Download and import certificate in build script instead of circle.yml

This will make it possible to run the build on Circle instances that don’t define the required environment variables for code signing. We could do some crazy shell scripting in the circle.yml, but this is easier overall.
2026-04-06 03:02:13 -04:00 · 2016-08-05 11:50:12 -06:00
parent d89896fe20
commit c6e38708d6
3 changed files with 50 additions and 19 deletions
--- a/circle.yml
+++ b/circle.yml
@@ -7,13 +7,6 @@ machine:
  xcode:
    version: 7.3

-  post:
-    - |- # this weird literal syntax allows a : on the next line
-      curl --header 'Accept: application/vnd.github.v3.raw' --output /tmp/mac.p12 $ATOM_MAC_CODE_SIGNING_CERT_DOWNLOAD_URL
-    - security unlock-keychain -p $ATOM_MAC_CODE_SIGNING_KEYCHAIN_PASSWORD $ATOM_MAC_CODE_SIGNING_KEYCHAIN
-    - security import /tmp/mac.p12 -P $ATOM_MAC_CODE_SIGNING_CERT_PASSWORD -k $ATOM_MAC_CODE_SIGNING_KEYCHAIN -T /usr/bin/codesign
-    - security find-identity -p codesigning
-
 general:
  artifacts:
    - out/atom-mac.zip
--- a/script/lib/code-sign.js
+++ b/script/lib/code-sign.js
@@ -1,21 +1,45 @@
 const childProcess = require('child_process')
+const fs = require('fs')
+const os = require('os')
 const path = require('path')
+const syncRequest = require('sync-request')

 module.exports = function (packagedAppPath) {
  if (process.platform === 'darwin') {
-    console.log(`Unlocking keychain ${process.env.ATOM_MAC_CODE_SIGNING_KEYCHAIN}`)
-    childProcess.spawnSync('security', [
-      'unlock-keychain',
-      '-p', process.env.ATOM_MAC_CODE_SIGNING_KEYCHAIN_PASSWORD,
-      process.env.ATOM_MAC_CODE_SIGNING_KEYCHAIN
-    ], {stdio: 'inherit'})
+    if (!process.env.ATOM_MAC_CODE_SIGNING_CERT_DOWNLOAD_URL) {
+      console.log('Skipping code signing because the ATOM_MAC_CODE_SIGNING_CERT_DOWNLOAD_URL environment variable is not defined'.gray)
+      return
+    }

-    console.log(`Code-signing application at ${packagedAppPath}`)
-    childProcess.spawnSync('codesign', [
-      '--deep', '--force', '--verbose',
-      '--keychain', process.env.ATOM_MAC_CODE_SIGNING_KEYCHAIN,
-      '--sign', 'Developer ID Application: GitHub', packagedAppPath
-    ], {stdio: 'inherit'})
+    const certPath = path.join(os.tmpdir(), 'mac.p12')
+    downloadCertificate(process.env.ATOM_MAC_CODE_SIGNING_CERT_DOWNLOAD_URL, certPath)
+
+    try {
+      console.log(`Unlocking keychain ${process.env.ATOM_MAC_CODE_SIGNING_KEYCHAIN}`)
+      childProcess.spawnSync('security', [
+        'unlock-keychain',
+        '-p', process.env.ATOM_MAC_CODE_SIGNING_KEYCHAIN_PASSWORD,
+        process.env.ATOM_MAC_CODE_SIGNING_KEYCHAIN
+      ], {stdio: 'inherit'})
+
+      console.log(`Importing certificate at ${certPath} into ${process.env.ATOM_MAC_CODE_SIGNING_KEYCHAIN} keychain`)
+      childProcess.spawnSync('security', [
+        'import', certPath,
+        '-P', process.env.ATOM_MAC_CODE_SIGNING_CERT_PASSWORD,
+        '-k', process.env.ATOM_MAC_CODE_SIGNING_KEYCHAIN,
+        '-T', '/usr/bin/codesign'
+      ])
+
+      console.log(`Code-signing application at ${packagedAppPath}`)
+      childProcess.spawnSync('codesign', [
+        '--deep', '--force', '--verbose',
+        '--keychain', process.env.ATOM_MAC_CODE_SIGNING_KEYCHAIN,
+        '--sign', 'Developer ID Application: GitHub', packagedAppPath
+      ], {stdio: 'inherit'})
+    } finally {
+      console.log(`Deleting certificate at ${certPath}`);
+      fs.removeSync(certPath)
+    }
  } else if (process.platform === 'win32') {
    const signtoolPath = path.join('C:', 'Program Files (x86)', 'Microsoft SDKs', 'Windows', 'v7.1A', 'bin', 'signtool.exe')

@@ -40,3 +64,16 @@ module.exports = function (packagedAppPath) {
    throw new Error(`Code-signing is not supported for platform ${process.platform}!`)
  }
 }
+
+function downloadCertificate (downloadURL, certificatePath) {
+  console.log(`Dowloading certificate to ${certificatePath}`)
+  const response = syncRequest('GET', downloadURL, {
+    'headers': {'Accept': 'application/vnd.github.v3.raw', 'User-Agent': 'Atom Build'}
+  })
+
+  if (response.statusCode === 200) {
+    fs.writeFileSync(certificatePath, response.body)
+  } else {
+    throw new Error('Error downloading certificate. HTTP Status ' + response.statusCode + '.')
+  }
+}
--- a/script/package.json
+++ b/script/package.json
@@ -19,6 +19,7 @@
    "pegjs": "0.9.0",
    "season": "5.3.0",
    "semver": "5.3.0",
+    "sync-request": "^3.0.1",
    "tello": "1.0.5",
    "yargs": "4.8.1"
  }