Use system keychain only for certificate trusting

conda · Sep 6, 2024 · 875af89 · 875af89
1 parent 1ad573d
commit 875af89
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 12 deletions.
diff --git a/scripts/create_self_signed_certificates_macos.sh b/scripts/create_self_signed_certificates_macos.sh
@@ -21,11 +21,14 @@ INSTALLER_ROOT="installer"
 INSTALLER_SIGNING_ID=${INSTALLER_SIGNING_ID:-${INSTALLER_ROOT}}
 
 KEYCHAIN_PATH="${KEYCHAIN_PATH:-"${ROOT_DIR}/constructor.keychain"}"
-
-if [[ ! -f "${KEYCHAIN_PATH}" ]]; then
-    security create-keychain -p "${KEYCHAIN_PASSWORD}" "${KEYCHAIN_PATH}"
-    security set-keychain-settings -lut 3600 "${KEYCHAIN_PATH}"
+if [[ -n "${ON_CI}" ]]; then
+    CERT_KEYCHAIN="/Library/Keychains/System.keychain"
+else
+    CERT_KEYCHAIN=${KEYCHAIN_PATH}
 fi
+
+security create-keychain -p "${KEYCHAIN_PASSWORD}" "${KEYCHAIN_PATH}"
+security set-keychain-settings -lut 3600 "${KEYCHAIN_PATH}"
 security unlock-keychain -p "${KEYCHAIN_PASSWORD}" "${KEYCHAIN_PATH}"
 
 for context in ${APPLICATION_ROOT} ${INSTALLER_ROOT}; do
@@ -73,6 +76,6 @@ for context in ${APPLICATION_ROOT} ${INSTALLER_ROOT}; do
     fingerprint=$(openssl x509 -in "${pemfile}" -noout -fingerprint -sha256 | cut -f2 -d'=' | sed 's/://g')
     echo "SHA256 ${commonname} = ${fingerprint}"
     if [[ "${context}" == "installer" ]]; then
-        security add-trusted-cert -d -p basic -k "${KEYCHAIN_PATH}" "${pemfile}"
+        security add-trusted-cert -d -p basic -k "${CERT_KEYCHAIN}" "${pemfile}"
     fi
 done
diff --git a/tests/conftest.py b/tests/conftest.py
@@ -27,21 +27,18 @@ def self_signed_certificate_macos(tmp_path):
     # Users will be asked for authentication.
     # On GitHub runners, the system keychain does not require authentication,
     # which is why it is unsed on the CI.
-    if ON_CI:
-        keychain_path = "/Library/Keychains/System.keychain"
-        keychain_password = ""
-    else:
-        keychain_path = str(cert_root / "constructor.keychain")
-        keychain_password = "abcd"
+    keychain_path = str(cert_root / "constructor.keychain")
+    keychain_password = "abcd"
     env = {
         "APPLICATION_SIGNING_ID": notarization_identity,
         "APPLICATION_SIGNING_PASSWORD": notarization_identity_password,
         "INSTALLER_SIGNING_ID": signing_identity,
         "INSTALLER_SIGNING_PASSWORD": signing_identity_password,
         "KEYCHAIN_PASSWORD": keychain_password,
-        "KEYCHAIN_PATH": keychain_path,
         "ROOT_DIR": str(cert_root),
     }
+    if not ON_CI:
+        env["ON_CI"] = "1"
     p = subprocess.run(
         ["bash", REPO_DIR / "scripts" / "create_self_signed_certificates_macos.sh"],
         env=env,