Last active
November 3, 2019 16:43
-
-
Save gretel/99bc84729c9b5298c277dad326d578c6 to your computer and use it in GitHub Desktop.
shellscript to codesign `nwjs` (from version 0.42.2 up) apps for distribution. not getting accepted on the apple store, though..
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#!/bin/sh | |
# | |
# tom hensel <code@jitter.eu> | |
# | |
# | |
# variables and composition | |
# | |
CERTIFICATE_P12="sign/SomeCert.p12" | |
KEYCHAIN="build.keychain" | |
ENTITLEMENTS_CHILD="sign/entitlements-child.plist" | |
ENTITLEMENTS_PARENT="sign/entitlements-parent.plist" | |
APP_PATH="apps/whateverapp/osx64/whateverapp.app" | |
# | |
# sanity checks | |
# | |
if [ ! -d "${APP_PATH}" ]; then | |
echo "unable to find application at: ${APP_PATH}" | |
exit 2 | |
fi | |
if [ -z "${APP_IDENTITY}" ]; then | |
echo "required variable APP_IDENTITY not set" | |
exit 3 | |
fi | |
if [ -z "${BUNDLE_ID}" ]; then | |
echo "required variable BUNDLE_ID not set" | |
exit 4 | |
fi | |
if [ ! -d "${APP_PATH}" ]; then | |
echo "unable to find application at: ${APP_PATH}" | |
exit 6 | |
fi | |
if [ ! -f "${CERTIFICATE_P12}" ]; then | |
echo "unable to find certifacte at: ${CERTIFICATE_P12}" | |
exit 7 | |
fi | |
if [ ! -f "${ENTITLEMENTS_CHILD}" ]; then | |
echo "unable to find entitlement at: ${ENTITLEMENTS_CHILD}" | |
exit 8 | |
fi | |
if [ ! -f "${ENTITLEMENTS_PARENT}" ]; then | |
echo "unable to find entitlement at: ${ENTITLEMENTS_PARENT}" | |
exit 9 | |
fi | |
# | |
# keychain | |
# | |
if [ "${TRAVIS_OS_NAME}" == "osx" ]; then | |
security create-keychain -p "${KEYC_PASS}" "${KEYCHAIN}" | |
security default-keychain -s "${KEYCHAIN}" | |
security unlock-keychain -p "${KEYC_PASS}" "${KEYCHAIN}" | |
echo "import cert to keychain" | |
security import "${CERTIFICATE_P12}" -k "${KEYCHAIN}" -P "${CERT_PASS}" -T /usr/bin/codesign || exit 3 | |
security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "${KEYC_PASS}" "${KEYCHAIN}" | |
else | |
echo "not running on travis and/or osx. skipping 'keychain' part" | |
fi | |
# | |
# extended attributes | |
# | |
# TODO: check if this is any effective | |
echo "recursively remove quarantine attribute" | |
xattr -r -d com.apple.quarantine "${APP_PATH}" | |
# | |
# bundle id | |
# | |
/usr/libexec/PlistBuddy -c "Set :CFBundleIdentifier ${BUNDLE_ID}" "${APP_PATH}/Contents/Info.plist" | |
# | |
# signing | |
# | |
codesign --verbose --force --sign "${APP_IDENTITY}" --entitlements "${ENTITLEMENTS_PARENT}" --deep "${APP_PATH}" | |
codesign --verbose --verify --strict --deep "${APP_PATH}" | |
# | |
# check | |
# | |
# should result in 'satisfies its Designated Requirement' at least | |
spctl --assess --type execute "${APP_PATH}" || true | |
spctl --assess --verbose=4 "${APP_PATH}" || true | |
exit 0 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
<?xml version="1.0" encoding="UTF-8"?> | |
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> | |
<plist version="1.0"> | |
<dict> | |
<key>com.apple.security.app-sandbox</key> | |
<false/> | |
<key>com.apple.security.inherit</key> | |
<true/> | |
</dict> | |
</plist> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
<?xml version="1.0" encoding="UTF-8"?> | |
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> | |
<plist version="1.0"> | |
<dict> | |
<key>com.apple.security.app-sandbox</key> | |
<false/> | |
<key>com.apple.security.device.serial</key> | |
<true/> | |
<key>com.apple.security.files.user-selected.read-write</key> | |
<true/> | |
<key>com.apple.security.network.client</key> | |
<true/> | |
</dict> | |
</plist> |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment