CI apache codesigning

phusion · Oct 9, 2024 · 5990424 · 5990424
1 parent 2ec5a83
commit 5990424
Show file tree

Hide file tree

Showing 2 changed files with 38 additions and 3 deletions.
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
@@ -181,14 +181,49 @@ jobs:
       - name: Setup misc
         run: |
           sudo chmod 755 "$HOME"
-          sed "s|_USER_|$(whoami)|" ${{ matrix.config_file }} > test/config.json
+          sed "s|_USER_|$(whoami)|; s|_SOURCE_ROOT_|$(pwd)|" ${{ matrix.config_file }} > test/config.json
 
       - name: Setup Linux dependencies
         run: >
           sudo apt update &&
           sudo apt install -y libcurl4-openssl-dev apache2-dev libapr1-dev libaprutil1-dev
         if: matrix.name == 'Linux'
 
+      - name: Setup macOS code signing
+        run: |
+          exec 2>&1
+          set -x
+
+          cat "$OPENSSL_CONFIG" > cert_config.cnf
+          openssl req -new -newkey rsa:2048 -nodes -keyout github-ci.key -out github-ci.csr -config cert_config.cnf
+          openssl x509 -req -in github-ci.csr -signkey github-ci.key -out github-ci.crt -days 3650 -extensions req_ext -extfile cert_config.cnf
+
+          sudo security authorizationdb write com.apple.trust-settings.admin allow
+          security create-keychain -p mypassword mykeychain.keychain
+          security set-keychain-settings -lut 21600 mykeychain.keychain
+          security unlock-keychain -p mypassword mykeychain.keychain
+
+          security import github-ci.key -k mykeychain.keychain -A
+          security set-key-partition-list -S apple-tool:,apple: -k mypassword mykeychain.keychain
+          security add-trusted-cert -d -r trustRoot -k mykeychain.keychain github-ci.crt
+          security list-keychain -d user -s mykeychain.keychain
+        if: matrix.name == 'macOS'
+        env:
+          OPENSSL_CONFIG: |
+            [ req ]
+            default_bits = 2048
+            prompt = no
+            default_md = sha256
+            distinguished_name = req_distinguished_name
+            req_extensions = req_ext
+
+            [ req_distinguished_name ]
+            CN = Github CI
+
+            [ req_ext ]
+            keyUsage = critical, digitalSignature, keyEncipherment
+            extendedKeyUsage = codeSigning
+
       - name: Setup hosts entries
         run: |
           echo 127.0.0.1 passenger.test | sudo tee -a /etc/hosts

diff --git a/test/config.json.github-ci-macos b/test/config.json.github-ci-macos
@@ -9,7 +9,7 @@
   "nonexistant_group": "xxxxxxxxxxxxxxxxxxx",
   "nonexistant_uid": 9999,
   "nonexistant_gid": 9999,
-  "codesigning_identity": "_AUTHORITY_",
-  "codesigning_keychain": "_KEYCHAIN_",
+  "codesigning_identity": "Github CI",
+  "codesigning_keychain": "_SOURCE_ROOT_/mykeychain.keychain",
   "nginx": "/tmp/nginx/sbin/nginx"
 }