From a8d11f02a85e99144111afb784cde059ea3faab1 Mon Sep 17 00:00:00 2001
From: Justin Clift
Date: Mon, 13 Mar 2017 17:59:10 +0000
Subject: [PATCH] Bash script to generate & install signing certificate for delve (#760)

---
 Makefile | 3 ++-
 scripts/gencert.sh | 59 ++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 61 insertions(+), 1 deletion(-)
 create mode 100755 scripts/gencert.sh

diff --git a/Makefile b/Makefile
index 13f996da..5d54368d 100644
--- a/Makefile
+++ b/Makefile
@@ -29,7 +29,8 @@ check-cert:
 ifneq "$(TRAVIS)" "true"
 ifdef DARWIN
 ifeq "$(CERT)" ""
- $(error You must provide a CERT environment variable in order to codesign the binary.)
+ scripts/gencert.sh || (echo "An error occurred when generating and installing a new certicate"; exit 1)
+ CERT = dlv-cert
 endif
 endif
 endif
diff --git a/scripts/gencert.sh b/scripts/gencert.sh
new file mode 100755
index 00000000..9ee45c83
--- /dev/null
+++ b/scripts/gencert.sh
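Review bot: The error message in the new recipe line misspells "certificate" as "certicate"; change it to `scripts/gencert.sh || (echo "An error occurred when generating and installing a new certificate"; exit 1)`. Whether `CERT = dlv-cert` is a tab-indented recipe line or a parse-time make assignment cannot be told from this rendering: as a recipe line the shell would run `CERT = dlv-cert` and fail, and as a make assignment CERT is set when the Makefile is parsed, before and regardless of whether gencert.sh succeeds, so the intended ordering is worth confirming against the file. The check-cert recipe starts before this hunk.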
@@ -0,0 +1,59 @@
+#!/bin/bash
+
+# Check if the certificate is already present in the system keychain
+security find-certificate -Z -p -c "dlv-cert" /Library/Keychains/System.keychain > /dev/null 2>&1
+EXIT_CODE=$?
+if [ $EXIT_CODE -eq 0 ]; then
+ # Certificate has already been generated and installed
+ exit 0
+fi
+
+CERT="dlv-cert"
+
+# Create the certificate template
+cat <$CERT.tmpl
+[ req ]
+default_bits = 2048 # RSA key size
+encrypt_key = no # Protect private key
+default_md = sha512 # MD to use
+prompt = no # Prompt for DN
+distinguished_name = codesign_dn # DN template
+[ codesign_dn ]
+commonName = "dlv-cert"
+[ codesign_reqext ]
+keyUsage = critical,digitalSignature
+extendedKeyUsage = critical,codeSigning
+EOF
+
+# Generate a new certificate
+openssl req -new -newkey rsa:2048 -x509 -days 3650 -nodes -config $CERT.tmpl -extensions codesign_reqext -batch -out $CERT.cer -keyout $CERT.key > /dev/null 2>&1
+EXIT_CODE=$?
+if [ $EXIT_CODE -ne 0 ]; then
+ # Something went wrong when generating the certificate
+ exit 1
+fi
+
+# Install the certificate in the system keychain
+sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain $CERT.cer > /dev/null 2>&1
+EXIT_CODE=$?
+if [ $EXIT_CODE -ne 0 ]; then
+ # Something went wrong when installing the certificate
+ exit 1
+fi
+
+# Install the key for the certificate in the system keychain
+sudo security import $CERT.key -A -k /Library/Keychains/System.keychain > /dev/null 2>&1
+EXIT_CODE=$?
+if [ $EXIT_CODE -ne 0 ]; then
+ # Something went wrong when installing the key
+ exit 1
+fi
+
+# Kill task_for_pid access control daemon
+sudo pkill -f /usr/libexec/taskgated > /dev/null 2>&1
+
+# Remove generated files
+rm $CERT.tmpl $CERT.cer $CERT.key > /dev/null 2>&1
+
+# Exit indicating the certificate is now generated and installed
+exit 0
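Review bot: Every failure path after the openssl call exits without removing `$CERT.key`, so a failed `security add-trusted-cert` or `security import` leaves the unencrypted private key (generated with `-nodes`) in the current directory; register cleanup once rather than relying on the final `rm`, e.g. `trap 'rm -f -- "$CERT.tmpl" "$CERT.cer" "$CERT.key"' EXIT` right after `CERT="dlv-cert"`. The trust and key-access grants are also broader than code signing needs: `add-trusted-cert -r trustRoot` without `-p codeSign` makes the self-signed root trusted for every policy, and `import -A` allows any application to use the key without a prompt, where `-T /usr/bin/codesign` would scope it to the one intended consumer. `cat <$CERT.tmpl` looks like a rendering loss of the heredoc opener (`<<EOF >$CERT.tmpl`); worth confirming the committed file actually writes the template, since the openssl call depends on it. The unquoted `$CERT` expansions and `[ $EXIT_CODE -eq 0 ]` would be flagged by ShellCheck, and quoting them costs nothing here.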