#!/bin/bash -e
# !!! WARNING !!!
# This is EXPERIMENTAL code, and it modifies the security policy of your
# system. It may damage or compromise the security of your system.
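#######################################
# Fetch a PEM certificate from a URL, add it to the keychain when its SHA-1
# fingerprint differs from the certificate already stored under the same
# common name, and report what happened.
# Globals:   commonName, newSha   (written; the caller reads them after the
#                                  call to build rootSha/rootName)
#            somethingchanged     (set to true when a certificate is added)
# Arguments: $1 - URL of the PEM certificate to download
#            $2 - optional; the literal "add-trusted-cert" also marks the new
#                 certificate as trusted (and untrusts the one it replaces)
# Outputs:   progress lines on stdout, failures on stderr
# Returns:   0 on success; non-zero when the download, the parsing or any
#            `security` step fails (under `set -e` that aborts the script).
#            The temporary PEM/DER files are removed on every return path.
#######################################
update_cert_if_changed() {
  local url="$1"
  local command="$2"
  local pem der status=0
  pem=$(mktemp -t altca-setup) || return 1
  der="${pem}.der"
  # The work runs in a helper so that cleanup happens on every exit path;
  # `|| status=$?` keeps a failure from tripping `set -e` before the temp
  # files have been removed.
  _altca_fetch_and_install "$url" "$command" "$pem" "$der" || status=$?
  rm -f -- "$pem" "$der"
  return "$status"
}

#######################################
# Body of update_cert_if_changed; see that function for the contract.
# A function invoked as `f || …` runs with `set -e` suspended, so every step
# whose failure matters is checked explicitly with `|| return 1`.
# Arguments: $1 - URL, $2 - command, $3 - PEM temp path, $4 - DER temp path
#######################################
_altca_fetch_and_install() {
  local url="$1"
  local command="$2"
  local pem="$3"
  local der="$4"
  local oldSha added=false replaced=false
  # The only authenticity check on the downloaded certificate is the TLS
  # connection to $url; the fingerprint is not compared against anything
  # known out of band before the certificate is installed.
  if ! curl -sfo "$pem" "$url"; then
    printf 'Failed to download %s\n' "$url" >&2
    return 1
  fi
  # Subject CN: the last UTF8STRING printed next to a ':commonName' line of
  # openssl's indented ASN.1 dump (field 4 of the ':'-separated line).
  commonName=$(openssl asn1parse -in "$pem" -i \
    | grep -1 ':commonName' | grep UTF8STRING | cut -f 4 -d : | uniq | tail -1)
  # SHA-1 fingerprint with the ':' separators stripped, the same shape that
  # sha_for reads back from `security find-certificate -Z`.
  newSha=$(openssl x509 -in "$pem" -sha1 -noout -fingerprint \
    | cut -f 2 -d = | sed -e 's/://g')
  if [[ -z "$newSha" ]]; then
    printf 'Could not parse a certificate from %s\n' "$url" >&2
    return 1
  fi
  printf 'Downloaded certificate "%s" with fingerprint %s\n' "$commonName" "$newSha"
  oldSha=$(sha_for "$commonName")
  if [[ "$oldSha" != "$newSha" ]]; then
    openssl x509 -in "$pem" -outform der -out "$der" || return 1
    # No -k is given, so the certificate presumably lands in the default
    # (login) keychain — confirm if a system-wide install is intended.
    security add-certificates "$der" || return 1
    if [[ "$command" == "add-trusted-cert" ]]; then
      # No -d is given, so the trust setting presumably applies to the user
      # domain only — confirm.
      security add-trusted-cert "$der" || return 1
    fi
    added=true
    somethingchanged=true
    if [[ -n "$oldSha" ]]; then
      if [[ "$command" == "add-trusted-cert" ]]; then
        # NOTE(review): security(1) documents remove-trusted-cert as taking a
        # certificate file rather than a fingerprint — verify this branch on
        # a run that actually replaces a trusted certificate.
        security remove-trusted-cert "$oldSha" || return 1
      fi
      security delete-certificate -Z "$oldSha" || return 1
      replaced=true
    fi
  fi
  if [[ "$replaced" == true ]]; then
    printf 'Replaced certificate "%s" (old fingerprint: %s, new fingerprint: %s)\n' \
      "$commonName" "$oldSha" "$newSha"
  elif [[ "$added" == true ]]; then
    printf 'Added new certificate "%s" with fingerprint %s\n' "$commonName" "$newSha"
  fi
}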
#######################################
# Look up a certificate in the keychain by common name and print its SHA-1
# fingerprint (hex, no separators), or nothing when no match exists.
# Arguments: $1 - common name of the certificate to find
# Outputs:   third field of the "SHA-1 hash:" line on stdout
# Returns:   status of the awk stage; `security` errors are discarded
#######################################
sha_for() {
  local name="$1"
  security find-certificate -Zc "$name" 2>/dev/null | awk '/^SHA-1/ { print $3 }'
}
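# `-e` on the shebang line is lost when the script is started as
# `bash setup.sh`, so re-assert fail-fast behaviour here: every step below
# changes trust state and must not continue after a failure.
set -e

# Set to true by update_cert_if_changed whenever a certificate is installed.
somethingchanged=false

# The root is installed as trusted. update_cert_if_changed leaves newSha and
# commonName set for the certificate it just processed, so capture them
# before the next call overwrites them; with -e a failed download never
# reaches the assignments.
update_cert_if_changed 'https://raw.github.com/AltCA/roots/master/root.pem' add-trusted-cert
rootSha="$newSha"
rootName="$commonName"

# The leaf certificates are only added to the keychain, with no trust setting.
update_cert_if_changed 'https://raw.github.com/AltCA/roots/master/codesign.pem'
update_cert_if_changed 'https://raw.github.com/AltCA/roots/master/package.pem'

if [[ "$somethingchanged" == true ]]; then
  # The spctl calls are the only steps run with sudo. Removing a label that
  # does not exist yet is expected to fail, hence the tolerated error.
  echo "Removing old AltCA.org certificates from Gatekeeper"
  sudo spctl --remove --label "AltCA.org root" \
    || echo "(Failed, this is probably the first run.)"
  # The Gatekeeper rule is anchored on the root's SHA-1 fingerprint captured
  # above, i.e. on this exact root certificate.
  echo "Adding certificate \"$rootName\" to Gatekeeper"
  sudo spctl --add --label "AltCA.org root" --anchor "$rootSha"
else
  echo "No certificates added or changed, not changing security policy database."
fi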