[Lldb-commits] [lldb] r334743 - Add a script to setup codesigning on macOS.

Davide Italiano via lldb-commits lldb-commits at lists.llvm.org
Thu Jun 14 14:01:11 PDT 2018


On Thu, Jun 14, 2018 at 11:04 AM, Frederic Riss via lldb-commits
<lldb-commits at lists.llvm.org> wrote:
> Author: friss
> Date: Thu Jun 14 11:04:13 2018
> New Revision: 334743
>
> URL: http://llvm.org/viewvc/llvm-project?rev=334743&view=rev
> Log:
> Add a script to setup codesigning on macOS.
>
> I've been using this script on a couple of machines and it seems to work,
> so I'm putting it out there; maybe other people will find it useful.
> It is strongly inspired by a similar script in the delve project.
>
> Added:
>     lldb/trunk/scripts/macos-setup-codesign.sh   (with props)
>
> Added: lldb/trunk/scripts/macos-setup-codesign.sh
> URL: http://llvm.org/viewvc/llvm-project/lldb/trunk/scripts/macos-setup-codesign.sh?rev=334743&view=auto
> ==============================================================================
> --- lldb/trunk/scripts/macos-setup-codesign.sh (added)
> +++ lldb/trunk/scripts/macos-setup-codesign.sh Thu Jun 14 11:04:13 2018
> @@ -0,0 +1,57 @@
> +#!/bin/bash
> +
> +CERT="lldb_codesign"
> +
> +function error() {
> +    echo error: "$@"
> +    exit 1
> +}
> +
> +function cleanup {
> +    # Remove generated files
> +    rm -f "$TMPDIR/$CERT.tmpl" "$TMPDIR/$CERT.cer" "$TMPDIR/$CERT.key" > /dev/null 2>&1
> +}
> +
> +trap cleanup EXIT
> +
> +# Check if the certificate is already present in the system keychain
> +security find-certificate -Z -p -c "$CERT" /Library/Keychains/System.keychain > /dev/null 2>&1
> +if [ $? -eq 0 ]; then
> +    echo Certificate has already been generated and installed
> +    exit 0
> +fi
> +
> +# Create the certificate template
> +cat <<EOF >$TMPDIR/$CERT.tmpl
> +[ req ]
> +default_bits       = 2048        # RSA key size
> +encrypt_key        = no          # Protect private key
> +default_md         = sha512      # MD to use
> +prompt             = no          # Prompt for DN
> +distinguished_name = codesign_dn # DN template
> +[ codesign_dn ]
> +commonName         = "$CERT"
> +[ codesign_reqext ]
> +keyUsage           = critical,digitalSignature
> +extendedKeyUsage   = critical,codeSigning
> +EOF
> +
> +echo Generating and installing lldb_codesign certificate
> +
> +# Generate a new certificate
> +openssl req -new -newkey rsa:2048 -x509 -days 3650 -nodes -config "$TMPDIR/$CERT.tmpl" -extensions codesign_reqext -batch -out "$TMPDIR/$CERT.cer" -keyout "$TMPDIR/$CERT.key" > /dev/null 2>&1
> +[ $? -eq 0 ] || error Something went wrong when generating the certificate
> +
> +# Install the certificate in the system keychain
> +sudo security add-trusted-cert -d -r trustRoot -p codeSign -k /Library/Keychains/System.keychain "$TMPDIR/$CERT.cer" > /dev/null 2>&1
> +[ $? -eq 0 ] || error Something went wrong when installing the certificate
> +
> +# Install the key for the certificate in the system keychain
> +sudo security import "$TMPDIR/$CERT.key" -A -k /Library/Keychains/System.keychain > /dev/null 2>&1
> +[ $? -eq 0 ] || error Something went wrong when installing the key
> +
> +# Kill task_for_pid access control daemon
> +sudo pkill -f /usr/libexec/taskgated > /dev/null 2>&1
> +
> +# Exit indicating the certificate is now generated and installed
> +exit 0
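Review bot: the already-installed check at the top (`security find-certificate -Z -p -c "$CERT" /Library/Keychains/System.keychain` followed by `exit 0`) only tests for the certificate, not for a matching private key, so a run where `add-trusted-cert` succeeds and the later `security import` fails leaves a certificate trusted for codeSign in the System keychain with no usable key, and every subsequent run prints "Certificate has already been generated and installed" and exits 0. Checking for the identity (certificate plus key) instead, e.g. `security find-identity -v -p codesigning | grep -q "$CERT"`, would detect that state, and the error path after the key import should remove the half-installed certificate (`sudo security delete-certificate -c "$CERT" /Library/Keychains/System.keychain`) so the next run can retry. Two smaller points: the heredoc redirect `cat <<EOF >$TMPDIR/$CERT.tmpl` is the one place `$TMPDIR` is left unquoted, and nothing guards against it being unset or empty (which turns the paths into `/lldb_codesign.tmpl` etc.); a `: "${TMPDIR:=/tmp}"` or a `mktemp -d` directory at the top would cover both. Finally, `security import ... -A` grants every application unprompted access to this private key while the same certificate is trusted system-wide as a code-signing root; that is presumably intended so lldb and codesign can use it without a UI prompt, but it deserves a comment, as does the unencrypted key (`-nodes`) that sits in `$TMPDIR` until the `rm -f` in `cleanup`.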
>
> Propchange: lldb/trunk/scripts/macos-setup-codesign.sh
> ------------------------------------------------------------------------------
>     svn:executable = *
>

I just tested on my freshly installed OS and it works :)
Thank you very much, I really quite didn't like the manual dance.
Should we update code_signing.txt to point to this? (and fall back to
the old manual method)

Best,

--
Davide

