From bcd743ef1f6e4e9eafb878bb955baa461c27bc55 Mon Sep 17 00:00:00 2001
From: Ian Young
Date: Thu, 26 Mar 2020 11:36:56 +0000
Subject: [PATCH] Add support for development signing using Yubikey 4 on macOS

See ukf/ukf-meta#221.
---
 macosx.properties | 29 +++++++++++++++++++++++------
 mdx/uk/yubikey-mac.cfg | 8 ++++++++
 2 files changed, 31 insertions(+), 6 deletions(-)
 create mode 100644 mdx/uk/yubikey-mac.cfg

diff --git a/macosx.properties b/macosx.properties
index 31d66d14..d6e1086d 100644
--- a/macosx.properties
+++ b/macosx.properties
@@ -1,26 +1,43 @@
 #
 # macosx.properties
 #
-# Properties for Mac OS X builds. Properties defined here override
+# Properties for macOS builds. Properties defined here override
 # those defined in default.properties, but may be overridden by
 # properties defined in a machine-specific build.properties file.
 #
-
+# As most use cases for macOS builds are for development purposes,
+# you should normally add overriding properties to build.properties
+# rather than editing this file. Examples are provided below.
 #
-# Location of the PKCS#11 configuration file for OpenSC on Mac OS X.
+
 #
-# This varies depending on which version of OpenSC is installed.
+# Location of the PKCS#11 configuration file for OpenSC on macOS.
 #
-# If the standard installer was used:
+# This varies depending on which token you are using. The default
+# configuration assumes an OpenSC-supported token such as the Nitrokey HSM
+# accessed through a version of OpenSC installed using the standard installer:
 #
 sign.uk.pkcs11Config = ${basedir}/mdx/uk/opensc-mac.cfg
 #
-# If the MacPorts system was used, override this by placing the following
+# For an OpenSC-supported token accessed through a MacPorts-installed
+# version of OpenSC, override this by placing the following
 # definition in the local build.properties file:
 #
 #sign.uk.pkcs11Config = ${basedir}/mdx/uk/opensc-mac-macports.cfg
+#
+# For a Yubikey, use this override in build.properties:
+#
+#sign.uk.pkcs11Config = ${basedir}/mdx/uk/yubikey-mac.cfg
 
 #
 # Signing key alias within the keystore.
 #
+# Default is suitable for something like the Nitrokey HSM:
+#
 sign.uk.keyAlias = key10
+#
+# For a PIV token such as the Yubikey 4, override this by
+# adding an override in build.properties. The following, for
+# example, corresponds to PIV slot 82:
+#
+#sign.uk.keyAlias = X.509 Certificate for Retired Key 1
diff --git a/mdx/uk/yubikey-mac.cfg b/mdx/uk/yubikey-mac.cfg
new file mode 100644
index 00000000..24cf2d48
--- /dev/null
+++ b/mdx/uk/yubikey-mac.cfg
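Review bot: The Yubikey instructions in macosx.properties are split across two sections, and the new comment above the `sign.uk.pkcs11Config` override does not say that `sign.uk.keyAlias` has to be overridden as well. Someone who applies only the first override keeps the default alias `key10`, which the comments describe as suited to the Nitrokey HSM and which presumably will not resolve on a PIV token. I would cross-reference the two, e.g. `# For a Yubikey, use this override in build.properties (and also override sign.uk.keyAlias, described below):`. It may also be worth stating that the alias must match the slot that actually holds the development key, since slot 82 is given only as an example.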
@@ -0,0 +1,8 @@
+#
+# PKCS#11 provider configuration for Yubikey 4 running under Mac OS X.
+#
+# This assumes a copy of the yubico-piv-tool-2.0.0-mac package unpacked and
+# manually moved under /usr/local.
+#
+name = Yubikey
+library = /usr/local/yubico-piv-tool/lib/libykcs11.dylib
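Review bot: The `library` line in yubikey-mac.cfg makes the signing process load a native library from a manually populated directory under /usr/local, and the header comment says nothing about where the package should come from or who may write to that directory. Whatever is loaded from that path sits between the build and the token, so it handles the PIN and every signing request; on machines where /usr/local is writable by the logged-in user (I'd expect that on some developer Macs, but confirm) it could be replaced without administrator rights. I would extend the comment along the lines of `# Verify the package against the publisher's signature or checksum before unpacking, and keep /usr/local/yubico-piv-tool owned by root and not user-writable.` Separately, the comment pins version 2.0.0 while the path is unversioned, so it will drift on upgrade, and it still says "Mac OS X" where this commit changes macosx.properties to "macOS".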