boklm pushed to branch main at The Tor Project / Applications / tor-browser-build
Commits:
-
c71f868f
by Nicolas Vigier at 2025-09-19T13:57:23+02:00
-
c24ab3b9
by hackademix at 2025-09-22T16:04:56+02:00
7 changed files:
- tools/signing/do-all-signing
- + tools/signing/extract-dmg
- + tools/signing/extract-dmg.mullvadbrowser
- + tools/signing/extract-dmg.torbrowser
- tools/signing/functions
- tools/signing/gatekeeper-bundling.sh
- tools/signing/linux-signer-rcodesign-sign
Changes:
| ... | ... | @@ -99,6 +99,10 @@ function clean-build-artifacts { |
| 99 | 99 | "$script_dir/clean-build-artifacts"
|
| 100 | 100 | }
|
| 101 | 101 | |
| 102 | +function extract-dmg {
|
|
| 103 | + "$script_dir/extract-dmg"
|
|
| 104 | +}
|
|
| 105 | + |
|
| 102 | 106 | function sync-before-linux-signer-rcodesign-sign {
|
| 103 | 107 | "$script_dir/sync-local-to-linux-signer"
|
| 104 | 108 | }
|
| ... | ... | @@ -245,6 +249,8 @@ do_step set-time-on-signing-machine |
| 245 | 249 | do_step wait-for-finished-build
|
| 246 | 250 | do_step sync-builder-unsigned-to-local-signed
|
| 247 | 251 | do_step clean-build-artifacts
|
| 252 | +[ -n "$platform_macos" ] && \
|
|
| 253 | + do_step extract-dmg
|
|
| 248 | 254 | do_step sync-scripts-to-linux-signer
|
| 249 | 255 | do_step sync-before-linux-signer-rcodesign-sign
|
| 250 | 256 | [ -n "$platform_macos" ] && \
|
| 1 | +#!/bin/bash
|
|
| 2 | +set -e
|
|
| 3 | +script_dir=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
|
|
| 4 | +source "$script_dir/functions"
|
|
| 5 | + |
|
| 6 | +setup_dmg_tools
|
|
| 7 | + |
|
| 8 | +# extract the hfs from the dmg archive preemptively to avoid an obsolete
|
|
| 9 | +# 7z version to break the rcodesign step
|
|
| 10 | +archive="$signed_version_dir/$(project-name)-macos-${tbb_version}"
|
|
| 11 | +dmg extract "$archive.dmg" "$archive.hfs" 0
|
|
| 12 | +rm -f "$archive.dmg" |
| 1 | +extract-dmg |
|
| \ No newline at end of file |
| 1 | +extract-dmg |
|
| \ No newline at end of file |
| ... | ... | @@ -83,4 +83,24 @@ function rbm_showconf_boolean { |
| 83 | 83 | echo '1'
|
| 84 | 84 | }
|
| 85 | 85 | |
| 86 | +function setup_dmg_tools {
|
|
| 87 | + dmgtools_dir=$(mktemp -d)
|
|
| 88 | + trap "rm -Rf $dmgtools_dir" EXIT
|
|
| 89 | + local libdmg_file="$script_dir/../../out/libdmg-hfsplus/libdmg-hfsplus-d6287b5afc24-6f206c.tar.zst"
|
|
| 90 | + test -f "$libdmg_file" || \
|
|
| 91 | + exit_error "$libdmg_file is missing." \
|
|
| 92 | + "You can build it with:" \
|
|
| 93 | + " ./rbm/rbm build --target no_containers libdmg-hfsplus" \
|
|
| 94 | + "See var/deps in projects/libdmg-hfsplus/config for the list of build dependencies"
|
|
| 95 | + local hfstools_file="$script_dir/../../out/hfsplus-tools/hfsplus-tools-540.1.linux3-2acaa4.tar.zst"
|
|
| 96 | + test -f "$hfstools_file" || \
|
|
| 97 | + exit_error "$hfstools_file is missing." \
|
|
| 98 | + "You can build it with:" \
|
|
| 99 | + " ./rbm/rbm build --target no_containers hfsplus-tools" \
|
|
| 100 | + "You will need the clang and uuid-dev packages installed"
|
|
| 101 | + tar -C "$dmgtools_dir" -xf "$libdmg_file"
