[macOS] Install Apple certificate for Big Sur via swift binary #3311

Merged
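--- a/images/macos/provision/configuration/add-certificate.swift
+++ b/images/macos/provision/configuration/add-certificate.swift
@@ -0,0 +1,64 @@
+import Foundation
+import Security
+
+let certInfo: CFDictionary
+
+enum SecurityError: Error {
+case generalError
+}
+
+func deleteCertificateFromKeyChain(_ certificateLabel: String) -> Bool {
+let delQuery: [NSString: Any] = [
+kSecClass: kSecClassCertificate,
+kSecAttrLabel: certificateLabel,
+]
+let delStatus: OSStatus = SecItemDelete(delQuery as CFDictionary)
+
+return delStatus == errSecSuccess
+}
+
+func saveCertificateToKeyChain(_ certificate: SecCertificate, certificateLabel: String) throws {
+SecKeychainSetPreferenceDomain(SecPreferencesDomain.system)
+deleteCertificateFromKeyChain(certificateLabel)
+
+let setQuery: [NSString: AnyObject] = [
+kSecClass: kSecClassCertificate,
+kSecValueRef: certificate,
+kSecAttrLabel: certificateLabel as AnyObject,
+kSecAttrAccessible: kSecAttrAccessibleWhenUnlocked,
+]
+let addStatus: OSStatus = SecItemAdd(setQuery as CFDictionary, nil)
+
+guard addStatus == errSecSuccess else {
+throw SecurityError.generalError
+}
+
+var status = SecTrustSettingsSetTrustSettings(certificate, SecTrustSettingsDomain.admin, nil)
+}
+
+func getCertificateFromString(stringData: String) throws -> SecCertificate {
+if let data = NSData(base64Encoded: stringData, options: NSData.Base64DecodingOptions.ignoreUnknownCharacters) {
+if let certificate = SecCertificateCreateWithData(kCFAllocatorDefault, data) {
+return certificate
+}
+}
+throw SecurityError.generalError
+}
+
+if CommandLine.arguments.count > 1 {
+let fileURL = URL(fileURLWithPath: CommandLine.arguments[1])
+do {
+let certData = try Data(contentsOf: fileURL)
+let certificate = SecCertificateCreateWithData(nil, certData as CFData)
+if certificate != nil {
+print("Saving certificate")
+try? saveCertificateToKeyChain(certificate!, certificateLabel: "Test")
+} else {
+print("Certificate can't be read")
+}
+} catch {
+print("Unable to read the file \(CommandLine.arguments[1])")
+}
+} else {
+print("Usage: \(CommandLine.arguments[0]) [cert.file]")
+}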
11 changes: 10 additions & 1 deletion images/macos/provision/configuration/configure-machine.sh
@@ -1,5 +1,7 @@
#!/bin/bash -e -o pipefail

source ~/utils/utils.sh

echo "Enabling safari driver..."
# https://developer.apple.com/documentation/webkit/testing_with_webdriver_in_safari
# Safari’s executable is located at /usr/bin/safaridriver
Expand All @@ -22,7 +24,14 @@ sudo "/Library/Application Support/VMware Tools/vmware-resolutionSet" 1176 885
# Confirm that the correct intermediate certificate is installed by verifying the expiration date is set to 2030.
# sudo security delete-certificate -Z FF6797793A3CD798DC5B2ABEF56F73EDC9F83A64 /Library/Keychains/System.keychain
curl https://www.apple.com/certificateauthority/AppleWWDRCAG3.cer --output $HOME/AppleWWDRCAG3.cer --silent
sudo security add-trusted-cert -d -r unspecified -k /Library/Keychains/System.keychain $HOME/AppleWWDRCAG3.cer
# Big Sur requires user interaction to add a cert https://developer.apple.com/forums/thread/671582, we need to use a workaround with SecItemAdd swift method
if is_Less_BigSur; then
sudo security add-trusted-cert -d -r unspecified -k /Library/Keychains/System.keychain $HOME/AppleWWDRCAG3.cer
else
swiftc $HOME/image-generation/add-certificate.swift
sudo ./add-certificate $HOME/AppleWWDRCAG3.cer
rm add-certificate
fi
rm $HOME/AppleWWDRCAG3.cer

# Create symlink for tests running
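Review bot: `swiftc $HOME/image-generation/add-certificate.swift` writes the `add-certificate` binary into whatever the current working directory happens to be, and `sudo ./add-certificate` then executes a file from that same unspecified location as root; none of the visible lines set the working directory, so both the build output and the privileged execution depend on the caller's cwd. Give the binary an explicit path and quote the expansions: `swiftc -o "$HOME/add-certificate" "$HOME/image-generation/add-certificate.swift"`, `sudo "$HOME/add-certificate" "$HOME/AppleWWDRCAG3.cer"`, `rm "$HOME/add-certificate"`. Note also that the Swift binary as written does not return a non-zero status when the keychain add or trust-settings call fails, so `bash -e` cannot catch that failure in this branch, whereas the `security add-trusted-cert` branch above does fail loudly.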
7 changes: 6 additions & 1 deletion images/macos/templates/macOS-11.0.json
Expand Up @@ -61,6 +61,11 @@
"source": "./helpers",
"destination": "~/image-generation/"
},
{
"type": "file",
"source": "./provision/configuration/add-certificate.swift",
"destination": "~/image-generation/add-certificate.swift"
},
{
"type": "file",
"source": "./provision/configuration/environment/bashrc",
Expand Down Expand Up @@ -109,6 +114,7 @@
"scripts": [
"./provision/configuration/preimagedata.sh",
"./provision/configuration/configure-ssh.sh",
"./provision/core/xcode-clt.sh",
"./provision/configuration/configure-machine.sh"
],
"environment_vars": [
Expand All @@ -127,7 +133,6 @@
"execute_command": "chmod +x {{ .Path }}; {{ .Vars }} {{ .Path }}",
"pause_before": "30s",
"scripts": [
"./provision/core/xcode-clt.sh",
"./provision/core/homebrew.sh",
"./provision/core/powershell.sh",
"./provision/core/dotnet.sh",