morgan pushed to branch main at The Tor Project / Applications / tor-browser-build
Commits:
1ae99c2b by Nicolas Vigier at 2024-07-30T17:49:28+00:00
Bug 41199: Duplicate wrappers/sign-rcodesign as wrappers/sign-rcodesign-128
In order to modify the `sign-rcodesign` wrapper for 128esr changes, while keeping support for the 115esr branch, we duplicate the script.
After the last 115esr-based release we should remove it:
* copying `sign-rcodesign-128` to `sign-rcodesign`,
* reverting this commit,
* removing tools/signing/*.entitlements.xml,
* and adding instructions in `machines-setup/setup-signing-machine` to remove `/etc/sudoers.d/sign-rcodesign-128`.
- - - - -
79c986b6 by Nicolas Vigier at 2024-07-30T17:49:28+00:00
Bug 40553: Use different entitlements files for parent and child processes
We copy entitlements files from mozilla, from the esr128 branch, in directory `security/mac/hardenedruntime/v2/production`.
In the file `taskcluster/config.yml`, `mac-signing/hardened-sign-config` lists the different entitlements files used for the different files.
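The per-process split described in this commit (the main browser process gets camera, microphone, location, smartcard and the passkey entitlements; `plugin-container` only `allow-jit`; `media-plugin-helper` only `disable-library-validation`) is worth linting before every signing run, so that a copied file cannot silently hand a child process more than its parent or carry another vendor's identity. The script below is an added example written for this page, not code from tor-browser-build or Mozilla. It parses entitlements plists with `plistlib` and checks a small least-privilege policy; the rules (child bundles must not be granted entitlements the parent lacks, `com.apple.developer.*` entitlements require an `application-identifier`, and the identifier's Team ID and bundle ID must match values the caller passes in) are assumptions made here, as are the placeholder identity `TEAMID0000` / `org.example.browser`. The sample plists are the three files added by this commit, reduced to the keys they set.

```python
"""Lint macOS entitlements plists for a parent app and its child bundles.

Added example for this page, not code from tor-browser-build or Mozilla.
The policy rules and the expected Team ID / bundle ID are assumptions.
"""
import plistlib
from typing import Dict, List

# Sample inputs: the three entitlements files from the commit, reduced to
# the keys they set (constructed here for the example).
PLIST_HEAD = (
    b'<?xml version="1.0" encoding="UTF-8"?>\n'
    b'<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" '
    b'"http://www.apple.com/DTDs/PropertyList-1.0.dtd">\n'
    b'<plist version="1.0"><dict>\n'
)
PLIST_TAIL = b"</dict></plist>\n"

FIREFOX_BROWSER_XML = PLIST_HEAD + b"""\
<key>com.apple.security.cs.disable-library-validation</key><true/>
<key>com.apple.security.cs.allow-jit</key><true/>
<key>com.apple.security.device.audio-input</key><true/>
<key>com.apple.security.device.camera</key><true/>
<key>com.apple.security.personal-information.location</key><true/>
<key>com.apple.security.smartcard</key><true/>
<key>com.apple.application-identifier</key><string>43AQ936H96.org.mozilla.firefox</string>
<key>com.apple.developer.web-browser.public-key-credential</key><true/>
""" + PLIST_TAIL
PLUGIN_CONTAINER_XML = (PLIST_HEAD
                        + b"<key>com.apple.security.cs.allow-jit</key><true/>\n"
                        + PLIST_TAIL)
MEDIA_PLUGIN_HELPER_XML = (PLIST_HEAD
                           + b"<key>com.apple.security.cs.disable-library-validation</key><true/>\n"
                           + PLIST_TAIL)

RESTRICTED_PREFIX = "com.apple.developer."  # entitlements Apple provisions per team
APP_ID_KEY = "com.apple.application-identifier"
# Entitlements that weaken the hardened runtime; every binary carrying one
# is reported so a reviewer sees the full list.
WEAKENING = {
    "com.apple.security.cs.disable-library-validation",
    "com.apple.security.cs.allow-unsigned-executable-memory",
    "com.apple.security.cs.allow-dyld-environment-variables",
    "com.apple.security.get-task-allow",
}


def load_entitlements(data: bytes) -> dict:
    """Parse an entitlements plist; the top level must be a dict."""
    ents = plistlib.loads(data)
    if not isinstance(ents, dict):
        raise ValueError("entitlements plist top level is not a dict")
    return ents


def lint(parent: dict, children: Dict[str, dict],
         expected_team: str, expected_bundle: str) -> List[str]:
    """Return human-readable findings; an empty list means the policy holds."""
    findings: List[str] = []

    # Rule 1: identity. Restricted entitlements are tied to the Team ID in
    # the application-identifier, which must be the identity used to sign.
    app_id = parent.get(APP_ID_KEY)
    restricted = sorted(k for k in parent if k.startswith(RESTRICTED_PREFIX))
    if app_id is None:
        if restricted:
            findings.append(f"parent: {restricted} need {APP_ID_KEY}")
    else:
        team, _, bundle = str(app_id).partition(".")
        if team != expected_team:
            findings.append(f"parent: Team ID {team!r} does not match {expected_team!r}")
        if bundle != expected_bundle:
            findings.append(f"parent: bundle ID {bundle!r} does not match {expected_bundle!r}")

    # Rule 2: least privilege. A child bundle gets a subset of the parent's
    # entitlements and never a restricted one of its own.
    for name, ents in children.items():
        extra = sorted(set(ents) - set(parent))
        if extra:
            findings.append(f"{name}: granted entitlements the parent lacks: {extra}")
        for key in sorted(ents):
            if key.startswith(RESTRICTED_PREFIX):
                findings.append(f"{name}: restricted entitlement {key} in a child bundle")

    # Rule 3: visibility. List every hardened-runtime weakening, per binary.
    for name, ents in [("parent", parent), *children.items()]:
        for key in sorted(WEAKENING & set(ents)):
            findings.append(f"{name}: hardened-runtime weakening {key}")
    return findings


def lint_samples(expected_team: str, expected_bundle: str) -> List[str]:
    """Run the policy over the three sample files."""
    parent = load_entitlements(FIREFOX_BROWSER_XML)
    children = {
        "plugin-container": load_entitlements(PLUGIN_CONTAINER_XML),
        "media-plugin-helper": load_entitlements(MEDIA_PLUGIN_HELPER_XML),
    }
    return lint(parent, children, expected_team, expected_bundle)


if __name__ == "__main__":
    # Placeholder identity (assumption): replace with the real Team ID and bundle ID.
    for line in lint_samples("TEAMID0000", "org.example.browser"):
        print(line)
```

Run against the files as committed with the placeholder identity, the lint reports the Team ID and bundle ID mismatch first (the copied `application-identifier` still names Mozilla's team and Firefox's bundle) and then the two binaries that disable library validation; with Mozilla's own identity only the two weakening entries remain, and the subset rule passes because `plugin-container` and `media-plugin-helper` each carry one entitlement that the parent also has.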
- - - - -
95ee823b by Nicolas Vigier at 2024-07-30T17:49:28+00:00
Bug 41199: Update rcodesign to 0.27.0
This also changes the installation directory to `rcodesign-128` instead of `rcodesign`, since we want to keep the old version for stable releases signing.
- - - - -
45c352b1 by Nicolas Vigier at 2024-07-30T17:49:28+00:00
Bug 41199: Update sign-rcodesign-128 for esr128 changes
- - - - -
12 changed files:
- projects/rcodesign/build
- projects/rcodesign/config
- tools/signing/linux-signer-rcodesign-sign
- tools/signing/machines-setup/setup-signing-machine
- + tools/signing/machines-setup/sudoers.d/sign-rcodesign-128
- + tools/signing/macos-entitlements/firefox.browser.xml
- + tools/signing/macos-entitlements/media-plugin-helper.xml
- + tools/signing/macos-entitlements/plugin-container.xml
- tools/signing/rcodesign-notary-submit
- tools/signing/set-config.rcodesign
- tools/signing/setup-rcodesign
- + tools/signing/wrappers/sign-rcodesign-128
Changes:
===================================== projects/rcodesign/build ===================================== @@ -12,7 +12,7 @@ tar -C /var/tmp/build -xf [% project %]-[% c('version') %].tar.[% c('compress_ta tar -C $builddir -xf $rootdir/[% c('input_files_by_name/cargo_vendor') %]
cd $builddir -mkdir .cargo +mkdir -p .cargo cat >> .cargo/config << 'EOF'
[source.crates-io]
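Review bot: `mkdir -p .cargo` now tolerates a pre-existing `.cargo` directory, but the `cat >> .cargo/config` that follows still appends, so if the extracted source or the vendored tarball already ships a `.cargo/config` the `[source.crates-io]` section is added on top of whatever is there instead of replacing it. If `-p` is needed because a config already exists, write the file with `>` (or state in a comment which case `-p` is meant to cover) so the source replacement cannot end up duplicated or overridden.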
===================================== projects/rcodesign/config ===================================== @@ -1,6 +1,6 @@ # vim: filetype=yaml sw=2 -version: 0.22.0 -git_hash: cb406b5feb1439131f36ec60375f607a7f82439d +version: 0.27.0 +git_hash: 703362f818272d43b3844105863739bcb6f1a11a git_url: https://github.com/indygreg/apple-platform-rs.git container: use_container: 1 @@ -16,4 +16,4 @@ steps: project: rcodesign pkg_type: cargo_vendor norec: - sha256sum: 04c21203d2948ebfa59f1039d4481e419e656ec636293b4846fdb7868cfd98f0 + sha256sum: c778deb784f68b48a51c6c54095c6cd45e37847d65e9db36ce39b4326874ae9c
===================================== tools/signing/linux-signer-rcodesign-sign ===================================== @@ -19,5 +19,5 @@ destdir=~/"$SIGNING_PROJECTNAME-$tbb_version-macos-signed" mkdir -p $destdir rm -f "$destdir/$output_file"
-sudo -u signing-macos -- /signing/tor-browser-build/tools/signing/wrappers/sign-rcodesign ~/"$SIGNING_PROJECTNAME-$tbb_version"/$(project-name)-macos-${tbb_version}.dmg "$display_name" +sudo -u signing-macos -- /signing/tor-browser-build/tools/signing/wrappers/sign-rcodesign-128 ~/"$SIGNING_PROJECTNAME-$tbb_version"/$(project-name)-macos-${tbb_version}.dmg "$display_name" cp "/home/signing-macos/last-signed-$display_name.tar.zst" "$destdir/$output_file"
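Review bot: the wrapper path is hard-coded to `sign-rcodesign-128`, so every branch that carries this version of `linux-signer-rcodesign-sign` is signed with rcodesign 0.27.0 and the new entitlements, and the 115esr flow only keeps working because its own branch still calls `/signing/tor-browser-build/tools/signing/wrappers/sign-rcodesign`. Since `tbb_version_type` already crosses the sudo boundary, choosing the wrapper name from one variable (for example set next to `rcodesign_version` in `set-config.rcodesign`) would make that dependency explicit and reduce the cleanup listed in the commit message to a one-line change.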
===================================== tools/signing/machines-setup/setup-signing-machine ===================================== @@ -91,6 +91,7 @@ sudoers_file sign-mar sudoers_file sign-exe sudoers_file sign-apk sudoers_file sign-rcodesign +sudoers_file sign-rcodesign-128 sudoers_file set-date
authorized_keys boklm boklm-tb-release.pub boklm-yk1.pub
===================================== tools/signing/machines-setup/sudoers.d/sign-rcodesign-128 ===================================== @@ -0,0 +1,2 @@ +Defaults>signing-macos env_keep += "SIGNING_PROJECTNAME tbb_version_type RCODESIGN_PW" +%signing ALL = (signing-macos) NOPASSWD: /signing/tor-browser-build/tools/signing/wrappers/sign-rcodesign-128
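Review bot: `env_keep` forwards `SIGNING_PROJECTNAME` and `tbb_version_type` to `signing-macos`, but `wrappers/sign-rcodesign-128` reads neither (it takes its two inputs as arguments and only consumes `RCODESIGN_PW`), so the list can be trimmed to `RCODESIGN_PW`; the less environment that crosses the sudo boundary, the less there is to audit. Note also that the command spec carries no argument restriction, so any member of `%signing` can run the wrapper without a password on any `.dmg` readable by `signing-macos`, which is acceptable only as long as the wrapper keeps validating its two arguments as it does now.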
===================================== tools/signing/macos-entitlements/firefox.browser.xml ===================================== @@ -0,0 +1,34 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> +<!-- + Entitlements to apply to the main browser process executable during + codesigning of production channel builds. +--> +<plist version="1.0"> + <dict> + <!-- Allow loading third party libraries to support pkcs11 modules --> + <key>com.apple.security.cs.disable-library-validation</key><true/> + + <!-- Firefox needs to create executable pages with MAP_JIT on aarch64 --> + <key>com.apple.security.cs.allow-jit</key><true/> + + <!-- Firefox needs to access the microphone on sites the user allows --> + <key>com.apple.security.device.audio-input</key><true/> + + <!-- Firefox needs to access the camera on sites the user allows --> + <key>com.apple.security.device.camera</key><true/> + + <!-- Firefox needs to access the location on sites the user allows --> + <key>com.apple.security.personal-information.location</key><true/> + + <!-- For SmartCardServices(7) --> + <key>com.apple.security.smartcard</key><true/> + + <!-- Required for com.apple.developer.web-browser.public-key-credential --> + <key>com.apple.application-identifier</key> + <string>43AQ936H96.org.mozilla.firefox</string> + + <!-- For platform passkey (webauthn) support --> + <key>com.apple.developer.web-browser.public-key-credential</key><true/> + </dict> +</plist>
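Review bot: `com.apple.application-identifier` is copied verbatim from Mozilla as `43AQ936H96.org.mozilla.firefox`, i.e. Mozilla's Team ID prefix and Firefox's bundle identifier. That entitlement has to agree with the identity actually used to sign and with the bundle's own identifier, and `com.apple.developer.web-browser.public-key-credential` is a restricted entitlement Apple grants per team, so unless Tor Browser is signed under that team these two entries should be replaced with the Tor Project's own values or dropped until the entitlement is provisioned. Separately, the cleanup list in the first commit message refers to `tools/signing/*.entitlements.xml`, while the files are added as `tools/signing/macos-entitlements/*.xml`.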
===================================== tools/signing/macos-entitlements/media-plugin-helper.xml ===================================== @@ -0,0 +1,12 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> +<!-- + Entitlements to apply to the media-plugin-helper.app bundle during + codesigning of production channel builds. +--> +<plist version="1.0"> + <dict> + <!-- Allow loading third party CDM libraries --> + <key>com.apple.security.cs.disable-library-validation</key><true/> + </dict> +</plist>
===================================== tools/signing/macos-entitlements/plugin-container.xml ===================================== @@ -0,0 +1,12 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> +<!-- + Entitlements to apply to the plugin-container.app bundle during + codesigning of production channel builds. +--> +<plist version="1.0"> + <dict> + <!-- Firefox needs to create executable pages with MAP_JIT --> + <key>com.apple.security.cs.allow-jit</key><true/> + </dict> +</plist>
===================================== tools/signing/rcodesign-notary-submit ===================================== @@ -21,7 +21,7 @@ display_name=$(display_name)
tar -C "$tmpdir" -xf "$macos_rcodesign_signed_tar_dir/$(project-name)-macos-${tbb_version}-rcodesign-signed.tar.zst"
-"$script_dir/../local/rcodesign/rcodesign" notary-submit --api-key-path "$appstoreconnect_api_key_path" --staple "$tmpdir/$display_name.app" +"$script_dir/../local/rcodesign-128/rcodesign" notary-submit --api-key-path "$appstoreconnect_api_key_path" --staple "$tmpdir/$display_name.app"
output_file="$(project-name)-${tbb_version}-notarized+stapled.tar.zst" tar -C "$tmpdir" -caf "$tmpdir/$output_file" "$display_name.app"
===================================== tools/signing/set-config.rcodesign ===================================== @@ -1,4 +1,4 @@ -rcodesign_version=0.22.0-bc8cc7 +rcodesign_version=0.27.0-e252fa rcodesign_filename=rcodesign-${rcodesign_version}.tar.gz -rcodesign_sha256sum=2a9eda016fff116c59f52b358e7a740f6fb5c039974f0acc8266c3605d24092a +rcodesign_sha256sum=c228c5fb06a088bc6c50a212d8d5a15425c2bcdf448bfa7f94ea5cc41321c533 rcodesign_url="https://build-sources.tbb.torproject.org/$%7Brcodesign_filename%7D"
===================================== tools/signing/setup-rcodesign ===================================== @@ -35,8 +35,8 @@ function setup_rcodesign { tar -C "$tmpdir" -xf "$rcodesign_path" mv "$tmpdir/rcodesign" "$rcodesign_dir" chmod -R go+rX "$rcodesign_dir" - rm -f "$localdir/rcodesign" - ln -s "rcodesign-$rcodesign_version" "$localdir/rcodesign" + rm -f "$localdir/rcodesign-128" + ln -s "rcodesign-$rcodesign_version" "$localdir/rcodesign-128" }
download_rcodesign
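Review bot: `setup_rcodesign` now only ever creates the `rcodesign-128` symlink and `set-config.rcodesign` only knows about 0.27.0, so running this setup on a fresh machine installs nothing under `$localdir/rcodesign`; the 0.22.0 install that stable (115esr) signing still needs survives only on hosts where it was set up before this change. Either keep a second version/sha256 pair for the old release and create both symlinks, or document that the old version must be installed by hand until the 115esr branch is retired.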
===================================== tools/signing/wrappers/sign-rcodesign-128 ===================================== 
@@ -0,0 +1,95 @@ +#!/bin/bash +set -e + +function exit_error { + for msg in "$@" + do + echo "$msg" >&2 + done + exit 1 +} + +test $# -eq 2 || exit_error "Wrong number of arguments" +dmg_file="$1" +display_name="$2" + +output_file="/home/signing-macos/last-signed-$display_name.tar.zst" +rm -f "$output_file" + +rcodesign=/signing/rcodesign-128/rcodesign +rcodesign_signing_p12_file=/home/signing-macos/keys/key-1.p12 +test -f "$rcodesign_signing_p12_file" || exit_error "$rcodesign_signing_p12_file is missing" + +tmpdir=$(mktemp -d) +trap "rm -Rf $tmpdir" EXIT +cd "$tmpdir" +7z x "$dmg_file" + +# Fix permission on files: +# https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/29... +# FIXME: Maybe we should extract the .mar file instead of the .dmg to +# preserve permissions +chmod ugo+x "$display_name/$display_name.app/Contents/MacOS"/* \ + "$display_name/$display_name.app/Contents/MacOS/updater.app/Contents/MacOS"/* \ + "$display_name/$display_name.app/Contents/MacOS/plugin-container.app/Contents/MacOS"/* \ + "$display_name/$display_name.app/Contents/MacOS/media-plugin-helper.app/Contents/MacOS"/* \ + "$display_name/$display_name.app/Contents/Frameworks/ChannelPrefs.framework/ChannelPrefs" \ + "$display_name/$display_name.app/Contents/MacOS/updater.app/Contents/Frameworks/UpdateSettings.framework/UpdateSettings" +test -d "$display_name/$display_name.app/Contents/MacOS/Tor" && \ + chmod -R ugo+x "$display_name/$display_name.app/Contents/MacOS/Tor" + +pwdir=/run/lock/rcodesign-pw +trap "rm -Rf $pwdir" EXIT +rm -Rf "$pwdir" +mkdir "$pwdir" +chmod 700 "$pwdir" +cat > "$pwdir/rcodesign-pw-2" << EOF +$RCODESIGN_PW +EOF +tr -d '\n' < "$pwdir/rcodesign-pw-2" > "$pwdir/rcodesign-pw" +rm "$pwdir/rcodesign-pw-2" + +# unset RCODESIGN_PW since it conflicts with rcodesign config +unset RCODESIGN_PW +rcodesign_opts=" + --code-signature-flags runtime + --timestamp-url http://timestamp.apple.com:8080/ts01 + --p12-file $rcodesign_signing_p12_file + 
--p12-password-file $pwdir/rcodesign-pw + " + +flags=() +for dir in Contents/MacOS Contents/MacOS/Tor Contents/MacOS/Tor/PluggableTransports +do + d="$display_name/$display_name.app/$dir" + test -d "$d" || continue + pushd "$d" + for file in * + do + test -f "$file" || continue + flags+=('--code-signature-flags' "$dir/$file:runtime") + done + popd +done +echo "code-signature-flags: ${flags[@]}" + +echo "**** Signing main bundle ($display_name.app) ****" +$rcodesign sign \ + $rcodesign_opts \ + "${flags[@]}" \ + --code-signature-flags Contents/MacOS/updater.app/Contents/Frameworks/UpdateSettings.framework:runtime \ + --code-signature-flags Contents/MacOS/updater.app:runtime \ + --code-signature-flags Contents/Frameworks/ChannelPrefs.framework:runtime \ + --code-signature-flags Contents/MacOS/plugin-container.app:runtime \ + --code-signature-flags Contents/MacOS/media-plugin-helper.app:runtime \ + --entitlements-xml-path Contents/MacOS/plugin-container.app:/signing/tor-browser-build/tools/signing/macos-entitlements/plugin-container.xml \ + --entitlements-xml-path Contents/MacOS/media-plugin-helper.app:/signing/tor-browser-build/tools/signing/macos-entitlements/media-plugin-helper.xml \ + --entitlements-xml-path /signing/tor-browser-build/tools/signing/macos-entitlements/firefox.browser.xml \ + -- \ + "$display_name/$display_name.app" + +rm -f "$pwdir/rcodesign-pw" +rmdir "$pwdir" +tar -C "$display_name" -caf "$output_file" "$display_name.app" +cd - +rm -Rf "$tmpdir"
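Review bot: the second `trap "rm -Rf $pwdir" EXIT` replaces the first `trap "rm -Rf $tmpdir" EXIT`, so on any failure after the password directory is created (with `set -e` that is every failed `rcodesign sign` or `tar` call) the password file is removed but the extracted `.app` under `$tmpdir` is left behind; a single `trap 'rm -Rf "$tmpdir" "$pwdir"' EXIT` covers both and makes the explicit `rm -f`/`rmdir`/`rm -Rf` lines at the end redundant. `$pwdir` is also a fixed name under `/run/lock`, which is normally sticky and world-writable: if another local user pre-creates that path, `rm -Rf` fails and the script exits before signing, so `mktemp -d` (already used for `$tmpdir`) is the more robust choice. Minor: `cd -` prints the directory to stdout and can simply be dropped since the script ends there.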
View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/compare/d...
tbb-commits@lists.torproject.org