[tor-commits] [Git][tpo/applications/tor-browser-build][main] Bug 40569: Update remaining macOS signing scripts to include channel name
richard (@richard)
git at gitlab.torproject.org
Mon Feb 26 17:49:13 UTC 2024
richard pushed to branch main at The Tor Project / Applications / tor-browser-build
Commits:
8a492802 by Richard Pospesel at 2024-02-26T15:45:39+00:00
Bug 40569: Update remaining macOS signing scripts to include channel name
- - - - -
6 changed files:
- projects/release/dmg2mar
- tools/signing/functions
- tools/signing/linux-signer-rcodesign-sign
- tools/signing/rcodesign-notary-submit
- tools/signing/set-config
- tools/signing/wrappers/sign-rcodesign
Changes:
=====================================
projects/release/dmg2mar
=====================================
@@ -2,7 +2,7 @@
[% c("var/set_default_env") -%]
cd [% shell_quote(path(dest_dir)) %]/[% c("var/signed_status") %]/[% c("version") %]
-export TOR_APPNAME_BUNDLE_OSX='[% c("var/Project_Name") -%]'
+export TOR_APPNAME_BUNDLE_OSX='[% c("var/display_name") -%]'
export TOR_APPNAME_DMGFILE='[% c("var/project-name") -%]'
export TOR_APPNAME_MARFILE='[% c("var/project-name") -%]'
[% shell_quote(c("basedir")) %]/tools/dmg2mar [% c("var/mar_channel_id") %]
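Review bot: The changed `TOR_APPNAME_BUNDLE_OSX` export still wraps the template value in literal single quotes instead of using `shell_quote`, which the `cd` and `tools/dmg2mar` lines of this same hunk already use. A display name is free-form text, so a value containing a single quote would end the string early and the remainder would be parsed as shell. I would write `export TOR_APPNAME_BUNDLE_OSX=[% shell_quote(c("var/display_name")) %]`, and do the same for the two neighbouring exports. The script continues outside the hunk.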
=====================================
tools/signing/functions
=====================================
@@ -39,7 +39,7 @@ function generate_config {
p1=$("$rbm" showconf browser var/project-name --target "$SIGNING_PROJECTNAME")
p2=$("$rbm" showconf browser var/Project_Name --target "$SIGNING_PROJECTNAME")
p3=$("$rbm" showconf browser var/ProjectName --target "$SIGNING_PROJECTNAME")
- p4=$("$rbm" showconf browser var/display_name --target "$SIGNING_PROJECTNAME")
+ p4=$("$rbm" showconf browser var/display_name --target "$SIGNING_PROJECTNAME" --target "$tbb_version_type")
echo 'rbm_not_available=1' > "$script_dir/set-config.generated-config"
echo "SIGNING_PROJECTNAMES=(\"$p1\" \"$p2\" \"$p3\" \"$p4\")" >> "$script_dir/set-config.generated-config"
}
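Review bot: `p4` is now resolved for one specific `$tbb_version_type` and then frozen into `set-config.generated-config`, so the fourth entry of `SIGNING_PROJECTNAMES` becomes channel-specific. The `rbm_not_available` branch of `display_name` in the next hunk returns `${SIGNING_PROJECTNAMES[3]}` without looking at the current `tbb_version_type`, so a generated config produced for one channel and reused for another would presumably yield the wrong bundle name. A comment above the `p4=` line such as `# display_name depends on the channel: regenerate this file whenever tbb_version_type changes` would record that. Writing the channel into the generated file and comparing it on load would enforce it. `generate_config` starts outside the hunk.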
@@ -72,7 +72,7 @@ function display_name {
if test -n "${rbm_not_available+x}"; then
echo "${SIGNING_PROJECTNAMES[3]}"
else
- "$rbm" showconf browser var/display_name --target "$SIGNING_PROJECTNAME"
+ "$rbm" showconf browser var/display_name --target "$SIGNING_PROJECTNAME" --target "$tbb_version_type"
fi
}
=====================================
tools/signing/linux-signer-rcodesign-sign
=====================================
@@ -13,11 +13,11 @@ if [ -z "$RCODESIGN_PW" ]; then
export RCODESIGN_PW
fi
-Proj_Name=$(Project_Name)
+display_name=$(display_name)
output_file=$(project-name)-macos-${tbb_version}-rcodesign-signed.tar.zst
destdir=~/"$SIGNING_PROJECTNAME-$tbb_version-macos-signed"
mkdir -p $destdir
rm -f "$destdir/$output_file"
-sudo -u signing-macos -- /signing/tor-browser-build/tools/signing/wrappers/sign-rcodesign ~/"$SIGNING_PROJECTNAME-$tbb_version"/$(project-name)-macos-${tbb_version}.dmg "$Proj_Name"
-cp "/home/signing-macos/last-signed-$Proj_Name.tar.zst" "$destdir/$output_file"
+sudo -u signing-macos -- /signing/tor-browser-build/tools/signing/wrappers/sign-rcodesign ~/"$SIGNING_PROJECTNAME-$tbb_version"/$(project-name)-macos-${tbb_version}.dmg "$display_name"
+cp "/home/signing-macos/last-signed-$display_name.tar.zst" "$destdir/$output_file"
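Review bot: Nothing checks that `display_name=$(display_name)` produced a value before it is handed to the `sudo -u signing-macos` wrapper and used in the `cp` source path. If the generated config has no fourth entry the result is empty and the script goes on to look for `last-signed-.tar.zst`; whether `set -e` is active is not visible here. A guard right after the assignment, `test -n "$display_name" || exit_error "Could not determine display name"`, would stop it early, assuming `exit_error` is in scope here as it is in set-config. The same assignment in tools/signing/rcodesign-notary-submit would benefit from the same guard.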
=====================================
tools/signing/rcodesign-notary-submit
=====================================
@@ -17,14 +17,14 @@ test -f "$appstoreconnect_api_key_path" || \
tmpdir=$(mktemp -d -p /var/tmp)
trap "rm -Rf $tmpdir" EXIT
-Proj_Name=$(Project_Name)
+display_name=$(display_name)
tar -C "$tmpdir" -xf "$macos_rcodesign_signed_tar_dir/$(project-name)-macos-${tbb_version}-rcodesign-signed.tar.zst"
-"$script_dir/../local/rcodesign/rcodesign" notary-submit --api-key-path "$appstoreconnect_api_key_path" --staple "$tmpdir/$Proj_Name.app"
+"$script_dir/../local/rcodesign/rcodesign" notary-submit --api-key-path "$appstoreconnect_api_key_path" --staple "$tmpdir/$display_name.app"
output_file="$(project-name)-${tbb_version}-notarized+stapled.tar.zst"
-tar -C "$tmpdir" -caf "$tmpdir/$output_file" "$Proj_Name.app"
+tar -C "$tmpdir" -caf "$tmpdir/$output_file" "$display_name.app"
mkdir -p "$macos_stapled_dir"
mv "$tmpdir/$output_file" "$macos_stapled_dir/$output_file"
=====================================
tools/signing/set-config
=====================================
@@ -23,6 +23,12 @@ export SIGNING_PROJECTNAME
test -z "${rbm_not_available+x}" && rbm="$script_dir/../../rbm/rbm"
. "$script_dir/set-config.tbb-version"
+
+test "$tbb_version_type" = 'release' \
+ || test "$tbb_version_type" = 'alpha' \
+ || test "$tbb_version_type" = 'nightly' \
+ || exit_error "Unknown tbb_version_type $tbb_version_type"
+
. "$script_dir/set-config.hosts"
signed_dir="$script_dir/../../$SIGNING_PROJECTNAME/$tbb_version_type/signed"
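Review bot: The new allow-list for `tbb_version_type` has no comment saying why it exists, and the reason is security-relevant. The value is passed to rbm as a `--target` in tools/signing/functions and is interpolated into paths such as `signed_dir` on the last line of this hunk. I would add above the check `# tbb_version_type is used as an rbm --target and in file paths below, so only accept known channels`. The message would also be easier to read with the value quoted, `exit_error "Unknown tbb_version_type '$tbb_version_type'"`, since an empty or unset value currently prints nothing after the name. The file continues on both sides of the hunk.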
=====================================
tools/signing/wrappers/sign-rcodesign
=====================================
@@ -11,9 +11,9 @@ function exit_error {
test $# -eq 2 || exit_error "Wrong number of arguments"
dmg_file="$1"
-Proj_Name="$2"
+display_name="$2"
-output_file="/home/signing-macos/last-signed-$Proj_Name.tar.zst"
+output_file="/home/signing-macos/last-signed-$display_name.tar.zst"
rm -f "$output_file"
rcodesign_signing_p12_file=/home/signing-macos/keys/key-1.p12
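Review bot: `display_name="$2"` is taken from the caller's command line and goes straight into `output_file`, which is passed to `rm -f` in this hunk and to `tar -caf` at the end of the script. According to linux-signer-rcodesign-sign this wrapper runs through `sudo -u signing-macos`, so the argument crosses a privilege boundary. A value containing `/` or starting with `.` would make those commands act on a path other than the intended `/home/signing-macos/last-signed-NAME.tar.zst`. Validate it right after the assignment, for example `case "$display_name" in ''|.*|*/*) exit_error "Invalid display name" ;; esac`, or compare it against the fixed set of known display names. Whether sudoers already restricts the arguments is not visible from this diff.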
@@ -28,11 +28,11 @@ cd "$tmpdir"
# https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/29815#note_2957050
# FIXME: Maybe we should extract the .mar file instead of the .dmg to
# preserve permissions
-chmod ugo+x "$Proj_Name/$Proj_Name.app/Contents/MacOS"/* \
- "$Proj_Name/$Proj_Name.app/Contents/MacOS/updater.app/Contents/MacOS"/* \
- "$Proj_Name/$Proj_Name.app/Contents/MacOS/plugin-container.app/Contents/MacOS"/*
-test -d "$Proj_Name/$Proj_Name.app/Contents/MacOS/Tor" && \
- chmod -R ugo+x "$Proj_Name/$Proj_Name.app/Contents/MacOS/Tor"
+chmod ugo+x "$display_name/$display_name.app/Contents/MacOS"/* \
+ "$display_name/$display_name.app/Contents/MacOS/updater.app/Contents/MacOS"/* \
+ "$display_name/$display_name.app/Contents/MacOS/plugin-container.app/Contents/MacOS"/*
+test -d "$display_name/$display_name.app/Contents/MacOS/Tor" && \
+ chmod -R ugo+x "$display_name/$display_name.app/Contents/MacOS/Tor"
pwdir=/run/lock/rcodesign-pw
trap "rm -Rf $pwdir" EXIT
@@ -56,19 +56,19 @@ rcodesign_opts="
echo '**** Signing updater.app ****'
/signing/rcodesign/rcodesign sign \
$rcodesign_opts \
- --info-plist-path "$Proj_Name/$Proj_Name.app/Contents/MacOS/updater.app/Contents/Info.plist" \
+ --info-plist-path "$display_name/$display_name.app/Contents/MacOS/updater.app/Contents/Info.plist" \
-- \
- "$Proj_Name/$Proj_Name.app/Contents/MacOS/updater.app"
+ "$display_name/$display_name.app/Contents/MacOS/updater.app"
echo '**** Signing plugin-container.app ****'
/signing/rcodesign/rcodesign sign \
$rcodesign_opts \
--entitlements-xml-path /signing/tor-browser-build/tools/signing/${tbb_version_type}.entitlements.xml \
-- \
- "$Proj_Name/$Proj_Name.app/Contents/MacOS/plugin-container.app"
+ "$display_name/$display_name.app/Contents/MacOS/plugin-container.app"
# Setting binary-identifier on some files, to avoid signature errors. See:
# https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/29815#note_2956149
-pushd "$Proj_Name/$Proj_Name.app/Contents/MacOS/"
+pushd "$display_name/$display_name.app/Contents/MacOS/"
for lib in *.dylib
do
binident=$(echo $lib | sed 's/\.dylib$//')
@@ -78,9 +78,9 @@ do
done
popd
-if test -d "$Proj_Name/$Proj_Name.app/Contents/MacOS/Tor/PluggableTransports/"
+if test -d "$display_name/$display_name.app/Contents/MacOS/Tor/PluggableTransports/"
then
- pushd "$Proj_Name/$Proj_Name.app/Contents/MacOS/Tor/PluggableTransports/"
+ pushd "$display_name/$display_name.app/Contents/MacOS/Tor/PluggableTransports/"
for file in echo *
do
binident="--binary-identifier Contents/MacOS/Tor/PluggableTransports/$file:$file"
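Review bot: `for file in echo *` in the PluggableTransports block iterates over the literal word `echo` before the glob matches. The loop body therefore also runs once with `file=echo` and builds `--binary-identifier Contents/MacOS/Tor/PluggableTransports/echo:echo`. Since the surrounding lines are being edited for the rename anyway, the loop header should read `for file in *`. How `binident` is consumed is outside the hunk, so the practical effect on the signing step is not visible here.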
@@ -90,17 +90,17 @@ then
popd
fi
-echo "**** Signing main bundle ($Proj_Name.app) ****"
+echo "**** Signing main bundle ($display_name.app) ****"
# We use `--exclude '**'` to avoid re-signing nested bundles
/signing/rcodesign/rcodesign sign \
$rcodesign_opts \
--entitlements-xml-path /signing/tor-browser-build/tools/signing/${tbb_version_type}.entitlements.xml \
--exclude '**' \
-- \
- "$Proj_Name/$Proj_Name.app"
+ "$display_name/$display_name.app"
rm -f "$pwdir/rcodesign-pw"
rmdir "$pwdir"
-tar -C "$Proj_Name" -caf "$output_file" "$Proj_Name.app"
+tar -C "$display_name" -caf "$output_file" "$display_name.app"
cd -
rm -Rf "$tmpdir"
View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/commit/8a492802eb21a963937b3c045f0ea0bcf6a3d721