diff --git a/Source/santad/BUILD b/Source/santad/BUILD
index 87d2250c0..6f78bbfe3 100644
--- a/Source/santad/BUILD
+++ b/Source/santad/BUILD
@@ -93,7 +93,6 @@ macos_bundle(
 infoplists = ["Info.plist"],
 linkopts = ["-execute"],
 minimum_os_version = "10.9",
- entitlements = "com.google.santa.daemon.systemextension.entitlements",
 codesignopts = [
 "--timestamp",
 "--force",
diff --git a/Source/santad/com.google.santa.daemon.systemextension.entitlements b/Source/santad/com.google.santa.daemon.systemextension.entitlements
index 46a73e743..54d538483 100644
--- a/Source/santad/com.google.santa.daemon.systemextension.entitlements
+++ b/Source/santad/com.google.santa.daemon.systemextension.entitlements
@@ -2,6 +2,10 @@
+ com.apple.application-identifier
+ $(TeamIdentifierPrefix)com.google.santa.daemon
+ com.apple.developer.team-identifier
+ EQHXZ8M8AV
 com.apple.developer.endpoint-security.client
diff --git a/Testing/build_and_sign.sh b/Testing/build_and_sign.sh
index 88416e76d..24641b35a 100755
--- a/Testing/build_and_sign.sh
+++ b/Testing/build_and_sign.sh
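Review bot: The new `com.apple.application-identifier` value uses the `$(TeamIdentifierPrefix)` build-setting placeholder, but this same file is now handed directly to `codesign --entitlements` in Testing/build_and_sign.sh, and codesign does no such substitution (Xcode and the Bazel rules do), so the literal string `$(TeamIdentifierPrefix)com.google.santa.daemon` would presumably be embedded in the signed daemon. The sibling `com.apple.developer.team-identifier` key hardcodes `EQHXZ8M8AV` instead, so the two keys are inconsistent with each other, and the dev flow signs with a self-signed `localhost` identity whose team cannot match that value anyway. Either hardcode the prefix to match (`EQHXZ8M8AV.com.google.santa.daemon`) or expand the placeholder in the script before signing, and add a comment in this file naming which consumer is expected to perform the substitution. The plist markup is stripped in this rendering, so the element structure around these keys was not verified here.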
@@ -2,21 +2,27 @@
 set -e
 GIT_ROOT=$(git rev-parse --show-toplevel)
+KEYCHAIN="santa-dev-test.keychain"
 SANTAD_PATH=Santa.app/Contents/Library/SystemExtensions/com.google.santa.daemon.systemextension/Contents/MacOS/com.google.santa.daemon
+SANTAD_ENTITLEMENTS="$GIT_ROOT/Source/santad/com.google.santa.daemon.systemextension.entitlements"
 SANTA_BIN_PATH=Santa.app/Contents/MacOS
 SIGNING_IDENTITY="localhost"
+
 function main() {
- sudo bazel build --ios_signing_cert_name=$SIGNING_IDENTITY --apple_generate_dsym -c opt --define=SANTA_BUILD_TYPE=ci --define=apple.propagate_embedded_extra_outputs=yes --macos_cpus=x86_64,arm64 //:release
+ bazel build --apple_generate_dsym -c opt --define=SANTA_BUILD_TYPE=ci --define=apple.propagate_embedded_extra_outputs=yes --macos_cpus=x86_64,arm64 //:release
 echo "> Build complete, installing santa"
 TMP_DIR=$(mktemp -d)
 tar xvf $GIT_ROOT/bazel-bin/santa-*.tar.gz -C $TMP_DIR
+ CS_ARGS="--prefix=EQHXZ8M8AV -fs $SIGNING_IDENTITY --timestamp --options library,kill,runtime"
- for bin in $TMP_DIR/binaries/$SANTA_BIN_PATH/* $TMP_DIR/binaries/$SANTAD_PATH; do
- sudo codesign --prefix=EQHXZ8M8AV --preserve-metadata=entitlements -fs $SIGNING_IDENTITY --timestamp --options library,kill,runtime $bin
+ for bin in $TMP_DIR/binaries/$SANTA_BIN_PATH/*; do
+ codesign --keychain $KEYCHAIN --preserve-metadata=entitlements ${CS_ARGS} $bin
 done
+ codesign ${CS_ARGS} --keychain $KEYCHAIN --entitlements $SANTAD_ENTITLEMENTS $TMP_DIR/binaries/$SANTAD_PATH
+
 echo "> Running install.sh"
 (
 cd $TMP_DIR
diff --git a/Testing/init_dev_certs.sh b/Testing/init_dev_certs.sh
index 3374e1f12..369d266ba 100755
--- a/Testing/init_dev_certs.sh
+++ b/Testing/init_dev_certs.sh
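Review bot: The new `CS_ARGS` is a flat string that depends on unquoted `${CS_ARGS}` word-splitting, and the paths passed to codesign (`$bin`, `$SANTAD_ENTITLEMENTS`, `$TMP_DIR/binaries/$SANTAD_PATH`) are unquoted as well, so a checkout path containing a space (`SANTAD_ENTITLEMENTS` is derived from `$GIT_ROOT`) breaks the signing step or signs the wrong object. Use an array and quote every expansion: `CS_ARGS=(--prefix=EQHXZ8M8AV -fs "$SIGNING_IDENTITY" --timestamp --options library,kill,runtime)`, `codesign --keychain "$KEYCHAIN" --preserve-metadata=entitlements "${CS_ARGS[@]}" "$bin"`, `codesign "${CS_ARGS[@]}" --keychain "$KEYCHAIN" --entitlements "$SANTAD_ENTITLEMENTS" "$TMP_DIR/binaries/$SANTAD_PATH"`. Signing the daemon from the repository entitlements file instead of `--preserve-metadata=entitlements` is the right direction for a test build, but nothing checks the outcome; dumping the embedded entitlements after signing (for example `codesign -d --entitlements - "$TMP_DIR/binaries/$SANTAD_PATH"`) would make problems such as an unexpanded `$(TeamIdentifierPrefix)` visible in the log. Note that `--keychain` is given a bare name rather than a path, which presumably relies on the security framework resolving it under the user's keychain directory — worth confirming. `main()` continues past the end of this hunk.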
@@ -9,6 +9,7 @@ openssl req -new -key ./santa.key -out ./santa.csr -config $CNF_PATH
 openssl x509 -req -days 10 -in ./santa.csr -signkey ./santa.key -out ./santa.crt -extfile $CNF_PATH -extensions codesign
 openssl pkcs12 -export -out santa.p12 -inkey santa.key -in santa.crt -password pass:santa
-KEYCHAIN="/Library/Keychains/System.keychain"
-sudo security import ./santa.p12 -k $KEYCHAIN -A -P santa
-sudo security add-trusted-cert -d -r trustRoot -k $KEYCHAIN santa.crt
+KEYCHAIN="santa-dev-test.keychain"
+security create-keychain -p santa $KEYCHAIN
+security import ./santa.p12 -k $KEYCHAIN -A -P santa
+security add-trusted-cert -d -r trustRoot -k $KEYCHAIN santa.crt
diff --git a/Testing/reset.sh b/Testing/reset.sh
index 23304ae30..1e83b9d73 100755
--- a/Testing/reset.sh
+++ b/Testing/reset.sh
@@ -3,3 +3,4 @@ killall moroz
 security delete-identity -c "localhost"
 rm -rf /Applications/Santa.app
 systemextensionsctl reset
+security delete-keychain santa-dev-test.keychain
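Review bot: `security create-keychain -p santa $KEYCHAIN` is not idempotent: re-running the script while a keychain from an earlier run still exists fails at that line, and if this file runs under `set -e` like Testing/build_and_sign.sh the identity import never happens (Testing/reset.sh removes the keychain, but only when it is run first). The script also never unlocks the new keychain or adjusts its lock timeout, so a later `codesign --keychain santa-dev-test.keychain` in build_and_sign.sh may meet a locked keychain and prompt or fail non-interactively — confirm on a clean machine. Consider removing any stale keychain before creation with an explicit, commented `security delete-keychain "$KEYCHAIN" 2>/dev/null || true`, followed by `security unlock-keychain -p santa "$KEYCHAIN"` after creation, quoting `$KEYCHAIN` in every call. Separately, `security add-trusted-cert -d` targets the admin trust domain, which the removed `sudo` previously provided privileges for; verify the unprivileged call still completes without an authorization dialog, or drop `-d` so the self-signed root is trusted in the user domain only.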