Merge remote-tracking branch 'origin/dev' into dev

Author: demarey

mac/build-dmg.sh

@@ -59,10 +59,11 @@ fi
 
 # Sign the app
 function sign_mac_version() {
-  # This function expects that following environment varialbes are available:
+  # This function expects that following environment variables are available:
   # - PHARO_CERT_PASSWORD
   # - PHARO_SIGN_IDENTITY
-  local key_chain=macos-build.keychain
+  local keychain_name=macos-ci-build.keychain
+  local keychain_password=ci
   local app_dir=$1
   local cert_pass=${PHARO_CERT_PASSWORD}
   local pharo_sign_password=${PHARO_CERT_PASSWORD}
@@ -79,23 +80,30 @@ function sign_mac_version() {
 
   echo "Signing app bundle..."
   # Set up keychain
-  security delete-keychain "${key_chain}" || true
-  security create-keychain -p ci "${key_chain}"
-  security default-keychain -s "${key_chain}"
-  security unlock-keychain -p ci "${key_chain}"
-  security set-keychain-settings -t 3600 -u "${key_chain}"
-  security import "${path_cer}" -k ~/Library/Keychains/"${key_chain}" -T /usr/bin/codesign
-  security import "${path_p12}" -k ~/Library/Keychains/"${key_chain}" -P "${cert_pass}" -T /usr/bin/codesign
+  security delete-keychain "${keychain_name}" || true
+  security create-keychain -p ${keychain_password} "${keychain_name}"
+  # add keychain to the search list
+  security list-keychains -d user -s "${keychain_name}"
+  security default-keychain -s "${keychain_name}"
+  security unlock-keychain -p ${keychain_password} "${keychain_name}"
+  security set-keychain-settings -t 3600 -u "${keychain_name}"
+  # Importing certificate
+  security import "${path_cer}" -k ~/Library/Keychains/"${keychain_name}" -T /usr/bin/codesign
+  # Importing identity
+  security import "${path_p12}" -k ~/Library/Keychains/"${keychain_name}" -P "${cert_pass}" -T /usr/bin/codesign
+  # Set ACL on keychain. To avoid to get codesign to yield an errSecInternalComponent you need to get the partition list (ACLs) correct.
+  # See https://code-examples.net/en/q/1344e6a
+  security set-key-partition-list -S apple-tool:,apple: -s -k ${keychain_password} "${keychain_name}"
   # debug
   echo ${sign_identity} >> "id.txt"
   # Invoke codesign
   if [[ -d "${app_dir}/Contents/MacOS/Plugins" ]]; then # Pharo.app does not (yet) have its plugins in Resources dir
-    codesign -s "${sign_identity}" --keychain "${key_chain}" --force --deep "${app_dir}/Contents/MacOS/Plugins/"*
+    codesign -s "${sign_identity}" --keychain "${keychain_name}" --force --deep "${app_dir}/Contents/MacOS/Plugins/"*
   fi
-  codesign -s "${sign_identity}"  --keychain "${key_chain}" --force --deep "${app_dir}"
+  codesign -s "${sign_identity}"  --keychain "${keychain_name}" --force --deep "${app_dir}"
   # Remove sensitive files again
   rm -rf "${path_cer}" "${path_p12}"
-  security delete-keychain "${key_chain}"
+  security delete-keychain "${keychain_name}"
 }
 
 if [ "$SHOULD_SIGN" = true ] ; then

signing/README.md

@@ -47,6 +47,13 @@ openssl aes-256-cbc -k "${pharo_sign_password}" -in pharo-windows-certificate.p1
 The password needed to decrypt them will be stored in an environment variable (secured) on the CI tool (travis or Jenkins).
 
 # How to sign on OS X?
+Some links:
+- [macOS Code Signing In Depth](https://developer.apple.com/library/archive/technotes/tn2206/_index.html)
+- [Distribute outside the Mac App Store (macOS)](https://help.apple.com/xcode/mac/current/#/dev033e997ca)
+- [Troubleshooting Failed Signature Verification](https://developer.apple.com/library/archive/technotes/tn2318/_index.html#//apple_ref/doc/uid/DTS40013777-CH1-TNTAG2)
+- [security / codesign in Sierra: Keychain ignores access control settings and UI-prompts for permission](https://stackoverflow.com/questions/39868578/security-codesign-in-sierra-keychain-ignores-access-control-settings-and-ui-p/41220140#41220140)
+
+
 You need to use codesign (shipped with Xcode):
 ```
 codesign -s "${sign_identity}" --keychain "${key_chain}" --force --deep "${app_dir}/Contents/MacOS/Plugins/"*