From bffbbf1586ad23920cce2b69111327557682c69e Mon Sep 17 00:00:00 2001
From: Vladimir Krivosheev <vladimir.krivosheev@jetbrains.com>
Date: Mon, 23 May 2016 16:22:27 +0200
Subject: [PATCH] fix: import bundled certs into login.keychain

Closes #398
---
 .gitattributes                           |   3 +-
 .idea/runConfigurations/CodeSignTest.xml |   2 +-
 certs/AppleWWDRCA.cer                    | Bin 1062 -> 0 bytes
 certs/bundle.crt                         |  97 -----------------------
 certs/create.sh                          |  20 ++++-
 certs/root_certs.keychain                |   3 +
 docs/Code Signing.md                     |   3 +-
 package.json                             |   2 +-
 src/codeSign.ts                          |  52 ++++++++----
 src/packager.ts                          |   6 +-
 src/util.ts                              |   4 +-
 11 files changed, 67 insertions(+), 125 deletions(-)
 delete mode 100644 certs/AppleWWDRCA.cer
 delete mode 100644 certs/bundle.crt
 create mode 100644 certs/root_certs.keychain

diff --git a/.gitattributes b/.gitattributes
index f7dc612ed50..67ce1e1abc9 100755
--- a/.gitattributes
+++ b/.gitattributes
@@ -2,4 +2,5 @@
 *.ico filter=lfs diff=lfs merge=lfs -text
 *.icns filter=lfs diff=lfs merge=lfs -text
 vendor/**/* filter=lfs diff=lfs merge=lfs -text
-*.gif filter=lfs diff=lfs merge=lfs -text
\ No newline at end of file
+*.gif filter=lfs diff=lfs merge=lfs -text
+*.keychain filter=lfs diff=lfs merge=lfs -text
diff --git a/.idea/runConfigurations/CodeSignTest.xml b/.idea/runConfigurations/CodeSignTest.xml
index 46be966e804..894447848af 100644
--- a/.idea/runConfigurations/CodeSignTest.xml
+++ b/.idea/runConfigurations/CodeSignTest.xml
@@ -1,5 +1,5 @@
 <component name="ProjectRunConfigurationManager">
-  <configuration default="false" name="CodeSignTest" type="NodeJSConfigurationType" factoryName="Node.js" path-to-node="project" path-to-js-file="node_modules/.bin/ava" application-parameters="test/out/CodeSignTest.js" node-parameters="--harmony_default_parameters" working-dir="$PROJECT_DIR$">
+  <configuration default="false" name="CodeSignTest" type="NodeJSConfigurationType" factoryName="Node.js" path-to-node="project" path-to-js-file="node_modules/.bin/ava" application-parameters="test/out/CodeSignTest.js" node-parameters="--harmony_default_parameters --expose-debug-as=v8debug" working-dir="$PROJECT_DIR$">
     <envs>
       <env name="NODE_PATH" value="." />
       <env name="CSA_LINK" value="https://repository.certum.pl/cscasha2.cer" />
diff --git a/certs/AppleWWDRCA.cer b/certs/AppleWWDRCA.cer
deleted file mode 100644
index d2bb1da64122c864c872d9b711b176d042462748..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 1062
zcmXqLVo@?^V&+=F%*4pV#KCxP&k@Vq1p)@VY@Awc9&O)w85vnw84QvPxeYkkm_u3E
zgqcEv4TTK^K^!h&F2{m`oKywRyktE?H3JopAh)nAM9?|4s3bEjGdZy&Ge1wkv9u&3
zzbLb$(ooDm1f-5xm=~fhC_leM!P(J3PMp`!*ucoZ+{n<x!o)mEoYx4MYtT3iyCZmz
z9id~O1$G3FGQ{xk{Gyzc^30S}1((#a)SUc+)FOqT)EuyziVa;1oWM@uu_i*b0uB!u
zG%+e6hZiF&19KB2KLb#li>Zl`k>Qj@$g<O6t4^p`dc5p;_a=Tvz1qY*Cc#zbYLXig
z%TwZ(vMX=1{1>1r8WvHYTX!VypjWG%{)c-lQVYXRuCJE(pY=;r$WxR<a?PsST1IcD
zC1(VQ+V*t4*`F;j^#Su5#@gwu>F4-br<!NI<=nO|{cK>${9`c}_k`!An>Li0EopDe
zv*^E}E$UaTdLwGTU-QA<OOvlk6>d$KGuPNJ^ruh+PumVL-h)reU3&vOc4_NAnbP|3
z#gVzkGL~*w{3pGxU>8%Qce&F<%bj1(KJ<Biz}ll{*;B>Xzgbzkmy4MuTza<lvzzA0
z7l*rFRvySoOc&ks;qTLoJxTF-=V#u1FP;2vQtE0ZW=00a#f{4h8W$VL0>fLDk420{
zq(fbtbLBRPgzh)5cYSk@JQ@_Tc)I~VNLrYY@jnZz0W**?kOv7Uvq%_-HHc_m$aJ4l
z#`*6{cCVhpvhVJ`^&D{qdLRYzEb0cT2FeQ*7s$8CW|Wi^Sn2C07v<<Bf>Nhma(=FU
z5ipVI0fh|sK<fEHHn0Gbe4Bv)8y7gCC#SG6F|sfL(>iL>2Sz0$ga7&Wk^6MMZpzW`
ze<$2-^n%rNMP7I9$xNP|H^ujq>s(2H^mkUSRb<TlX2!jn)@dacZCro$u&Y7;;%44+
zvhG_xPVQP<GJDD48Aa{ZcI#caCxz@Z+C4!cIGf8)VB1aEfE>jJu1>%3p6qBF+hu?6
zedkq{<@Qo*x8F5!lFt%JA<5kEuT>H4)frt++IqZRKk^h=we)T%!^(BLy$#kqT(EJE
zX2Ubi@~8Vu7BQZxzw?Oene~p{Z+0b3{mh!|*mRcPTGnUklH03)o}Bv9|B3H&wV91C
z_x#+Vd5N(q?V(=JH^r`_KPnzJuG@ck!rYZ>Kd=95AvG=CKqhc$%$vflrY$-AJfiXd
D2`7-6

