richard pushed to branch main at The Tor Project / Applications / tor-browser-build
Commits: 8a492802 by Richard Pospesel at 2024-02-26T15:45:39+00:00 Bug 40569: Update remaining macOS signing scripts to include channel name
- - - - -
6 changed files:
- projects/release/dmg2mar - tools/signing/functions - tools/signing/linux-signer-rcodesign-sign - tools/signing/rcodesign-notary-submit - tools/signing/set-config - tools/signing/wrappers/sign-rcodesign
Changes:
===================================== projects/release/dmg2mar ===================================== @@ -2,7 +2,7 @@ [% c("var/set_default_env") -%] cd [% shell_quote(path(dest_dir)) %]/[% c("var/signed_status") %]/[% c("version") %]
-export TOR_APPNAME_BUNDLE_OSX='[% c("var/Project_Name") -%]' +export TOR_APPNAME_BUNDLE_OSX='[% c("var/display_name") -%]' export TOR_APPNAME_DMGFILE='[% c("var/project-name") -%]' export TOR_APPNAME_MARFILE='[% c("var/project-name") -%]' [% shell_quote(c("basedir")) %]/tools/dmg2mar [% c("var/mar_channel_id") %]
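Review bot: `TOR_APPNAME_BUNDLE_OSX` is now filled from `var/display_name` by pasting the template value between literal single quotes, while the `cd` line and the `tools/dmg2mar` path in the same hunk go through `shell_quote`. A display name containing an apostrophe would end the quoted string early, and letting the template do the quoting avoids that: `export TOR_APPNAME_BUNDLE_OSX=[% shell_quote(c("var/display_name")) %]`. The two `TOR_APPNAME_*FILE` exports and the unquoted `[% c("var/mar_channel_id") %]` argument follow the same pattern and could be changed together.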
===================================== tools/signing/functions ===================================== @@ -39,7 +39,7 @@ function generate_config { p1=$("$rbm" showconf browser var/project-name --target "$SIGNING_PROJECTNAME") p2=$("$rbm" showconf browser var/Project_Name --target "$SIGNING_PROJECTNAME") p3=$("$rbm" showconf browser var/ProjectName --target "$SIGNING_PROJECTNAME") - p4=$("$rbm" showconf browser var/display_name --target "$SIGNING_PROJECTNAME") + p4=$("$rbm" showconf browser var/display_name --target "$SIGNING_PROJECTNAME" --target "$tbb_version_type") echo 'rbm_not_available=1' > "$script_dir/set-config.generated-config" echo "SIGNING_PROJECTNAMES=("$p1" "$p2" "$p3" "$p4")" >> "$script_dir/set-config.generated-config" } @@ -72,7 +72,7 @@ function display_name { if test -n "${rbm_not_available+x}"; then echo "${SIGNING_PROJECTNAMES[3]}" else - "$rbm" showconf browser var/display_name --target "$SIGNING_PROJECTNAME" + "$rbm" showconf browser var/display_name --target "$SIGNING_PROJECTNAME" --target "$tbb_version_type" fi }
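Review bot: The `echo "SIGNING_PROJECTNAMES=("$p1" "$p2" "$p3" "$p4")"` line in `generate_config` writes the four values into the generated file without any quoting, because each `"` there closes and reopens the string around the variable. With `--target "$tbb_version_type"` added, `p4` presumably becomes a channel-specific display name containing spaces. When the file is sourced the array would then be split on those spaces, and `${SIGNING_PROJECTNAMES[3]}` in the `display_name` fallback (second hunk) would return only the first word. Emitting shell-quoted elements keeps each name as one element: `printf 'SIGNING_PROJECTNAMES=(%q %q %q %q)\n' "$p1" "$p2" "$p3" "$p4" >> "$script_dir/set-config.generated-config"`. The stored name is also fixed to the channel in effect when the file was generated, which is worth a comment in `generate_config`.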
===================================== tools/signing/linux-signer-rcodesign-sign ===================================== @@ -13,11 +13,11 @@ if [ -z "$RCODESIGN_PW" ]; then export RCODESIGN_PW fi
-Proj_Name=$(Project_Name) +display_name=$(display_name) output_file=$(project-name)-macos-${tbb_version}-rcodesign-signed.tar.zst destdir=~/"$SIGNING_PROJECTNAME-$tbb_version-macos-signed" mkdir -p $destdir rm -f "$destdir/$output_file"
-sudo -u signing-macos -- /signing/tor-browser-build/tools/signing/wrappers/sign-rcodesign ~/"$SIGNING_PROJECTNAME-$tbb_version"/$(project-name)-macos-${tbb_version}.dmg "$Proj_Name"
-cp "/home/signing-macos/last-signed-$Proj_Name.tar.zst" "$destdir/$output_file"
+sudo -u signing-macos -- /signing/tor-browser-build/tools/signing/wrappers/sign-rcodesign ~/"$SIGNING_PROJECTNAME-$tbb_version"/$(project-name)-macos-${tbb_version}.dmg "$display_name"
+cp "/home/signing-macos/last-signed-$display_name.tar.zst" "$destdir/$output_file"
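Review bot: `display_name=$(display_name)` is used without checking that the lookup returned anything; if it comes back empty, the wrapper is invoked with an empty second argument and the `cp` reads `/home/signing-macos/last-signed-.tar.zst`. Whether the script aborts on a failed command substitution depends on shell options set outside this hunk, so an explicit guard right after the assignment is cheap: `test -n "$display_name" || exit_error "display_name is empty"` (assuming `exit_error` is available here as it is in `set-config`). The same assignment in `tools/signing/rcodesign-notary-submit` feeds `--staple "$tmpdir/$display_name.app"` and would benefit from the same guard.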
===================================== tools/signing/rcodesign-notary-submit ===================================== @@ -17,14 +17,14 @@ test -f "$appstoreconnect_api_key_path" || \ tmpdir=$(mktemp -d -p /var/tmp) trap "rm -Rf $tmpdir" EXIT
-Proj_Name=$(Project_Name)
+display_name=$(display_name)
tar -C "$tmpdir" -xf "$macos_rcodesign_signed_tar_dir/$(project-name)-macos-${tbb_version}-rcodesign-signed.tar.zst"
-"$script_dir/../local/rcodesign/rcodesign" notary-submit --api-key-path "$appstoreconnect_api_key_path" --staple "$tmpdir/$Proj_Name.app"
+"$script_dir/../local/rcodesign/rcodesign" notary-submit --api-key-path "$appstoreconnect_api_key_path" --staple "$tmpdir/$display_name.app"
output_file="$(project-name)-${tbb_version}-notarized+stapled.tar.zst" -tar -C "$tmpdir" -caf "$tmpdir/$output_file" "$Proj_Name.app" +tar -C "$tmpdir" -caf "$tmpdir/$output_file" "$display_name.app" mkdir -p "$macos_stapled_dir" mv "$tmpdir/$output_file" "$macos_stapled_dir/$output_file"
===================================== tools/signing/set-config ===================================== @@ -23,6 +23,12 @@ export SIGNING_PROJECTNAME test -z "${rbm_not_available+x}" && rbm="$script_dir/../../rbm/rbm"
. "$script_dir/set-config.tbb-version" + +test "$tbb_version_type" = 'release' \ + || test "$tbb_version_type" = 'alpha' \ + || test "$tbb_version_type" = 'nightly' \ + || exit_error "Unknown tbb_version_type $tbb_version_type" + . "$script_dir/set-config.hosts"
signed_dir="$script_dir/../../$SIGNING_PROJECTNAME/$tbb_version_type/signed"
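Review bot: The new allow-list check has no comment saying why it sits between the two `.` includes. Since `$tbb_version_type` is now handed to rbm as a `--target` in `tools/signing/functions` and is used to build `signed_dir` just below, a line such as `# tbb_version_type is used as an rbm target and as a path component; reject unknown values early` would keep the check from being moved or dropped later. A `case "$tbb_version_type" in release|alpha|nightly) ;; *) exit_error "Unknown tbb_version_type $tbb_version_type" ;; esac` form would also state the allowed set in one place.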
===================================== tools/signing/wrappers/sign-rcodesign ===================================== @@ -11,9 +11,9 @@ function exit_error {
test $# -eq 2 || exit_error "Wrong number of arguments" dmg_file="$1" -Proj_Name="$2" +display_name="$2"
-output_file="/home/signing-macos/last-signed-$Proj_Name.tar.zst" +output_file="/home/signing-macos/last-signed-$display_name.tar.zst" rm -f "$output_file"
rcodesign_signing_p12_file=/home/signing-macos/keys/key-1.p12 @@ -28,11 +28,11 @@ cd "$tmpdir" # https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/29... # FIXME: Maybe we should extract the .mar file instead of the .dmg to # preserve permissions -chmod ugo+x "$Proj_Name/$Proj_Name.app/Contents/MacOS"/* \ - "$Proj_Name/$Proj_Name.app/Contents/MacOS/updater.app/Contents/MacOS"/* \ - "$Proj_Name/$Proj_Name.app/Contents/MacOS/plugin-container.app/Contents/MacOS"/* -test -d "$Proj_Name/$Proj_Name.app/Contents/MacOS/Tor" && \ - chmod -R ugo+x "$Proj_Name/$Proj_Name.app/Contents/MacOS/Tor" +chmod ugo+x "$display_name/$display_name.app/Contents/MacOS"/* \ + "$display_name/$display_name.app/Contents/MacOS/updater.app/Contents/MacOS"/* \ + "$display_name/$display_name.app/Contents/MacOS/plugin-container.app/Contents/MacOS"/* +test -d "$display_name/$display_name.app/Contents/MacOS/Tor" && \ + chmod -R ugo+x "$display_name/$display_name.app/Contents/MacOS/Tor"
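Review bot: `display_name="$2"` is taken from the caller and used unchecked as a path component, first in `output_file="/home/signing-macos/last-signed-$display_name.tar.zst"` followed by `rm -f "$output_file"`, and later as a directory and tar member name. This wrapper is run through `sudo -u signing-macos` by `linux-signer-rcodesign-sign`, so the argument crosses an account boundary and only the argument count is verified. Rejecting empty values and anything containing `/` or starting with `-` or `.` right after the assignment would keep the paths inside the intended locations: `case "$display_name" in ''|*/*|-*|.*) exit_error "Invalid display name" ;; esac`. The script body continues outside this hunk.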
pwdir=/run/lock/rcodesign-pw trap "rm -Rf $pwdir" EXIT @@ -56,19 +56,19 @@ rcodesign_opts=" echo '**** Signing updater.app ****' /signing/rcodesign/rcodesign sign \ $rcodesign_opts \ - --info-plist-path "$Proj_Name/$Proj_Name.app/Contents/MacOS/updater.app/Contents/Info.plist" \ + --info-plist-path "$display_name/$display_name.app/Contents/MacOS/updater.app/Contents/Info.plist" \ -- \ - "$Proj_Name/$Proj_Name.app/Contents/MacOS/updater.app" + "$display_name/$display_name.app/Contents/MacOS/updater.app" echo '**** Signing plugin-container.app ****' /signing/rcodesign/rcodesign sign \ $rcodesign_opts \ --entitlements-xml-path /signing/tor-browser-build/tools/signing/${tbb_version_type}.entitlements.xml \ -- \ - "$Proj_Name/$Proj_Name.app/Contents/MacOS/plugin-container.app" + "$display_name/$display_name.app/Contents/MacOS/plugin-container.app"
# Setting binary-identifier on some files, to avoid signature errors. See: # https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/29... -pushd "$Proj_Name/$Proj_Name.app/Contents/MacOS/" +pushd "$display_name/$display_name.app/Contents/MacOS/" for lib in *.dylib do binident=$(echo $lib | sed 's/.dylib$//') @@ -78,9 +78,9 @@ do done popd
-if test -d "$Proj_Name/$Proj_Name.app/Contents/MacOS/Tor/PluggableTransports/" +if test -d "$display_name/$display_name.app/Contents/MacOS/Tor/PluggableTransports/" then - pushd "$Proj_Name/$Proj_Name.app/Contents/MacOS/Tor/PluggableTransports/" + pushd "$display_name/$display_name.app/Contents/MacOS/Tor/PluggableTransports/" for file in echo * do binident="--binary-identifier Contents/MacOS/Tor/PluggableTransports/$file:$file" @@ -90,17 +90,17 @@ then popd fi
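Review bot: The loop header `for file in echo *` in the PluggableTransports block, as shown in the context of this hunk, iterates over the literal word `echo` in addition to the glob matches, so a `--binary-identifier` entry would be built for a file named `echo` that is unlikely to exist. If that is what the file contains, `for file in *` is probably what was meant, and the commit already touches the two lines above it. The loop body continues outside the hunk, so the effect on the rcodesign call is not visible here.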
-echo "**** Signing main bundle ($Proj_Name.app) ****" +echo "**** Signing main bundle ($display_name.app) ****" # We use `--exclude '**'` to avoid re-signing nested bundles /signing/rcodesign/rcodesign sign \ $rcodesign_opts \ --entitlements-xml-path /signing/tor-browser-build/tools/signing/${tbb_version_type}.entitlements.xml \ --exclude '**' \ -- \ - "$Proj_Name/$Proj_Name.app" + "$display_name/$display_name.app"
rm -f "$pwdir/rcodesign-pw" rmdir "$pwdir" -tar -C "$Proj_Name" -caf "$output_file" "$Proj_Name.app" +tar -C "$display_name" -caf "$output_file" "$display_name.app" cd - rm -Rf "$tmpdir"