@espresso3389
Created December 1, 2020 14:39
Installing p12 certificate (public-key/private-key combination) to keychain accessible on ssh connection
#!/bin/sh
#
# Install our provisioning certificates on the runner machine
#
# Reference: https://apple.stackexchange.com/a/285320
#
# Set $P12_BASE64 and $P12_PASSWORD before invoking the script
MY_KEYCHAIN="temp.keychain"
MY_KEYCHAIN_PASSWORD="secret"
CODESIGN=/usr/bin/codesign
security create-keychain -p "$MY_KEYCHAIN_PASSWORD" "$MY_KEYCHAIN" # Create temp keychain
security list-keychains -d user -s "$MY_KEYCHAIN" $(security list-keychains -d user | sed s/\"//g) # Append temp keychain to the user domain (keeps the existing search list)
security set-keychain-settings "$MY_KEYCHAIN" # Remove relock timeout (no -l/-u/-t: the keychain stays unlocked)
security unlock-keychain -p "$MY_KEYCHAIN_PASSWORD" "$MY_KEYCHAIN" # Unlock keychain
# Add certificate to keychain
DIST_P12="$GITHUB_WORKSPACE/apple_dist.p12"
echo "$P12_BASE64" | base64 -d > "$DIST_P12" # older macOS releases spell the decode flag -D
# -T: only codesign may use the imported private key without an access prompt
security import "$DIST_P12" -k "$MY_KEYCHAIN" -P "$P12_PASSWORD" -T "$CODESIGN"
rm -f "$DIST_P12" # The decoded p12 is not needed after import; do not leave the private key in the workspace
# Programmatically derive the identity (the quoted common name on the first find-identity line)
CERT_IDENTITY=$(security find-identity -v -p codesigning "$MY_KEYCHAIN" | head -1 | grep '"' | sed -e 's/[^"]*"//' -e 's/".*//')
# Handy to have UUID (just in case; it is actually the certificate's SHA-1 hash as printed by find-identity)
# CERT_UUID=$(security find-identity -v -p codesigning "$MY_KEYCHAIN" | head -1 | grep '"' | awk '{print $2}')
# Dump certificate details
CERT_TMP=cert.tmp
security find-certificate -c "$CERT_IDENTITY" -p > "$CERT_TMP"
CERT_TEXT=$(openssl x509 -text -noout -in "$CERT_TMP")
echo "$CERT_TEXT" # quoted so the line structure of the dump survives
# Enable codesigning from a non user interactive shell
security set-key-partition-list -S apple-tool:,apple: -s -k "$MY_KEYCHAIN_PASSWORD" -D "$CERT_IDENTITY" -t private "$MY_KEYCHAIN"
# For deinit keychain (run "$REMOVE_TMP_KEYCHAIN" in a later workflow step)
echo "REMOVE_TMP_KEYCHAIN=security delete-keychain $MY_KEYCHAIN" >> "$GITHUB_ENV"
# Certificate serial number
# (assumes openssl prints the value on the "Serial Number:" line itself, which it does when the serial fits in a C long;
#  longer serials are printed as hex on the following line and $3 would then be empty)
SERIAL_NUMBER=$(echo "$CERT_TEXT" | grep "Serial Number" | awk '{ print $3 }')
echo "CERT_SERIAL_NUMBER=$SERIAL_NUMBER" >> "$GITHUB_ENV"
# Checking validity of the certificate anyway
security verify-cert -c "$CERT_TMP"
@espresso3389
Author

espresso3389 commented Dec 1, 2020

Installing p12 certificate (public-key/private-key combination) to the GitHub Runner machine

The script creates a new keychain that is accessible from the current shell session (normally, access to the default keychain is blocked by a keychain popup).

Set $P12_BASE64 and $P12_PASSWORD before invoking the script.
It sets $REMOVE_TMP_KEYCHAIN and $CERT_SERIAL_NUMBER in the file specified by $GITHUB_ENV.

After calling the script, you may want to install the provisioning profile using mobileprovision.sh.

Generating BASE64-encoded p12 file

Because GitHub Actions only accepts secure inputs from its environment variables, we should set our p12 file content as $P12_BASE64.
You can obtain the value by using the base64 command:

base64 cert.p12

And $P12_PASSWORD should be the password that protects the cert.p12 file.
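A pre-flight check for the two secrets described above ($P12_BASE64 produced by `base64 cert.p12`, and $P12_PASSWORD), as an added example that is not part of the gist: it decodes the blob, confirms that the password opens the PKCS#12 container and that both a certificate and a private key are inside, and prints the certificate subject and serial, so a mangled blob or a wrong password is caught before it ever reaches a failing `security import` on the runner. The function names and the self-signed sample certificate are constructed for this example; it assumes openssl, base64 and mktemp are on PATH.

```shell
#!/bin/sh
# Added example (not from the gist): check a P12_BASE64 / P12_PASSWORD pair
# locally before storing it as GitHub secrets.
# Assumes openssl(1), base64(1) and mktemp(1) are on PATH.

# check_p12_secret BASE64 PASSWORD
#   Prints "<subject>|serial=<HEX>" and returns 0 when the blob decodes, the
#   password opens the container, and it holds both a certificate and a key.
#   Returns 2 when base64 rejects the blob, 3 for wrong password / no
#   certificate, 4 when no private key is present.
check_p12_secret() {
  b64="$1"; pw="$2"
  tmp=$(mktemp) || return 1
  if ! printf '%s\n' "$b64" | base64 -d > "$tmp" 2>/dev/null; then
    rm -f "$tmp"; return 2
  fi
  # -clcerts -nokeys: only the end-entity certificate, as PEM on stdout
  cert=$(openssl pkcs12 -in "$tmp" -passin "pass:$pw" -clcerts -nokeys 2>/dev/null)
  if ! printf '%s\n' "$cert" | grep -q 'BEGIN CERTIFICATE'; then
    rm -f "$tmp"; return 3
  fi
  # -nocerts -nodes: the private key goes to the pipe only, never to disk
  if ! openssl pkcs12 -in "$tmp" -passin "pass:$pw" -nocerts -nodes 2>/dev/null | grep -q 'PRIVATE KEY'; then
    rm -f "$tmp"; return 4
  fi
  rm -f "$tmp"
  subject=$(printf '%s\n' "$cert" | openssl x509 -noout -subject)
  # -serial yields one "serial=HEX" line however long the serial is
  serial=$(printf '%s\n' "$cert" | openssl x509 -noout -serial)
  printf '%s|%s\n' "$subject" "$serial"
}

# make_sample_p12 DIR PASSWORD
#   Constructed stand-in for a real distribution identity: a throw-away
#   self-signed certificate and key exported as DIR/cert.p12.
make_sample_p12() {
  dir="$1"; pw="$2"
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$dir/key.pem" -out "$dir/cert.pem" \
    -subj "/CN=Example Distribution/O=constructed sample" -days 1 >/dev/null 2>&1 || return 1
  openssl pkcs12 -export -inkey "$dir/key.pem" -in "$dir/cert.pem" -out "$dir/cert.p12" \
    -passout "pass:$pw" 2>/dev/null || return 1
  rm -f "$dir/key.pem"
}

# Demo: the same steps you would run on the real cert.p12 before creating the secrets
work=$(mktemp -d)
make_sample_p12 "$work" "secret"
P12_BASE64=$(base64 "$work/cert.p12")   # the value to store in the P12_BASE64 secret
P12_PASSWORD="secret"
check_p12_secret "$P12_BASE64" "$P12_PASSWORD" && echo "p12 secret pair is usable"
rm -rf "$work"
```

The check extracts the serial with `openssl x509 -serial`, which prints a single hex line regardless of the serial's length, so it is a convenient cross-check against the value the runner script derives from the text dump. If the .p12 was exported by older tooling that still uses RC2/3DES, OpenSSL 3 will refuse to open it unless `-legacy` is added to the `openssl pkcs12` calls.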