diff --git a/certs/bundle.crt b/certs/bundle.crt
deleted file mode 100644
index c2bcef21ae8..00000000000
--- a/certs/bundle.crt
+++ /dev/null
@@ -1,97 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIF2DCCA8CgAwIBAgIQbDvSft08lJ6Vjiips8dXoDANBgkqhkiG9w0BAQsFADB9
-MQswCQYDVQQGEwJJTDEWMBQGA1UEChMNU3RhcnRDb20gTHRkLjErMCkGA1UECxMi
-U2VjdXJlIERpZ2l0YWwgQ2VydGlmaWNhdGUgU2lnbmluZzEpMCcGA1UEAxMgU3Rh
-cnRDb20gQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMTUxMjE2MDEwMDA1WhcN
-MzAxMjE2MDEwMDA1WjB1MQswCQYDVQQGEwJJTDEWMBQGA1UEChMNU3RhcnRDb20g
-THRkLjEpMCcGA1UECxMgU3RhcnRDb20gQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkx
-IzAhBgNVBAMTGlN0YXJ0Q29tIENsYXNzIDIgT2JqZWN0IENBMIIBIjANBgkqhkiG
-9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuRQEWPeyxYYsCDJgrQgmwIF3uWgZ2RUrHRhp
-5NoalgWXLmR5Gqk9UTNa0Hdq9AKTQcOOunAbq9h7dG+Y6Ne5qT5odqSJoCKsF9Yp
-+Lu4YZ/SB9BmDjBHICtwAh7+cwkccTS14n6prKin8Y46QAZ2ksr3eGzvWAVzfX+D
-UOmiVQLjAK6Wp8bCZHvj+FhAlS5Ne7/dggDeSVWnMyPm2k/5YKOTVXExJJaAlYkm
-yH1OiC3soTkkGb6aJjGJPHiaiNJ4pjkySX5l2p4DQ7K1/J6ft5Vw9PuqwmYrF0Vi
-Gnn38kzB2d9UI9Q+dFmHUbV+cnr+FoGl6CiUDd5ZIF1HMrb8hwIDAQABo4IBWjCC
-AVYwDgYDVR0PAQH/BAQDAgEGMBMGA1UdJQQMMAoGCCsGAQUFBwMDMBIGA1UdEwEB
-/wQIMAYBAf8CAQAwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5zdGFydHNz
-bC5jb20vc2ZzY2EuY3JsMGYGCCsGAQUFBwEBBFowWDAkBggrBgEFBQcwAYYYaHR0
-cDovL29jc3Auc3RhcnRzc2wuY29tMDAGCCsGAQUFBzAChiRodHRwOi8vYWlhLnN0
-YXJ0c3NsLmNvbS9jZXJ0cy9jYS5jcnQwHQYDVR0OBBYEFD5ik5rXxxnuPo9JEIVV
-FSDjlIQcMB8GA1UdIwQYMBaAFE4L7xqkQFulF2mHMMo0aEPQQa7yMD8GA1UdIAQ4
-MDYwNAYEVR0gADAsMCoGCCsGAQUFBwIBFh5odHRwOi8vd3d3LnN0YXJ0c3NsLmNv
-bS9wb2xpY3kwDQYJKoZIhvcNAQELBQADggIBAGOlPNWzbSco2Ou6U68wC+pKXRLV
-+ZrKcPpMY4zXTVR+RupS54WhJCManab2P1ncPlHTbRMbPjfHnyj0sIdpvwcV49n0
-nizMF3MBxaKJEnBBEfHs9Krgjc4qKjR2nOywlzxJ0M27RthR5XjyjQ1ofHlOisYg
-MzcyKyMT7YYpxxoC0wTgAh0DNmE5Q/GKFOaDd3S5gTqrR9AQzGaC3IxCKBFtcwvk
-51W98lNRtMbm+oJze5T+dL2wIhyWK58sEIl2paAVfAfWGH3umYL46scLn8BXDFch
-N1Jgrg07DqY6gxCqSdubPhVHZInuVagktWmrnS6N9V/vVLz+OaX4Mkas8n1J1RIR
-+GV8ZQVmTM49l6L+fpv/h95MWLhQOcXanbIY/2cdNEuz5AkhfvDNTQnLxYEMIyMO
-tW2QIwwZdz92vMTU17G9goxXYjSm09yw+iBniH9G/xGz39BV3bwa8ZtKHzDoZ54H
-T6JT2AraDhrWTwFXv8Xrvv2cir+k0h5bIWlDtImH7Jm152edb77f5JI8JrPf6jxc
-UrhNH4xHxe2kGs8ERA39oYlT0dKQIb0obTN6FOF63hBRFFhGB7NuX2FeFjJsZFCk
-oJkpsEauObb7Rh+C02+fnHfoi6ivKwUC9BOsWlI4xn7GMe27niL6k7wpK0L6MTG5
-/6gxwosqaMA1aukw
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIF5DCCA8ygAwIBAgIQeCJDoVPfKAof+uFc0ChMhjANBgkqhkiG9w0BAQsFADB9
-MQswCQYDVQQGEwJJTDEWMBQGA1UEChMNU3RhcnRDb20gTHRkLjErMCkGA1UECxMi
-U2VjdXJlIERpZ2l0YWwgQ2VydGlmaWNhdGUgU2lnbmluZzEpMCcGA1UEAxMgU3Rh
-cnRDb20gQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMTUxMjE2MDEwMDA1WhcN
-MzAxMjE2MDEwMDA1WjB1MQswCQYDVQQGEwJJTDEWMBQGA1UEChMNU3RhcnRDb20g
-THRkLjEpMCcGA1UECxMgU3RhcnRDb20gQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkx
-IzAhBgNVBAMTGlN0YXJ0Q29tIENsYXNzIDMgT2JqZWN0IENBMIIBIjANBgkqhkiG
-9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2GwlNhRkXHnNYZgCnwWVUbzIQGbKV1cyk2Wg
-VbvCet+v/uVVKDJn5mMvwu9lwMHmd+1NpKW93kwI4lb1aUwgJGSwtL/a+jlv8Gw6
-MizkD2PwVK3R9qvia0TR2W7mZDf7qFufa2CNb6bpqSyoPKawAgABb80UoKzKsOWo
-05q6NeR+Z2lt7SR5mop8MPDsOgdnKA/17opoOfSly6F6Jg1r5P5yqWtXxPDexmbM
-/LG/+K1IKJHcb7Kj0soNnBUV9GP+2kAmEUCh0cTD1LCdrYVFiWkDVNmD3dBIQN67
-oeNNH0Ak8cDgjhJGGwgvku4ZZWG7FPWFfakuYpIvaY8AJXd61wIDAQABo4IBZjCC
-AWIwDgYDVR0PAQH/BAQDAgEGMB8GA1UdJQQYMBYGCCsGAQUFBwMDBgorBgEEAYI3
