GitLab

at 2024-07-30T17:49:28+00:00

Bug 41199: Duplicate wrappers/sign-rcodesign as wrappers/sign-rcodesign-128

In order to modify the `sign-rcodesign` wrapper for 128esr changes,
while keeping support for the 115esr branch, we duplicate the script.

After the last 115esr based release we should remove it:
 * copying `sign-rcodesign-128` to `sign-rcodesign`,
 * reverting this commit,
 * removing tools/signing/*.entitlements.xml,
 * and adding instructions in `machines-setup/setup-signing-machine` to
   remove `/etc/sudoers.d/sign-rcodesign-128`.

@@ -12,7 +12,7 @@ tar -C /var/tmp/build -xf [% project %]-[% c('version') %].tar.[% c('compress_ta
  tar -C $builddir -xf $rootdir/[% c('input_files_by_name/cargo_vendor') %]
  cd $builddir
 -mkdir .cargo
 +mkdir -p .cargo
  cat >> .cargo/config << 'EOF'
  [source.crates-io]

  # vim: filetype=yaml sw=2
 -version: 0.22.0
 -git_hash: cb406b5feb1439131f36ec60375f607a7f82439d
 +version: 0.27.0
 +git_hash: 703362f818272d43b3844105863739bcb6f1a11a
  git_url: https://github.com/indygreg/apple-platform-rs.git
  container:
    use_container: 1
@@ -16,4 +16,4 @@ steps:
          project: rcodesign
          pkg_type: cargo_vendor
          norec:
 -          sha256sum: 04c21203d2948ebfa59f1039d4481e419e656ec636293b4846fdb7868cfd98f0
 +          sha256sum: c778deb784f68b48a51c6c54095c6cd45e37847d65e9db36ce39b4326874ae9c

@@ -19,5 +19,5 @@ destdir=~/"$SIGNING_PROJECTNAME-$tbb_version-macos-signed"
  mkdir -p $destdir
  rm -f "$destdir/$output_file"
 -sudo -u signing-macos -- /signing/tor-browser-build/tools/signing/wrappers/sign-rcodesign ~/"$SIGNING_PROJECTNAME-$tbb_version"/$(project-name)-macos-${tbb_version}.dmg "$display_name"
 +sudo -u signing-macos -- /signing/tor-browser-build/tools/signing/wrappers/sign-rcodesign-128 ~/"$SIGNING_PROJECTNAME-$tbb_version"/$(project-name)-macos-${tbb_version}.dmg "$display_name"
  cp "/home/signing-macos/last-signed-$display_name.tar.zst" "$destdir/$output_file"

@@ -91,6 +91,7 @@ sudoers_file sign-mar
  sudoers_file sign-exe
  sudoers_file sign-apk
  sudoers_file sign-rcodesign
 +sudoers_file sign-rcodesign-128
  sudoers_file set-date
  authorized_keys boklm boklm-tb-release.pub boklm-yk1.pub

 +<?xml version="1.0" encoding="UTF-8"?>
 +<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
 +<!--
 +     Entitlements to apply to the main browser process executable during
 +     codesigning of production channel builds.
 +-->
 +<plist version="1.0">
 +  <dict>
 +    <!-- Allow loading third party libraries to support pkcs11 modules -->
 +    <key>com.apple.security.cs.disable-library-validation</key><true/>
++
 +    <!-- Firefox needs to create executable pages with MAP_JIT on aarch64 -->
 +    <key>com.apple.security.cs.allow-jit</key><true/>
++
 +    <!-- Firefox needs to access the microphone on sites the user allows -->
 +    <key>com.apple.security.device.audio-input</key><true/>
++
 +    <!-- Firefox needs to access the camera on sites the user allows -->
 +    <key>com.apple.security.device.camera</key><true/>
++
 +    <!-- Firefox needs to access the location on sites the user allows -->
 +    <key>com.apple.security.personal-information.location</key><true/>
++
 +    <!-- For SmartCardServices(7) -->
 +    <key>com.apple.security.smartcard</key><true/>
++
 +    <!-- Required for com.apple.developer.web-browser.public-key-credential -->
 +    <key>com.apple.application-identifier</key>
 +    <string>43AQ936H96.org.mozilla.firefox</string>
++
 +    <!-- For platform passkey (webauthn) support -->
 +    <key>com.apple.developer.web-browser.public-key-credential</key><true/>
 +  </dict>
 +</plist>

morgan pushed to branch main at The Tor Project / Applications / tor-browser-build

Commits:

12 changed files:

Changes:

	1	+Defaults>signing-macos env_keep += "SIGNING_PROJECTNAME tbb_version_type RCODESIGN_PW"
	2	+%signing ALL = (signing-macos) NOPASSWD: /signing/tor-browser-build/tools/signing/wrappers/sign-rcodesign-128

@@ -21,7 +21,7 @@ display_name=$(display_name)
  tar -C "$tmpdir" -xf "$macos_rcodesign_signed_tar_dir/$(project-name)-macos-${tbb_version}-rcodesign-signed.tar.zst"
 -"$script_dir/../local/rcodesign/rcodesign" notary-submit --api-key-path "$appstoreconnect_api_key_path" --staple "$tmpdir/$display_name.app"
 +"$script_dir/../local/rcodesign-128/rcodesign" notary-submit --api-key-path "$appstoreconnect_api_key_path" --staple "$tmpdir/$display_name.app"
  output_file="$(project-name)-${tbb_version}-notarized+stapled.tar.zst"
  tar -C "$tmpdir" -caf "$tmpdir/$output_file" "$display_name.app"

