mirror of
https://github.com/microsoft/vscode.git
synced 2026-02-15 07:28:05 +00:00
Sign macOS server binaries (#291872)
This commit is contained in:
Dmitriy Vasyura
GitHub
82
build/darwin/sign-server.ts
Normal file
82
build/darwin/sign-server.ts
Normal file
@@ -0,0 +1,82 @@
|
||||
/*---------------------------------------------------------------------------------------------
|
||||
* Copyright (c) Microsoft Corporation. All rights reserved.
|
||||
* Licensed under the MIT License. See License.txt in the project root for license information.
|
||||
*--------------------------------------------------------------------------------------------*/
|
||||
|
||||
import { spawn } from '@malept/cross-spawn-promise';
|
||||
import fs from 'fs';
|
||||
import path from 'path';
|
||||
|
||||
const MACHO_MAGIC_NUMBERS = new Set([
|
||||
0xFEEDFACE, // MH_MAGIC (32-bit)
|
||||
0xCEFAEDFE, // MH_CIGAM (32-bit, byte-swapped)
|
||||
0xFEEDFACF, // MH_MAGIC_64 (64-bit)
|
||||
0xCFFAEDFE, // MH_CIGAM_64 (64-bit, byte-swapped)
|
||||
0xCAFEBABE, // FAT_MAGIC (universal binary)
|
||||
0xBEBAFECA, // FAT_CIGAM (universal binary, byte-swapped)
|
||||
]);
|
||||
|
||||
function isMachOBinary(filePath: string): boolean {
|
||||
try {
|
||||
let fd: number | undefined;
|
||||
try {
|
||||
fd = fs.openSync(filePath, 'r');
|
||||
const buffer = Buffer.alloc(4);
|
||||
fs.readSync(fd, buffer, 0, 4, 0);
|
||||
const magic = buffer.readUInt32BE(0);
|
||||
return MACHO_MAGIC_NUMBERS.has(magic);
|
||||
} finally {
|
||||
if (fd !== undefined) {
|
||||
fs.closeSync(fd);
|
||||
}
|
||||
}
|
||||
} catch {
|
||||
return false;
|
||||
}
|
||||
}
|
||||
|
||||
async function main(serverDir: string): Promise<void> {
|
||||
if (!serverDir || !fs.existsSync(serverDir)) {
|
||||
throw new Error('Server directory argument is required');
|
||||
}
|
||||
|
||||
const tempDir = process.env['AGENT_TEMPDIRECTORY'];
|
||||
if (!tempDir) {
|
||||
throw new Error('$AGENT_TEMPDIRECTORY not set');
|
||||
}
|
||||
|
||||
const identity = process.env['CODESIGN_IDENTITY'];
|
||||
if (!identity) {
|
||||
throw new Error('$CODESIGN_IDENTITY not set');
|
||||
}
|
||||
|
||||
const keychain = path.join(tempDir, 'buildagent.keychain');
|
||||
const baseDir = path.dirname(import.meta.dirname);
|
||||
const entitlementsPath = path.join(baseDir, 'azure-pipelines', 'darwin', 'server-entitlements.plist');
|
||||
|
||||
console.log(`Signing Mach-O binaries in: ${serverDir}`);
|
||||
for (const entry of fs.readdirSync(serverDir, { withFileTypes: true, recursive: true })) {
|
||||
if (entry.isFile()) {
|
||||
const filePath = path.join(entry.parentPath, entry.name);
|
||||
if (isMachOBinary(filePath)) {
|
||||
console.log(`Signing: ${filePath}`);
|
||||
await spawn('codesign', [
|
||||
'--sign', identity,
|
||||
'--keychain', keychain,
|
||||
'--options', 'runtime',
|
||||
'--timestamp',
|
||||
'--force',
|
||||
'--entitlements', entitlementsPath,
|
||||
filePath
|
||||
]);
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
if (import.meta.main) {
|
||||
main(process.argv[2]).catch(err => {
|
||||
console.error(err);
|
||||
process.exit(1);
|
||||
});
|
||||
}
|
||||
Reference in New Issue
Block a user