| #!/bin/sh |
| |
| # Copyright 2016 The Chromium Authors |
| # Use of this source code is governed by a BSD-style license that can be |
| # found in the LICENSE file. |
| |
| |
| set -e -x |
| |
| SECURITY=/usr/bin/security |
| |
| KEYCHAIN="$1" |
| shift |
| # security create-keychain will interpret a non-absolute path relative to the |
| # keychain directory rather than the current directory, and OSX doesn't have a |
| # realpath command. Be lazy and make the user pass in an absolute path. |
| if [ `echo "$KEYCHAIN" | cut -c1` != '/' ]; then |
| echo keychain path must be absolute |
| exit 1 |
| fi |
| |
| PASSWORD=aoeu |
| |
| |
| # create-keychain modifes the global keychain search list, save it first. |
| # (or does it?) |
| SAVED_KEYCHAIN_LIST=`$SECURITY list -d user` |
| echo "Saved user keychain list:" |
| echo "$SAVED_KEYCHAIN_LIST" |
| echo |
| |
| |
| $SECURITY create-keychain -p "$PASSWORD" "$KEYCHAIN" |
| |
| trusted=0 |
| |
| for cert in "$@"; do |
| if [ "$cert" = "--trusted" ]; then |
| trusted=1 |
| continue |
| fi |
| if [ "$cert" = "--untrusted" ]; then |
| trusted=0 |
| continue |
| fi |
| |
| # security tool only accepts DER. If input is a PEM, convert it. |
| if grep -- "-----BEGIN CERTIFICATE-----" "$cert" ; then |
| tmpcert="${cert}.der.tmp" |
| openssl x509 -inform PEM -in "$cert" -outform DER -out "$tmpcert" |
| cert="$tmpcert" |
| fi |
| |
| if [ $trusted = 1 ]; then |
| $SECURITY add-trusted-cert -r trustAsRoot -k "$KEYCHAIN" "$cert" |
| else |
| $SECURITY add-certificates -k "$KEYCHAIN" "$cert" |
| fi |
| done |
| |
| |
| |
| #TODO: Would be good to restore the keychain search list on failure too. |
| |
| echo "pre-restore user keychain list:" |
| $SECURITY list -d user |
| |
| # restore the original keychain search list |
| /bin/echo -n "${SAVED_KEYCHAIN_LIST}" | xargs $SECURITY list -d user -s |
| |
| echo "Restored user keychain list:" |
| $SECURITY list -d user |
| echo |