author | Ruben Pollan <meskio@sindominio.net> | 2020-01-22 18:56:46 -0600 |
---|---|---|
committer | Ruben Pollan <meskio@sindominio.net> | 2020-01-22 18:56:46 -0600 |
commit | 8356ad58ab95e3f695af34f65975510f2f5200ed (patch) | |
tree | c58d6c0101b0505754e1cce082cdf2f0900841ce | |
parent | 9599e5b4137ce9628500659b3289fc6a7b15d2d8 (diff) |
Add cross signature support for apple
With sign.sh, signatures for OSX packages can be created from Linux.
-rw-r--r-- | apple/README | 3 | ||||
-rw-r--r-- | apple/certs/cert00 | bin | 0 -> 1433 bytes | |||
-rw-r--r-- | apple/certs/cert01 | bin | 0 -> 1032 bytes | |||
-rw-r--r-- | apple/certs/cert02 | bin | 0 -> 1215 bytes | |||
-rwxr-xr-x | apple/sign.sh | 30 |
5 files changed, 33 insertions, 0 deletions
diff --git a/apple/README b/apple/README index 4ab3039..3dfe172 100644 --- a/apple/README +++ b/apple/README @@ -24,3 +24,6 @@ leap-developer-id-application leap-developer-id-installer This is used for distributing an installer outside the app store. + +To cross sign from linux use: + ./sign.sh $PATH_REPO/deploy/RiseupVPN-$VERSION_unsigned.pkg diff --git a/apple/certs/cert00 b/apple/certs/cert00 Binary files differnew file mode 100644 index 0000000..7730fce --- /dev/null +++ b/apple/certs/cert00 diff --git a/apple/certs/cert01 b/apple/certs/cert01 Binary files differnew file mode 100644 index 0000000..d333739 --- /dev/null +++ b/apple/certs/cert01 diff --git a/apple/certs/cert02 b/apple/certs/cert02 Binary files differnew file mode 100644 index 0000000..8a9ff24 --- /dev/null +++ b/apple/certs/cert02 diff --git a/apple/sign.sh b/apple/sign.sh new file mode 100755 index 0000000..3523b6f --- /dev/null +++ b/apple/sign.sh @@ -0,0 +1,30 @@ +#!/bin/sh +# From: http://users.wfu.edu/cottrell/productsign/productsign_linux.html + +PKG=$1 + +mkdir tmp +# extract the private key from certs.p12 (requires passphrase) +openssl pkcs12 -in leap-developer-id-installer.key.p12 -nodes | openssl rsa -out tmp/key.pem + +# determine the size of the signature +: | openssl dgst -sign tmp/key.pem -binary | wc -c > tmp/siglen.txt + +# prepare data for signing -- may have to adjust depending +# on the contents of the certs subdir in your case +xar --sign -f $PKG --digestinfo-to-sign tmp/digestinfo.dat \ + --sig-size `cat tmp/siglen.txt` \ + --cert-loc certs/cert00 \ + --cert-loc certs/cert01 \ + --cert-loc certs/cert02 + +# create the signature +openssl rsautl -sign -inkey tmp/key.pem -in tmp/digestinfo.dat \ + -out tmp/signature.dat + +# stuff it into the archive +xar --inject-sig tmp/signature.dat -f $PKG + +# and clean up +rm -rf tmp + |
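Review bot: In the apple/README hunk, the example path `RiseupVPN-$VERSION_unsigned.pkg` is read by the shell as a single variable named `VERSION_unsigned`, so a copy-pasted command with only `VERSION` set expands to `RiseupVPN-.pkg`. Write it as `RiseupVPN-${VERSION}_unsigned.pkg`. The README should also say that the command has to be run from the `apple/` directory, because sign.sh refers to `leap-developer-id-installer.key.p12` and `certs/cert00` by relative path.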
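Review bot: apple/certs/cert00, cert01 and cert02 are added as binary files with nothing in the README or the commit message saying which certificate each one holds or where it was taken from, while sign.sh notes that the `--cert-loc` list "may have to adjust depending on the contents of the certs subdir". Please document in apple/README what each file is, the order in which they must be passed to `xar --sign`, and how to regenerate them when the certificates are renewed, so the files can be checked rather than trusted as opaque blobs.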
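Review bot: In apple/sign.sh the installer signing key is written unencrypted (`-nodes`) to `tmp/key.pem`, inside a directory made with `mkdir tmp` in the current working directory under the caller's umask, and the only cleanup is the final `rm -rf tmp`, so an interrupted run leaves the private key on disk. Suggest setting `umask 077`, creating the directory with `mktemp -d`, and removing it from a `trap ... EXIT` handler. The script also has no `set -e`, so if the passphrase prompt or `xar --sign` fails it still goes on to `xar --inject-sig` against the package, and if `tmp` already exists the `mkdir` failure is ignored and the closing `rm -rf tmp` deletes a directory the script did not create. `$PKG` is used unquoted and `$1` is never checked for being empty; quote it as `"$PKG"` and exit with a usage message when no argument is given.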