swap keychain path to variable

phusion · Aug 26, 2024 · f1d3a5e · f1d3a5e
1 parent 6cbd06a
commit f1d3a5e
Show file tree

Hide file tree

Showing 6 changed files with 13 additions and 4 deletions.
diff --git a/dev/ci/lib/setup-container.sh b/dev/ci/lib/setup-container.sh
@@ -18,7 +18,11 @@ header2 "Creating test/config.json"
 if [[ "$OS" = linux ]]; then
 	run cp test/config.json.travis test/config.json
 else
-	sed -e "s/_AUTHORITY_/Developer/" -e "s/_USER_/$USER/" test/config.json.travis-osx > test/config.json
+    sed \
+        -e "s/_AUTHORITY_/Developer/" \
+        -e "s|_KEYCHAIN_|/Library/Keychains/System.keychain|" \
+        -e "s/_USER_/$USER/" \
+        test/config.json.travis-osx > test/config.json
 fi
 echo "+ Done."
 echo

diff --git a/dev/ci/setup-host b/dev/ci/setup-host
@@ -36,7 +36,7 @@ if [ "${GITHUB_ACTIONS:-false}" = "true" ]; then
         if [ "$OS" = "macos" ]; then
             brew update
             brew install ccache
-            sudo security add-trusted-cert -d -r trustRoot -p codeSign "$PASSENGER_ROOT/dev/ci/Certificates.cer"
+            sudo security add-trusted-cert -d -r trustRoot -p codeSign -k /Library/Keychains/System.keychain "$PASSENGER_ROOT/dev/ci/Certificates.cer"
         fi
 
 	echo

diff --git a/test/config.json.example b/test/config.json.example
@@ -37,8 +37,9 @@
 
   // On macOS, Apache requires that all modules be code signed.
   // Create a certificate yourself (be sure to enable the "Code Signing" capability)
-  // and specify the certificate name here.
+  // and specify the certificate name and keychain here.
   "codesigning_identity": "<NAME>",
+  "codesigning_keychain": "<PATH>",
 
   // If you want to run the Nginx integration tests, then set the following
   // config option to the full path of the Nginx binary. This Nginx binary *must*

diff --git a/test/config.json.travis-osx b/test/config.json.travis-osx
@@ -10,5 +10,6 @@
 "nonexistant_uid": 9999,
 "nonexistant_gid": 9999,
 "codesigning_identity": "_AUTHORITY_",
+"codesigning_keychain": "_KEYCHAIN_",
 "nginx": "/tmp/nginx/sbin/nginx"
 }
diff --git a/test/integration_tests/apache2_tests.rb b/test/integration_tests/apache2_tests.rb
@@ -75,6 +75,9 @@ def create_apache2_controller
     if CONFIG.has_key?('codesigning_identity')
       @apache2.set(codesigning_identity: CONFIG['codesigning_identity'])
     end
+    if CONFIG.has_key?('codesigning_keychain')
+      @apache2.set(codesigning_keychain: CONFIG['codesigning_keychain'])
+    end
     if Process.uid == 0
       @apache2.set(
         :www_user => CONFIG['normal_user_1'],

diff --git a/test/support/apache2_controller.rb b/test/support/apache2_controller.rb
@@ -95,7 +95,7 @@ def start
 
     if @codesigning_identity
       require 'open3'
-      stdout, stderr, status = Open3.capture3("codesign", "--force", "-s", @codesigning_identity, "--keychain", File.expand_path("~/Library/Keychains/login.keychain-db"), @mod_passenger)
+      stdout, stderr, status = Open3.capture3("codesign", "--force", "-s", @codesigning_identity, "--keychain", File.expand_path(@codesigning_keychain), @mod_passenger)
       if !status.success?
         raise "Could not sign Apache module at #{@mod_passenger} with authority #{@codesigning_identity}: #{stderr}"
       end