#!/bin/bash
#
# Create a self-signed certificate named "lldb_codesign", install it into the
# System keychain trusted for code signing, and import its (unencrypted)
# private key alongside it, so a locally built lldb can be signed.  The
# keychain steps need sudo; intermediate files are written under $TMPDIR and
# removed on exit.

# Common name of the certificate; also the name used to look it up in the
# keychain and the base name of the temporary files.
CERT='lldb_codesign'
4*a051c7a2SFrederic Riss
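# Report a fatal error and abort the script with status 1.
# Arguments: the message words, printed after "error: ".
# The message goes to stderr so it is not mixed into (or lost with) stdout
# redirections; exiting here still fires the EXIT trap, so the temporary
# template, certificate and key are cleaned up.
function error() {
    printf 'error: %s\n' "$*" >&2
    exit 1
}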
9*a051c7a2SFrederic Riss
# Remove the request template, certificate and private key that the script
# writes under "$TMPDIR".  Installed as the EXIT trap, so it runs on normal
# completion as well as after error().  Failures (e.g. a file that was never
# created) are deliberately ignored.
function cleanup {
    local ext
    for ext in tmpl cer key; do
        rm -f -- "$TMPDIR/$CERT.$ext" > /dev/null 2>&1
    done
}
14*a051c7a2SFrederic Riss
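# Remove the temporary files on every exit path, including error().
trap cleanup EXIT

# Nothing to do if a certificate with this common name is already in the
# System keychain.  Note that only the certificate is checked, not its private
# key: a previous run that failed after add-trusted-cert is skipped here until
# the certificate is removed from the keychain again.
if security find-certificate -Z -p -c "$CERT" /Library/Keychains/System.keychain > /dev/null 2>&1; then
    echo Certificate has already been generated and installed
    exit 0
fi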
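# Write the OpenSSL request configuration.  TMPDIR is required (launchd sets
# it for normal macOS sessions); if it is unset, fail with a clear message
# instead of trying to write "/$CERT.tmpl" and failing later in openssl.
# The template deliberately asks for an unencrypted key (encrypt_key = no,
# matched by -nodes at generation time) so the key can be imported without a
# passphrase prompt, and constrains the certificate to code signing through
# critical keyUsage/extendedKeyUsage extensions in [ codesign_reqext ], which
# openssl is pointed at with -extensions.
cat <<EOF > "${TMPDIR:?TMPDIR must be set}/$CERT.tmpl" || error Could not write "$CERT.tmpl" to "$TMPDIR"
[ req ]
default_bits       = 2048        # RSA key size
encrypt_key        = no          # Protect private key
default_md         = sha512      # MD to use
prompt             = no          # Prompt for DN
distinguished_name = codesign_dn # DN template
[ codesign_dn ]
commonName         = "$CERT"
[ codesign_reqext ]
keyUsage           = critical,digitalSignature
extendedKeyUsage   = critical,codeSigning
EOF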
38*a051c7a2SFrederic Riss
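echo Generating and installing lldb_codesign certificate

# Generate a self-signed (-x509), ten-year code-signing certificate together
# with a fresh 2048-bit RSA key.  -nodes leaves the key unencrypted, so until
# cleanup() runs "$TMPDIR/$CERT.key" is a plaintext private key on disk.
# openssl's own diagnostics are only shown when it fails, so the cause is not
# hidden behind the generic error message.
if ! openssl_output=$(openssl req -new -newkey rsa:2048 -x509 -days 3650 -nodes \
        -config "$TMPDIR/$CERT.tmpl" -extensions codesign_reqext -batch \
        -out "$TMPDIR/$CERT.cer" -keyout "$TMPDIR/$CERT.key" 2>&1 >/dev/null); then
    printf '%s\n' "$openssl_output" >&2
    error Something went wrong when generating the certificate
fi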
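# Install the certificate in the System keychain and trust it as a root.
# -d writes the trust setting to the admin (system-wide) domain; -p codeSign
# limits that trust to the code-signing policy, so the self-signed certificate
# is not trusted for other purposes (e.g. TLS).  From here on, anything signed
# with the key below passes code-signature checks on this machine.
sudo security add-trusted-cert -d -r trustRoot -p codeSign \
    -k /Library/Keychains/System.keychain "$TMPDIR/$CERT.cer" > /dev/null 2>&1 \
    || error Something went wrong when installing the certificate

# Import the private key next to it.  -A lets any application use the key
# without a keychain prompt (security(1) flags this as insecure); it is what
# allows unattended signing, but it also means any local process can sign
# with this key.
# NOTE: if this step fails, the certificate is already trusted and the
# "already installed" check at the top will skip regeneration on a rerun;
# remove the certificate from the System keychain first (e.g.
# `sudo security delete-certificate -c lldb_codesign /Library/Keychains/System.keychain`).
sudo security import "$TMPDIR/$CERT.key" -A -k /Library/Keychains/System.keychain > /dev/null 2>&1 \
    || error Something went wrong when installing the key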
# Kill taskgated, the task_for_pid() access-control daemon, presumably so that
# it is restarted and picks up the new trust settings.  Its exit status is
# intentionally ignored (the daemon may not be running); the script reports
# success either way.
sudo pkill -f /usr/libexec/taskgated > /dev/null 2>&1 || :

# Exit indicating the certificate is now generated and installed
exit 0