-PQEBMBIGA1UdEwEB/wQIMAYBAf8CAQAwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDov
-L2NybC5zdGFydHNzbC5jb20vc2ZzY2EuY3JsMGYGCCsGAQUFBwEBBFowWDAkBggr
-BgEFBQcwAYYYaHR0cDovL29jc3Auc3RhcnRzc2wuY29tMDAGCCsGAQUFBzAChiRo
-dHRwOi8vYWlhLnN0YXJ0c3NsLmNvbS9jZXJ0cy9jYS5jcnQwHQYDVR0OBBYEFGZ6
-ns2cc4ZqaaCu+oy7GI8I7NUEMB8GA1UdIwQYMBaAFE4L7xqkQFulF2mHMMo0aEPQ
-Qa7yMD8GA1UdIAQ4MDYwNAYEVR0gADAsMCoGCCsGAQUFBwIBFh5odHRwOi8vd3d3
-LnN0YXJ0c3NsLmNvbS9wb2xpY3kwDQYJKoZIhvcNAQELBQADggIBAAsfd/CktuaS
-BfVH8XRzpWAat6GYrrqAmfG4ltT6I+nKYwWCCACvlMwhOVPVUZhoAcDg9lO+WBGY
-vdmuEeef79MjTcxnK3heW5WbSqO7TDRH4Sl5RkfJxdMornUbwmO9+f27UaeyApNA
-U156nWn5/jQu9BqLbAtCAInhJy+ohQrn7YUm9LjI066Bl6M3LDjl25dTJa6QFqEb
-Z9AVxbrJm6+MceHup8CLYPK/XDoV4l4c0/+0+Fh1ArptEoMz/8QMXJdj/7ERZoFE
-QMMjwPYclW8nynQAhlBq080GIXsB2I9JlUFjCFcGv2fs3A6sWSoBG8eZ5yt1DWEj
-BIxS0i68e1FQkqKfonh0lYOe87eWWcquEdiem7hKDMLoOTYoZummdtrE/zHisl2N
-aSSKW1h9i6/SjLxSMQ8dkC+WqEaadzarmS9VzQ21eAPkiKkTzHJtesj2d3m4Ss+F
-Hh5K+C5HLlo26y4X/9t1wH2UaEwzdXZDItGAAFeHfhPB8FVK8uufBOGoLTq3rqeJ
-fLGoD/3yJp3w90Ad9KTJEEww3GTQtVIRN8n8W1Umvom9Y99CBHF6T4vyzqzD9tvg
-mvoucIJCNoKGgMWufQJ69GAOyh0wltsU9OhMmTyyA44rUPeZY4CEsvUbvrkMPzTK
-3Nf9o45cDnB+lBNPMhv/pI9cdfWcpFjJ
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIE3jCCA8agAwIBAgIQazJqDwMo03odUwv9I71I4jANBgkqhkiG9w0BAQsFADB+
-MQswCQYDVQQGEwJQTDEiMCAGA1UEChMZVW5pemV0byBUZWNobm9sb2dpZXMgUy5B
-LjEnMCUGA1UECxMeQ2VydHVtIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MSIwIAYD
-VQQDExlDZXJ0dW0gVHJ1c3RlZCBOZXR3b3JrIENBMB4XDTE1MTAyOTExMzAyOVoX
-DTI3MDYwOTExMzAyOVowgYAxCzAJBgNVBAYTAlBMMSIwIAYDVQQKDBlVbml6ZXRv
-IFRlY2hub2xvZ2llcyBTLkEuMScwJQYDVQQLDB5DZXJ0dW0gQ2VydGlmaWNhdGlv
-biBBdXRob3JpdHkxJDAiBgNVBAMMG0NlcnR1bSBDb2RlIFNpZ25pbmcgQ0EgU0hB
-MjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALfbqNjI47za2oO6ub/W
-1VdTQbdAuhcMRJXU6WY7f7S+kKOUCaWtISAXgEa0QyY+jksaZOwOQDJD/IKf/0ot
-6pTdWhE2i2Hv7BbUSQPY513DZVvyTgsrw8FT+kAtwqszJAWBcH7Ih0yf0YDCGHsO
-FL1OA0PLKEiwLeY23xs9i8OMnTee4QbXJVDfeT3at1/rRr52KDa4AgBGA9A0G3i0
-KMdRx8iVP26NiRjcSfHCDxr0gYHHbdQEd8Uhoy5T+XfP3Kmbw8Hl1WcvMbzAwmic
-SpblH/HzSDUO9uSxxe+HgDrigAw0nfoUZHHkHKGqss8Ap+M3cvlArZ4olQINzpDj
-W8UCAwEAAaOCAVMwggFPMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFMB7tMi3
-blanCUia+HJP19ckLDY+MB8GA1UdIwQYMBaAFAh2zcsH/yT2xc3tu5C84oQ3RnX3
-MA4GA1UdDwEB/wQEAwIBBjATBgNVHSUEDDAKBggrBgEFBQcDAzAvBgNVHR8EKDAm
-MCSgIqAghh5odHRwOi8vY3JsLmNlcnR1bS5wbC9jdG5jYS5jcmwwawYIKwYBBQUH
-AQEEXzBdMCgGCCsGAQUFBzABhhxodHRwOi8vc3ViY2Eub2NzcC1jZXJ0dW0uY29t
-MDEGCCsGAQUFBzAChiVodHRwOi8vcmVwb3NpdG9yeS5jZXJ0dW0ucGwvY3RuY2Eu
-Y2VyMDkGA1UdIAQyMDAwLgYEVR0gADAmMCQGCCsGAQUFBwIBFhhodHRwOi8vd3d3
-LmNlcnR1bS5wbC9DUFMwDQYJKoZIhvcNAQELBQADggEBAKrlP3ZUAkxwDimpOZYG
-DzG3C/Gmi1L7EI9PQluMvTEjAWad6CmhTcNQ+vf4RQ4dgtf8/qYyBHP9cezMiA+j
-kgjFgVgC/QtpO824P0k90I0cExRoLpsNmq2wGeKe0nw5d4hvI/17hPxEbbW6a3CS
-VWyUsdg3/alZHbRjstwTzXiOJTXBmo83hC7URczj9cyNc6jjOm3nlZRwV5FQtm3v
-c3JPLwKHYOLqIqHtPv3Ri2aNLnJtT8ZdNe6TqJjSZ2rp2hnNAoP5dPxfehgEKB7d
-IjM7dmxHBV3VUv4OunbzgxDHbjBfp2DH+nQnMZsog+0hihvxI1KE7ZW8rTqlo0IB
-nbw=
------END CERTIFICATE-----
diff --git a/certs/create.sh b/certs/create.sh
index f9558a72028..4067a89b2e7 100755
--- a/certs/create.sh
+++ b/certs/create.sh
@@ -1,5 +1,17 @@
-> bundle.crt
-curl https://www.startssl.com/certs/sca.code2.crt >> bundle.crt
-curl https://www.startssl.com/certs/sca.code3.crt >> bundle.crt
+#!/usr/bin/env bash
 
