feat: debug build has code-signing to preserve permissions

lwouis · Mar 10, 2020 · 34a32f3 · 34a32f3
1 parent 4612e37
commit 34a32f3
Show file tree

Hide file tree

Showing 3 changed files with 41 additions and 2 deletions.
diff --git a/README.md b/README.md
@@ -51,6 +51,14 @@ Before building my own app, I looked around at similar apps. However, none was c
 | `⌘ command` + `⇥ tab`                                                                     | Only shows apps, not windows (note: can press down to see window of selected app)                            |
 | `⌘ command` + `` ` ``                                                                      | Cycles through tabs and windows, but only of the same app. Only cycling, no direct access                    |
 
+## Building the project locally
+
+This project has minimal dependency on Xcode-only features (e.g. InterfaceBuilder, Playgrounds). You can build it using 1 command `xcodebuild`.
+
+Note that on debug builds, to avoid having to re-check the  `System Preferences > Security & Privacy` permissions on every build, we use a code-signing certificate. You can generate one on your local machine in one step by running `ci/generate_codesign_certificate.sh`.
+
+If you want to contribute a PR, please run `npm install` once. It will add the pre-commit hook to ensure that your commits follow the convention and will pass the PR.
+
 ## Screenshots
 
 ### 1 row

diff --git a/alt-tab-macos.xcodeproj/project.pbxproj b/alt-tab-macos.xcodeproj/project.pbxproj
@@ -63,6 +63,7 @@
 		D04BA56355579F78776E6D51 /* Cell.swift */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.swift; path = Cell.swift; sourceTree = "<group>"; };
 		D04BA56E285C3FCDA52ED262 /* DispatchQueues.swift */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.swift; path = DispatchQueues.swift; sourceTree = "<group>"; };
 		D04BA5ABFA5457A86536E2E4 /* 5 windows - 1 line.jpg */ = {isa = PBXFileReference; lastKnownFileType = image.jpeg; path = "5 windows - 1 line.jpg"; sourceTree = "<group>"; };
+		D04BA5E819181CB83C5602C7 /* generate_codesign_certificate.sh */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.script.sh; path = generate_codesign_certificate.sh; sourceTree = "<group>"; };
 		D04BA5EB5ED248C8C22CC672 /* Spaces.swift */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.swift; path = Spaces.swift; sourceTree = "<group>"; };
 		D04BA66B5B4143D2238F50B9 /* Applications.swift */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.swift; path = Applications.swift; sourceTree = "<group>"; };
 		D04BA78E3B4E73B40DB77174 /* CGWindow.swift */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.swift; path = CGWindow.swift; sourceTree = "<group>"; };
@@ -219,6 +220,7 @@
 				D04BA4B5292629AA6B560216 /* package_release.sh */,
 				D04BAC6AFC7F06D1A567F27A /* set_version_in_app.sh */,
 				D04BAE93A5854C501639C640 /* update_homebrew_cask.sh */,
+				D04BA5E819181CB83C5602C7 /* generate_codesign_certificate.sh */,
 			);
 			path = ci;
 			sourceTree = "<group>";
@@ -411,6 +413,7 @@
 			buildSettings = {
 				ASSETCATALOG_COMPILER_APPICON_NAME = AppIcon;
 				CODE_SIGN_ENTITLEMENTS = "alt-tab-macos/alt_tab_macos.entitlements";
+				CODE_SIGN_IDENTITY = "alt-tab-macos";
 				COMBINE_HIDPI_IMAGES = YES;
 				FRAMEWORK_SEARCH_PATHS = /System/Library/PrivateFrameworks;
 				INFOPLIST_FILE = "alt-tab-macos/Info.plist";
@@ -454,7 +457,6 @@
 				CLANG_WARN_UNGUARDED_AVAILABILITY = YES_AGGRESSIVE;
 				CLANG_WARN_UNREACHABLE_CODE = YES;
 				CLANG_WARN__DUPLICATE_METHOD_MATCH = YES;
-				CODE_SIGN_IDENTITY = "-";
 				COPY_PHASE_STRIP = NO;
 				DEBUG_INFORMATION_FORMAT = dwarf;
 				ENABLE_STRICT_OBJC_MSGSEND = YES;
@@ -515,7 +517,6 @@
 				CLANG_WARN_UNGUARDED_AVAILABILITY = YES_AGGRESSIVE;
 				CLANG_WARN_UNREACHABLE_CODE = YES;
 				CLANG_WARN__DUPLICATE_METHOD_MATCH = YES;
-				CODE_SIGN_IDENTITY = "-";
 				COPY_PHASE_STRIP = NO;
 				DEBUG_INFORMATION_FORMAT = "dwarf-with-dsym";
 				ENABLE_NS_ASSERTIONS = NO;

diff --git a/ci/generate_codesign_certificate.sh b/ci/generate_codesign_certificate.sh
@@ -0,0 +1,30 @@
+#!/usr/bin/env bash
+
+set -ex
+
+# certificate request (see https://apple.stackexchange.com/q/359997)
+cat >codesign.conf <<EOL
+  [ req ]
+  distinguished_name = req_name
+  prompt = no
+  [ req_name ]
+  CN = alt-tab-macos
+  [ extensions ]
+  basicConstraints=critical,CA:false
+  keyUsage=critical,digitalSignature
+  extendedKeyUsage=critical,1.3.6.1.5.5.7.3.3
+  1.2.840.113635.100.6.1.14=critical,DER:0500
+EOL
+
+password=$(openssl rand -base64 12)
+
+# generate key
+openssl genrsa -out codesign.key 2048
+# generate self-signed certificate
+openssl req -x509 -new -config codesign.conf -nodes -key codesign.key -extensions extensions -sha256 -out codesign.crt
+# wrap key and certificate into PKCS12
+openssl pkcs12 -export -inkey codesign.key -in codesign.crt -out codesign.p12 -passout pass:$password
+# import p12 into Keychain
+security import codesign.p12 -P $password -T /usr/bin/codesign
+# in Keychain, set Trust > Code Signing > "Always Trust"
+security add-trusted-cert -d -r trustRoot -p codeSign codesign.crt