Last active
May 30, 2025 08:58
Revisions
Integralist revised this gist
May 29, 2025. No changes.
Integralist revised this gist
May 26, 2025. No changes.
Integralist revised this gist
Jan 10, 2025. No changes.
Integralist revised this gist
Oct 17, 2024. 1 changed file with 1 addition and 0 deletions.
@@ -1,4 +1,5 @@ # 0. Have a binary to codesign. # NOTE: I use `if os.Getenv("SKIP_FTP") != "" { t.Skip("...") }` to allow skipping the test when running the full test suite. go test -c -o ./path/to/package/test_binary ./path/to/package
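Review bot: the skip check `if os.Getenv("SKIP_FTP") != "" { t.Skip("...") }` treats any non-empty value as "skip", so `SKIP_FTP=false` or `SKIP_FTP=0` would also skip the network test. The Makefile in this gist sets `SKIP_FTP=true`, which works, but parsing the value with `strconv.ParseBool` (or comparing against `"true"`) would make the intent explicit and stop an accidental `SKIP_FTP=0` from silently hiding the test.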
Integralist renamed this gist
Oct 17, 2024. 1 changed file with 0 additions and 0 deletions.
File renamed without changes.
Integralist revised this gist
Oct 17, 2024. 2 changed files with 1 addition and 1 deletion.
File renamed without changes.
@@ -37,7 +37,7 @@ test: codesigning ## Run project's test suite with race detection codesign -f -s "ExampleTestBinaryCodeSigningIdentity" ./path/to/package/test_binary; \ trap "rm -f ./path/to/package/test_binary" EXIT; \ cd ./path/to/package/ && { ./test_binary; cd -; } || cd -; \ # SKIP_FTP forces the go toolchain to skip the problematic test that uses the network; \ SKIP_FTP=true go test -race -v -count=1 $(GO_BUILDARGS) $(GO_TESTARGS) $(APP_TESTARGS); \ else \ go test -race -v -count=1 $(GO_BUILDARGS) $(GO_TESTARGS) $(APP_TESTARGS); \
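Review bot: in `cd ./path/to/package/ && { ./test_binary; cd -; } || cd -; \` the exit status of `./test_binary` is discarded, because the brace group returns the status of its last command (`cd -`) and the `|| cd -` branch also ends in a successful `cd`, so a failing signed test binary never fails `make test`. Run it in a subshell and propagate the status, for example `(cd ./path/to/package && ./test_binary) || exit 1;`, which also removes the need for `cd -`. The new comment line `# SKIP_FTP forces the go toolchain to skip ...; \` is also worth a second look: it ends a shell comment with a backslash continuation inside a make recipe, which only works because the shell ends the comment at the newline, and the wording is off, since it is the test's own `t.Skip` that honours `SKIP_FTP`, not the Go toolchain.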
Integralist revised this gist
Oct 17, 2024. 1 changed file with 44 additions and 0 deletions.
@@ -0,0 +1,44 @@ .PHONY: codesigning codesigning: ID=ExampleTestBinaryCodeSigningIdentity codesigning: CERT_PSW=whatever codesigning: @if [ $$(uname) == "Darwin" ] && [ "$$(security find-certificate -a -c "$(ID)" -p)" == "" ]; then \ echo ""; \ echo "⚠️ no code-signing certificate found in your keychain (so we'll try to generate that for you)"; \ echo ""; \ openssl req -new -x509 -days 365 -nodes \ -keyout $(ID).key -out $(ID).crt \ -subj "/CN=$(ID)" \ -addext "keyUsage=digitalSignature,keyEncipherment" \ -addext "extendedKeyUsage=codeSigning"; \ openssl pkcs12 -export \ -out $(ID).p12 \ -inkey $(ID).key \ -in $(ID).crt \ -legacy \ -passout pass:$(CERT_PSW); \ trap "rm -f $(ID)*" EXIT; \ kc=$$(security list | awk '/login.keychain/ { gsub(/^ *| *$$/, ""); print $$1 }' | sed 's/"//g'); \ security import $(ID).p12 \ -k "$$kc" \ -P $(CERT_PSW) \ -T /usr/bin/codesign; \ security add-trusted-cert -d -r trustRoot -k $$kc $(ID).crt; \ if security find-identity -p codesigning -v | grep '0 valid identities found'; then \ echo "🚨 failed to find a valid code-signing identity"; \ exit 1; \ fi \ fi .PHONY: test test: codesigning ## Run project's test suite with race detection @if [ $$(uname) == "Darwin" ]; then \ go test -c -o ./path/to/package/test_binary ./path/to/package; \ codesign -f -s "ExampleTestBinaryCodeSigningIdentity" ./path/to/package/test_binary; \ trap "rm -f ./path/to/package/test_binary" EXIT; \ cd ./path/to/package/ && { ./test_binary; cd -; } || cd -; \ # SKIP_FTP forces the go toolchain to skip the problematic test that uses the network; \ SKIP_FTP=true go test -race -v -count=1 $(GO_BUILDARGS) $(GO_TESTARGS) $(APP_TESTARGS); \ else \ go test -race -v -count=1 $(GO_BUILDARGS) $(GO_TESTARGS) $(APP_TESTARGS); \ fi
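Review bot: `security add-trusted-cert -d -r trustRoot -k $$kc $(ID).crt` makes the freshly generated self-signed certificate a trusted root for every policy (TLS, S/MIME and the rest), and `-d` writes that trust setting to the admin (system-wide) store, which is far wider than a throwaway test-signing identity needs. Scope it with `-p codeSign` so the certificate is trusted for code signing only, and drop `-d` unless the system-wide setting is really wanted. Two smaller points in the same recipe: `[ $$(uname) == "Darwin" ]` relies on the non-POSIX `==` and an unquoted substitution (`[ "$$(uname)" = "Darwin" ]` is portable), and `-addext "keyUsage=digitalSignature,keyEncipherment"` asserts a key-encipherment usage the signing key never exercises; `digitalSignature` alone is what `extendedKeyUsage=codeSigning` needs.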
Integralist revised this gist
Oct 17, 2024. 1 changed file with 1 addition and 0 deletions.
@@ -30,6 +30,7 @@ openssl pkcs12 -info -nokeys -in ExampleTestBinaryCodeSigning.p12 -legacy -passw openssl pkcs12 -info -noout -in ExampleTestBinaryCodeSigning.p12 -legacy -password pass:whatever # 4. List your keychains so you know which one you're going to reference and where it is located. # It can be extracted automatically using `security list | awk '/login.keychain/ { print $1 }'` security list
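Review bot: the suggested one-liner `security list | awk '/login.keychain/ { print $1 }'` returns the keychain path still wrapped in the double quotes that `security list` prints around each entry, so feeding it straight to `-k` does not open the keychain. The Makefile revision in this gist already strips them with `sed 's/"//g'`; the comment should include the same step (or `tr -d '"'`) so the snippet works as written.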
Integralist revised this gist
Oct 17, 2024. 1 changed file with 13 additions and 18 deletions.
@@ -2,7 +2,8 @@ go test -c -o ./path/to/package/test_binary ./path/to/package # 1. Create self-signed private key and certificate # IMPORTANT: The `-addext` flags are essential for codesigning purposes. openssl req -new -x509 -days 365 -nodes \ -keyout ExampleTestBinaryCodeSigning.key -out ExampleTestBinaryCodeSigning.crt \ @@ -11,26 +12,18 @@ openssl req -new -x509 -days 365 -nodes \ -addext "extendedKeyUsage=codeSigning" # 2. Export private key and certificate as p12. # IMPORTANT: The `-legacy` flag is essential if using OpenSSL 3.x on macOS. # OpenSSL 3.x changed its default algorithm in pkcs12. # Which is not compatible with embedded Security frameworks in macOS/iOS. # So you either downgrade to OpenSSL 1.1 or use -legacy flag. openssl pkcs12 -export \ -out ExampleTestBinaryCodeSigning.p12 \ -inkey ExampleTestBinaryCodeSigning.key \ -in ExampleTestBinaryCodeSigning.crt \ -legacy \ -passout pass:whatever # 3. Validate the password has been set on your p12 (-nokeys vs -noout == just different output) openssl pkcs12 -info -nokeys -in ExampleTestBinaryCodeSigning.p12 -legacy -password pass:whatever
@@ -44,23 +37,25 @@ security list security import ExampleTestBinaryCodeSigning.p12 -k ~/Library/Keychains/login.keychain-db -P whatever -T /usr/bin/codesign # 6. Find the certificate in your keychain. security find-certificate -a -c "ExampleTestBinaryCodeSigning" -p # 7. Check the details of the certificate in the keychain. security find-certificate -c "ExampleTestBinaryCodeSigning" # 8. Set the certificate to be trusted. # Only possible if you still have the cert. # Otherwise you have to manually trust it via the "Keychain Access" GUI. security add-trusted-cert -d -r trustRoot -k ~/Library/Keychains/login.keychain-db ./ExampleTestBinaryCodeSigning.crt # 9. Validate you have 'valid' identities. security find-identity -v security find-identity -p codesigning -v # 10. Now you may codesign your binary. codesign -f -s "ExampleTestBinaryCodeSigning" ./path/to/package/test_binary
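Review bot: step 8 says trusting the certificate is "Only possible if you still have the cert", but step 6 in the same file already shows how to recover it: `security find-certificate -c "ExampleTestBinaryCodeSigning" -p` prints the certificate as PEM, so redirecting that to a file and passing it to `security add-trusted-cert` works without the original `.crt` and without the Keychain Access GUI; the comment should say so rather than pointing at the GUI. Step 2 also deserves one more line: `-legacy` selects the old PKCS#12 encryption (RC2-40 for certificates, 3DES for the key) that the macOS Security framework accepts, so `-passout pass:whatever` is only a thin wrapper around the private key and the `.p12` should be removed once it has been imported.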
Integralist revised this gist
Oct 17, 2024. 1 changed file with 1 addition and 1 deletion.
@@ -1,6 +1,6 @@ # 0. Have a binary to codesign. go test -c -o ./path/to/package/test_binary ./path/to/package # 1. Create self-signed private key and certificate.
Integralist created this gist
Oct 17, 2024.
@@ -0,0 +1,66 @@ # 0. Have a binary to codesign. go test -c -o ./path/to/package/test_binary ./path/to/package; # 1. Create self-signed private key and certificate. openssl req -new -x509 -days 365 -nodes \ -keyout ExampleTestBinaryCodeSigning.key -out ExampleTestBinaryCodeSigning.crt \ -subj "/CN=ExampleTestBinaryCodeSigning" \ -addext "keyUsage=digitalSignature,keyEncipherment" \ -addext "extendedKeyUsage=codeSigning" # 2. Export private key and certificate as p12. # BAD (no -legacy flag) openssl pkcs12 -export \ -out ExampleTestBinaryCodeSigning.p12 \ -inkey ExampleTestBinaryCodeSigning.key \ -in ExampleTestBinaryCodeSigning.crt \ -passout pass:whatever # GOOD (includes -legacy flag) openssl pkcs12 -export \ -out ExampleTestBinaryCodeSigning.p12 \ -inkey ExampleTestBinaryCodeSigning.key \ -in ExampleTestBinaryCodeSigning.crt \ -legacy \ -passout pass:whatever # OpenSSL 3.x changed its default algorithm in pkcs12. # Which is not compatible with embedded Security frameworks in macOS/iOS. # So you either downgrade to OpenSSL 1.1 or use -legacy flag. # 3. Validate the password has been set on your p12 (-nokeys vs -noout == just different output) openssl pkcs12 -info -nokeys -in ExampleTestBinaryCodeSigning.p12 -legacy -password pass:whatever openssl pkcs12 -info -noout -in ExampleTestBinaryCodeSigning.p12 -legacy -password pass:whatever # 4. List your keychains so you know which one you're going to reference and where it is located. security list # 5. Import your p12 into your keychain. security import ExampleTestBinaryCodeSigning.p12 -k ~/Library/Keychains/login.keychain-db -P whatever -T /usr/bin/codesign # 6. FIND THE CERTIFICATE IN THE KEYCHAIN security find-certificate -a -c "ExampleTestBinaryCodeSigning" -p # 7. CHECK DETAILS OF CERTIFICATE IN THE KEYCHAIN security find-certificate -c "ExampleTestBinaryCodeSigning" # 8. 
SET THE CERTIFICATE TO BE TRUSTED (ONLY POSSIBLE IF YOU STILL HAVE THE CERT, OTHERWISE YOU HAVE TO DO MANUALLY VIA "Keychain Access" GUI) security add-trusted-cert -d -r trustRoot -k ~/Library/Keychains/login.keychain-db ./ExampleTestBinaryCodeSigning.crt # 9. VALIDATE YOU NOW HAVE 'VALID' IDENTITIES security find-identity -v security find-identity -p codesigning -v # 10. NOW CODESIGN YOUR BINARY codesign -f -s "ExampleTestBinaryCodeSigning" ./path/to/package/test_binary
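Review bot: step 1 writes the private key unencrypted (`-nodes`) to `ExampleTestBinaryCodeSigning.key`, step 2 adds a `.p12` protected only by `pass:whatever`, and nothing after the import in step 5 removes either file, even though step 8 then marks the matching certificate as a trusted root; anyone who picks up the key from the working directory can sign as this identity. Add a cleanup after step 5 (`rm -f ExampleTestBinaryCodeSigning.key ExampleTestBinaryCodeSigning.p12`, or a `trap ... EXIT` as the later Makefile revision does) and consider `-p codeSign` on `security add-trusted-cert` so the trust setting covers code signing only. The `# BAD` / `# GOOD` pair in step 2 would also read better with the OpenSSL 3.x explanation placed above both commands, since it is what distinguishes them.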