-curl https://repository.certum.pl/cscasha2.pem >> bundle.crt
\ No newline at end of file
+> /tmp/bundle.crt
+curl https://www.startssl.com/certs/sca.code2.crt >> /tmp/bundle.crt
+curl https://www.startssl.com/certs/sca.code3.crt >> /tmp/bundle.crt
+
+curl https://repository.certum.pl/cscasha2.pem >> /tmp/bundle.crt
+
+
+rm -rf $PWD/root_certs.keychain
+security create-keychain -p pass $PWD/root_certs.keychain
+security set-keychain-settings -t 86400 -u $PWD/root_certs.keychain
+
+security import /tmp/bundle.crt -k $PWD/root_certs.keychain -T /usr/bin/codesign -T /usr/bin/productbuild
+
+curl https://developer.apple.com/certificationauthority/AppleWWDRCA.cer > /tmp/AppleWWDRCA.cer
+security import /tmp/AppleWWDRCA.cer -k $PWD/root_certs.keychain -T /usr/bin/codesign -T /usr/bin/productbuild
\ No newline at end of file
diff --git a/certs/root_certs.keychain b/certs/root_certs.keychain
new file mode 100644
index 00000000000..aec2067511e
--- /dev/null
+++ b/certs/root_certs.keychain
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:d63fbb2e912ca7b375a6edefcdf1bff92b25f311fdb67f226c03bd91e744ab54
+size 31944
diff --git a/docs/Code Signing.md b/docs/Code Signing.md
index c9655c90789..2b0569d18cd 100644
--- a/docs/Code Signing.md	
+++ b/docs/Code Signing.md	
@@ -29,5 +29,4 @@ To sign app on build server you need to set `CSC_LINK`, `CSC_KEY_PASSWORD` (and
    In case of AppVeyor, don't forget to click on lock icon to “Toggle variable encryption”.
 
