Add a bash script to create a certificate and sign delve's executable on macOS #758
Comments
As a curiosity thought, which kind of certificate are you meaning? Are you meaning an OSX developer cert, used for signing releases so Gatekeeper doesn't complain? If so, it might rely on people having paid the $99 to Apple for developer membership. Not sure if that's a workable thing or not. Doing the signing bit with that kind of certificate is fairly easy though:
Yes. Our homebrew formula creates a self signed certificate using openssl, adds it to the keychain then uses it to sign dlv with codesign. The last bit is easy but creating the certificate isn't. There should be a script to do that without having to use homebrew. See: https://github.com/go-delve/homebrew-delve/blob/master/Formula/delve.rb
k, so converting the commands in the Homebrew formula gives this:
Running that, it does generate a key + cert, then import them both into the system keychain. I'm not sure where the delve executable would be in relation to this script being run, so in the above it's left as $1, e.g. it assumes the executable path is passed on the command line. If the executable is at a known location instead, it might be better to hard code that location.
For reference, the cert generated here seems ok:
Also note the complete lack of error checking in the script. Probably wouldn't hurt to at least add some minimal catches for non zero error codes (etc).
Codesigning is actually done in the makefile: I don't know if it is better to tell the user to run the script after Either way the script should check if the certificate already exists, like the brew recipe does. For error checking you can change the shell to PS. You should post this as a pull request.
Oops, yep. Missed the lines for checking if it's already there. With this script, the commands could be incorporated directly into the Makefile itself, just before the
It could be a script, let's say in
No worries at all, sounds workable. 😄
Interestingly, this turns up a bug in the existing Makefile. 😉 Creating an issue for it now.
Ported from formula:

```bash
#!/bin/bash
set -o errexit
cert=dlv-cert
# OpenSSL request config for a self-signed code-signing certificate
cat <<EOF >${cert}.cfg
[ req ]
default_bits = 2048                 # RSA key size
encrypt_key = no                    # Do not encrypt the private key
default_md = sha512                 # Message digest to use
prompt = no                         # Do not prompt for the DN
distinguished_name = codesign_dn    # DN template
[ codesign_dn ]
commonName = "dlv-cert"
[ codesign_reqext ]
keyUsage = critical,digitalSignature
extendedKeyUsage = critical,codeSigning
EOF
# Skip generation if a certificate with this name is already in the System keychain
if security find-certificate -Z -p -c "$cert" /Library/Keychains/System.keychain 2>&1 | grep -q '^SHA-1'; then
    echo "$cert is already installed, no need to create it"
else
    echo "Generating $cert"
    openssl req -new -newkey rsa:2048 -x509 -days 3650 -nodes -config "${cert}.cfg" -extensions codesign_reqext -batch -out "${cert}.pem" -keyout "${cert}.key"
    echo "[SUDO] Installing ${cert} as root"
    sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain "${cert}.pem"
    # -A lets any application use the imported private key without prompting
    sudo security import "${cert}.key" -A -k /Library/Keychains/System.keychain
    echo "[SUDO] Killing taskgated"
    sudo pkill -f /usr/libexec/taskgated
fi
```
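The signing step that the Makefile performs, with the certificate-existence check and error handling discussed above, as an added example (not delve's own code or Makefile); it assumes the dlv binary path is passed as the first argument and that the certificate was created by the script above.

```bash
#!/bin/bash
# Sign a dlv binary with the self-signed "dlv-cert" identity and verify the result.
set -o errexit -o nounset -o pipefail

cert=dlv-cert
keychain=/Library/Keychains/System.keychain

# Returns 0 if the `security find-certificate -Z` output read from stdin
# lists a SHA-1 fingerprint, i.e. the certificate is present in the keychain.
cert_listed() {
    grep -q '^SHA-1'
}

# Query the System keychain for the certificate (macOS only).
cert_installed() {
    security find-certificate -Z -c "$cert" "$keychain" 2>/dev/null | cert_listed
}

# Sign the given binary and verify the signature; returns non-zero on any failure
# so that a Makefile invoking it stops instead of shipping an unsigned dlv.
sign_dlv() {
    local bin="$1"
    if [ ! -x "$bin" ]; then
        echo "error: $bin is not an executable file" >&2
        return 1
    fi
    if ! cert_installed; then
        echo "error: $cert not found in $keychain; run the certificate script first" >&2
        return 1
    fi
    codesign --force --sign "$cert" "$bin"
    codesign --verify --verbose "$bin"
}

# Hypothetical usage: ./sign-dlv.sh "$(go env GOPATH)/bin/dlv"
if [ "$#" -gt 0 ]; then
    sign_dlv "$1"
fi
```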
Ahhh, the EOF approach is probably better. I'll update my PR to use that. 😄
This can probably be closed, now that #760 is merged. 😄
Some people do not want to use homebrew to install go (#753 and go-delve/homebrew-delve#9). We should make a bash script that can be run with sudo after `go get` that: