Created December 1, 2020 14:39
Gist: espresso3389/5713e2723f60d6ccb99fab51ee1e715d
Installing p12 certificate (public-key/private-key combination) to keychain accessible on ssh connection
#!/bin/sh
#
# Install our provisioning certificates on the runner machine
#
# Reference: https://apple.stackexchange.com/a/285320
#
# Set $P12_BASE64 and $P12_PASSWORD before invoking the script
set -e # Abort on the first failing command so a half-configured keychain is not used for signing

MY_KEYCHAIN="temp.keychain"
MY_KEYCHAIN_PASSWORD="secret" # Only guards a throwaway keychain on an ephemeral runner
CODESIGN=/usr/bin/codesign

security create-keychain -p "$MY_KEYCHAIN_PASSWORD" "$MY_KEYCHAIN" # Create temp keychain
security list-keychains -d user -s "$MY_KEYCHAIN" $(security list-keychains -d user | sed 's/"//g') # Append temp keychain to the user domain
security set-keychain-settings "$MY_KEYCHAIN" # Remove relock timeout
security unlock-keychain -p "$MY_KEYCHAIN_PASSWORD" "$MY_KEYCHAIN" # Unlock keychain

# Add certificate to keychain
DIST_P12="$GITHUB_WORKSPACE/apple_dist.p12"
echo "$P12_BASE64" | base64 --decode > "$DIST_P12" # --decode is accepted by both macOS and GNU base64
security import "$DIST_P12" -k "$MY_KEYCHAIN" -P "$P12_PASSWORD" -T "$CODESIGN"

# Programmatically derive the identity (the quoted name on the first result line)
CERT_IDENTITY=$(security find-identity -v -p codesigning "$MY_KEYCHAIN" | head -1 | grep '"' | sed -e 's/[^"]*"//' -e 's/".*//')
# Handy to have UUID (just in case)
# CERT_UUID=$(security find-identity -v -p codesigning "$MY_KEYCHAIN" | head -1 | grep '"' | awk '{print $2}')

# Dump certificate details
CERT_TMP=cert.tmp
security find-certificate -c "$CERT_IDENTITY" -p > "$CERT_TMP"
CERT_TEXT=$(openssl x509 -text -noout -in "$CERT_TMP")
echo "$CERT_TEXT" # Quoted so the multi-line dump keeps its line breaks

# Enable codesigning from a non user interactive shell
security set-key-partition-list -S apple-tool:,apple: -s -k "$MY_KEYCHAIN_PASSWORD" -D "$CERT_IDENTITY" -t private "$MY_KEYCHAIN"

# For deinit keychain
echo "REMOVE_TMP_KEYCHAIN=security delete-keychain $MY_KEYCHAIN" >> "$GITHUB_ENV"

# Certificate serial number
# Note: openssl prints serials longer than 8 bytes on the line after "Serial Number:",
# in which case this yields an empty value; `openssl x509 -noout -serial` is the robust form.
SERIAL_NUMBER=$(echo "$CERT_TEXT" | grep "Serial Number" | awk '{ print $3 }')
echo "CERT_SERIAL_NUMBER=$SERIAL_NUMBER" >> "$GITHUB_ENV"

# Checking validity of the certificate anyway
security verify-cert -c "$CERT_TMP"
Installing p12 certificate (public-key/private-key combination) to the GitHub Runner machine
The script creates a new keychain that is accessible from the current, non-interactive shell session (normally, access to the default keychain is blocked by the keychain password popup).
Set $P12_BASE64 and $P12_PASSWORD before invoking the script. It sets $REMOVE_TMP_KEYCHAIN and $CERT_SERIAL_NUMBER in the file specified by $GITHUB_ENV. After calling the script, you may want to install the provisioning profile using mobileprovision.sh.
Generating BASE64-encoded p12 file
Because GitHub Actions only accepts secure inputs from its environment variables, we should set our p12 file content to $P12_BASE64. You can obtain the value by using the base64 command:
And $P12_PASSWORD should be the password that protects the cert.p12 file.
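The gist derives the identity name and serial number by slicing text with head, sed and awk. As an added example (not part of the gist), the helpers below parse the same output by pattern, take the serial from `openssl x509 -noout -serial` so long Apple serials are not lost, and sanity-check that the decoded $P12_BASE64 payload is DER before it reaches `security import`; the sample outputs are constructed.

```shell
#!/bin/sh
# Added helpers (not from the gist): parse `security find-identity` and
# `openssl x509 -noout -serial` output by pattern instead of field position,
# and check that a decoded P12_BASE64 payload is DER before importing it.

# Identity name from find-identity output on stdin: the quoted string on the
# first '  N) <40-hex SHA-1> "<name>"' line; the trailing summary line is ignored.
identity_name() {
  sed -n 's/^ *[0-9][0-9]*) [0-9A-F]\{40\} "\(.*\)"$/\1/p' | head -n 1
}

# Same line, returning the certificate's SHA-1 hash (codesign -s also accepts it).
identity_hash() {
  sed -n 's/^ *[0-9][0-9]*) \([0-9A-F]\{40\}\) ".*"$/\1/p' | head -n 1
}

# Serial from `openssl x509 -noout -serial -in cert.pem` ("serial=HEX"), which
# is one line regardless of length; `-text` moves long serials to the next line.
serial_from_openssl() {
  sed -n 's/^serial=//p' | tr 'a-f' 'A-F'
}

# A PKCS#12 file is DER: the first byte is 0x30 (SEQUENCE). Catches a mis-pasted
# or double-encoded secret before `security import` reports a vague failure.
p12_magic_ok() {
  [ "$(od -An -tx1 -N1 "$1" | tr -d ' \n')" = "30" ]
}

# Constructed samples in the shape security(1) and openssl(1) print.
SAMPLE_IDENTITIES='  1) 0123456789ABCDEF0123456789ABCDEF01234567 "Apple Distribution: Example Corp (ABCDE12345)"
     1 valid identities found'
SAMPLE_SERIAL='serial=0A1B2C3D4E5F60718293A4B5C6D7E8F9'

# Demo on the samples when run directly.
printf '%s\n' "$SAMPLE_IDENTITIES" | identity_name
printf '%s\n' "$SAMPLE_IDENTITIES" | identity_hash
printf '%s\n' "$SAMPLE_SERIAL" | serial_from_openssl
```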