Add codesign sign + verify
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
parent
eefce13a7c
commit
83904d8f8c
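--- a/internal/codesign/sign.go
+++ b/internal/codesign/sign.go
@@ -0,0 +1,41 @@
+package codesign
+
+import (
+"context"
+"fmt"
+
+"github.com/leonmika/wails-release/internal/runner"
+)
+
+// SignOpts configures a codesign invocation.
+type SignOpts struct {
+AppPath string
+Identity string
+KeychainPath string
+}
+
+// Sign runs `codesign` against a .app bundle, signing recursively with
+// the hardened runtime and a secure timestamp.
+func Sign(ctx context.Context, r runner.Runner, opts SignOpts) error {
+args := []string{
+"--deep", "--force", "--options", "runtime", "--timestamp",
+"--sign", opts.Identity,
+"--keychain", opts.KeychainPath,
+opts.AppPath,
+}
+if _, err := r.Run(ctx, runner.Spec{Name: "codesign", Args: args}); err != nil {
+return fmt.Errorf("codesign sign: %w", err)
+}
+return nil
+}
+
+// Verify runs `codesign --verify --deep --strict` against the bundle.
+func Verify(ctx context.Context, r runner.Runner, appPath string) error {
+if _, err := r.Run(ctx, runner.Spec{
+Name: "codesign",
+Args: []string{"--verify", "--deep", "--strict", appPath},
+}); err != nil {
+return fmt.Errorf("codesign verify: %w", err)
+}
+return nil
+}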
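Review bot: Verify only proves that the signature seal is intact: `codesign --verify --deep --strict` also succeeds for an ad-hoc or differently-signed bundle, so a release step that calls Verify after Sign does not learn that the expected Developer ID was used. Consider accepting a requirement string and passing it through, e.g. `Args: []string{"--verify", "--deep", "--strict", "-R", "=" + requirement, appPath}`, or at least extend the doc comment to `// Verify checks signature integrity only; it does not check which identity signed the bundle.` In Sign the opts fields go straight into the argument list, so an empty Identity or KeychainPath becomes `--sign ""` / `--keychain ""` and an Identity of `-` requests an ad-hoc signature; a guard such as `if opts.Identity == "" || opts.Identity == "-" || opts.AppPath == "" { return fmt.Errorf("codesign sign: identity and app path are required") }` would fail before codesign is run. Apple's guidance also advises against `--deep` when signing (nested code is better signed inside-out), which deserves a comment next to the flag if it is kept deliberately.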
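--- a/internal/codesign/sign_test.go
+++ b/internal/codesign/sign_test.go
@@ -0,0 +1,47 @@
+package codesign_test
+
+import (
+"context"
+"reflect"
+"testing"
+
+"github.com/leonmika/wails-release/internal/codesign"
+"github.com/leonmika/wails-release/internal/runner"
+)
+
+func TestSign_BuildsCorrectArgs(t *testing.T) {
+f := &runner.Fake{}
+f.On("codesign", nil).Return(nil, nil)
+
+err := codesign.Sign(context.Background(), f, codesign.SignOpts{
+AppPath: "/build/MyApp.app",
+Identity: "Developer ID Application: Acme Inc (ABCD1234)",
+KeychainPath: "/tmp/k",
+})
+if err != nil {
+t.Fatalf("unexpected: %v", err)
+}
+want := []string{
+"--deep", "--force", "--options", "runtime", "--timestamp",
+"--sign", "Developer ID Application: Acme Inc (ABCD1234)",
+"--keychain", "/tmp/k",
+"/build/MyApp.app",
+}
+if !reflect.DeepEqual(f.Calls[0].Args, want) {
+t.Fatalf("args got %v want %v", f.Calls[0].Args, want)
+}
+}
+
+func TestVerify_BuildsCorrectArgs(t *testing.T) {
+f := &runner.Fake{}
+f.On("codesign", nil).Return(nil, nil)
+
+err := codesign.Verify(context.Background(), f, "/build/MyApp.app")
+if err != nil {
+t.Fatalf("unexpected: %v", err)
+}
+want := []string{"--verify", "--deep", "--strict", "/build/MyApp.app"}
+if !reflect.DeepEqual(f.Calls[0].Args, want) {
+t.Fatalf("args got %v want %v", f.Calls[0].Args, want)
+}
+}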
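Review bot: Both tests index `f.Calls[0]` without first checking how many calls the fake recorded, so a regression that skips the runner call panics instead of failing with a readable message; add `if len(f.Calls) != 1 { t.Fatalf("calls got %d want 1", len(f.Calls)) }` before the DeepEqual in TestSign_BuildsCorrectArgs and TestVerify_BuildsCorrectArgs. Only the success path is covered: no case has the fake return an error, so the `codesign sign: %w` and `codesign verify: %w` wrapping is untested (this assumes runner.Fake can return an error through `Return`, which is not visible here). Since these tests are the regression guard for the `--options runtime` and `--timestamp` flags, a short comment saying those two flags are deliberate would help the next editor of `want`.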