On Thu, Jun 14, 2018 at 11:04 AM, Frederic Riss via lldb-commits <lldb-commits@lists.llvm.org> wrote: > Author: friss > Date: Thu Jun 14 11:04:13 2018 > New Revision: 334743 > > URL: http://llvm.org/viewvc/llvm-project?rev=334743&view=rev > Log: > Add a script to setup codesigning on macOS. > > I've been using this script on a couple machines and it seems to work > so I'm putting it out there, maybe other people will find it useful. > It is strongly inspired from a similar script in the delve project. > > Added: > lldb/trunk/scripts/macos-setup-codesign.sh (with props) > > Added: lldb/trunk/scripts/macos-setup-codesign.sh > URL: > http://llvm.org/viewvc/llvm-project/lldb/trunk/scripts/macos-setup-codesign.sh?rev=334743&view=auto > ============================================================================== > --- lldb/trunk/scripts/macos-setup-codesign.sh (added) > +++ lldb/trunk/scripts/macos-setup-codesign.sh Thu Jun 14 11:04:13 2018 
> @@ -0,0 +1,57 @@ > +#!/bin/bash > + > +CERT="lldb_codesign" > + > +function error() { > + echo error: "$@" > + exit 1 > +} > + > +function cleanup { > + # Remove generated files > + rm -f "$TMPDIR/$CERT.tmpl" "$TMPDIR/$CERT.cer" "$TMPDIR/$CERT.key" > > /dev/null 2>&1 > +} > + > +trap cleanup EXIT > + > +# Check if the certificate is already present in the system keychain > +security find-certificate -Z -p -c "$CERT" > /Library/Keychains/System.keychain > /dev/null 2>&1 > +if [ $? -eq 0 ]; then > + echo Certificate has already been generated and installed > + exit 0 > +fi > + > +# Create the certificate template > +cat <<EOF >$TMPDIR/$CERT.tmpl > +[ req ] > +default_bits = 2048 # RSA key size > +encrypt_key = no # Protect private key > +default_md = sha512 # MD to use > +prompt = no # Prompt for DN > +distinguished_name = codesign_dn # DN template > +[ codesign_dn ] > +commonName = "$CERT" > +[ codesign_reqext ] > +keyUsage = critical,digitalSignature > +extendedKeyUsage = critical,codeSigning > +EOF > + > +echo Generating and installing lldb_codesign certificate > + > +# Generate a new certificate > +openssl req -new -newkey rsa:2048 -x509 -days 3650 -nodes -config > "$TMPDIR/$CERT.tmpl" -extensions codesign_reqext -batch -out > "$TMPDIR/$CERT.cer" -keyout "$TMPDIR/$CERT.key" > /dev/null 2>&1 > +[ $? -eq 0 ] || error Something went wrong when generating the certificate > + > +# Install the certificate in the system keychain > +sudo security add-trusted-cert -d -r trustRoot -p codeSign -k > /Library/Keychains/System.keychain "$TMPDIR/$CERT.cer" > /dev/null 2>&1 > +[ $? -eq 0 ] || error Something went wrong when installing the certificate > + > +# Install the key for the certificate in the system keychain > +sudo security import "$TMPDIR/$CERT.key" -A -k > /Library/Keychains/System.keychain > /dev/null 2>&1 > +[ $? 
-eq 0 ] || error Something went wrong when installing the key > + > +# Kill task_for_pid access control daemon > +sudo pkill -f /usr/libexec/taskgated > /dev/null 2>&1 > + > +# Exit indicating the certificate is now generated and installed > +exit 0 > > Propchange: lldb/trunk/scripts/macos-setup-codesign.sh > ------------------------------------------------------------------------------ > svn:executable = * >
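Review bot: The key import step, `sudo security import "$TMPDIR/$CERT.key" -A -k /Library/Keychains/System.keychain`, passes `-A`, which lets any application use the imported private key without a prompt, and the matching certificate has just been installed as a trusted root for code signing (`-r trustRoot -p codeSign`). Consider replacing `-A` with `-T /usr/bin/codesign` so that only codesign is on the key's access list. Separately, the key is written unencrypted (`-nodes`, `encrypt_key = no`) to a fixed file name under `$TMPDIR`, and the script sets no umask; creating a private directory with `mktemp -d` and using it for the three generated files would avoid that, and would also cover the case where `TMPDIR` is unset and the paths collapse to `/lldb_codesign.*`. The redirect in `cat <<EOF >$TMPDIR/$CERT.tmpl` should quote its path as the other uses do. Finally, the early exit only checks that `security find-certificate` finds the certificate, so a previous run that failed at the key import step would be reported as "already been generated and installed".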
I just tested on my freshly installed OS and it works :)
Thank you very much, I really quite didn't like the manual dance.
Should we update code_signing.txt to point to this? (and fall back to the old manual method)

Best,

--
Davide