richard pushed to branch main at The Tor Project / Applications / tor-browser-build
Commits: fa846d22 by Nicolas Vigier at 2023-12-06T15:59:55+00:00 Bug 40990: Remove old macos signing scripts
- - - - -
30 changed files:
- tools/signing/do-all-signing - − tools/signing/finished-signing-clean-macos-signer - tools/signing/gatekeeper-bundling.sh - − tools/signing/macos-signer-gatekeeper-signing - − tools/signing/macos-signer-gatekeeper-signing.mullvadbrowser - − tools/signing/macos-signer-gatekeeper-signing.torbrowser - − tools/signing/macos-signer-notarization - − tools/signing/macos-signer-notarization.mullvadbrowser - − tools/signing/macos-signer-notarization.torbrowser - − tools/signing/macos-signer-proxy - − tools/signing/macos-signer-proxy.mullvadbrowser - − tools/signing/macos-signer-proxy.torbrowser - − tools/signing/macos-signer-stapler - − tools/signing/macos-signer-stapler.mullvadbrowser - − tools/signing/macos-signer-stapler.torbrowser - tools/signing/set-config - tools/signing/set-config.hosts - − tools/signing/set-config.macos-notarization - − tools/signing/sync-macos-local-to-macos-signer - − tools/signing/sync-macos-local-to-macos-signer.mullvadbrowser - − tools/signing/sync-macos-local-to-macos-signer.torbrowser - − tools/signing/sync-macos-local-to-macos-signer.torbrowser.dry-run - − tools/signing/sync-macos-signer-stapled-to-macos-local-stapled - − tools/signing/sync-macos-signer-stapled-to-macos-local-stapled.mullvadbrowser - − tools/signing/sync-macos-signer-stapled-to-macos-local-stapled.torbrowser - − tools/signing/sync-macos-signer-stapled-to-macos-local-stapled.torbrowser.dry-run - − tools/signing/sync-scripts-to-macos-signer - − tools/signing/sync-scripts-to-macos-signer.mullvadbrowser - − tools/signing/sync-scripts-to-macos-signer.torbrowser - − tools/signing/sync-scripts-to-macos-signer.torbrowser.dry-run
Changes:
===================================== tools/signing/do-all-signing =====================================
@@ -8,19 +8,9 @@ NON_INTERACTIVE=1
 steps_dir="$signed_version_dir.steps"
 test -d "$steps_dir" || mkdir -p "$steps_dir"
-if test -n "$use_rcodesign"
-then
- test -f "$steps_dir/linux-signer-rcodesign-sign.done" ||
- read -sp "Enter rcodesign passphrase for key-1: " RCODESIGN_PW
- echo
-else
- test -f "$steps_dir/macos-signer-gatekeeper-signing.done" ||
- read -sp "Enter macos keychain passphrase: " KEYCHAIN_PW
- echo
- test -f "$steps_dir/macos-signer-notarization.done" ||
- read -sp "Enter macos notarization passphrase: " NOTARIZATION_PW
- echo
-fi
+test -f "$steps_dir/linux-signer-rcodesign-sign.done" ||
+ read -sp "Enter rcodesign passphrase for key-1: " RCODESIGN_PW
+echo
 is_project torbrowser && nssdb=torbrowser-nssdb7
 is_project mullvadbrowser && nssdb=mullvadbrowser-nssdb-1
 test -f "$steps_dir/linux-signer-signmars.done" ||
@@ -67,52 +57,6 @@ function rcodesign-notary-submit {
 "$script_dir/rcodesign-notary-submit"
 }
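Review bot: The passphrase prompt kept by the first do-all-signing hunk still calls `read -sp` without `-r`, so a backslash in the rcodesign passphrase is consumed as an escape character and leading or trailing whitespace is trimmed by IFS splitting; the key would then fail to unlock with no hint as to why. Reading the value raw avoids both: `IFS= read -rsp "Enter rcodesign passphrase for key-1: " RCODESIGN_PW`. The removed macOS functions called `unset` on their passphrase variables after use; where RCODESIGN_PW is consumed and cleared lies outside this hunk, so it is worth confirming the remaining path does the same.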
-function macos-signer-directory-not-present {
- # To avoid doing two signings at the same time, or to avoid unknowingly
- # using parts from a previous signing attempt, we check that the
- # directory does not exist yet (see tor-browser-build#40497)
- if ssh "$ssh_host_macos_signer" "test -d $tbb_version"
- then
- echo "The directory $tbb_version already exists on $ssh_host_macos_signer"
- return 1
- fi
- return 0
-}
-
-function sync-scripts-to-macos-signer {
- "$script_dir/sync-scripts-to-macos-signer"
-}
-
-function macos-signer-enable-network-proxy-settings {
- ssh "$ssh_host_macos_signer" 'networksetup -setsecurewebproxystate Ethernet on'
-}
-
-function macos-signer-gatekeeper-signing {
- "$script_dir/sync-macos-local-to-macos-signer"
- ssh "$ssh_host_macos_signer" 'bash -s' << EOF
- export KEYCHAIN_PW=$KEYCHAIN_PW
- ~/signing-$SIGNING_PROJECTNAME-$tbb_version_type/macos-signer-gatekeeper-signing.$SIGNING_PROJECTNAME
-EOF
- unset KEYCHAIN_PW
-}
-
-function macos-signer-notarization {
- ssh "$ssh_host_macos_signer" 'bash -s' << EOF
- export PW=$NOTARIZATION_PW
- ~/signing-$SIGNING_PROJECTNAME-$tbb_version_type/macos-signer-notarization.$SIGNING_PROJECTNAME
-EOF
- unset NOTARIZATION_PW
-}
-
-function macos-signer-stapler {
- ssh "$ssh_host_macos_signer" "~/signing-$SIGNING_PROJECTNAME-$tbb_version_type/macos-signer-stapler.$SIGNING_PROJECTNAME"
- "$script_dir/sync-macos-signer-stapled-to-macos-local-stapled"
-}
-
-function macos-signer-disable-network-proxy-settings {
- ssh "$ssh_host_macos_signer" 'networksetup -setsecurewebproxystate Ethernet off'
-}
-
 function gatekeeper-bundling {
 "$script_dir/gatekeeper-bundling.sh"
 }
@@ -212,10 +156,6 @@ function upload-update_responses-to-staticiforme {
 "$script_dir/upload-update_responses-to-staticiforme"
 }
-function finished-signing-clean-macos-signer {
- "$script_dir/finished-signing-clean-macos-signer"
-}
-
 function finished-signing-clean-linux-signer {
 "$script_dir/finished-signing-clean-linux-signer"
 }
@@ -233,22 +173,11 @@ export SIGNING_PROJECTNAME
 do_step wait-for-finished-build
 do_step sync-builder-unsigned-to-local-signed
-if test -n "$use_rcodesign";
-then
- do_step sync-scripts-to-linux-signer
- do_step sync-before-linux-signer-rcodesign-sign
- do_step linux-signer-rcodesign-sign
- do_step sync-linux-signer-macos-signed-tar-to-local
- do_step rcodesign-notary-submit
-else
- do_step macos-signer-directory-not-present
- do_step sync-scripts-to-macos-signer
- do_step macos-signer-enable-network-proxy-settings
- do_step macos-signer-gatekeeper-signing
- do_step macos-signer-notarization
- do_step macos-signer-stapler
- do_step macos-signer-disable-network-proxy-settings
-fi
+do_step sync-scripts-to-linux-signer
+do_step sync-before-linux-signer-rcodesign-sign
+do_step linux-signer-rcodesign-sign
+do_step sync-linux-signer-macos-signed-tar-to-local
+do_step rcodesign-notary-submit
 do_step gatekeeper-bundling
 do_step dmg2mar
 do_step sync-scripts-to-linux-signer
@@ -272,5 +201,4 @@ do_step sync-local-to-staticiforme
 do_step sync-scripts-to-staticiforme
 do_step staticiforme-prepare-cdn-dist-upload
 do_step upload-update_responses-to-staticiforme
-do_step finished-signing-clean-macos-signer
 do_step finished-signing-clean-linux-signer
===================================== tools/signing/finished-signing-clean-macos-signer deleted =====================================
@@ -1,14 +0,0 @@
-#!/bin/bash
-
-# Remove current tbb version from macos-signer. You should run this
-# when all signing has been done.
-
-set -e
-script_dir=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
-source "$script_dir/functions"
-
-var_is_defined ssh_host_macos_signer tbb_version
-
-ssh "$ssh_host_macos_signer" 'bash -s' << EOF
- test -n "$tbb_version" && rm -Rfv ~/"$SIGNING_PROJECTNAME-$tbb_version"
-EOF
===================================== tools/signing/gatekeeper-bundling.sh =====================================
@@ -68,11 +68,7 @@ export PATH="$PATH:$tmpdir/libdmg-hfsplus:$tmpdir/hfsplus-tools"
 cd $tmpdir/dmg
-if test -n "$use_rcodesign"; then
- tar -xf $macos_stapled_dir/"${proj_name}-${tbb_version}-notarized+stapled.tar.zst"
-else
- unzip -q $macos_stapled_dir/tb-${tbb_version}_ALL-stapled.zip
-fi
+tar -xf $macos_stapled_dir/"${proj_name}-${tbb_version}-notarized+stapled.tar.zst"
 cd ..
 $script_dir/ddmg.sh $macos_signed_dir/${proj_name}-macos-${tbb_version}.dmg $tmpdir/dmg/ "$Proj_Name"
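Review bot: On the added `tar -xf` line `$macos_stapled_dir` is expanded outside the quotes, so a directory path containing whitespace or glob characters would be split before tar sees it; quoting the whole argument fixes that: `tar -xf "$macos_stapled_dir/${proj_name}-${tbb_version}-notarized+stapled.tar.zst"`. The context line `cd $tmpdir/dmg` just above is unquoted as well, and if the script does not run under `set -e` (not visible in this hunk) a failed `cd` would let tar unpack the notarized bundle into whatever directory happens to be current; `cd "$tmpdir/dmg" || exit 1` is the safer form. The same quoting applies to the `ddmg.sh` invocation that follows, which is unchanged context here.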
===================================== tools/signing/macos-signer-gatekeeper-signing deleted =====================================
@@ -1,100 +0,0 @@
-#!/bin/bash
-set -e
-
-script_dir=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
-source "$script_dir/functions"
-source "$script_dir/set-config.generated-config"
-
-ENTITLEMENTS="$script_dir/$tbb_version_type.entitlements.xml"
-app_name=$(Project_Name)
-
-function check_signature() {
- LANG=$1
- UNZIP=$2
- local failed_open=0
- local failed_exec=0
- if [ ${UNZIP} -eq 1 ]
- then
- test -d test_${LANG} && rm -r test_${LANG}
- unzip -d test_${LANG} -q tb-${tbb_version}_$LANG.zip
- pushd test_${LANG}
- fi
- echo "Checking $LANG..."
- spctl -vvvv --assess --type open --context context:primary-signature "$app_name.app/"
- if [ $? -ne 3 ]; then
- echo tb-${tbb_version}_$LANG.zip not signed correctly. Failed open.
- failed_open=1
- fi
- spctl -vvvv --assess --type exec --context context:primary-signature "$app_name.app/"
- if [ $? -ne 0 ]; then
- echo tb-${tbb_version}_$LANG.zip not signed correctly. Failed exec.
- failed_exec=1
- fi
- if [ ${UNZIP} -eq 1 ]
- then
- popd
- rm -r test_${LANG}
- fi
- if [ ${failed_open} -ne 0 -o ${failed_exec} -ne 0 ]
- then
- return 1
- fi
-}
-
-cd ~/$SIGNING_PROJECTNAME-${tbb_version}
-
-if test -n "$KEYCHAIN_PW"
-then
- KPW="-p $KEYCHAIN_PW"
-fi
-
-security unlock $KPW /Users/torbrowser/Library/Keychains/tbb-signing-alpha.keychain
-security unlock $KPW /Users/torbrowser/Library/Keychains/tbb-signing-2021.keychain
-
-unset KPW KEYCHAIN_PW
-
-for LANG in ALL
-do
- if [ -f tb-${tbb_version}_${LANG}.zip ]
- then
- echo "Deleting tb-${tbb_version}_${LANG}.zip"
- rm tb-${tbb_version}_${LANG}.zip
- fi
- if [ -d "$app_name.app" ]
- then
- echo "Deleting $app_name.app"
- rm -r "$app_name.app"
- fi
- if [ -d "/Volumes/$app_name" ]; then
- echo "DMG already mounted. Please correct."
- exit 1
- fi
- hdiutil attach $(project-name)-macos-${tbb_version}.dmg
- cp -rf "/Volumes/$app_name/$app_name.app" "$app_name.app"
- echo "Signing ${app_name}_${LANG}.app"
- codesign -vvv --deep -o runtime --entitlements="$ENTITLEMENTS" --timestamp -f -s "Developer ID Application: The Tor Project, Inc (MADPSAYN6T)" "$app_name.app/"
- echo "codesign exit code: $?"
- set +e
- check_signature $LANG 0
- if [ $? -eq 1 ]
- then
- echo Signature verification failed.
- rm -r "$app_name.app"
- hdiutil detach "/Volumes/$app_name"
- exit 1
- fi
- set -e
- echo "Zipping up tb-${tbb_version}_${LANG}.zip"
- zip -qr tb-${tbb_version}_${LANG}.zip "$app_name.app"
- rm -rf "$app_name.app"
- hdiutil detach "/Volumes/$app_name"
- set +e
- check_signature $LANG 1
- if [ $? -eq 1 ]
- then
- echo "Signature verification failed (${LANG})".
- rm -r "$app_name.app"
- exit 1
- fi
- set -e
-done
===================================== tools/signing/macos-signer-gatekeeper-signing.mullvadbrowser deleted =====================================
@@ -1 +0,0 @@
-macos-signer-gatekeeper-signing
\ No newline at end of file
===================================== tools/signing/macos-signer-gatekeeper-signing.torbrowser deleted =====================================
@@ -1 +0,0 @@
-macos-signer-gatekeeper-signing
\ No newline at end of file
===================================== tools/signing/macos-signer-notarization deleted =====================================
@@ -1,44 +0,0 @@
-#!/bin/bash
-set -e
-
-script_dir=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
-source "$script_dir/functions"
-source "$script_dir/set-config.macos-notarization"
-
-ALTOOL=~/Xcode.app/Contents/SharedFrameworks/ContentDeliveryServices.framework/Versions/A/Frameworks/AppStoreService.framework/Versions/A/Support/altool
-
-cd ~/$SIGNING_PROJECTNAME-${tbb_version}
-
-if [ -z "${PW}" ]; then
- echo "Please enter notarization password:"
- stty -echo; read PW; stty echo; export PW
-fi
-
-for LANG in ALL
-do
- if test -f ${LANG}/tb-${tbb_version}_$LANG.zip.uuid
- then
- echo "Skipping ${LANG}/tb-${tbb_version}_$LANG.zip"
- continue;
- fi
- if test -d ${LANG}; then
- mv ${LANG}/tb-${tbb_version}_$LANG.zip ./
- rm -r ${LANG}/
- fi
- mkdir $LANG
- cd $LANG
- mv ../tb-${tbb_version}_$LANG.zip .
- unzip -q tb-${tbb_version}_$LANG.zip
- echo "Notarizing $LANG..."
- $ALTOOL --notarize-app --verbose -t osx -f tb-${tbb_version}_$LANG.zip --primary-bundle-id org.torproject.torbrowser -u "$macos_notarization_user" -p @env:PW --output-format xml | tee tb-${tbb_version}_$LANG.zip.log 2>&1
-
- request_uuid=`grep -A1 RequestUUID tb-${tbb_version}_$LANG.zip.log | grep -o '[0-9a-f]+[0-9a-f-]+'`
- if [ -z "${request_uuid}" ]; then
- echo "Request UUID not present. Notarization failed"
- exit 1
- fi
- echo ${request_uuid} > tb-${tbb_version}_$LANG.zip.uuid
- echo "Notarization done for $LANG."
-
- cd ..
-done
===================================== tools/signing/macos-signer-notarization.mullvadbrowser deleted =====================================
@@ -1 +0,0 @@
-macos-signer-notarization
\ No newline at end of file
===================================== tools/signing/macos-signer-notarization.torbrowser deleted =====================================
@@ -1 +0,0 @@
-macos-signer-notarization
\ No newline at end of file
===================================== tools/signing/macos-signer-proxy deleted =====================================
@@ -1,6 +0,0 @@
-#!/bin/bash
-set -e
-script_dir=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
-source "$script_dir/functions"
-
-ssh -R :1080 "$ssh_host_macos_signer" 'python ~/proxy.py --port 8443'
===================================== tools/signing/macos-signer-proxy.mullvadbrowser deleted =====================================
@@ -1 +0,0 @@
-macos-signer-proxy
\ No newline at end of file
===================================== tools/signing/macos-signer-proxy.torbrowser deleted =====================================
@@ -1 +0,0 @@
-macos-signer-proxy
\ No newline at end of file
===================================== tools/signing/macos-signer-stapler deleted =====================================
@@ -1,22 +0,0 @@
-#!/bin/bash
-set -e
-
-read -n 1 -p "Press enter once notarization is complete..."
-
-script_dir=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
-source "$script_dir/functions"
-source "$script_dir/set-config.generated-config"
-
-STAPLER=/Users/torbrowser/Xcode.app/Contents//Developer/usr/bin/stapler
-app_name=$(Project_Name)
-
-cd ~/$SIGNING_PROJECTNAME-${tbb_version}
-
-for LANG in ALL
-do
- echo "Stapling $LANG..."
- cd $LANG
- $STAPLER staple "$app_name.app"
- zip -qr ../tb-${tbb_version}_$LANG-stapled.zip "$app_name.app"
- cd ..
-done
===================================== tools/signing/macos-signer-stapler.mullvadbrowser deleted =====================================
@@ -1 +0,0 @@
-macos-signer-stapler
\ No newline at end of file
===================================== tools/signing/macos-signer-stapler.torbrowser deleted =====================================
@@ -1 +0,0 @@
-macos-signer-stapler
\ No newline at end of file
===================================== tools/signing/set-config =====================================
@@ -38,5 +38,3 @@ rsync_options="-avH ${rsync_progress:-} ${DRY_RUN:-}"
 tb_builders='boklm dan henry ma1 pierov richard'
 wrappers_dir=/signing/tor-browser-build/tools/signing/wrappers
-
-use_rcodesign=1
===================================== tools/signing/set-config.hosts =====================================
@@ -1,6 +1,5 @@
 ssh_host_builder=tbbuild
 ssh_host_linux_signer=linux-signer-notor
-ssh_host_macos_signer=mac-signer-notor
 ssh_host_staticiforme=staticiforme.torproject.org
 builder_tor_browser_build_dir=/home/user/tor-browser-build
===================================== tools/signing/set-config.macos-notarization deleted =====================================
@@ -1,5 +0,0 @@
-# The following line should be uncommented and updated:
-
-#macos_notarization_user='user@email'
-
-var_is_defined macos_notarization_user
===================================== tools/signing/sync-macos-local-to-macos-signer deleted =====================================
@@ -1,8 +0,0 @@
-#!/bin/bash
-set -e
-script_dir=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
-source "$script_dir/functions"
-
-var_is_defined ssh_host_macos_signer
-
-rsync $rsync_options "$signed_version_dir"/*.dmg "$ssh_host_macos_signer:$SIGNING_PROJECTNAME-$tbb_version/"
===================================== tools/signing/sync-macos-local-to-macos-signer.mullvadbrowser deleted =====================================
@@ -1 +0,0 @@
-sync-macos-local-to-macos-signer
\ No newline at end of file
===================================== tools/signing/sync-macos-local-to-macos-signer.torbrowser deleted =====================================
@@ -1 +0,0 @@
-sync-macos-local-to-macos-signer
\ No newline at end of file
===================================== tools/signing/sync-macos-local-to-macos-signer.torbrowser.dry-run deleted =====================================
@@ -1 +0,0 @@
-sync-macos-local-to-macos-signer
\ No newline at end of file
===================================== tools/signing/sync-macos-signer-stapled-to-macos-local-stapled deleted =====================================
@@ -1,8 +0,0 @@
-#!/bin/bash
-set -e
-script_dir=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
-source "$script_dir/functions"
-
-var_is_defined ssh_host_macos_signer
-
-rsync $rsync_options "$ssh_host_macos_signer:$SIGNING_PROJECTNAME-$tbb_version/*-stapled.zip" "$macos_stapled_dir/"
===================================== tools/signing/sync-macos-signer-stapled-to-macos-local-stapled.mullvadbrowser deleted =====================================
@@ -1 +0,0 @@
-sync-macos-signer-stapled-to-macos-local-stapled
\ No newline at end of file
===================================== tools/signing/sync-macos-signer-stapled-to-macos-local-stapled.torbrowser deleted =====================================
@@ -1 +0,0 @@
-sync-macos-signer-stapled-to-macos-local-stapled
\ No newline at end of file
===================================== tools/signing/sync-macos-signer-stapled-to-macos-local-stapled.torbrowser.dry-run deleted =====================================
@@ -1 +0,0 @@
-sync-macos-signer-stapled-to-macos-local-stapled
\ No newline at end of file
===================================== tools/signing/sync-scripts-to-macos-signer deleted =====================================
@@ -1,10 +0,0 @@
-#!/bin/bash
-set -e
-script_dir=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
-source "$script_dir/functions"
-
-var_is_defined ssh_host_macos_signer
-
-generate_config
-
-rsync $rsync_options "$script_dir/" "$ssh_host_macos_signer:signing-$SIGNING_PROJECTNAME-$tbb_version_type/"
===================================== tools/signing/sync-scripts-to-macos-signer.mullvadbrowser deleted =====================================
@@ -1 +0,0 @@
-sync-scripts-to-macos-signer
\ No newline at end of file
===================================== tools/signing/sync-scripts-to-macos-signer.torbrowser deleted =====================================
@@ -1 +0,0 @@
-sync-scripts-to-macos-signer
\ No newline at end of file
===================================== tools/signing/sync-scripts-to-macos-signer.torbrowser.dry-run deleted =====================================
@@ -1 +0,0 @@
-sync-scripts-to-macos-signer
\ No newline at end of file