					<key>kSecTrustSettingsPolicy</key>
-					<data>
-					KoZIhvdjZAEL
-					</data>
-					<key>kSecTrustSettingsPolicyName</key>
-					<string>ipsecServer</string>
-					<key>kSecTrustSettingsResult</key>
-					<integer>1</integer>
-				</dict>
-				<dict>
-					<key>kSecTrustSettingsAllowedError</key>
-					<integer>-2147409654</integer>
-					<key>kSecTrustSettingsPolicy</key>
-					<data>
-					KoZIhvdjZAEQ
-					</data>
-					<key>kSecTrustSettingsPolicyName</key>
-					<string>CodeSigning</string>
-					<key>kSecTrustSettingsResult</key>
-					<integer>1</integer>
-				</dict>
-				<dict>
-					<key>kSecTrustSettingsAllowedError</key>
-					<integer>-2147409654</integer>
-					<key>kSecTrustSettingsPolicy</key>
-					<data>
-					KoZIhvdjZAEU
-					</data>
-					<key>kSecTrustSettingsPolicyName</key>
-					<string>AppleTimeStamping</string>
-					<key>kSecTrustSettingsResult</key>
-					<integer>1</integer>
-				</dict>
-				<dict>
-					<key>kSecTrustSettingsAllowedError</key>
-					<integer>-2147409654</integer>
-					<key>kSecTrustSettingsPolicy</key>
-					<data>
-					KoZIhvdjZAEC
-					</data>
-					<key>kSecTrustSettingsPolicyName</key>
-					<string>basicX509</string>
-					<key>kSecTrustSettingsResult</key>
-					<integer>1</integer>
-				</dict>
-			</array>
-		</dict>
-	</dict>
-	<key>trustVersion</key>
-	<integer>1</integer>
-</dict>
-</plist>

+ 138 - 0
script/codesign/trust.xml

@@ -0,0 +1,138 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+	<dict>
+		<key>trustList</key>
+		<dict>
+			<key>{{FINGERPRINT}}</key>
+			<dict>
+				<key>issuerName</key>
+				<data>
+					MH8xCzAJBgNVBAYTAkNBMQswCQYDVQQIDAJCQzESMBAGA1UEBwwJ
+					VmFuY291dmVyMRMwEQYDVQQKDApFbGVjdHJvbkpTMRgwFgYDVQQL
+					DA9CdWlsZEF1dG9tYXRpb24xIDAeBgNVBAMMF2NvZGVzaWduLmVs
+					ZWN0cm9uanMub3Jn
+				</data>
+				<key>modDate</key>
+				<date>2019-01-01T00:00:00Z</date>
+				<key>serialNumber</key>
+				<data>
+					{{SERIAL_BASE64}}
+				</data>
+				<key>trustSettings</key>
+				<array>
+					<dict>
+						<key>kSecTrustSettingsAllowedError</key>
+						<integer>-2147409654</integer>
+						<key>kSecTrustSettingsPolicy</key>
+						<data>
+							KoZIhvdjZAED
+						</data>
+						<key>kSecTrustSettingsPolicyName</key>
+						<string>sslServer</string>
+						<key>kSecTrustSettingsResult</key>
+						<integer>1</integer>
+					</dict>
+					<dict>
+						<key>kSecTrustSettingsAllowedError</key>
+						<integer>-2147408896</integer>
+						<key>kSecTrustSettingsPolicy</key>
+						<data>
+							KoZIhvdjZAED
+						</data>
+						<key>kSecTrustSettingsPolicyName</key>
+						<string>sslServer</string>
+						<key>kSecTrustSettingsResult</key>
+						<integer>1</integer>
+					</dict>
+					<dict>
+						<key>kSecTrustSettingsAllowedError</key>
+						<integer>-2147409654</integer>
+						<key>kSecTrustSettingsPolicy</key>
+						<data>
+							KoZIhvdjZAEI
+						</data>
+						<key>kSecTrustSettingsPolicyName</key>
+						<string>SMIME</string>
+						<key>kSecTrustSettingsResult</key>
+						<integer>1</integer>
+					</dict>
+					<dict>
+						<key>kSecTrustSettingsAllowedError</key>
+						<integer>-2147408872</integer>
+						<key>kSecTrustSettingsPolicy</key>
+						<data>
+							KoZIhvdjZAEI
+						</data>
+						<key>kSecTrustSettingsPolicyName</key>
+						<string>SMIME</string>
+						<key>kSecTrustSettingsResult</key>
+						<integer>1</integer>
+					</dict>
+					<dict>
+						<key>kSecTrustSettingsAllowedError</key>
+						<integer>-2147409654</integer>
+						<key>kSecTrustSettingsPolicy</key>
+						<data>
+							KoZIhvdjZAEJ
+						</data>
+						<key>kSecTrustSettingsPolicyName</key>
+						<string>eapServer</string>
+						<key>kSecTrustSettingsResult</key>
+						<integer>1</integer>
+					</dict>
+					<dict>
+						<key>kSecTrustSettingsAllowedError</key>
+						<integer>-2147409654</integer>
+						<key>kSecTrustSettingsPolicy</key>
+						<data>
+							KoZIhvdjZAEL
+						</data>
+						<key>kSecTrustSettingsPolicyName</key>
+						<string>ipsecServer</string>
+						<key>kSecTrustSettingsResult</key>
+						<integer>1</integer>
+					</dict>
+					<dict>
+						<key>kSecTrustSettingsAllowedError</key>
+						<integer>-2147409654</integer>
+						<key>kSecTrustSettingsPolicy</key>
+						<data>
+							KoZIhvdjZAEQ
+						</data>
+						<key>kSecTrustSettingsPolicyName</key>
+						<string>CodeSigning</string>
+						<key>kSecTrustSettingsResult</key>
+						<integer>1</integer>
+					</dict>
+					<dict>
+						<key>kSecTrustSettingsAllowedError</key>
+						<integer>-2147409654</integer>
+						<key>kSecTrustSettingsPolicy</key>
+						<data>
+							KoZIhvdjZAEU
+						</data>
+						<key>kSecTrustSettingsPolicyName</key>
+						<string>AppleTimeStamping</string>
+						<key>kSecTrustSettingsResult</key>
+						<integer>1</integer>
+					</dict>
+					<dict>
+						<key>kSecTrustSettingsAllowedError</key>
+						<integer>-2147409654</integer>
+						<key>kSecTrustSettingsPolicy</key>
+						<data>
+							KoZIhvdjZAEC
+						</data>
+						<key>kSecTrustSettingsPolicyName</key>
+						<string>basicX509</string>
+						<key>kSecTrustSettingsResult</key>
+						<integer>1</integer>
+					</dict>
+				</array>
+			</dict>
+		</dict>
+		<key>trustVersion</key>
+		<integer>1</integer>
+	</dict>
+</plist>
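Review bot: The `issuerName` blob on L362-L365 is a hard-coded DER Name that decodes to the C=CA, ST=BC, L=Vancouver, O=ElectronJS, OU=BuildAutomation, CN=codesign.electronjs.org subject from codesign.cnf, so any edit to that DN silently desynchronises this template while gen-trust.js only substitutes `{{FINGERPRINT}}` and `{{SERIAL_BASE64}}`; add `<!-- DER-encoded subject DN from codesign.cnf; regenerate if that DN changes -->` above it, or have gen-trust.js derive it from the certificate. The sslServer, SMIME, eapServer and ipsecServer entries on L375-L446 extend the self-signed identity well beyond code signing; if that breadth is intentional for CI, a comment saying so stops a later reader from treating it as an oversight, and if not, trimming to CodeSigning and basicX509 follows least privilege. `modDate` on L368 is fixed at 2019-01-01 regardless of when the certificate is generated — presumably informational only, but worth a comment.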