From 875af8947795ef19efe2dac52be8a7a5c48c53b0 Mon Sep 17 00:00:00 2001
From: Marco Esters
Date: Fri, 6 Sep 2024 15:00:03 -0700
Subject: [PATCH] Use system keychain only for certificate trusting

---
 scripts/create_self_signed_certificates_macos.sh | 13 ++++++++-----
 tests/conftest.py | 11 ++++-------
 2 files changed, 12 insertions(+), 12 deletions(-)

diff --git a/scripts/create_self_signed_certificates_macos.sh b/scripts/create_self_signed_certificates_macos.sh
index 86466b060..ced60e529 100755
--- a/scripts/create_self_signed_certificates_macos.sh
+++ b/scripts/create_self_signed_certificates_macos.sh
@@ -21,11 +21,14 @@ INSTALLER_ROOT="installer"
 INSTALLER_SIGNING_ID=${INSTALLER_SIGNING_ID:-${INSTALLER_ROOT}}
 KEYCHAIN_PATH="${KEYCHAIN_PATH:-"${ROOT_DIR}/constructor.keychain"}"
-
-if [[ ! -f "${KEYCHAIN_PATH}" ]]; then
-    security create-keychain -p "${KEYCHAIN_PASSWORD}" "${KEYCHAIN_PATH}"
-    security set-keychain-settings -lut 3600 "${KEYCHAIN_PATH}"
+if [[ -n "${ON_CI}" ]]; then
+    CERT_KEYCHAIN="/Library/Keychains/System.keychain"
+else
+    CERT_KEYCHAIN=${KEYCHAIN_PATH}
 fi
+
+security create-keychain -p "${KEYCHAIN_PASSWORD}" "${KEYCHAIN_PATH}"
+security set-keychain-settings -lut 3600 "${KEYCHAIN_PATH}"
 security unlock-keychain -p "${KEYCHAIN_PASSWORD}" "${KEYCHAIN_PATH}"
 for context in ${APPLICATION_ROOT} ${INSTALLER_ROOT}; do
@@ -73,6 +76,6 @@ for context in ${APPLICATION_ROOT} ${INSTALLER_ROOT}; do
     fingerprint=$(openssl x509 -in "${pemfile}" -noout -fingerprint -sha256 | cut -f2 -d'=' | sed 's/://g')
     echo "SHA256 ${commonname} = ${fingerprint}"
     if [[ "${context}" == "installer" ]]; then
-        security add-trusted-cert -d -p basic -k "${KEYCHAIN_PATH}" "${pemfile}"
+        security add-trusted-cert -d -p basic -k "${CERT_KEYCHAIN}" "${pemfile}"
     fi
 done
diff --git a/tests/conftest.py b/tests/conftest.py
index 4f567c257..e63cb24ed 100644
--- a/tests/conftest.py
+++ b/tests/conftest.py
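Review bot: Dropping the `if [[ ! -f "${KEYCHAIN_PATH}" ]]` guard makes `security create-keychain` run unconditionally, so a second invocation against an existing keychain file now fails on that line; if a fresh keychain per run is intended, remove the old one first (`security delete-keychain "${KEYCHAIN_PATH}" 2>/dev/null || true`) or restore the guard. The `-n "${ON_CI}"` test treats any non-empty value, including `ON_CI=0` or `ON_CI=false`, as "on CI", and that choice is what routes `add-trusted-cert -d` in the second hunk into `/Library/Keychains/System.keychain` — an admin-domain, machine-wide trust of a self-signed installer certificate that the script never removes. Compare against an explicit value instead, `if [[ "${ON_CI}" == "1" ]]; then`, and document the intent at `CERT_KEYCHAIN`, e.g. `# Trust the installer cert in the System keychain only on disposable CI runners; local runs keep trust inside the throw-away keychain`. Whether the script runs under `set -e`, which decides if the failed create-keychain aborts the run, is outside the hunk.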
@@ -27,21 +27,18 @@ def self_signed_certificate_macos(tmp_path):
     # Users will be asked for authentication.
     # On GitHub runners, the system keychain does not require authentication,
     # which is why it is unsed on the CI.
-    if ON_CI:
-        keychain_path = "/Library/Keychains/System.keychain"
-        keychain_password = ""
-    else:
-        keychain_path = str(cert_root / "constructor.keychain")
-        keychain_password = "abcd"
+    keychain_path = str(cert_root / "constructor.keychain")
+    keychain_password = "abcd"
     env = {
         "APPLICATION_SIGNING_ID": notarization_identity,
         "APPLICATION_SIGNING_PASSWORD": notarization_identity_password,
         "INSTALLER_SIGNING_ID": signing_identity,
         "INSTALLER_SIGNING_PASSWORD": signing_identity_password,
         "KEYCHAIN_PASSWORD": keychain_password,
-        "KEYCHAIN_PATH": keychain_path,
         "ROOT_DIR": str(cert_root),
     }
+    if not ON_CI:
+        env["ON_CI"] = "1"
     p = subprocess.run(
         ["bash", REPO_DIR / "scripts" / "create_self_signed_certificates_macos.sh"],
         env=env,
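Review bot: The condition `if not ON_CI:` is inverted relative to the script this fixture drives: the script selects `/Library/Keychains/System.keychain` whenever `ON_CI` is non-empty, so this exports `ON_CI=1` exactly when the tests are NOT on CI, sending `add-trusted-cert -d` into the System keychain (and an admin authentication prompt) on developers' machines while CI keeps trust inside the temporary keychain — the opposite of the commit title; it should read `if ON_CI:`. With `KEYCHAIN_PATH` dropped from `env`, `keychain_path` is now assigned but never used; either remove the assignment or pass it through again, since the script's fallback `${ROOT_DIR}/constructor.keychain` coincides with it only by convention. The comment above the change still says "unsed" (should be "used") and now describes a decision that lives in the script, so point it there, e.g. `# The script trusts the installer cert in the system keychain only when ON_CI is set.` The rest of the fixture continues outside the hunk.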