authorRuben Pollan <meskio@sindominio.net>2020-01-22 18:56:46 -0600
committerRuben Pollan <meskio@sindominio.net>2020-01-22 18:56:46 -0600
commit8356ad58ab95e3f695af34f65975510f2f5200ed (patch)
treec58d6c0101b0505754e1cce082cdf2f0900841ce
parent9599e5b4137ce9628500659b3289fc6a7b15d2d8 (diff)
Add cross signature support for apple
With sign.sh, signatures for OSX packages can be created from linux.
-rw-r--r--apple/README3
-rw-r--r--apple/certs/cert00bin0 -> 1433 bytes
-rw-r--r--apple/certs/cert01bin0 -> 1032 bytes
-rw-r--r--apple/certs/cert02bin0 -> 1215 bytes
-rwxr-xr-xapple/sign.sh30
5 files changed, 33 insertions, 0 deletions
diff --git a/apple/README b/apple/README
index 4ab3039..3dfe172 100644
--- a/apple/README
+++ b/apple/README
@@ -24,3 +24,6 @@ leap-developer-id-application
leap-developer-id-installer
This is used for distributing an installer outside the app store.
+
+To cross sign from linux use:
+ ./sign.sh $PATH_REPO/deploy/RiseupVPN-$VERSION_unsigned.pkg
diff --git a/apple/certs/cert00 b/apple/certs/cert00
new file mode 100644
index 0000000..7730fce
--- /dev/null
+++ b/apple/certs/cert00
Binary files differ
diff --git a/apple/certs/cert01 b/apple/certs/cert01
new file mode 100644
index 0000000..d333739
--- /dev/null
+++ b/apple/certs/cert01
Binary files differ
diff --git a/apple/certs/cert02 b/apple/certs/cert02
new file mode 100644
index 0000000..8a9ff24
--- /dev/null
+++ b/apple/certs/cert02
Binary files differ
diff --git a/apple/sign.sh b/apple/sign.sh
new file mode 100755
index 0000000..3523b6f
--- /dev/null
+++ b/apple/sign.sh
@@ -0,0 +1,30 @@
+#!/bin/sh
+# From: http://users.wfu.edu/cottrell/productsign/productsign_linux.html
+
+PKG=$1
+
+mkdir tmp
+# extract the private key from certs.p12 (requires passphrase)
+openssl pkcs12 -in leap-developer-id-installer.key.p12 -nodes | openssl rsa -out tmp/key.pem
+
+# determine the size of the signature
+: | openssl dgst -sign tmp/key.pem -binary | wc -c > tmp/siglen.txt
+
+# prepare data for signing -- may have to adjust depending
+# on the contents of the certs subdir in your case
+xar --sign -f $PKG --digestinfo-to-sign tmp/digestinfo.dat \
+ --sig-size `cat tmp/siglen.txt` \
+ --cert-loc certs/cert00 \
+ --cert-loc certs/cert01 \
+ --cert-loc certs/cert02
+
+# create the signature
+openssl rsautl -sign -inkey tmp/key.pem -in tmp/digestinfo.dat \
+ -out tmp/signature.dat
+
+# stuff it into the archive
+xar --inject-sig tmp/signature.dat -f $PKG
+
+# and clean up
+rm -rf tmp
+
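Review bot: The decrypted Developer ID key is written to `tmp/key.pem` in a fixed directory under the current working directory with the default umask, and it is removed only by the final `rm -rf tmp`, so an interrupt part-way through leaves the private key on disk in clear. No exit status is checked either, so if `mkdir tmp` fails because the directory already exists, or the passphrase is wrong, the script carries on and could inject a signature built from stale or empty files. I would add `set -eu` and `umask 077`, create the work directory with `mktemp -d`, remove it from an exit trap, and quote `$PKG` in both `xar` calls. Separately, `openssl rsautl` is deprecated in OpenSSL 3.0 in favour of `pkeyutl`, which is worth a comment next to the signing step.

```shell
set -eu
umask 077   # key.pem must not be readable by other users

PKG=$1

tmp=$(mktemp -d)
trap 'rm -rf -- "$tmp"' EXIT
trap 'exit 1' INT TERM

openssl pkcs12 -in leap-developer-id-installer.key.p12 -nodes | openssl rsa -out "$tmp/key.pem"
# … unchanged: remaining steps, with tmp/ replaced by "$tmp"/ and $PKG quoted …
# … the final rm -rf tmp is dropped; the trap does the cleanup …
```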