 # Where to Buy Code Signing Certificate
-[StartSSL](https://startssl.com/Support?v=34) is recommended.
-It can be used to sign OS X app also, so, you don't need to buy Apple Certificate in addition.
\ No newline at end of file
+[StartSSL](https://startssl.com/Support?v=34) is recommended.
\ No newline at end of file
diff --git a/package.json b/package.json
index 544daefb2a1..2418477add1 100644
--- a/package.json
+++ b/package.json
@@ -6,7 +6,7 @@
   "files": [
     "out",
     "templates",
-    "certs"
+    "certs/root_certs.keychain"
   ],
   "bin": {
     "build": "./out/build-cli.js",
diff --git a/src/codeSign.ts b/src/codeSign.ts
index b459f86adb8..c0052e5720b 100644
--- a/src/codeSign.ts
+++ b/src/codeSign.ts
@@ -1,11 +1,12 @@
-import { exec } from "./util"
-import { deleteFile, outputFile } from "fs-extra-p"
+import { exec, getTempName } from "./util"
+import { deleteFile, outputFile, copy, rename } from "fs-extra-p"
 import { download } from "./httpRequest"
 import { tmpdir } from "os"
 import * as path from "path"
 import { executeFinally, all } from "./promise"
 import { Promise as BluebirdPromise } from "bluebird"
 import { randomBytes } from "crypto"
+import { homedir } from "os"
 
