OSX package scripts and Makefile target

Author: Alex Wilson

.gitignore

@@ -5,3 +5,5 @@
 /pivy-tool
 /pivy-zfs
 /pivy-box
+/macosx/*.pkg
+/macosx/root

Makefile

@@ -15,6 +15,8 @@ CURL		= curl -k
 prefix		?= /opt/pivy
 bindir		?= $(prefix)/bin
 
+VERSION		= 0.1.4
+
 SYSTEM		:= $(shell uname -s)
 ifeq ($(SYSTEM), Linux)
 	PCSC_CFLAGS	= $(shell pkg-config --cflags libpcsclite)
@@ -288,9 +290,10 @@ pivy-agent: $(AGENT_OBJS) $(LIBRESSL_LIB)/libcrypto.a
 clean:
 	rm -f pivy-tool $(PIVTOOL_OBJS)
 	rm -f pivy-agent $(AGENT_OBJS)
-	rm -f piv-zfs $(PIVZFS_OBJS)
-	rm -f ebox $(EBOX_OBJS)
+	rm -f pivy-box $(EBOX_OBJS)
+	rm -f pivy-zfs $(PIVZFS_OBJS)
 	rm -fr .dist
+	rm -fr macosx/root macosx/*.pkg
 
 distclean: clean
 	rm -fr libressl
@@ -318,6 +321,26 @@ install_common: pivy-tool pivy-agent pivy-box
 
 ifeq ($(SYSTEM), Darwin)
 install: install_common
+	install -o root -g wheel -m 0755 -d $(DESTDIR)/etc/paths.d
+	echo "$(bindir)" > $(DESTDIR)/etc/paths.d/pivy
+	install -o root -g wheel -m 0755 -d $(DESTDIR)$(prefix)/share
+	install -o root -g wheel -m 0644 macosx/net.cooperi.pivy-agent.plist \
+	    $(DESTDIR)$(prefix)/share
+
+.PHONY: package
+package:
+	$(MAKE) install DESTDIR=macosx/root/ prefix=/opt/pivy
+	pkgbuild --root macosx/root \
+	    --identifier net.cooperi.pivy \
+	    --version $(VERSION) \
+	    --ownership recommended \
+	    --scripts macosx/scripts \
+	    macosx/output.pkg
+	productbuild --distribution macosx/distribution.xml \
+	    --resources macosx/resources \
+	    --package-path macosx \
+	    --version $(VERSION) \
+	    macosx/pivy-$(VERSION).pkg
 
 .dist/net.cooperi.pivy-agent.plist: net.cooperi.pivy-agent.plist .dist pivy-tool
 	@./pivy-tool list

macosx/distribution.xml

@@ -0,0 +1,29 @@
+<?xml version="1.0"?>
+<installer-gui-script minSpecVersion="1">
+    <title>pivy</title>
+    <organization>org.someid</organization>
+    <domains enable_localSystem="true"/>
+    <options customize="never" require-scripts="true" rootVolumeOnly="true" />
+    <!-- Define documents displayed at various steps -->
+    <welcome    file="welcome.html"    mime-type="text/html" />
+    <license    file="license.html"    mime-type="text/html" />
+    <conclusion file="conclusion.html" mime-type="text/html" />
+    <!-- List all component packages -->
+    <pkg-ref id="net.cooperi.pivy"
+             version="0"
+             auth="root">output.pkg</pkg-ref>
+    <!-- List them again here. They can now be organized
+         as a hierarchy if you want. -->
+    <choices-outline>
+        <line choice="net.cooperi.pivy"/>
+    </choices-outline>
+    <!-- Define each choice above -->
+    <choice
+        id="net.cooperi.pivy"
+        visible="false"
+        title="pivy tools"
+        description="pivy tools"
+        start_selected="true">
+      <pkg-ref id="net.cooperi.pivy"/>
+    </choice>
+</installer-gui-script>

