dryark/strawberry
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Enhance macOS build scripts for provisioning profile handling and identity management

Browse Source 
This commit improves the `find_mas_provisioning_profile.sh` script by expanding the search for provisioning profiles to include both `.provisionprofile` and `.mobileprovision` files. It also introduces a new function to print SHA-1 values for identities, helping to avoid ambiguity when multiple identities share the same display name. Additionally, the `check_signing_identities.sh` script is updated to provide clearer recommendations for using SHA-1 hashes with codesigning and installer identities, enhancing the overall usability and clarity for developers working with macOS builds.
This commit is contained in:
David Helkowski
2026-01-22 21:15:07 +09:00
parent d4d805443e
commit 7a954b3f32
5 changed files with 386 additions and 60 deletions
Download Patch File Download Diff File Expand all files Collapse all files

69
build_tools/macos/build_mas_pkg.sh
View File

@@ -7,6 +7,41 @@ lower() { echo "$1" | tr '[:upper:]' '[:lower:]'; }
script_dir="$(cd -- "$(dirname -- "${BASH_SOURCE[0]}")" && pwd)"
repo_root="$(cd -- "${script_dir}/../.." && pwd)"
ensure_keychain_search_list() {
# codesign builds the cert chain using the user keychain search list.
# If the list is missing the System keychain, you can get:
# "unable to build chain to self-signed root" + errSecInternalComponent
local login_kc="$HOME/Library/Keychains/login.keychain-db"
local system_kc="/Library/Keychains/System.keychain"
local roots_kc="/System/Library/Keychains/SystemRootCertificates.keychain"
local current
current="$(security list-keychains -d user 2>/dev/null | tr -d '"' | tr -d ' ' || true)"
if echo "$current" | grep -Fq "$system_kc"; then
return 0
fi
echo "==> [$(ts)] Note: adding System keychains to the user keychain search list (fixes common codesign chain errors)"
echo " (This changes the user keychain search list; run 'security list-keychains -d user' to view.)"
security list-keychains -d user -s "$login_kc" "$system_kc" "$roots_kc" >/dev/null 2>&1 || true
}
preflight_identity() {
local what="$1"
local policy="$2"
local identity="$3"
# NOTE: security expects "-p <policy>" as *two* args; do not pass "-p codesigning" as one string.
if ! security find-identity -p "$policy" -v 2>/dev/null | grep -Fq "$identity"; then
echo "Error: ${what} identity not found/usable in Keychain: $identity" >&2
echo "Run: ./build_tools/macos/check_signing_identities.sh" >&2
exit 2
fi
}
usage() {
cat <<'EOF'
Usage:
@@ -147,40 +182,10 @@ echo "==> [$(ts)] Embedding provisioning profile"
cp -f "$provisionprofile" "${app_path}/Contents/embedded.provisionprofile"
ensure_keychain_search_list
preflight_identity "codesign" "-p codesigning" "$codesign_identity"
preflight_identity "installer" "-p basic" "$installer_identity"
preflight_identity "codesign" "codesigning" "$codesign_identity"
preflight_identity "installer" "basic" "$installer_identity"
ensure_keychain_search_list() {
# codesign builds the cert chain using the user keychain search list.
# If the list is missing the System keychain, you can get:
# "unable to build chain to self-signed root" + errSecInternalComponent
local login_kc="$HOME/Library/Keychains/login.keychain-db"
local system_kc="/Library/Keychains/System.keychain"
local roots_kc="/System/Library/Keychains/SystemRootCertificates.keychain"
local current
current="$(security list-keychains -d user 2>/dev/null | tr -d '"' | tr -d ' ' || true)"
if echo "$current" | grep -Fq "$system_kc"; then
return 0
fi
echo "==> [$(ts)] Note: adding System keychains to the user keychain search list (fixes common codesign chain errors)"
echo " (This changes the user keychain search list; run 'security list-keychains -d user' to view.)"
security list-keychains -d user -s "$login_kc" "$system_kc" "$roots_kc" >/dev/null 2>&1 || true
}
preflight_identity() {
local what="$1"
local predicate="$2"
local identity="$3"
if ! security find-identity "$predicate" -v 2>/dev/null | grep -Fq "$identity"; then
echo "Error: ${what} identity not found/usable in Keychain: $identity" >&2
echo "Run: ./build_tools/macos/check_signing_identities.sh" >&2
exit 2
fi
}
echo "==> [$(ts)] Codesigning app (Mac App Store)"
codesign_args=( --force --timestamp --options runtime --sign "$codesign_identity" --entitlements "$entitlements" )