 //noinspection JSUnusedLocalSymbols
 const __awaiter = require("./awaiter")
@@ -34,7 +35,38 @@ function downloadUrlOrBase64(urlOrBase64: string, destination: string): Bluebird
   }
 }
 
-export function createKeychain(keychainName: string, cscLink: string, cscKeyPassword: string, cscILink?: string | null, cscIKeyPassword?: string | null, csaLink?: string | null): Promise<CodeSigningInfo> {
+let bundledCertKeychainAdded = false
+
+export async function createKeychain(keychainName: string, cscLink: string, cscKeyPassword: string, cscILink?: string | null, cscIKeyPassword?: string | null, csaLink?: string | null): Promise<CodeSigningInfo> {
+  if (!bundledCertKeychainAdded) {
+    // "Note that filename will not be searched to resolve the signing identity's certificate chain unless it is also on the user's keychain search list."
+    // but "security list-keychains" doesn't support add - we should 1) get current list 2) set new list - it is very bad http://stackoverflow.com/questions/10538942/add-a-keychain-to-search-list
+    // "overly complicated and introduces a race condition."
+    // https://github.com/electron-userland/electron-builder/issues/398
+
+    bundledCertKeychainAdded = true
+
+    // copy to temp and then atomic rename to final path
+    const tmpKeychainPath = path.join(homedir(), ".cache", getTempName("electron_builder_root_certs"))
+    const keychainPath = path.join(homedir(), ".cache", "electron_builder_root_certs.keychain")
+    const results = await BluebirdPromise.all<Array<string> | string>([
+      exec("security", ["list-keychains"]),
+      copy(path.join(__dirname, "..", "certs", "root_certs.keychain"), tmpKeychainPath)
+        .then(() => rename(tmpKeychainPath, keychainPath)),
+    ])
+    const list = (<string[]>results[0])[0]
+      .split("\n")
+      .map(it => {
+        let r = it.trim()
+        return r.substring(1, r.length - 1)
+      })
+      .filter(it => it.length > 0)
+
+    if (!list.includes(keychainPath)) {
+      await exec("security", ["list-keychains", "-d", "user", "-s", keychainPath])
+    }
+  }
+
   const certLinks = csaLink == null ? [] : [csaLink]
   certLinks.push(cscLink)
   if (cscILink != null) {
@@ -43,7 +75,7 @@ export function createKeychain(keychainName: string, cscLink: string, cscKeyPass
 
