ma1 pushed to branch main at The Tor Project / Applications / tor-browser-build Commits: d7e795d4 by Nicolas Vigier at 2025-12-15T16:54:16+01:00 Bug 41665: Update macos signing wrapper for new executable gpu-helper.app - - - - - 4 changed files: - tools/signing/linux-signer-rcodesign-sign - tools/signing/machines-setup/setup-signing-machine - + tools/signing/machines-setup/sudoers.d/sign-rcodesign-146 - + tools/signing/wrappers/sign-rcodesign-146 Changes: ===================================== tools/signing/linux-signer-rcodesign-sign ===================================== @@ -21,6 +21,6 @@ rm -f "$destdir/$output_file" volume=~/"$SIGNING_PROJECTNAME-$tbb_version"/"$(project-name)-macos-${tbb_version}.hfs" echo "Using $volume" -sudo -u signing-macos -- /signing/tor-browser-build/tools/signing/wrappers/sign-rcodesign-128 "$volume" "$display_name" +sudo -u signing-macos -- /signing/tor-browser-build/tools/signing/wrappers/sign-rcodesign-146 "$volume" "$display_name" cp "/home/signing-macos/last-signed-$display_name.tar.zst" "$destdir/$output_file" rm -f "$volume" ===================================== tools/signing/machines-setup/setup-signing-machine ===================================== @@ -93,6 +93,7 @@ sudoers_file sign-apk sudoers_file sign-aab sudoers_file sign-rcodesign sudoers_file sign-rcodesign-128 +sudoers_file sign-rcodesign-146 sudoers_file set-date authorized_keys boklm boklm-tb-release.pub boklm-yk1.pub ===================================== tools/signing/machines-setup/sudoers.d/sign-rcodesign-146 ===================================== @@ -0,0 +1,2 @@ +Defaults>signing-macos env_keep += "SIGNING_PROJECTNAME tbb_version_type RCODESIGN_PW" +%signing ALL = (signing-macos) NOPASSWD: /signing/tor-browser-build/tools/signing/wrappers/sign-rcodesign-146 ===================================== tools/signing/wrappers/sign-rcodesign-146 ===================================== @@ -0,0 +1,98 @@ +#!/bin/bash +set -e + +function exit_error { + for msg in "$@" + do + echo "$msg" >&2 + done + exit 1 +} + +test $# -eq 2 || exit_error "Wrong number of arguments" +dmg_file="$1" +display_name="$2" + +output_file="/home/signing-macos/last-signed-$display_name.tar.zst" +rm -f "$output_file" + +rcodesign=/signing/rcodesign-128/rcodesign +rcodesign_signing_p12_file=/home/signing-macos/keys/key-1.p12 +test -f "$rcodesign_signing_p12_file" || exit_error "$rcodesign_signing_p12_file is missing" + +tmpdir=$(mktemp -d) +trap "rm -Rf $tmpdir" EXIT +cd "$tmpdir" +7z x "$dmg_file" + +# Fix permission on files: +# https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/29... +# FIXME: Maybe we should extract the .mar file instead of the .dmg to +# preserve permissions +chmod ugo+x "$display_name/$display_name.app/Contents/MacOS"/* \ + "$display_name/$display_name.app/Contents/MacOS/updater.app/Contents/MacOS"/* \ + "$display_name/$display_name.app/Contents/MacOS/plugin-container.app/Contents/MacOS"/* \ + "$display_name/$display_name.app/Contents/MacOS/media-plugin-helper.app/Contents/MacOS"/* \ + "$display_name/$display_name.app/Contents/MacOS/gpu-helper.app/Contents/MacOS"/* \ + "$display_name/$display_name.app/Contents/Frameworks/ChannelPrefs.framework/ChannelPrefs" \ + "$display_name/$display_name.app/Contents/MacOS/updater.app/Contents/Frameworks/UpdateSettings.framework/UpdateSettings" +test -d "$display_name/$display_name.app/Contents/MacOS/Tor" && \ + chmod -R ugo+x "$display_name/$display_name.app/Contents/MacOS/Tor" + +pwdir=/run/lock/rcodesign-pw +trap "rm -Rf $pwdir" EXIT +rm -Rf "$pwdir" +mkdir "$pwdir" +chmod 700 "$pwdir" +cat > "$pwdir/rcodesign-pw-2" << EOF +$RCODESIGN_PW +EOF +tr -d '\n' < "$pwdir/rcodesign-pw-2" > "$pwdir/rcodesign-pw" +rm "$pwdir/rcodesign-pw-2" + +# unset RCODESIGN_PW since it conflicts with rcodesign config +unset RCODESIGN_PW +rcodesign_opts=" + --code-signature-flags runtime + --timestamp-url http://timestamp.apple.com:8080/ts01 + --p12-file $rcodesign_signing_p12_file + --p12-password-file $pwdir/rcodesign-pw + " + +flags=() +for dir in Contents/MacOS Contents/MacOS/Tor Contents/MacOS/Tor/PluggableTransports +do + d="$display_name/$display_name.app/$dir" + test -d "$d" || continue + pushd "$d" + for file in * + do + test -f "$file" || continue + flags+=('--code-signature-flags' "$dir/$file:runtime") + done + popd +done +echo "code-signature-flags: ${flags[@]}" + +echo "**** Signing main bundle ($display_name.app) ****" +$rcodesign sign \ + $rcodesign_opts \ + "${flags[@]}" \ + --code-signature-flags Contents/MacOS/updater.app/Contents/Frameworks/UpdateSettings.framework:runtime \ + --code-signature-flags Contents/MacOS/updater.app:runtime \ + --code-signature-flags Contents/Frameworks/ChannelPrefs.framework:runtime \ + --code-signature-flags Contents/MacOS/plugin-container.app:runtime \ + --code-signature-flags Contents/MacOS/media-plugin-helper.app:runtime \ + --code-signature-flags Contents/MacOS/gpu-helper.app:runtime \ + --entitlements-xml-path Contents/MacOS/Tor/tor:/signing/tor-browser-build/tools/signing/macos-entitlements/tor.xml \ + --entitlements-xml-path Contents/MacOS/plugin-container.app:/signing/tor-browser-build/tools/signing/macos-entitlements/plugin-container.xml \ + --entitlements-xml-path Contents/MacOS/media-plugin-helper.app:/signing/tor-browser-build/tools/signing/macos-entitlements/media-plugin-helper.xml \ + --entitlements-xml-path /signing/tor-browser-build/tools/signing/macos-entitlements/firefox.browser.xml \ + -- \ + "$display_name/$display_name.app" + +rm -f "$pwdir/rcodesign-pw" +rmdir "$pwdir" +tar -C "$display_name" -caf "$output_file" "$display_name.app" +cd - +rm -Rf "$tmpdir" View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/commit/d7... -- View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/commit/d7... You're receiving this email because of your account on gitlab.torproject.org.