|
|
| 102 | + tar -C "$dmgtools_dir" -xf "$hfstools_file"
|
|
| 103 | + export PATH="$PATH:$dmgtools_dir/libdmg-hfsplus:$dmgtools_dir/hfsplus-tools"
|
|
| 104 | +}
|
|
| 105 | + |
|
| 86 | 106 | . "$script_dir/set-config" |
| ... | ... | @@ -39,18 +39,8 @@ test -f $faketime_path || \ |
| 39 | 39 | exit_error "$faketime_path is missing"
|
| 40 | 40 | test -d $macos_stapled_dir || \
|
| 41 | 41 | exit_error "The stapled macos zip files should be placed in directory $macos_stapled_dir"
|
| 42 | -libdmg_file="$script_dir/../../out/libdmg-hfsplus/libdmg-hfsplus-d6287b5afc24-6f206c.tar.zst"
|
|
| 43 | -test -f "$libdmg_file" || \
|
|
| 44 | - exit_error "$libdmg_file is missing." \
|
|
| 45 | - "You can build it with:" \
|
|
| 46 | - " ./rbm/rbm build --target no_containers libdmg-hfsplus" \
|
|
| 47 | - "See var/deps in projects/libdmg-hfsplus/config for the list of build dependencies"
|
|
| 48 | -hfstools_file="$script_dir/../../out/hfsplus-tools/hfsplus-tools-540.1.linux3-2acaa4.tar.zst"
|
|
| 49 | -test -f "$hfstools_file" || \
|
|
| 50 | - exit_error "$hfstools_file is missing." \
|
|
| 51 | - "You can build it with:" \
|
|
| 52 | - " ./rbm/rbm build --target no_containers hfsplus-tools" \
|
|
| 53 | - "You will need the clang and uuid-dev packages installed"
|
|
| 42 | + |
|
| 43 | +setup_dmg_tools
|
|
| 54 | 44 | |
| 55 | 45 | ProjName=$(ProjectName)
|
| 56 | 46 | Proj_Name=$(Project_Name)
|
| ... | ... | @@ -66,10 +56,6 @@ rm -Rf "$tmpdir" |
| 66 | 56 | mkdir "$tmpdir"
|
| 67 | 57 | cp -rT "$script_dir/../../projects/common/dmg-root/$ProjName.dmg" "$tmpdir/dmg"
|
| 68 | 58 | |
| 69 | -tar -C "$tmpdir" -xf "$libdmg_file"
|
|
| 70 | -tar -C "$tmpdir" -xf "$hfstools_file"
|
|
| 71 | -export PATH="$PATH:$tmpdir/libdmg-hfsplus:$tmpdir/hfsplus-tools"
|
|
| 72 | - |
|
| 73 | 59 | cd $tmpdir/dmg
|
| 74 | 60 | |
| 75 | 61 | cp ${tbb_version_type}.DS_Store .DS_Store
|
| ... | ... | @@ -84,3 +70,5 @@ rm -Rf "$tmpdir" |
| 84 | 70 | |
| 85 | 71 | # move the signed+stapled dmgs to expected output directory for publishing and mar generation
|
| 86 | 72 | mv -vf "$macos_signed_dir"/"${proj_name}"-*.dmg "$signed_version_dir"/
|
| 73 | +# Remove hfs file created in extract-dmg
|
|
| 74 | +rm -f "$signed_version_dir"/"${proj_name}"-*.hfs |
| ... | ... | @@ -19,5 +19,8 @@ destdir=~/"$SIGNING_PROJECTNAME-$tbb_version-macos-signed" |
| 19 | 19 | mkdir -p $destdir
|
| 20 | 20 | rm -f "$destdir/$output_file"
|
| 21 | 21 | |
| 22 | -sudo -u signing-macos -- /signing/tor-browser-build/tools/signing/wrappers/sign-rcodesign-128 ~/"$SIGNING_PROJECTNAME-$tbb_version"/$(project-name)-macos-${tbb_version}.dmg "$display_name"
|
|
| 22 | +volume=~/"$SIGNING_PROJECTNAME-$tbb_version"/"$(project-name)-macos-${tbb_version}.hfs"
|
|
| 23 | +echo "Using $volume"
|
|
| 24 | +sudo -u signing-macos -- /signing/tor-browser-build/tools/signing/wrappers/sign-rcodesign-128 "$volume" "$display_name"
|
|
| 23 | 25 | cp "/home/signing-macos/last-signed-$display_name.tar.zst" "$destdir/$output_file"
|
| 26 | +rm -f "$volume" |