   const certPaths = certLinks.map(it => path.join(tmpdir(), randomString() + (it.endsWith(".cer") ? ".cer" : ".p12")))
   const keychainPassword = randomString()
-  return executeFinally(BluebirdPromise.all([
+  return await executeFinally(BluebirdPromise.all([
       BluebirdPromise.map(certPaths, (p, i) => downloadUrlOrBase64(certLinks[i], p)),
       BluebirdPromise.mapSeries([
         ["create-keychain", "-p", keychainPassword, keychainName],
@@ -51,7 +83,7 @@ export function createKeychain(keychainName: string, cscLink: string, cscKeyPass
         ["set-keychain-settings", "-t", "3600", "-u", keychainName]
       ], it => exec("security", it))
     ])
-    .then(() => importCerts(keychainName, certPaths, [cscKeyPassword, cscIKeyPassword].filter(it => it != null), csaLink == null)),
+    .then(() => importCerts(keychainName, certPaths, [cscKeyPassword, cscIKeyPassword].filter(it => it != null))),
     errorOccurred => {
       const tasks = certPaths.map(it => deleteFile(it, true))
       if (errorOccurred) {
@@ -61,16 +93,8 @@ export function createKeychain(keychainName: string, cscLink: string, cscKeyPass
     })
 }
 
-async function importCerts(keychainName: string, paths: Array<string>, keyPasswords: Array<string | null | undefined>, importBundledCerts: boolean): Promise<CodeSigningInfo> {
+async function importCerts(keychainName: string, paths: Array<string>, keyPasswords: Array<string | null | undefined>): Promise<CodeSigningInfo> {
   const certFiles = paths.slice(0, -keyPasswords.length)
-  if (importBundledCerts) {
-    const bundledCertsPath = path.join(__dirname, "..", "certs")
-    certFiles.push(
-      path.join(bundledCertsPath, "AppleWWDRCA.cer"),
-      path.join(bundledCertsPath, "bundle.crt")
-    )
-  }
-
   for (let file of certFiles) {
     await exec("security", ["import", file, "-k", keychainName, "-T", "/usr/bin/codesign"])
   }
diff --git a/src/packager.ts b/src/packager.ts
index c788be5ac85..2fd0029b7c8 100644
--- a/src/packager.ts
+++ b/src/packager.ts
@@ -77,7 +77,7 @@ export class Packager implements BuildInfo {
     // custom packager - don't check wine
     let checkWine = this.options.platformPackagerFactory == null
     for (let platform of platforms) {
-      let wineCheck: Promise<Buffer[]> | null = null
+      let wineCheck: Promise<string[]> | null = null
       if (checkWine && process.platform !== "win32" && platform === Platform.WINDOWS) {
         wineCheck = exec("wine", ["--version"])
       }
@@ -228,14 +228,14 @@ function checkConflictingOptions(options: any) {
   }
 }
 
-async function checkWineVersion(checkPromise: Promise<Buffer[]>) {
+async function checkWineVersion(checkPromise: Promise<string[]>) {
   function wineError(prefix: string): string {
     return `${prefix}, please see https://github.com/electron-userland/electron-builder/wiki/Multi-Platform-Build#${(process.platform === "linux" ? "linux" : "os-x")}`
   }
 
   let wineVersion: string
   try {
-    wineVersion = (await checkPromise)[0].toString().trim()
+    wineVersion = (await checkPromise)[0].trim()
   }
   catch (e) {
     if (e.code === "ENOENT") {
diff --git a/src/util.ts b/src/util.ts
index 3352847bd89..2526d448e16 100644
--- a/src/util.ts
+++ b/src/util.ts
@@ -67,12 +67,12 @@ export interface ExecOptions extends BaseExecOptions {
   killSignal?: string
 }
 
-export function exec(file: string, args?: Array<string> | null, options?: ExecOptions): BluebirdPromise<Buffer[]> {
+export function exec(file: string, args?: Array<string> | null, options?: ExecOptions): BluebirdPromise<string[]> {
   if (debug.enabled) {
     debug(`Executing ${file} ${args == null ? "" : args.join(" ")}`)
   }
 
-  return new BluebirdPromise<Buffer[]>((resolve, reject) => {
+  return new BluebirdPromise<string[]>((resolve, reject) => {
     execFile(file, <any>args, options, function (error, stdout, stderr) {
       if (error == null) {
         resolve(<any>[stdout, stderr])