Add cross signature support for apple

With sign.sh it can be created signatures for OSX packages from linux.

5 files changed, 33 insertions, 0 deletions

diff --git a/apple/README b/apple/README
index 4ab3039..3dfe172 100644
--- a/apple/README
+++ b/apple/README
@@ -24,3 +24,6 @@ leap-developer-id-application
 leap-developer-id-installer
   This is used for distributing an installer outside the app store.
 
+
+To cross sign from linux use:
+  ./sign.sh $PATH_REPO/deploy/RiseupVPN-$VERSION_unsigned.pkg
diff --git a/apple/certs/cert00 b/apple/certs/cert00
new file mode 100644
index 0000000..7730fce
--- /dev/null
+++ b/apple/certs/cert00
diff --git a/apple/certs/cert01 b/apple/certs/cert01
new file mode 100644
index 0000000..d333739
--- /dev/null
+++ b/apple/certs/cert01
diff --git a/apple/certs/cert02 b/apple/certs/cert02
new file mode 100644
index 0000000..8a9ff24
--- /dev/null
+++ b/apple/certs/cert02
diff --git a/apple/sign.sh b/apple/sign.sh
new file mode 100755
index 0000000..3523b6f
--- /dev/null
+++ b/apple/sign.sh
@@ -0,0 +1,30 @@
+#!/bin/sh
+# From: http://users.wfu.edu/cottrell/productsign/productsign_linux.html
+
+PKG=$1
+
+mkdir tmp
+# extract the private key from certs.p12 (requires passphrase)
+openssl pkcs12 -in leap-developer-id-installer.key.p12 -nodes | openssl rsa -out tmp/key.pem
+
+# determine the size of the signature
+: | openssl dgst -sign tmp/key.pem -binary | wc -c > tmp/siglen.txt
+
+# prepare data for signing -- may have to adjust depending
+# on the contents of the certs subdir in your case
+xar --sign -f $PKG --digestinfo-to-sign tmp/digestinfo.dat \
+    --sig-size `cat tmp/siglen.txt` \
+    --cert-loc certs/cert00 \
+    --cert-loc certs/cert01 \
+    --cert-loc certs/cert02
+
+# create the signature
+openssl rsautl -sign -inkey tmp/key.pem -in tmp/digestinfo.dat \
+	 -out tmp/signature.dat
+
+# stuff it into the archive 
+xar --inject-sig tmp/signature.dat -f $PKG
+
+# and clean up
+rm -rf tmp
+