[macOS] Add swift program to save certificate (actions#3311)

dmitry-shibanov · May 5, 2021 · 5475c40 · 5475c40
1 parent adf1f3d
commit 5475c40
Show file tree

Hide file tree

Showing 3 changed files with 80 additions and 2 deletions.
diff --git a/images/macos/provision/configuration/add-certificate.swift b/images/macos/provision/configuration/add-certificate.swift
@@ -0,0 +1,64 @@
+import Foundation
+import Security
+
+let certInfo: CFDictionary
+
+enum SecurityError: Error {
+    case generalError
+}
+
+func deleteCertificateFromKeyChain(_ certificateLabel: String) -> Bool {
+    let delQuery: [NSString: Any] = [
+        kSecClass: kSecClassCertificate,
+        kSecAttrLabel: certificateLabel,
+    ]
+    let delStatus: OSStatus = SecItemDelete(delQuery as CFDictionary)
+
+    return delStatus == errSecSuccess
+}
+
+func saveCertificateToKeyChain(_ certificate: SecCertificate, certificateLabel: String) throws {
+    SecKeychainSetPreferenceDomain(SecPreferencesDomain.system)
+    deleteCertificateFromKeyChain(certificateLabel)
+
+    let setQuery: [NSString: AnyObject] = [
+        kSecClass: kSecClassCertificate,
+        kSecValueRef: certificate,
+        kSecAttrLabel: certificateLabel as AnyObject,
+        kSecAttrAccessible: kSecAttrAccessibleWhenUnlocked,
+    ]
+    let addStatus: OSStatus = SecItemAdd(setQuery as CFDictionary, nil)
+
+    guard addStatus == errSecSuccess else {
+        throw SecurityError.generalError
+    }
+
+    var status = SecTrustSettingsSetTrustSettings(certificate, SecTrustSettingsDomain.admin, nil)
+}
+
+func getCertificateFromString(stringData: String) throws -> SecCertificate {
+    if let data = NSData(base64Encoded: stringData, options: NSData.Base64DecodingOptions.ignoreUnknownCharacters) {
+        if let certificate = SecCertificateCreateWithData(kCFAllocatorDefault, data) {
+            return certificate
+        }
+    }
+    throw SecurityError.generalError
+}
+
+if CommandLine.arguments.count > 1 {
+    let fileURL = URL(fileURLWithPath: CommandLine.arguments[1])
+    do {
+        let certData = try Data(contentsOf: fileURL)
+        let certificate = SecCertificateCreateWithData(nil, certData as CFData)
+        if certificate != nil {
+            print("Saving certificate")
+            try? saveCertificateToKeyChain(certificate!, certificateLabel: "Test")
+        } else {
+            print("Certificate can't be read")
+        }
+    } catch {
+        print("Unable to read the file \(CommandLine.arguments[1])")
+    }
+} else {
+    print("Usage: \(CommandLine.arguments[0]) [cert.file]")
+}
diff --git a/images/macos/provision/configuration/configure-machine.sh b/images/macos/provision/configuration/configure-machine.sh
@@ -1,5 +1,7 @@
 #!/bin/bash -e -o pipefail
 
+source ~/utils/utils.sh
+
 echo "Enabling safari driver..."
 # https://developer.apple.com/documentation/webkit/testing_with_webdriver_in_safari
 # Safari’s executable is located at /usr/bin/safaridriver
@@ -22,7 +24,14 @@ sudo "/Library/Application Support/VMware Tools/vmware-resolutionSet" 1176 885
 # Confirm that the correct intermediate certificate is installed by verifying the expiration date is set to 2030.
 # sudo security delete-certificate -Z FF6797793A3CD798DC5B2ABEF56F73EDC9F83A64 /Library/Keychains/System.keychain
 curl https://www.apple.com/certificateauthority/AppleWWDRCAG3.cer --output $HOME/AppleWWDRCAG3.cer --silent
-sudo security add-trusted-cert -d -r unspecified -k /Library/Keychains/System.keychain $HOME/AppleWWDRCAG3.cer
+# Big Sur requires user interaction to add a cert https://developer.apple.com/forums/thread/671582, we need to use a workaround with SecItemAdd swift method
+if is_Less_BigSur; then
+    sudo security add-trusted-cert -d -r unspecified -k /Library/Keychains/System.keychain $HOME/AppleWWDRCAG3.cer
+else
+    swiftc $HOME/image-generation/add-certificate.swift
+    sudo ./add-certificate $HOME/AppleWWDRCAG3.cer
+    rm add-certificate
+fi
 rm $HOME/AppleWWDRCAG3.cer
 
 # Create symlink for tests running

diff --git a/images/macos/templates/macOS-11.0.json b/images/macos/templates/macOS-11.0.json
@@ -61,6 +61,11 @@
             "source": "./helpers",
             "destination": "~/image-generation/"
         },
+        {
+            "type": "file",
+            "source": "./provision/configuration/add-certificate.swift",
+            "destination": "~/image-generation/add-certificate.swift"
+        },
         {
             "type": "file",
             "source": "./provision/configuration/environment/bashrc",
@@ -109,6 +114,7 @@
             "scripts": [
                 "./provision/configuration/preimagedata.sh",
                 "./provision/configuration/configure-ssh.sh",
+                "./provision/core/xcode-clt.sh",
                 "./provision/configuration/configure-machine.sh"
             ],
             "environment_vars": [
@@ -127,7 +133,6 @@
             "execute_command": "chmod +x {{ .Path }}; {{ .Vars }} {{ .Path }}",
             "pause_before": "30s",
             "scripts": [
-                "./provision/core/xcode-clt.sh",
                 "./provision/core/homebrew.sh",
                 "./provision/core/powershell.sh",
                 "./provision/core/dotnet.sh",