mirror of
https://github.com/coder/coder.git
synced 2025-03-14 10:09:57 +00:00
51 lines
1.6 KiB
Bash
Executable File
51 lines
1.6 KiB
Bash
Executable File
#!/usr/bin/env bash
|
|
|
|
# This script signs the provided darwin binary with an Apple Developer
|
|
# certificate.
|
|
#
|
|
# Usage: ./sign_darwin.sh path/to/binary binary_identifier
|
|
#
|
|
# On success, the input file will be signed using the Apple Developer
|
|
# certificate.
|
|
#
|
|
# For the Coder CLI, the binary_identifier should be "com.coder.cli".
|
|
# For the CoderVPN `.dylib`, the binary_identifier should be "com.coder.Coder-Desktop.VPN.dylib".
|
|
#
|
|
# You can check if a binary is signed by running the following command on a Mac:
|
|
# codesign -dvv path/to/binary
|
|
#
|
|
# You can also run the following command to verify the signature on other
|
|
# systems, but it may be less accurate:
|
|
# rcodesign verify path/to/binary
|
|
#
|
|
# Depends on the rcodesign utility. Requires the following environment variables
|
|
# to be set:
|
|
# - $AC_CERTIFICATE_FILE: The path to the Apple Developer P12 certificate file.
|
|
# - $AC_CERTIFICATE_PASSWORD_FILE: The path to the file containing the password
|
|
# for the Apple Developer certificate.
|
|
|
|
set -euo pipefail
|
|
# shellcheck source=scripts/lib.sh
|
|
source "$(dirname "${BASH_SOURCE[0]}")/lib.sh"
|
|
|
|
if [[ "$#" -lt 2 ]]; then
|
|
echo "Usage: $0 path/to/binary binary_identifier"
|
|
exit 1
|
|
fi
|
|
|
|
BINARY_PATH="$1"
|
|
BINARY_IDENTIFIER="$2"
|
|
|
|
# Check dependencies
|
|
dependencies rcodesign
|
|
requiredenvs AC_CERTIFICATE_FILE AC_CERTIFICATE_PASSWORD_FILE
|
|
|
|
# -v is quite verbose, the default output is pretty good on it's own.
|
|
rcodesign sign \
|
|
--binary-identifier "$BINARY_IDENTIFIER" \
|
|
--p12-file "$AC_CERTIFICATE_FILE" \
|
|
--p12-password-file "$AC_CERTIFICATE_PASSWORD_FILE" \
|
|
--code-signature-flags runtime \
|
|
"$BINARY_PATH" \
|
|
1>&2
|