 -rcodesign_version=0.22.0-bc8cc7
 +rcodesign_version=0.27.0-e252fa
  rcodesign_filename=rcodesign-${rcodesign_version}.tar.gz
 -rcodesign_sha256sum=2a9eda016fff116c59f52b358e7a740f6fb5c039974f0acc8266c3605d24092a
 +rcodesign_sha256sum=c228c5fb06a088bc6c50a212d8d5a15425c2bcdf448bfa7f94ea5cc41321c533
  rcodesign_url="https://build-sources.tbb.torproject.org/${rcodesign_filename}"

@@ -35,8 +35,8 @@ function setup_rcodesign {
    tar -C "$tmpdir" -xf "$rcodesign_path"
    mv "$tmpdir/rcodesign" "$rcodesign_dir"
    chmod -R go+rX "$rcodesign_dir"
 -  rm -f "$localdir/rcodesign"
 -  ln -s "rcodesign-$rcodesign_version" "$localdir/rcodesign"
 +  rm -f "$localdir/rcodesign-128"
 +  ln -s "rcodesign-$rcodesign_version" "$localdir/rcodesign-128"
+ }
  download_rcodesign

 +#!/bin/bash
 +set -e
++
 +function exit_error {
 +  for msg in "$@"
 +  do
 +    echo "$msg" >&2
 +  done
 +  exit 1
 +}
++
 +test $# -eq 2 || exit_error "Wrong number of arguments"
 +dmg_file="$1"
 +display_name="$2"
++
 +output_file="/home/signing-macos/last-signed-$display_name.tar.zst"
 +rm -f "$output_file"
++
 +rcodesign=/signing/rcodesign-128/rcodesign
 +rcodesign_signing_p12_file=/home/signing-macos/keys/key-1.p12
 +test -f "$rcodesign_signing_p12_file" || exit_error "$rcodesign_signing_p12_file is missing"
++
 +tmpdir=$(mktemp -d)
 +trap "rm -Rf $tmpdir" EXIT
 +cd "$tmpdir"
 +7z x "$dmg_file"
++
 +# Fix permission on files:
 +# https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/29815#note_2957050
 +# FIXME: Maybe we should extract the .mar file instead of the .dmg to
 +# preserve permissions
 +chmod ugo+x "$display_name/$display_name.app/Contents/MacOS"/* \
 +            "$display_name/$display_name.app/Contents/MacOS/updater.app/Contents/MacOS"/* \
 +            "$display_name/$display_name.app/Contents/MacOS/plugin-container.app/Contents/MacOS"/* \
 +            "$display_name/$display_name.app/Contents/MacOS/media-plugin-helper.app/Contents/MacOS"/* \
 +            "$display_name/$display_name.app/Contents/Frameworks/ChannelPrefs.framework/ChannelPrefs" \
 +            "$display_name/$display_name.app/Contents/MacOS/updater.app/Contents/Frameworks/UpdateSettings.framework/UpdateSettings"
 +test -d "$display_name/$display_name.app/Contents/MacOS/Tor" && \
 +  chmod -R ugo+x "$display_name/$display_name.app/Contents/MacOS/Tor"
++
 +pwdir=/run/lock/rcodesign-pw
 +trap "rm -Rf $pwdir" EXIT
 +rm -Rf "$pwdir"
 +mkdir "$pwdir"
 +chmod 700 "$pwdir"
 +cat > "$pwdir/rcodesign-pw-2" << EOF
 +$RCODESIGN_PW
 +EOF
 +tr -d '\n' < "$pwdir/rcodesign-pw-2" > "$pwdir/rcodesign-pw"
 +rm "$pwdir/rcodesign-pw-2"
++
 +# unset RCODESIGN_PW since it conflicts with rcodesign config
 +unset RCODESIGN_PW
 +rcodesign_opts="
 +  --code-signature-flags runtime
 +  --timestamp-url http://timestamp.apple.com:8080/ts01
 +  --p12-file $rcodesign_signing_p12_file
 +  --p12-password-file $pwdir/rcodesign-pw
 +  "
++
 +flags=()
 +for dir in Contents/MacOS Contents/MacOS/Tor Contents/MacOS/Tor/PluggableTransports
 +do
 +  d="$display_name/$display_name.app/$dir"
 +  test -d "$d" || continue
 +  pushd "$d"
 +  for file in *
 +  do
 +    test -f "$file" || continue
 +    flags+=('--code-signature-flags' "$dir/$file:runtime")
 +  done
 +  popd
 +done
 +echo "code-signature-flags: ${flags[@]}"
++
 +echo "**** Signing main bundle ($display_name.app) ****"
 +$rcodesign sign \
 +  $rcodesign_opts \
 +  "${flags[@]}" \
 +  --code-signature-flags Contents/MacOS/updater.app/Contents/Frameworks/UpdateSettings.framework:runtime \
 +  --code-signature-flags Contents/MacOS/updater.app:runtime \
 +  --code-signature-flags Contents/Frameworks/ChannelPrefs.framework:runtime \
 +  --code-signature-flags Contents/MacOS/plugin-container.app:runtime \
 +  --code-signature-flags Contents/MacOS/media-plugin-helper.app:runtime \
 +  --entitlements-xml-path Contents/MacOS/plugin-container.app:/signing/tor-browser-build/tools/signing/macos-entitlements/plugin-container.xml \
 +  --entitlements-xml-path Contents/MacOS/media-plugin-helper.app:/signing/tor-browser-build/tools/signing/macos-entitlements/media-plugin-helper.xml \
 +  --entitlements-xml-path /signing/tor-browser-build/tools/signing/macos-entitlements/firefox.browser.xml \
 +  -- \
 +  "$display_name/$display_name.app"
++
 +rm -f "$pwdir/rcodesign-pw"
 +rmdir "$pwdir"
 +tar -C "$display_name" -caf "$output_file" "$display_name.app"
 +cd -
 +rm -Rf "$tmpdir"