[tor-commits] [builders/tor-browser-build] 21/32: Bug 40414: Improve macos-signer-gatekeeper-signing

gitolite role git at cupani.torproject.org
Wed Apr 20 09:38:58 UTC 2022


This is an automated email from the git hooks/post-receive script.

boklm pushed a commit to branch master
in repository builders/tor-browser-build.

commit a20376ccd729c6ba777a57c5b6d28f100b925e81
Author: Nicolas Vigier <boklm at torproject.org>
AuthorDate: Wed Mar 16 17:29:23 2022 +0100

    Bug 40414: Improve macos-signer-gatekeeper-signing
    
    - get tbb_version and BUNDLE_LOCALES from config
    - automatically change to ~/$tbb_version directory
    - unlock keychain
    - use entitlements.xml from script directory
    - allow setting password with an environment variable (useful for
      tor-browser-build#40476)
    - cleanups
---
 tools/signing/macos-signer-gatekeeper-signing      | 76 +++++++++++-----------
 ...e.entitlements.xml => release.entitlements.xml} |  0
 2 files changed, 37 insertions(+), 39 deletions(-)

diff --git a/tools/signing/macos-signer-gatekeeper-signing b/tools/signing/macos-signer-gatekeeper-signing
index 38e119e..9df621f 100755
--- a/tools/signing/macos-signer-gatekeeper-signing
+++ b/tools/signing/macos-signer-gatekeeper-signing
@@ -1,38 +1,31 @@
-set -x
+#!/bin/bash
+set -e
 
-TORBROWSER_VERSION=$1
-if [ -z "$TORBROWSER_VERSION" ];
-then
-  echo "Please call this script with a Tor Browser version!"
-  exit 1
-fi
-ENTITLEMENTS=/Users/torbrowser/signing/alpha.entitlements.xml
-if [ -z "$BUNDLE_LOCALES" ];
-then
-  BUNDLE_LOCALES="ar ca cs da de el en-US es-AR es-ES fa fr ga-IE he hu id is it ja ka ko lt mk ms my nb-NO nl pl pt-BR ro ru sv-SE th tr vi zh-CN zh-TW"
-fi
+script_dir=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
+source "$script_dir/functions"
+
+ENTITLEMENTS="$script_dir/$tbb_version_type.entitlements.xml"
 
 function check_signature() {
   LANG=$1
-  TORBROWSER_VERSION=$2
-  UNZIP=$3
+  UNZIP=$2
   local failed_open=0
   local failed_exec=0
   if [ ${UNZIP} -eq 1 ]
   then
     test -d test_${LANG} && rm -r test_${LANG}
-    unzip -d test_${LANG} -q tb-${TORBROWSER_VERSION}_$LANG.zip
+    unzip -d test_${LANG} -q tb-${tbb_version}_$LANG.zip
     pushd test_${LANG}
   fi
   echo "Checking $LANG..."
   spctl -vvvv --assess --type open --context context:primary-signature 'Tor Browser.app/'
   if [ $? -ne 3 ]; then
-    echo tb-${TORBROWSER_VERSION}_$LANG.zip not signed correctly. Failed open.
+    echo tb-${tbb_version}_$LANG.zip not signed correctly. Failed open.
     failed_open=1
   fi
   spctl -vvvv --assess --type exec --context context:primary-signature 'Tor Browser.app/'
   if [ $? -ne 0 ]; then
-    echo tb-${TORBROWSER_VERSION}_$LANG.zip not signed correctly. Failed exec.
+    echo tb-${tbb_version}_$LANG.zip not signed correctly. Failed exec.
     failed_exec=1
   fi
   if [ ${UNZIP} -eq 1 ]
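Review bot: check_signature only behaves correctly when its caller has switched errexit off, which is easy to miss now that `set -e` is enabled at the top of the script. The `spctl --assess --type open` call is expected to exit with 3 (see the `[ $? -ne 3 ]` test that follows it), so with errexit on, a correctly signed bundle would abort the script before the status is inspected. The loop avoids this only by wrapping each call in `set +e` / `set -e`. Capturing the status inside the function removes that coupling: `local rc=0`, then `spctl … || rc=$?`, then `if [ "$rc" -ne 3 ]; then`, and the same for the exec assessment. The end of the function lies outside this hunk.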
@@ -46,12 +39,24 @@ function check_signature() {
   fi
 }
 
-for LANG in $BUNDLE_LOCALES
+cd ~/${tbb_version}
+
+if test -n "$KEYCHAIN_PW"
+then
+  KPW="-p $KEYCHAIN_PW"
+fi
+
+security unlock $KPW /Users/torbrowser/Library/Keychains/tbb-signing-alpha.keychain
+security unlock $KPW /Users/torbrowser/Library/Keychains/tbb-signing-2021.keychain
+
+unset KPW KEYCHAIN_PW
+
+for LANG in $bundle_locales
 do
-  if [ -f tb-${TORBROWSER_VERSION}_${LANG}.zip ]
+  if [ -f tb-${tbb_version}_${LANG}.zip ]
   then
-    echo "Deleting tb-${TORBROWSER_VERSION}_${LANG}.zip"
-    rm tb-${TORBROWSER_VERSION}_${LANG}.zip
+    echo "Deleting tb-${tbb_version}_${LANG}.zip"
+    rm tb-${tbb_version}_${LANG}.zip
   fi
   if [ -d "Tor Browser.app" ]
   then
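Review bot: The keychain password reaches `security unlock` through an unquoted `$KPW`, so a password containing whitespace or glob characters is split or expanded by the shell and the unlock fails or receives a different value. An array keeps it as a single argument: `kpw=()`, `test -n "$KEYCHAIN_PW" && kpw=(-p "$KEYCHAIN_PW")`, `security unlock "${kpw[@]}" …`. KPW is also never initialised, so a value inherited from the environment would be used when KEYCHAIN_PW is empty. Separately, `-p` puts the password on the command line, where it is visible in the process list while `security` runs; a comment beside the `unset` line should state whether that is accepted on this signing host.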
@@ -62,12 +67,13 @@ do
     echo "DMG already mounted. Please correct."
     exit 1
   fi
-  hdiutil attach TorBrowser-${TORBROWSER_VERSION}-osx64_$LANG.dmg
+  hdiutil attach TorBrowser-${tbb_version}-osx64_$LANG.dmg
   cp -rf "/Volumes/Tor Browser/Tor Browser.app" "Tor Browser.app"
   echo "Signing Tor Browser_$LANG.app"
   codesign -vvv --deep -o runtime --entitlements="$ENTITLEMENTS" --timestamp -f -s "Developer ID Application: The Tor Project, Inc (MADPSAYN6T)" "Tor Browser.app/"
   echo "codesign exit code: $?"
-  check_signature $LANG $TORBROWSER_VERSION 0
+  set +e
+  check_signature $LANG 0
   if [ $? -eq 1 ]
   then
     echo Signature verification failed.
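Review bot: With `set -e` now active, a failing `codesign` ends the script on that line, so `echo "codesign exit code: $?"` can only ever print 0. The DMG also stays attached at `/Volumes/Tor Browser`, with a partly processed `Tor Browser.app` left in the working directory. The next run would then presumably stop at the "DMG already mounted" check until someone cleans up by hand. An exit trap installed before `hdiutil attach`, such as `trap 'hdiutil detach "/Volumes/Tor Browser" >/dev/null 2>&1 || true' EXIT`, would leave the signing host in a known state, and the echo could become `codesign … || { echo "codesign failed for $LANG"; exit 1; }`. The enclosing `for` loop starts and ends outside this hunk.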
@@ -75,26 +81,18 @@ do
     hdiutil detach "/Volumes/Tor Browser"
     exit 1
   fi
-  echo "Zipping up"
-  zip -qr tb-${TORBROWSER_VERSION}_${LANG}.zip "Tor Browser.app"
+  set -e
+  echo "Zipping up tb-${tbb_version}_${LANG}.zip"
+  zip -qr tb-${tbb_version}_${LANG}.zip "Tor Browser.app"
   rm -rf "Tor Browser.app"
   hdiutil detach "/Volumes/Tor Browser"
-  check_signature $LANG $TORBROWSER_VERSION 1
+  set +e
+  check_signature $LANG 1
   if [ $? -eq 1 ]
   then
-    echo Signature verification failed.
+    echo Signature verification failed ($LANG).
     rm -r "Tor Browser.app"
+    exit 1
   fi
+  set -e
 done
-#for LANG in $BUNDLE_LOCALES
-#do
-#  hdiutil attach TorBrowser-${TORBROWSER_VERSION}-osx64_$LANG.dmg
-#  cp -rf "/Volumes/Tor Browser/Tor Browser.app" "Tor Browser.app"
-#  echo "Signing Tor Browser_$LANG.app"
-#  codesign -vvv --deep -o runtime --entitlements="$ENTITLEMENTS" --timestamp -f -s "Developer ID Application: The Tor Project, Inc (MADPSAYN6T)" "Tor Browser.app/"
-#  #codesign -vvv --deep -o runtime --entitlements="$ENTITLEMENTS" --timestamp=none -f -s "Developer ID Application: The Tor Project, Inc (MADPSAYN6T)" "Tor Browser.app/"
-#  echo "Zipping up"
-#  zip -qr tb-${TORBROWSER_VERSION}_${LANG}.zip "Tor Browser.app"
-#  rm -rf "Tor Browser.app"
-#  hdiutil detach "/Volumes/Tor Browser"
-#done
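Review bot: The new line `echo Signature verification failed ($LANG).` contains unquoted parentheses, which bash rejects with a syntax error near `(`. Because the whole `for … done` loop is parsed before its first iteration, the script would stop at the loop, after the keychains have already been unlocked, and no bundle would be signed. Quoting the message fixes it: `echo "Signature verification failed ($LANG)."`. The `rm -r "Tor Browser.app"` in the same branch looks redundant, since the directory was already removed after zipping, but check_signature's tail is not visible here to confirm the working directory.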
diff --git a/tools/signing/stable.entitlements.xml b/tools/signing/release.entitlements.xml
similarity index 100%
rename from tools/signing/stable.entitlements.xml
rename to tools/signing/release.entitlements.xml
