[tbb-commits] [Git][tpo/applications/tor-browser-build][main] Bug 40569: Update remaining macOS signing scripts to include channel name

richard (@richard) git at gitlab.torproject.org
Mon Feb 26 17:49:13 UTC 2024



richard pushed to branch main at The Tor Project / Applications / tor-browser-build


Commits:
8a492802 by Richard Pospesel at 2024-02-26T15:45:39+00:00
Bug 40569: Update remaining macOS signing scripts to include channel name

- - - - -


6 changed files:

- projects/release/dmg2mar
- tools/signing/functions
- tools/signing/linux-signer-rcodesign-sign
- tools/signing/rcodesign-notary-submit
- tools/signing/set-config
- tools/signing/wrappers/sign-rcodesign


Changes:

=====================================
projects/release/dmg2mar
=====================================
@@ -2,7 +2,7 @@
 [% c("var/set_default_env") -%]
 cd [% shell_quote(path(dest_dir)) %]/[% c("var/signed_status") %]/[%  c("version") %]
 
-export TOR_APPNAME_BUNDLE_OSX='[% c("var/Project_Name") -%]'
+export TOR_APPNAME_BUNDLE_OSX='[% c("var/display_name") -%]'
 export TOR_APPNAME_DMGFILE='[% c("var/project-name") -%]'
 export TOR_APPNAME_MARFILE='[% c("var/project-name") -%]'
 [% shell_quote(c("basedir")) %]/tools/dmg2mar [% c("var/mar_channel_id") %]
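Review bot: The new `TOR_APPNAME_BUNDLE_OSX` line interpolates `var/display_name` between hand-written single quotes, while the `cd` and `tools/dmg2mar` lines in the same hunk go through `shell_quote(...)`. A display name is free-form text, so a value containing a single quote would break the generated script. Assuming `shell_quote` emits a fully quoted word, as its unquoted use on the `cd` line suggests, `export TOR_APPNAME_BUNDLE_OSX=[% shell_quote(c("var/display_name")) %]` would keep the quoting consistent. The two `var/project-name` exports below follow the same hand-quoted pattern.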


=====================================
tools/signing/functions
=====================================
@@ -39,7 +39,7 @@ function generate_config {
   p1=$("$rbm" showconf browser var/project-name --target "$SIGNING_PROJECTNAME")
   p2=$("$rbm" showconf browser var/Project_Name --target "$SIGNING_PROJECTNAME")
   p3=$("$rbm" showconf browser var/ProjectName --target "$SIGNING_PROJECTNAME")
-  p4=$("$rbm" showconf browser var/display_name --target "$SIGNING_PROJECTNAME")
+  p4=$("$rbm" showconf browser var/display_name --target "$SIGNING_PROJECTNAME" --target "$tbb_version_type")
   echo 'rbm_not_available=1' > "$script_dir/set-config.generated-config"
   echo "SIGNING_PROJECTNAMES=(\"$p1\" \"$p2\" \"$p3\" \"$p4\")" >> "$script_dir/set-config.generated-config"
 }
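Review bot: `p4` is now resolved with `--target "$tbb_version_type"`, but `generate_config` still writes one cached value into `set-config.generated-config`, and `display_name` returns `${SIGNING_PROJECTNAMES[3]}` whenever `rbm_not_available` is set. If that generated file is reused for a channel other than the one active when it was written, the cached name will be stale, so a comment such as `# p4 is channel-specific: regenerate this file whenever tbb_version_type changes` seems warranted. Neither this hunk nor the `display_name` hunk below checks that `tbb_version_type` is set or that `showconf` returned a non-empty value, and an empty name flows into paths like `$display_name/$display_name.app` in sign-rcodesign. `generate_config` begins outside the hunk.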
@@ -72,7 +72,7 @@ function display_name {
    if test -n "${rbm_not_available+x}"; then
      echo "${SIGNING_PROJECTNAMES[3]}"
    else
-     "$rbm" showconf browser var/display_name --target "$SIGNING_PROJECTNAME"
+     "$rbm" showconf browser var/display_name --target "$SIGNING_PROJECTNAME" --target "$tbb_version_type"
    fi
 }
 


=====================================
tools/signing/linux-signer-rcodesign-sign
=====================================
@@ -13,11 +13,11 @@ if [ -z "$RCODESIGN_PW" ]; then
     export RCODESIGN_PW
 fi
 
-Proj_Name=$(Project_Name)
+display_name=$(display_name)
 output_file=$(project-name)-macos-${tbb_version}-rcodesign-signed.tar.zst
 destdir=~/"$SIGNING_PROJECTNAME-$tbb_version-macos-signed"
 mkdir -p $destdir
 rm -f "$destdir/$output_file"
 
-sudo -u signing-macos -- /signing/tor-browser-build/tools/signing/wrappers/sign-rcodesign ~/"$SIGNING_PROJECTNAME-$tbb_version"/$(project-name)-macos-${tbb_version}.dmg "$Proj_Name"
-cp "/home/signing-macos/last-signed-$Proj_Name.tar.zst" "$destdir/$output_file"
+sudo -u signing-macos -- /signing/tor-browser-build/tools/signing/wrappers/sign-rcodesign ~/"$SIGNING_PROJECTNAME-$tbb_version"/$(project-name)-macos-${tbb_version}.dmg "$display_name"
+cp "/home/signing-macos/last-signed-$display_name.tar.zst" "$destdir/$output_file"
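Review bot: Nothing visible in this hunk checks the exit status of the `sudo -u signing-macos -- ... sign-rcodesign` call before the `cp` that publishes `last-signed-$display_name.tar.zst` as the signed output. The wrapper removes that file when it starts, but if `sudo` fails before the wrapper runs, a tarball left by an earlier run would be copied instead. Unless `set -e` is enabled in the part of the script outside the hunk, appending `|| exit 1` to the `sudo` line closes that gap. The `$destdir` in `mkdir -p $destdir` and the `$(project-name)` substitutions on the new `sudo` line are also unquoted.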


=====================================
tools/signing/rcodesign-notary-submit
=====================================
@@ -17,14 +17,14 @@ test -f "$appstoreconnect_api_key_path" || \
 tmpdir=$(mktemp -d -p /var/tmp)
 trap "rm -Rf $tmpdir" EXIT
 
-Proj_Name=$(Project_Name)
+display_name=$(display_name)
 
 tar -C "$tmpdir" -xf "$macos_rcodesign_signed_tar_dir/$(project-name)-macos-${tbb_version}-rcodesign-signed.tar.zst"
 
-"$script_dir/../local/rcodesign/rcodesign" notary-submit --api-key-path "$appstoreconnect_api_key_path" --staple "$tmpdir/$Proj_Name.app"
+"$script_dir/../local/rcodesign/rcodesign" notary-submit --api-key-path "$appstoreconnect_api_key_path" --staple "$tmpdir/$display_name.app"
 
 output_file="$(project-name)-${tbb_version}-notarized+stapled.tar.zst"
-tar -C "$tmpdir" -caf "$tmpdir/$output_file" "$Proj_Name.app"
+tar -C "$tmpdir" -caf "$tmpdir/$output_file" "$display_name.app"
 mkdir -p "$macos_stapled_dir"
 mv "$tmpdir/$output_file" "$macos_stapled_dir/$output_file"
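Review bot: After the `tar -xf` step nothing confirms that `$tmpdir/$display_name.app` exists before it is handed to `rcodesign notary-submit`. The bundle name inside the tarball is fixed when sign-rcodesign runs, so an archive produced under the old `Project_Name` naming, or an empty `display_name`, would only surface as an rcodesign or `tar -caf` error. A guard such as `test -d "$tmpdir/$display_name.app" || exit 1` right after the extraction would make that failure explicit. Separately, `trap "rm -Rf $tmpdir" EXIT` leaves the expanded path unquoted when the trap runs; `trap 'rm -Rf "$tmpdir"' EXIT` avoids word splitting. The script starts outside this hunk.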
 


=====================================
tools/signing/set-config
=====================================
@@ -23,6 +23,12 @@ export SIGNING_PROJECTNAME
 test -z "${rbm_not_available+x}" && rbm="$script_dir/../../rbm/rbm"
 
 . "$script_dir/set-config.tbb-version"
+
+test "$tbb_version_type" = 'release' \
+  || test "$tbb_version_type" = 'alpha' \
+  || test "$tbb_version_type" = 'nightly' \
+  || exit_error "Unknown tbb_version_type $tbb_version_type"
+
 . "$script_dir/set-config.hosts"
 
 signed_dir="$script_dir/../../$SIGNING_PROJECTNAME/$tbb_version_type/signed"
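Review bot: The new allow-list has no comment saying why it is needed, and the reason matters: `tbb_version_type` is passed to rbm as a `--target` in tools/signing/functions and is interpolated into paths such as `signed_dir` just below. I would add `# tbb_version_type is used as an rbm target and in file paths; accept only known channels` above the check. A `case "$tbb_version_type" in release|alpha|nightly) ;; *) exit_error "Unknown tbb_version_type $tbb_version_type" ;; esac` reads more directly than the chained `test ... ||`. Whether `exit_error` is already defined at this point in set-config is not visible in the hunk.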


=====================================
tools/signing/wrappers/sign-rcodesign
=====================================
@@ -11,9 +11,9 @@ function exit_error {
 
 test $# -eq 2 || exit_error "Wrong number of arguments"
 dmg_file="$1"
-Proj_Name="$2"
+display_name="$2"
 
-output_file="/home/signing-macos/last-signed-$Proj_Name.tar.zst"
+output_file="/home/signing-macos/last-signed-$display_name.tar.zst"
 rm -f "$output_file"
 
 rcodesign_signing_p12_file=/home/signing-macos/keys/key-1.p12
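Review bot: `display_name` is taken straight from `$2` and used to build `output_file`, which is then passed to `rm -f` and later written by `tar`, yet only the argument count is checked. linux-signer-rcodesign-sign invokes this wrapper through `sudo -u signing-macos`, so the argument crosses a privilege boundary and should be validated here rather than trusted. Rejecting empty values, leading dots and path separators right after the assignment, e.g. `case "$display_name" in ''|.*|*/*) exit_error "Invalid display name" ;; esac`, keeps `output_file` inside /home/signing-macos. It also stops the `chmod` and `tar -C` lines in the later hunks from resolving to `/.app/...` when the name is empty. The script continues outside this hunk.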
@@ -28,11 +28,11 @@ cd "$tmpdir"
 # https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/29815#note_2957050
 # FIXME: Maybe we should extract the .mar file instead of the .dmg to
 # preserve permissions
-chmod ugo+x "$Proj_Name/$Proj_Name.app/Contents/MacOS"/* \
-            "$Proj_Name/$Proj_Name.app/Contents/MacOS/updater.app/Contents/MacOS"/* \
-            "$Proj_Name/$Proj_Name.app/Contents/MacOS/plugin-container.app/Contents/MacOS"/*
-test -d "$Proj_Name/$Proj_Name.app/Contents/MacOS/Tor" && \
-  chmod -R ugo+x "$Proj_Name/$Proj_Name.app/Contents/MacOS/Tor"
+chmod ugo+x "$display_name/$display_name.app/Contents/MacOS"/* \
+            "$display_name/$display_name.app/Contents/MacOS/updater.app/Contents/MacOS"/* \
+            "$display_name/$display_name.app/Contents/MacOS/plugin-container.app/Contents/MacOS"/*
+test -d "$display_name/$display_name.app/Contents/MacOS/Tor" && \
+  chmod -R ugo+x "$display_name/$display_name.app/Contents/MacOS/Tor"
 
 pwdir=/run/lock/rcodesign-pw
 trap "rm -Rf $pwdir" EXIT
@@ -56,19 +56,19 @@ rcodesign_opts="
 echo '**** Signing updater.app ****'
 /signing/rcodesign/rcodesign sign \
   $rcodesign_opts \
-  --info-plist-path "$Proj_Name/$Proj_Name.app/Contents/MacOS/updater.app/Contents/Info.plist" \
+  --info-plist-path "$display_name/$display_name.app/Contents/MacOS/updater.app/Contents/Info.plist" \
   -- \
-  "$Proj_Name/$Proj_Name.app/Contents/MacOS/updater.app"
+  "$display_name/$display_name.app/Contents/MacOS/updater.app"
 echo '**** Signing plugin-container.app ****'
 /signing/rcodesign/rcodesign sign \
   $rcodesign_opts \
   --entitlements-xml-path /signing/tor-browser-build/tools/signing/${tbb_version_type}.entitlements.xml \
   -- \
-  "$Proj_Name/$Proj_Name.app/Contents/MacOS/plugin-container.app"
+  "$display_name/$display_name.app/Contents/MacOS/plugin-container.app"
 
 # Setting binary-identifier on some files, to avoid signature errors. See:
 # https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/29815#note_2956149
-pushd "$Proj_Name/$Proj_Name.app/Contents/MacOS/"
+pushd "$display_name/$display_name.app/Contents/MacOS/"
 for lib in *.dylib
 do
   binident=$(echo $lib | sed 's/\.dylib$//')
@@ -78,9 +78,9 @@ do
 done
 popd
 
-if test -d "$Proj_Name/$Proj_Name.app/Contents/MacOS/Tor/PluggableTransports/"
+if test -d "$display_name/$display_name.app/Contents/MacOS/Tor/PluggableTransports/"
 then
-  pushd "$Proj_Name/$Proj_Name.app/Contents/MacOS/Tor/PluggableTransports/"
+  pushd "$display_name/$display_name.app/Contents/MacOS/Tor/PluggableTransports/"
   for file in echo *
   do
     binident="--binary-identifier Contents/MacOS/Tor/PluggableTransports/$file:$file"
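Review bot: `for file in echo *` iterates over the literal word `echo` in addition to the glob matches, so one pass builds a `--binary-identifier` entry for a file named `echo` that presumably does not exist in PluggableTransports. The line is unchanged context, but the commit edits the surrounding block and leaves it in place; `for file in *` is the likely intent. The loop body continues outside the hunk, so how the stray entry is consumed is not visible here.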
@@ -90,17 +90,17 @@ then
   popd
 fi
 
-echo "**** Signing main bundle ($Proj_Name.app) ****"
+echo "**** Signing main bundle ($display_name.app) ****"
 # We use `--exclude '**'` to avoid re-signing nested bundles
 /signing/rcodesign/rcodesign sign \
   $rcodesign_opts \
   --entitlements-xml-path /signing/tor-browser-build/tools/signing/${tbb_version_type}.entitlements.xml \
   --exclude '**' \
   -- \
-  "$Proj_Name/$Proj_Name.app"
+  "$display_name/$display_name.app"
 
 rm -f "$pwdir/rcodesign-pw"
 rmdir "$pwdir"
-tar -C "$Proj_Name" -caf "$output_file" "$Proj_Name.app"
+tar -C "$display_name" -caf "$output_file" "$display_name.app"
 cd -
 rm -Rf "$tmpdir"



View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/commit/8a492802eb21a963937b3c045f0ea0bcf6a3d721