net.cooperi.pivy-agent.plist macosx/net.cooperi.pivy-agent.plist

@@ -11,11 +11,12 @@
         <string>@@GUID@@</string>
         <string>-K</string>
         <string>@@CAK@@</string>
+        <string>-i</string>
+        <string>-a</string>
+        <string>@@HOME@@/.ssh/pivy-agent.sock</string>
     </array>
-    <key>StandardOutPath</key>
-    <string>@@HOME@@/.ssh/agent.env</string>
     <key>StandardErrorPath</key>
-    <string>@@HOME@@/.ssh/agent.out</string>
+    <string>@@HOME@@/Library/Logs/pivy-agent.log</string>
     <key>RunAtLoad</key>
     <true/>
     <key>KeepAlive</key>

macosx/scripts/postinstall

@@ -0,0 +1,45 @@
+#!/bin/bash
+set -ex
+user="$(/usr/bin/python -c 'from SystemConfiguration import SCDynamicStoreCopyConsoleUser; import sys; username = (SCDynamicStoreCopyConsoleUser(None, None, None) or [None])[0]; username = [username,""][username in [u"loginwindow", None, u""]]; sys.stdout.write(username + "\n");')"
+HOME="/Users/${user}"
+uagents="$HOME/Library/LaunchAgents"
+plist="net.cooperi.pivy-agent.plist"
+prefix="/opt/pivy"
+bindir="$prefix/bin"
+
+while true; do
+  /usr/bin/osascript -e 'display dialog "Please insert your YubiKey and press OK"'
+
+  # XXX: we just take the first one we see?
+  while IFS=: read rdrname guid chuid ykpiv; do
+    # check it's been set up with a CHUID
+    if [[ "$chuid" == "false" && "$ykpiv" == "true" ]]; then
+      # if it hasn't set up a basic one + 9e key so we can pin it.
+      # the user can do the rest with pivy-tool later.
+      $bindir/pivy-tool -g $guid init
+      # "init" changes the guid
+      guid=$($bindir/pivy-tool list -p | \
+        /usr/bin/grep "$rdrname" | /usr/bin/awk -F: '{print $2}')
+      $bindir/pivy-tool -g $guid -a eccp256 generate 9e
+    fi
+    cak="$($bindir/pivy-tool -g $guid pubkey 9e)"
+
+    /usr/bin/su "${user}" -c "/bin/mkdir -p \"${uagents}\""
+    # substitute placeholders in the plist
+    /bin/cat /opt/pivy/share/net.cooperi.pivy-agent.plist | \
+      /usr/bin/sed -e "s|@@GUID@@|${guid}|g" -e "s|@@CAK@@|${cak}|g" \
+        -e "s|@@HOME@@|${HOME}|g" \
+      > "${uagents}/${plist}"
+    chown "${user}" "${uagents}/${plist}"
+
+    /usr/bin/su "${user}" -c "/bin/launchctl load \"${uagents}/${plist}\""
+
+    if ! /usr/bin/grep pivy-agent /etc/profile >/dev/null 2>/dev/null; then
+      echo '# pivy-agent' >> /etc/profile
+      echo 'if [[ ! -e "$SSH_AUTH_SOCK" || "$SSH_AUTH_SOCK" == *"launchd"* ]]; then' >> /etc/profile
+      echo '  SSH_AUTH_SOCK=$HOME/.ssh/pivy-agent.sock; export SSH_AUTH_SOCK;' >>/etc/profile
+      echo 'fi' >>/etc/profile
+    fi
+    exit 0
+  done < <($bindir/pivy-tool -p list)
+done

macosx/scripts/preinstall

@@ -0,0 +1,10 @@
+#!/bin/bash
+set -ex
+user="$(/usr/bin/python -c 'from SystemConfiguration import SCDynamicStoreCopyConsoleUser; import sys; username = (SCDynamicStoreCopyConsoleUser(None, None, None) or [None])[0]; username = [username,""][username in [u"loginwindow", None, u""]]; sys.stdout.write(username + "\n");')"
+HOME="/Users/${user}"
+uagents="$HOME/Library/LaunchAgents"
+plist="net.cooperi.pivy-agent.plist"
+
+if /usr/bin/su "$user" -c "/bin/launchctl list \"net.cooperi.pivy-agent\"" > /dev/null; then
+    /usr/bin/su "$user" -c "/bin/launchctl unload \"$uagents/$plist\""
+fi