[tbb-commits] [Git][tpo/applications/tor-browser-build][main] 4 commits: Bug 41199: Duplicate wrappers/sign-rcodesign as wrappers/sign-rcodesign-128
morgan (@morgan)
git at gitlab.torproject.org
Tue Jul 30 17:52:47 UTC 2024
morgan pushed to branch main at The Tor Project / Applications / tor-browser-build
Commits:
1ae99c2b by Nicolas Vigier at 2024-07-30T17:49:28+00:00
Bug 41199: Duplicate wrappers/sign-rcodesign as wrappers/sign-rcodesign-128
In order to modify the `sign-rcodesign` wrapper for 128esr changes,
while keeping support for the 115esr branch, we duplicate the script.
After the last 115esr based release we should remove it:
* copying `sign-rcodesign-128` to `sign-rcodesign`,
* reverting this commit,
* removing tools/signing/*.entitlements.xml,
* and adding instructions in `machines-setup/setup-signing-machine` to
remove `/etc/sudoers.d/sign-rcodesign-128`.
- - - - -
79c986b6 by Nicolas Vigier at 2024-07-30T17:49:28+00:00
Bug 40553: Use different entitlements files for parent and child processes
We copy entitlements files from mozilla, from the esr128 branch, in
directory `security/mac/hardenedruntime/v2/production`.
In the file `taskcluster/config.yml`, `mac-signing/hardened-sign-config`
lists the different entitlements files used for the different files.
- - - - -
95ee823b by Nicolas Vigier at 2024-07-30T17:49:28+00:00
Bug 41199: Update rcodesign to 0.27.0
This also changes the installation directory to `rcodesign-128` instead
of `rcodesign`, since we want to keep the old version for stable
releases signing.
- - - - -
45c352b1 by Nicolas Vigier at 2024-07-30T17:49:28+00:00
Bug 41199: Update sign-rcodesign-128 for esr128 changes
- - - - -
12 changed files:
- projects/rcodesign/build
- projects/rcodesign/config
- tools/signing/linux-signer-rcodesign-sign
- tools/signing/machines-setup/setup-signing-machine
- + tools/signing/machines-setup/sudoers.d/sign-rcodesign-128
- + tools/signing/macos-entitlements/firefox.browser.xml
- + tools/signing/macos-entitlements/media-plugin-helper.xml
- + tools/signing/macos-entitlements/plugin-container.xml
- tools/signing/rcodesign-notary-submit
- tools/signing/set-config.rcodesign
- tools/signing/setup-rcodesign
- + tools/signing/wrappers/sign-rcodesign-128
Changes:
=====================================
projects/rcodesign/build
=====================================
@@ -12,7 +12,7 @@ tar -C /var/tmp/build -xf [% project %]-[% c('version') %].tar.[% c('compress_ta
tar -C $builddir -xf $rootdir/[% c('input_files_by_name/cargo_vendor') %]
cd $builddir
-mkdir .cargo
+mkdir -p .cargo
cat >> .cargo/config << 'EOF'
[source.crates-io]
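Review bot: `cat >> .cargo/config` appends, and with `mkdir -p` the build now tolerates a `.cargo` directory that already exists in the extracted tree. If that directory ever carries its own `config`, the `[source.crates-io]` block is added after whatever is already there, which can give duplicate tables or leave an existing source setting in effect. Writing the file with `>`, or failing when it already exists, would make the intended vendored-sources configuration explicit.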
=====================================
projects/rcodesign/config
=====================================
@@ -1,6 +1,6 @@
# vim: filetype=yaml sw=2
-version: 0.22.0
-git_hash: cb406b5feb1439131f36ec60375f607a7f82439d
+version: 0.27.0
+git_hash: 703362f818272d43b3844105863739bcb6f1a11a
git_url: https://github.com/indygreg/apple-platform-rs.git
container:
use_container: 1
@@ -16,4 +16,4 @@ steps:
project: rcodesign
pkg_type: cargo_vendor
norec:
- sha256sum: 04c21203d2948ebfa59f1039d4481e419e656ec636293b4846fdb7868cfd98f0
+ sha256sum: c778deb784f68b48a51c6c54095c6cd45e37847d65e9db36ce39b4326874ae9c
=====================================
tools/signing/linux-signer-rcodesign-sign
=====================================
@@ -19,5 +19,5 @@ destdir=~/"$SIGNING_PROJECTNAME-$tbb_version-macos-signed"
mkdir -p $destdir
rm -f "$destdir/$output_file"
-sudo -u signing-macos -- /signing/tor-browser-build/tools/signing/wrappers/sign-rcodesign ~/"$SIGNING_PROJECTNAME-$tbb_version"/$(project-name)-macos-${tbb_version}.dmg "$display_name"
+sudo -u signing-macos -- /signing/tor-browser-build/tools/signing/wrappers/sign-rcodesign-128 ~/"$SIGNING_PROJECTNAME-$tbb_version"/$(project-name)-macos-${tbb_version}.dmg "$display_name"
cp "/home/signing-macos/last-signed-$display_name.tar.zst" "$destdir/$output_file"
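Review bot: on the new `sudo -u signing-macos` line, `$(project-name)` and `${tbb_version}` sit outside the quotes in the .dmg path, so the first argument is subject to word splitting and globbing before it reaches the wrapper, which insists on exactly two arguments. Quoting the whole path, as is already done for `"$display_name"`, avoids that; the same applies to `mkdir -p $destdir` in the context above.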
=====================================
tools/signing/machines-setup/setup-signing-machine
=====================================
@@ -91,6 +91,7 @@ sudoers_file sign-mar
sudoers_file sign-exe
sudoers_file sign-apk
sudoers_file sign-rcodesign
+sudoers_file sign-rcodesign-128
sudoers_file set-date
authorized_keys boklm boklm-tb-release.pub boklm-yk1.pub
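Review bot: the added `sudoers_file sign-rcodesign-128` line has no comment marking it as temporary, although the commit message for 1ae99c2b says the `-128` wrapper and `/etc/sudoers.d/sign-rcodesign-128` are to be removed after the last 115esr based release. A short comment next to the line, pointing at Bug 41199, would keep that cleanup visible to whoever edits this script next.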
=====================================
tools/signing/machines-setup/sudoers.d/sign-rcodesign-128
=====================================
@@ -0,0 +1,2 @@
+Defaults>signing-macos env_keep += "SIGNING_PROJECTNAME tbb_version_type RCODESIGN_PW"
+%signing ALL = (signing-macos) NOPASSWD: /signing/tor-browser-build/tools/signing/wrappers/sign-rcodesign-128
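Review bot: the `%signing` rule lists the wrapper without an argument specification, so sudo accepts any arguments and `sign-rcodesign-128` is the only place where `dmg_file` and `display_name` are checked; that script only tests the argument count. Either validate both values in the wrapper or constrain them in this rule. Separately, keeping `RCODESIGN_PW` in `env_keep` means the p12 password crosses the sudo boundary in the process environment; a comment explaining why this is preferred over a password file readable only by signing-macos would help.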
=====================================
tools/signing/macos-entitlements/firefox.browser.xml
=====================================
@@ -0,0 +1,34 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<!--
+ Entitlements to apply to the main browser process executable during
+ codesigning of production channel builds.
+-->
+<plist version="1.0">
+ <dict>
+ <!-- Allow loading third party libraries to support pkcs11 modules -->
+ <key>com.apple.security.cs.disable-library-validation</key><true/>
+
+ <!-- Firefox needs to create executable pages with MAP_JIT on aarch64 -->
+ <key>com.apple.security.cs.allow-jit</key><true/>
+
+ <!-- Firefox needs to access the microphone on sites the user allows -->
+ <key>com.apple.security.device.audio-input</key><true/>
+
+ <!-- Firefox needs to access the camera on sites the user allows -->
+ <key>com.apple.security.device.camera</key><true/>
+
+ <!-- Firefox needs to access the location on sites the user allows -->
+ <key>com.apple.security.personal-information.location</key><true/>
+
+ <!-- For SmartCardServices(7) -->
+ <key>com.apple.security.smartcard</key><true/>
+
+ <!-- Required for com.apple.developer.web-browser.public-key-credential -->
+ <key>com.apple.application-identifier</key>
+ <string>43AQ936H96.org.mozilla.firefox</string>
+
+ <!-- For platform passkey (webauthn) support -->
+ <key>com.apple.developer.web-browser.public-key-credential</key><true/>
+ </dict>
+</plist>
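Review bot: `com.apple.application-identifier` is set to `43AQ936H96.org.mozilla.firefox`, which is carried over verbatim from the Mozilla file and names Mozilla's application, not the bundle being signed here. Since the comment says the key exists only to support `com.apple.developer.web-browser.public-key-credential`, please confirm whether both keys should be dropped or the identifier replaced to match this project's signing identity. The commit message should also record which revision of `security/mac/hardenedruntime/v2/production` the files were copied from, so they can be diffed against esr128 later.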
=====================================
tools/signing/macos-entitlements/media-plugin-helper.xml
=====================================
@@ -0,0 +1,12 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<!--
+ Entitlements to apply to the media-plugin-helper.app bundle during
+ codesigning of production channel builds.
+-->
+<plist version="1.0">
+ <dict>
+ <!-- Allow loading third party CDM libraries -->
+ <key>com.apple.security.cs.disable-library-validation</key><true/>
+ </dict>
+</plist>
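Review bot: `com.apple.security.cs.disable-library-validation` relaxes the hardened runtime for media-plugin-helper.app, and the only justification given is the upstream comment about third-party CDM libraries. If this product does not load such libraries, the helper could be signed without this entitlement; otherwise a line in the commit message saying why it is needed here would be useful.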
=====================================
tools/signing/macos-entitlements/plugin-container.xml
=====================================
@@ -0,0 +1,12 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<!--
+ Entitlements to apply to the plugin-container.app bundle during
+ codesigning of production channel builds.
+-->
+<plist version="1.0">
+ <dict>
+ <!-- Firefox needs to create executable pages with MAP_JIT -->
+ <key>com.apple.security.cs.allow-jit</key><true/>
+ </dict>
+</plist>
=====================================
tools/signing/rcodesign-notary-submit
=====================================
@@ -21,7 +21,7 @@ display_name=$(display_name)
tar -C "$tmpdir" -xf "$macos_rcodesign_signed_tar_dir/$(project-name)-macos-${tbb_version}-rcodesign-signed.tar.zst"
-"$script_dir/../local/rcodesign/rcodesign" notary-submit --api-key-path "$appstoreconnect_api_key_path" --staple "$tmpdir/$display_name.app"
+"$script_dir/../local/rcodesign-128/rcodesign" notary-submit --api-key-path "$appstoreconnect_api_key_path" --staple "$tmpdir/$display_name.app"
output_file="$(project-name)-${tbb_version}-notarized+stapled.tar.zst"
tar -C "$tmpdir" -caf "$tmpdir/$output_file" "$display_name.app"
=====================================
tools/signing/set-config.rcodesign
=====================================
@@ -1,4 +1,4 @@
-rcodesign_version=0.22.0-bc8cc7
+rcodesign_version=0.27.0-e252fa
rcodesign_filename=rcodesign-${rcodesign_version}.tar.gz
-rcodesign_sha256sum=2a9eda016fff116c59f52b358e7a740f6fb5c039974f0acc8266c3605d24092a
+rcodesign_sha256sum=c228c5fb06a088bc6c50a212d8d5a15425c2bcdf448bfa7f94ea5cc41321c533
rcodesign_url="https://build-sources.tbb.torproject.org/${rcodesign_filename}"
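Review bot: the `-e252fa` suffix in `rcodesign_version` does not match the start of the `git_hash` set in projects/rcodesign/config (`703362f…`), and nothing in this file says what it identifies. A one-line comment on how the suffix and `rcodesign_sha256sum` are obtained would let the next version bump be checked by someone other than the person who built the tarball.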
=====================================
tools/signing/setup-rcodesign
=====================================
@@ -35,8 +35,8 @@ function setup_rcodesign {
tar -C "$tmpdir" -xf "$rcodesign_path"
mv "$tmpdir/rcodesign" "$rcodesign_dir"
chmod -R go+rX "$rcodesign_dir"
- rm -f "$localdir/rcodesign"
- ln -s "rcodesign-$rcodesign_version" "$localdir/rcodesign"
+ rm -f "$localdir/rcodesign-128"
+ ln -s "rcodesign-$rcodesign_version" "$localdir/rcodesign-128"
}
download_rcodesign
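Review bot: this now creates the link at `$localdir/rcodesign-128`, while the new wrapper runs `/signing/rcodesign-128/rcodesign`; nothing in the visible changes shows how the binary gets from the first location to the second. If that is a manual step on the signing machine, it should be documented next to the `ln -s` line or in setup-signing-machine. The `rm -f` followed by `ln -s` could also be a single `ln -sfn`.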
=====================================
tools/signing/wrappers/sign-rcodesign-128
=====================================
@@ -0,0 +1,95 @@
+#!/bin/bash
+set -e
+
+function exit_error {
+ for msg in "$@"
+ do
+ echo "$msg" >&2
+ done
+ exit 1
+}
+
+test $# -eq 2 || exit_error "Wrong number of arguments"
+dmg_file="$1"
+display_name="$2"
+
+output_file="/home/signing-macos/last-signed-$display_name.tar.zst"
+rm -f "$output_file"
+
+rcodesign=/signing/rcodesign-128/rcodesign
+rcodesign_signing_p12_file=/home/signing-macos/keys/key-1.p12
+test -f "$rcodesign_signing_p12_file" || exit_error "$rcodesign_signing_p12_file is missing"
+
+tmpdir=$(mktemp -d)
+trap "rm -Rf $tmpdir" EXIT
+cd "$tmpdir"
+7z x "$dmg_file"
+
+# Fix permission on files:
+# https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/29815#note_2957050
+# FIXME: Maybe we should extract the .mar file instead of the .dmg to
+# preserve permissions
+chmod ugo+x "$display_name/$display_name.app/Contents/MacOS"/* \
+ "$display_name/$display_name.app/Contents/MacOS/updater.app/Contents/MacOS"/* \
+ "$display_name/$display_name.app/Contents/MacOS/plugin-container.app/Contents/MacOS"/* \
+ "$display_name/$display_name.app/Contents/MacOS/media-plugin-helper.app/Contents/MacOS"/* \
+ "$display_name/$display_name.app/Contents/Frameworks/ChannelPrefs.framework/ChannelPrefs" \
+ "$display_name/$display_name.app/Contents/MacOS/updater.app/Contents/Frameworks/UpdateSettings.framework/UpdateSettings"
+test -d "$display_name/$display_name.app/Contents/MacOS/Tor" && \
+ chmod -R ugo+x "$display_name/$display_name.app/Contents/MacOS/Tor"
+
+pwdir=/run/lock/rcodesign-pw
+trap "rm -Rf $pwdir" EXIT
+rm -Rf "$pwdir"
+mkdir "$pwdir"
+chmod 700 "$pwdir"
+cat > "$pwdir/rcodesign-pw-2" << EOF
+$RCODESIGN_PW
+EOF
+tr -d '\n' < "$pwdir/rcodesign-pw-2" > "$pwdir/rcodesign-pw"
+rm "$pwdir/rcodesign-pw-2"
+
+# unset RCODESIGN_PW since it conflicts with rcodesign config
+unset RCODESIGN_PW
+rcodesign_opts="
+ --code-signature-flags runtime
+ --timestamp-url http://timestamp.apple.com:8080/ts01
+ --p12-file $rcodesign_signing_p12_file
+ --p12-password-file $pwdir/rcodesign-pw
+ "
+
+flags=()
+for dir in Contents/MacOS Contents/MacOS/Tor Contents/MacOS/Tor/PluggableTransports
+do
+ d="$display_name/$display_name.app/$dir"
+ test -d "$d" || continue
+ pushd "$d"
+ for file in *
+ do
+ test -f "$file" || continue
+ flags+=('--code-signature-flags' "$dir/$file:runtime")
+ done
+ popd
+done
+echo "code-signature-flags: ${flags[@]}"
+
+echo "**** Signing main bundle ($display_name.app) ****"
+$rcodesign sign \
+ $rcodesign_opts \
+ "${flags[@]}" \
+ --code-signature-flags Contents/MacOS/updater.app/Contents/Frameworks/UpdateSettings.framework:runtime \
+ --code-signature-flags Contents/MacOS/updater.app:runtime \
+ --code-signature-flags Contents/Frameworks/ChannelPrefs.framework:runtime \
+ --code-signature-flags Contents/MacOS/plugin-container.app:runtime \
+ --code-signature-flags Contents/MacOS/media-plugin-helper.app:runtime \
+ --entitlements-xml-path Contents/MacOS/plugin-container.app:/signing/tor-browser-build/tools/signing/macos-entitlements/plugin-container.xml \
+ --entitlements-xml-path Contents/MacOS/media-plugin-helper.app:/signing/tor-browser-build/tools/signing/macos-entitlements/media-plugin-helper.xml \
+ --entitlements-xml-path /signing/tor-browser-build/tools/signing/macos-entitlements/firefox.browser.xml \
+ -- \
+ "$display_name/$display_name.app"
+
+rm -f "$pwdir/rcodesign-pw"
+rmdir "$pwdir"
+tar -C "$display_name" -caf "$output_file" "$display_name.app"
+cd -
+rm -Rf "$tmpdir"
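Review bot: the second `trap "rm -Rf $pwdir" EXIT` replaces the earlier `trap "rm -Rf $tmpdir" EXIT` instead of adding to it, so when `rcodesign sign` or any later command fails under `set -e`, the extracted bundle in `$tmpdir` is left behind. A single cleanup function that removes both directories, registered once with a single-quoted trap, would fix this and also remove the unquoted paths in the trap strings. `display_name` goes straight into `output_file`, `rm -f "$output_file"` and the `chmod` paths with only the argument count checked; since the sudoers rule allows any arguments, restrict it to the expected product names (or at least reject `/` and leading `.`) before first use. `mkdir "$pwdir"` followed by `chmod 700` leaves the directory briefly with umask permissions, which `mkdir -m 700` avoids. `$rcodesign_opts` is expanded unquoted, so it would be safer as an array like `flags`.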
View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/compare/d54b0b7fe5635177aedc51230430f9046a689c68...45c352b130355b9facade5877e98a04188d08306