[tbb-commits] [Git][tpo/applications/tor-browser-build][maint-13.0] Bug 40990: Remove old macos signing scripts

richard (@richard) git at gitlab.torproject.org
Wed Dec 6 16:01:40 UTC 2023



richard pushed to branch maint-13.0 at The Tor Project / Applications / tor-browser-build


Commits:
7d25ba41 by Nicolas Vigier at 2023-12-06T16:01:16+00:00
Bug 40990: Remove old macos signing scripts

- - - - -


30 changed files:

- tools/signing/do-all-signing
- − tools/signing/finished-signing-clean-macos-signer
- tools/signing/gatekeeper-bundling.sh
- − tools/signing/macos-signer-gatekeeper-signing
- − tools/signing/macos-signer-gatekeeper-signing.mullvadbrowser
- − tools/signing/macos-signer-gatekeeper-signing.torbrowser
- − tools/signing/macos-signer-notarization
- − tools/signing/macos-signer-notarization.mullvadbrowser
- − tools/signing/macos-signer-notarization.torbrowser
- − tools/signing/macos-signer-proxy
- − tools/signing/macos-signer-proxy.mullvadbrowser
- − tools/signing/macos-signer-proxy.torbrowser
- − tools/signing/macos-signer-stapler
- − tools/signing/macos-signer-stapler.mullvadbrowser
- − tools/signing/macos-signer-stapler.torbrowser
- tools/signing/set-config
- tools/signing/set-config.hosts
- − tools/signing/set-config.macos-notarization
- − tools/signing/sync-macos-local-to-macos-signer
- − tools/signing/sync-macos-local-to-macos-signer.mullvadbrowser
- − tools/signing/sync-macos-local-to-macos-signer.torbrowser
- − tools/signing/sync-macos-local-to-macos-signer.torbrowser.dry-run
- − tools/signing/sync-macos-signer-stapled-to-macos-local-stapled
- − tools/signing/sync-macos-signer-stapled-to-macos-local-stapled.mullvadbrowser
- − tools/signing/sync-macos-signer-stapled-to-macos-local-stapled.torbrowser
- − tools/signing/sync-macos-signer-stapled-to-macos-local-stapled.torbrowser.dry-run
- − tools/signing/sync-scripts-to-macos-signer
- − tools/signing/sync-scripts-to-macos-signer.mullvadbrowser
- − tools/signing/sync-scripts-to-macos-signer.torbrowser
- − tools/signing/sync-scripts-to-macos-signer.torbrowser.dry-run


Changes:

=====================================
tools/signing/do-all-signing
=====================================
@@ -8,19 +8,9 @@ NON_INTERACTIVE=1
 steps_dir="$signed_version_dir.steps"
 test -d "$steps_dir" || mkdir -p "$steps_dir"
 
-if test -n "$use_rcodesign"
-then
-  test -f "$steps_dir/linux-signer-rcodesign-sign.done" ||
-    read -sp "Enter rcodesign passphrase for key-1: " RCODESIGN_PW
-  echo
-else
-  test -f "$steps_dir/macos-signer-gatekeeper-signing.done" ||
-    read -sp "Enter macos keychain passphrase: " KEYCHAIN_PW
-  echo
-  test -f "$steps_dir/macos-signer-notarization.done" ||
-    read -sp "Enter macos notarization passphrase: " NOTARIZATION_PW
-  echo
-fi
+test -f "$steps_dir/linux-signer-rcodesign-sign.done" ||
+  read -sp "Enter rcodesign passphrase for key-1: " RCODESIGN_PW
+echo
 is_project torbrowser && nssdb=torbrowser-nssdb7
 is_project mullvadbrowser && nssdb=mullvadbrowser-nssdb-1
 test -f "$steps_dir/linux-signer-signmars.done" ||
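Review bot: The retained passphrase prompt uses `read -sp` without `-r`, so a backslash typed in the rcodesign passphrase is consumed by `read` and `RCODESIGN_PW` ends up different from what was entered; `read -rsp "Enter rcodesign passphrase for key-1: " RCODESIGN_PW` avoids that. The `echo` that follows runs even when the `.done` marker exists and no prompt was shown, so it could be grouped with the prompt. How `RCODESIGN_PW` is later handed to the linux signer is outside this hunk. It is worth confirming that it does not travel through an unquoted heredoc, as `KEYCHAIN_PW` did in the `macos-signer-gatekeeper-signing` function removed below, since that exposes the value to shell expansion on the remote side.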
@@ -67,52 +57,6 @@ function rcodesign-notary-submit {
   "$script_dir/rcodesign-notary-submit"
 }
 
-function macos-signer-directory-not-present {
-  # To avoid doing two signings at the same time, or to avoid unknowingly
-  # using parts from a previous signing attempt, we check that the
-  # directory does not exist yet (see tor-browser-build#40497)
-  if ssh "$ssh_host_macos_signer" "test -d $tbb_version"
-  then
-    echo "The directory $tbb_version already exists on $ssh_host_macos_signer"
-    return 1
-  fi
-  return 0
-}
-
-function sync-scripts-to-macos-signer {
-  "$script_dir/sync-scripts-to-macos-signer"
-}
-
-function macos-signer-enable-network-proxy-settings {
-  ssh "$ssh_host_macos_signer" 'networksetup -setsecurewebproxystate Ethernet on'
-}
-
-function macos-signer-gatekeeper-signing {
-  "$script_dir/sync-macos-local-to-macos-signer"
-  ssh "$ssh_host_macos_signer" 'bash -s' << EOF
-  export KEYCHAIN_PW=$KEYCHAIN_PW
-  ~/signing-$SIGNING_PROJECTNAME-$tbb_version_type/macos-signer-gatekeeper-signing.$SIGNING_PROJECTNAME
-EOF
-  unset KEYCHAIN_PW
-}
-
-function macos-signer-notarization {
-  ssh "$ssh_host_macos_signer" 'bash -s' << EOF
-  export PW=$NOTARIZATION_PW
-  ~/signing-$SIGNING_PROJECTNAME-$tbb_version_type/macos-signer-notarization.$SIGNING_PROJECTNAME
-EOF
-  unset NOTARIZATION_PW
-}
-
-function macos-signer-stapler {
-  ssh "$ssh_host_macos_signer" "~/signing-$SIGNING_PROJECTNAME-$tbb_version_type/macos-signer-stapler.$SIGNING_PROJECTNAME"
-  "$script_dir/sync-macos-signer-stapled-to-macos-local-stapled"
-}
-
-function macos-signer-disable-network-proxy-settings {
-  ssh "$ssh_host_macos_signer" 'networksetup -setsecurewebproxystate Ethernet off'
-}
-
 function gatekeeper-bundling {
   "$script_dir/gatekeeper-bundling.sh"
 }
@@ -212,10 +156,6 @@ function upload-update_responses-to-staticiforme {
   "$script_dir/upload-update_responses-to-staticiforme"
 }
 
-function finished-signing-clean-macos-signer {
-  "$script_dir/finished-signing-clean-macos-signer"
-}
-
 function finished-signing-clean-linux-signer {
   "$script_dir/finished-signing-clean-linux-signer"
 }
@@ -233,22 +173,11 @@ export SIGNING_PROJECTNAME
 
 do_step wait-for-finished-build
 do_step sync-builder-unsigned-to-local-signed
-if test -n "$use_rcodesign";
-then
-  do_step sync-scripts-to-linux-signer
-  do_step sync-before-linux-signer-rcodesign-sign
-  do_step linux-signer-rcodesign-sign
-  do_step sync-linux-signer-macos-signed-tar-to-local
-  do_step rcodesign-notary-submit
-else
-  do_step macos-signer-directory-not-present
-  do_step sync-scripts-to-macos-signer
-  do_step macos-signer-enable-network-proxy-settings
-  do_step macos-signer-gatekeeper-signing
-  do_step macos-signer-notarization
-  do_step macos-signer-stapler
-  do_step macos-signer-disable-network-proxy-settings
-fi
+do_step sync-scripts-to-linux-signer
+do_step sync-before-linux-signer-rcodesign-sign
+do_step linux-signer-rcodesign-sign
+do_step sync-linux-signer-macos-signed-tar-to-local
+do_step rcodesign-notary-submit
 do_step gatekeeper-bundling
 do_step dmg2mar
 do_step sync-scripts-to-linux-signer
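Review bot: `do_step sync-scripts-to-linux-signer` is now listed unconditionally twice, once before `sync-before-linux-signer-rcodesign-sign` and again after `dmg2mar`. `do_step` is defined outside this hunk; if it skips any step whose `.done` marker already exists in `$steps_dir`, as the marker checks in the first hunk suggest, the second call never runs. In that case it can be dropped, or kept with a comment such as `# scripts were already synced before rcodesign signing`. If a re-sync of the scripts at that point is intended, it would need a distinct step name to take effect.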
@@ -272,5 +201,4 @@ do_step sync-local-to-staticiforme
 do_step sync-scripts-to-staticiforme
 do_step staticiforme-prepare-cdn-dist-upload
 do_step upload-update_responses-to-staticiforme
-do_step finished-signing-clean-macos-signer
 do_step finished-signing-clean-linux-signer


=====================================
tools/signing/finished-signing-clean-macos-signer deleted
=====================================
@@ -1,14 +0,0 @@
-#!/bin/bash
-
-# Remove current tbb version from macos-signer. You should run this
-# when all signing has been done.
-
-set -e
-script_dir=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
-source "$script_dir/functions"
-
-var_is_defined ssh_host_macos_signer tbb_version
-
-ssh "$ssh_host_macos_signer" 'bash -s' << EOF
-  test -n "$tbb_version" && rm -Rfv ~/"$SIGNING_PROJECTNAME-$tbb_version"
-EOF


=====================================
tools/signing/gatekeeper-bundling.sh
=====================================
@@ -68,11 +68,7 @@ export PATH="$PATH:$tmpdir/libdmg-hfsplus:$tmpdir/hfsplus-tools"
 
 cd $tmpdir/dmg
 
-if test -n "$use_rcodesign"; then
-  tar -xf $macos_stapled_dir/"${proj_name}-${tbb_version}-notarized+stapled.tar.zst"
-else
-  unzip -q $macos_stapled_dir/tb-${tbb_version}_ALL-stapled.zip
-fi
+tar -xf $macos_stapled_dir/"${proj_name}-${tbb_version}-notarized+stapled.tar.zst"
 
 cd ..
 $script_dir/ddmg.sh $macos_signed_dir/${proj_name}-macos-${tbb_version}.dmg $tmpdir/dmg/ "$Proj_Name"
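Review bot: On the now-unconditional extraction line, `$macos_stapled_dir` is expanded outside the quotes, so a path containing whitespace or glob characters is split before `tar` sees it; quoting the whole argument, `tar -xf "$macos_stapled_dir/${proj_name}-${tbb_version}-notarized+stapled.tar.zst"`, fixes this. The surrounding `cd $tmpdir/dmg` and the `ddmg.sh` call have the same unquoted expansions. Whether the script runs under `set -e` is not visible in this hunk. If it does not, a failed `cd` or `tar` would still reach `ddmg.sh` and package whatever is in the directory, so an explicit `|| exit 1` on both is worth considering.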


=====================================
tools/signing/macos-signer-gatekeeper-signing deleted
=====================================
@@ -1,100 +0,0 @@
-#!/bin/bash
-set -e
-
-script_dir=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
-source "$script_dir/functions"
-source "$script_dir/set-config.generated-config"
-
-ENTITLEMENTS="$script_dir/$tbb_version_type.entitlements.xml"
-app_name=$(Project_Name)
-
-function check_signature() {
-  LANG=$1
-  UNZIP=$2
-  local failed_open=0
-  local failed_exec=0
-  if [ ${UNZIP} -eq 1 ]
-  then
-    test -d test_${LANG} && rm -r test_${LANG}
-    unzip -d test_${LANG} -q tb-${tbb_version}_$LANG.zip
-    pushd test_${LANG}
-  fi
-  echo "Checking $LANG..."
-  spctl -vvvv --assess --type open --context context:primary-signature "$app_name.app/"
-  if [ $? -ne 3 ]; then
-    echo tb-${tbb_version}_$LANG.zip not signed correctly. Failed open.
-    failed_open=1
-  fi
-  spctl -vvvv --assess --type exec --context context:primary-signature "$app_name.app/"
-  if [ $? -ne 0 ]; then
-    echo tb-${tbb_version}_$LANG.zip not signed correctly. Failed exec.
-    failed_exec=1
-  fi
-  if [ ${UNZIP} -eq 1 ]
-  then
-    popd
-    rm -r test_${LANG}
-  fi
-  if [ ${failed_open} -ne 0 -o ${failed_exec} -ne 0 ]
-  then
-    return 1
-  fi
-}
-
-cd ~/$SIGNING_PROJECTNAME-${tbb_version}
-
-if test -n "$KEYCHAIN_PW"
-then
-  KPW="-p $KEYCHAIN_PW"
-fi
-
-security unlock $KPW /Users/torbrowser/Library/Keychains/tbb-signing-alpha.keychain
-security unlock $KPW /Users/torbrowser/Library/Keychains/tbb-signing-2021.keychain
-
-unset KPW KEYCHAIN_PW
-
-for LANG in ALL
-do
-  if [ -f tb-${tbb_version}_${LANG}.zip ]
-  then
-    echo "Deleting tb-${tbb_version}_${LANG}.zip"
-    rm tb-${tbb_version}_${LANG}.zip
-  fi
-  if [ -d "$app_name.app" ]
-  then
-    echo "Deleting $app_name.app"
-    rm -r "$app_name.app"
-  fi
-  if [ -d "/Volumes/$app_name" ]; then
-    echo "DMG already mounted. Please correct."
-    exit 1
-  fi
-  hdiutil attach $(project-name)-macos-${tbb_version}.dmg
-  cp -rf "/Volumes/$app_name/$app_name.app" "$app_name.app"
-  echo "Signing ${app_name}_${LANG}.app"
-  codesign -vvv --deep -o runtime --entitlements="$ENTITLEMENTS" --timestamp -f -s "Developer ID Application: The Tor Project, Inc (MADPSAYN6T)" "$app_name.app/"
-  echo "codesign exit code: $?"
-  set +e
-  check_signature $LANG 0
-  if [ $? -eq 1 ]
-  then
-    echo Signature verification failed.
-    rm -r "$app_name.app"
-    hdiutil detach "/Volumes/$app_name"
-    exit 1
-  fi
-  set -e
-  echo "Zipping up tb-${tbb_version}_${LANG}.zip"
-  zip -qr tb-${tbb_version}_${LANG}.zip "$app_name.app"
-  rm -rf "$app_name.app"
-  hdiutil detach "/Volumes/$app_name"
-  set +e
-  check_signature $LANG 1
-  if [ $? -eq 1 ]
-  then
-    echo "Signature verification failed (${LANG})".
-    rm -r "$app_name.app"
-    exit 1
-  fi
-  set -e
-done


=====================================
tools/signing/macos-signer-gatekeeper-signing.mullvadbrowser deleted
=====================================
@@ -1 +0,0 @@
-macos-signer-gatekeeper-signing
\ No newline at end of file


=====================================
tools/signing/macos-signer-gatekeeper-signing.torbrowser deleted
=====================================
@@ -1 +0,0 @@
-macos-signer-gatekeeper-signing
\ No newline at end of file


=====================================
tools/signing/macos-signer-notarization deleted
=====================================
@@ -1,44 +0,0 @@
-#!/bin/bash
-set -e
-
-script_dir=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
-source "$script_dir/functions"
-source "$script_dir/set-config.macos-notarization"
-
-ALTOOL=~/Xcode.app/Contents/SharedFrameworks/ContentDeliveryServices.framework/Versions/A/Frameworks/AppStoreService.framework/Versions/A/Support/altool
-
-cd ~/$SIGNING_PROJECTNAME-${tbb_version}
-
-if [ -z "${PW}" ]; then
-  echo "Please enter notarization password:"
-  stty -echo; read PW; stty echo; export PW
-fi
-
-for LANG in ALL
-do
-  if test -f ${LANG}/tb-${tbb_version}_$LANG.zip.uuid
-  then
-    echo "Skipping ${LANG}/tb-${tbb_version}_$LANG.zip"
-    continue;
-  fi
-  if test -d ${LANG}; then
-    mv ${LANG}/tb-${tbb_version}_$LANG.zip ./
-    rm -r ${LANG}/
-  fi
-  mkdir $LANG
-  cd $LANG
-  mv ../tb-${tbb_version}_$LANG.zip .
-  unzip -q tb-${tbb_version}_$LANG.zip
-  echo "Notarizing $LANG..."
-  $ALTOOL --notarize-app --verbose -t osx -f tb-${tbb_version}_$LANG.zip --primary-bundle-id org.torproject.torbrowser -u "$macos_notarization_user" -p @env:PW --output-format xml | tee tb-${tbb_version}_$LANG.zip.log 2>&1
-
-  request_uuid=`grep -A1 RequestUUID tb-${tbb_version}_$LANG.zip.log | grep -o '[0-9a-f]\+[0-9a-f-]\+'`
-  if [ -z "${request_uuid}" ]; then
-    echo "Request UUID not present. Notarization failed"
-    exit 1
-  fi
-  echo ${request_uuid} > tb-${tbb_version}_$LANG.zip.uuid
-  echo "Notarization done for $LANG."
-
-  cd ..
-done


=====================================
tools/signing/macos-signer-notarization.mullvadbrowser deleted
=====================================
@@ -1 +0,0 @@
-macos-signer-notarization
\ No newline at end of file


=====================================
tools/signing/macos-signer-notarization.torbrowser deleted
=====================================
@@ -1 +0,0 @@
-macos-signer-notarization
\ No newline at end of file


=====================================
tools/signing/macos-signer-proxy deleted
=====================================
@@ -1,6 +0,0 @@
-#!/bin/bash
-set -e
-script_dir=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
-source "$script_dir/functions"
-
-ssh -R :1080 "$ssh_host_macos_signer" 'python ~/proxy.py --port 8443'


=====================================
tools/signing/macos-signer-proxy.mullvadbrowser deleted
=====================================
@@ -1 +0,0 @@
-macos-signer-proxy
\ No newline at end of file


=====================================
tools/signing/macos-signer-proxy.torbrowser deleted
=====================================
@@ -1 +0,0 @@
-macos-signer-proxy
\ No newline at end of file


=====================================
tools/signing/macos-signer-stapler deleted
=====================================
@@ -1,22 +0,0 @@
-#!/bin/bash
-set -e
-
-read -n 1 -p "Press enter once notarization is complete..."
-
-script_dir=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
-source "$script_dir/functions"
-source "$script_dir/set-config.generated-config"
-
-STAPLER=/Users/torbrowser/Xcode.app/Contents//Developer/usr/bin/stapler
-app_name=$(Project_Name)
-
-cd ~/$SIGNING_PROJECTNAME-${tbb_version}
-
-for LANG in ALL
-do
-  echo "Stapling $LANG..."
-  cd $LANG
-  $STAPLER staple "$app_name.app"
-  zip -qr ../tb-${tbb_version}_$LANG-stapled.zip "$app_name.app"
-  cd ..
-done


=====================================
tools/signing/macos-signer-stapler.mullvadbrowser deleted
=====================================
@@ -1 +0,0 @@
-macos-signer-stapler
\ No newline at end of file


=====================================
tools/signing/macos-signer-stapler.torbrowser deleted
=====================================
@@ -1 +0,0 @@
-macos-signer-stapler
\ No newline at end of file


=====================================
tools/signing/set-config
=====================================
@@ -38,5 +38,3 @@ rsync_options="-avH ${rsync_progress:-} ${DRY_RUN:-}"
 
 tb_builders='boklm dan henry ma1 pierov richard'
 wrappers_dir=/signing/tor-browser-build/tools/signing/wrappers
-
-use_rcodesign=1


=====================================
tools/signing/set-config.hosts
=====================================
@@ -1,6 +1,5 @@
 ssh_host_builder=tbbuild
 ssh_host_linux_signer=linux-signer-notor
-ssh_host_macos_signer=mac-signer-notor
 ssh_host_staticiforme=staticiforme.torproject.org
 
 builder_tor_browser_build_dir=/home/user/tor-browser-build


=====================================
tools/signing/set-config.macos-notarization deleted
=====================================
@@ -1,5 +0,0 @@
-# The following line should be uncommented and updated:
-
-#macos_notarization_user='user at email'
-
-var_is_defined macos_notarization_user


=====================================
tools/signing/sync-macos-local-to-macos-signer deleted
=====================================
@@ -1,8 +0,0 @@
-#!/bin/bash
-set -e
-script_dir=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
-source "$script_dir/functions"
-
-var_is_defined ssh_host_macos_signer
-
-rsync $rsync_options "$signed_version_dir"/*.dmg "$ssh_host_macos_signer:$SIGNING_PROJECTNAME-$tbb_version/"


=====================================
tools/signing/sync-macos-local-to-macos-signer.mullvadbrowser deleted
=====================================
@@ -1 +0,0 @@
-sync-macos-local-to-macos-signer
\ No newline at end of file


=====================================
tools/signing/sync-macos-local-to-macos-signer.torbrowser deleted
=====================================
@@ -1 +0,0 @@
-sync-macos-local-to-macos-signer
\ No newline at end of file


=====================================
tools/signing/sync-macos-local-to-macos-signer.torbrowser.dry-run deleted
=====================================
@@ -1 +0,0 @@
-sync-macos-local-to-macos-signer
\ No newline at end of file


=====================================
tools/signing/sync-macos-signer-stapled-to-macos-local-stapled deleted
=====================================
@@ -1,8 +0,0 @@
-#!/bin/bash
-set -e
-script_dir=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
-source "$script_dir/functions"
-
-var_is_defined ssh_host_macos_signer
-
-rsync $rsync_options "$ssh_host_macos_signer:$SIGNING_PROJECTNAME-$tbb_version/*-stapled.zip" "$macos_stapled_dir/"


=====================================
tools/signing/sync-macos-signer-stapled-to-macos-local-stapled.mullvadbrowser deleted
=====================================
@@ -1 +0,0 @@
-sync-macos-signer-stapled-to-macos-local-stapled
\ No newline at end of file


=====================================
tools/signing/sync-macos-signer-stapled-to-macos-local-stapled.torbrowser deleted
=====================================
@@ -1 +0,0 @@
-sync-macos-signer-stapled-to-macos-local-stapled
\ No newline at end of file


=====================================
tools/signing/sync-macos-signer-stapled-to-macos-local-stapled.torbrowser.dry-run deleted
=====================================
@@ -1 +0,0 @@
-sync-macos-signer-stapled-to-macos-local-stapled
\ No newline at end of file


=====================================
tools/signing/sync-scripts-to-macos-signer deleted
=====================================
@@ -1,10 +0,0 @@
-#!/bin/bash
-set -e
-script_dir=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
-source "$script_dir/functions"
-
-var_is_defined ssh_host_macos_signer
-
-generate_config
-
-rsync $rsync_options "$script_dir/" "$ssh_host_macos_signer:signing-$SIGNING_PROJECTNAME-$tbb_version_type/"


=====================================
tools/signing/sync-scripts-to-macos-signer.mullvadbrowser deleted
=====================================
@@ -1 +0,0 @@
-sync-scripts-to-macos-signer
\ No newline at end of file


=====================================
tools/signing/sync-scripts-to-macos-signer.torbrowser deleted
=====================================
@@ -1 +0,0 @@
-sync-scripts-to-macos-signer
\ No newline at end of file


=====================================
tools/signing/sync-scripts-to-macos-signer.torbrowser.dry-run deleted
=====================================
@@ -1 +0,0 @@
-sync-scripts-to-macos-signer
\ No newline at end of file



View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/commit/7d25ba41dd5b301a82744baa5730b348f7f5605a
