From f6a289361c8c4244f99298de38afb3a409a16736 Mon Sep 17 00:00:00 2001
From: Sean Robertson
Date: Thu, 21 Nov 2019 17:26:02 +0000
Subject: [PATCH] flags
---
 hooks/command | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)
diff --git a/hooks/command b/hooks/command
index 71d1176..540f9d3 100755
--- a/hooks/command
+++ b/hooks/command
@@ -82,16 +82,17 @@ function get_signing_identity {
 # identity: The identity to use for signing.
 function sign_and_validate {
 signing_target="${1}"
- identity="${2}"
+ keychain="${2}"
+ identity="${3}"
- codesign --verify --verbose --display --deep -s "${identity}" "${signing_target}"
+ codesign --verbose --display --deep --keychain "${codesigning_keychain}" --sign "${identity}" "${signing_target}"
 retval=$?
 if [[ "${retval}" -ne 0 ]]; then
 echo "codesigning of target '${signing_target}' failed: error code '${retval}'"
 exit 4
 fi
- codesign --verify --deep --strict "${signing_target}"
+ codesign --verify --verbose --deep --strict "${signing_target}"
 retval=$?
 if [[ "${retval}" -ne 0 ]]; then
 echo "Unable to verify that '${signing_target}' has a valid code signature: error code '${retval}'"
@@ -136,7 +137,7 @@ echo "--- Unlocking the keychain"
 unlock_keychain "${codesigning_keychain}" "${keychain_pw}"
 echo "--- Finding the code signing identity in the unlocked keychain"
-identity=$(get_signing_identity "${BUILDKITE_PLUGIN_MAC_CODESIGN_KEYCHAIN}")
+identity=$(get_signing_identity "${codesigning_keychain}")
 # Sign things in a local dir so the uploaded artifacts don't have a weird path
 signed_dir_fragment="signed"
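Review bot: The new `keychain="${2}"` assignment in sign_and_validate is dead: the `codesign` line right after it reads the script-level `${codesigning_keychain}` instead of the parameter the caller now passes, so the function still depends on a global and the added argument changes nothing. Either use the parameter, `codesign --verbose --display --deep --keychain "${keychain}" --sign "${identity}" "${signing_target}"`, or drop the parameter together with the extra argument at the call site in the third hunk. The comment block that documents the function's arguments (it begins outside the hunk) lists `identity` but not the new argument; a line such as `# keychain: The keychain that holds the signing identity.` would keep it in step. As a point of style, `signing_target`, `keychain` and `identity` are assigned without `local`, so they would clobber the script-level `identity` set later in the file whenever the function is called outside a `$(...)` subshell; the visible call site happens to use one, which masks this today. sign_and_validate continues past the end of the hunk.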
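Review bot: The new `identity=$(get_signing_identity "${codesigning_keychain}")` still stores whatever the helper prints without checking it, so if get_signing_identity can print nothing yet exit 0 (its body is outside the hunk), an empty identity is handed to `--sign` in sign_and_validate and the failure only surfaces as a codesign error. A guard immediately after the assignment, `[[ -n "${identity}" ]] || { echo "no signing identity found in '${codesigning_keychain}'" >&2; exit 1; }`, fails early with a message that names the keychain that was searched; the exit code is a constructed value and should follow whatever numbering the script uses for its other fatal paths.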
@@ -151,7 +152,7 @@ for artifact in $(plugin_read_list INPUT_ARTIFACTS) ; do
 unsigned_artifact="$(fetch_artifact ${artifact} ${relative_artifacts_dir})"
 echo "${artifact}: signing binary"
- signed_artifact="$(sign_and_validate "${unsigned_artifact}" "${identity}")"
+ signed_artifact="$(sign_and_validate "${unsigned_artifact}" "${codesigning_keychain}" "${identity}")"
 # The pushd/popd/dirname/basename shenanigans are so the artifact path in BK is friendlier. EG - # "signed/$BINARY_NAME"