[tor-commits] [builders/tor-browser-build] 20/32: Bug 40414: Update macos-signer-gatekeeper-signing

gitolite role git at cupani.torproject.org
Wed Apr 20 09:38:57 UTC 2022


This is an automated email from the git hooks/post-receive script.

boklm pushed a commit to branch master
in repository builders/tor-browser-build.

commit fff6a80765402c239516539c88ea1dc8976cd21d
Author: Nicolas Vigier <boklm at torproject.org>
AuthorDate: Wed Mar 16 17:10:35 2022 +0100

    Bug 40414: Update macos-signer-gatekeeper-signing
    
    Update macos-signer-gatekeeper-signing to the version currently in use.
---
 tools/signing/macos-signer-gatekeeper-signing | 117 ++++++++++++++++++--------
 1 file changed, 83 insertions(+), 34 deletions(-)

diff --git a/tools/signing/macos-signer-gatekeeper-signing b/tools/signing/macos-signer-gatekeeper-signing
index 3f31f82..38e119e 100755
--- a/tools/signing/macos-signer-gatekeeper-signing
+++ b/tools/signing/macos-signer-gatekeeper-signing
@@ -1,34 +1,4 @@
-#!/bin/bash
-
-# Copyright (c) 2019, The Tor Project, Inc.
-#
-# Redistribution and use in source and binary forms, with or without
-# modification, are permitted provided that the following conditions are
-# met:
-
-#     * Redistributions of source code must retain the above copyright
-# notice, this list of conditions and the following disclaimer.
-#
-#     * Redistributions in binary form must reproduce the above
-# copyright notice, this list of conditions and the following disclaimer
-# in the documentation and/or other materials provided with the
-# distribution.
-#
-#     * Neither the names of the copyright owners nor the names of its
-# contributors may be used to endorse or promote products derived from
-# this software without specific prior written permission.
-#
-# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
-# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
-# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
-# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
-# OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
-# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
-# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
-# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
-# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+set -x
 
 TORBROWSER_VERSION=$1
 if [ -z "$TORBROWSER_VERSION" ];
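Review bot: The `#!/bin/bash` line is removed at the top of this hunk and nothing replaces it, although the file keeps mode 100755 and the code added in the next hunk relies on bash features (`function`, `local`, `pushd`, `popd`). Without a shebang, the interpreter depends on how the caller launches the script, so a signing run can behave differently from one operator's shell to another. Keep `#!/bin/bash` as the first line, ahead of `set -x`. If the tracing is meant as an audit log of the signing run, a short comment next to `set -x` saying so would stop a later cleanup from dropping it.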
@@ -36,16 +6,95 @@ then
   echo "Please call this script with a Tor Browser version!"
   exit 1
 fi
-ENTITLEMENTS=/path/to/stable.entitlements.xml
-BUNDLE_LOCALES="ar ca cs da de el en-US es-AR es-ES fa fr ga-IE he hu id is it ja ka ko mk nb-NO nl pl pt-BR ro ru sv-SE tr vi zh-CN zh-TW"
+ENTITLEMENTS=/Users/torbrowser/signing/alpha.entitlements.xml
+if [ -z "$BUNDLE_LOCALES" ];
+then
+  BUNDLE_LOCALES="ar ca cs da de el en-US es-AR es-ES fa fr ga-IE he hu id is it ja ka ko lt mk ms my nb-NO nl pl pt-BR ro ru sv-SE th tr vi zh-CN zh-TW"
+fi
+
+function check_signature() {
+  LANG=$1
+  TORBROWSER_VERSION=$2
+  UNZIP=$3
+  local failed_open=0
+  local failed_exec=0
+  if [ ${UNZIP} -eq 1 ]
+  then
+    test -d test_${LANG} && rm -r test_${LANG}
+    unzip -d test_${LANG} -q tb-${TORBROWSER_VERSION}_$LANG.zip
+    pushd test_${LANG}
+  fi
+  echo "Checking $LANG..."
+  spctl -vvvv --assess --type open --context context:primary-signature 'Tor Browser.app/'
+  if [ $? -ne 3 ]; then
+    echo tb-${TORBROWSER_VERSION}_$LANG.zip not signed correctly. Failed open.
+    failed_open=1
+  fi
+  spctl -vvvv --assess --type exec --context context:primary-signature 'Tor Browser.app/'
+  if [ $? -ne 0 ]; then
+    echo tb-${TORBROWSER_VERSION}_$LANG.zip not signed correctly. Failed exec.
+    failed_exec=1
+  fi
+  if [ ${UNZIP} -eq 1 ]
+  then
+    popd
+    rm -r test_${LANG}
+  fi
+  if [ ${failed_open} -ne 0 -o ${failed_exec} -ne 0 ]
+  then
+    return 1
+  fi
+}
+
 for LANG in $BUNDLE_LOCALES
 do
+  if [ -f tb-${TORBROWSER_VERSION}_${LANG}.zip ]
+  then
+    echo "Deleting tb-${TORBROWSER_VERSION}_${LANG}.zip"
+    rm tb-${TORBROWSER_VERSION}_${LANG}.zip
+  fi
+  if [ -d "Tor Browser.app" ]
+  then
+    echo "Deleting Tor Browser.app"
+    rm -r "Tor Browser.app"
+  fi
+  if [ -d '/Volumes/Tor Browser' ]; then
+    echo "DMG already mounted. Please correct."
+    exit 1
+  fi
   hdiutil attach TorBrowser-${TORBROWSER_VERSION}-osx64_$LANG.dmg
   cp -rf "/Volumes/Tor Browser/Tor Browser.app" "Tor Browser.app"
   echo "Signing Tor Browser_$LANG.app"
-  codesign -vvv --deep -o runtime --entitlements="$ENTITLEMENTS" --timestamp -f -s "$ID" "Tor Browser.app/"
+  codesign -vvv --deep -o runtime --entitlements="$ENTITLEMENTS" --timestamp -f -s "Developer ID Application: The Tor Project, Inc (MADPSAYN6T)" "Tor Browser.app/"
+  echo "codesign exit code: $?"
+  check_signature $LANG $TORBROWSER_VERSION 0
+  if [ $? -eq 1 ]
+  then
+    echo Signature verification failed.
+    rm -r "Tor Browser.app"
+    hdiutil detach "/Volumes/Tor Browser"
+    exit 1
+  fi
   echo "Zipping up"
   zip -qr tb-${TORBROWSER_VERSION}_${LANG}.zip "Tor Browser.app"
   rm -rf "Tor Browser.app"
   hdiutil detach "/Volumes/Tor Browser"
+  check_signature $LANG $TORBROWSER_VERSION 1
+  if [ $? -eq 1 ]
+  then
+    echo Signature verification failed.
+    rm -r "Tor Browser.app"
+  fi
 done
+#for LANG in $BUNDLE_LOCALES
+#do
+#  hdiutil attach TorBrowser-${TORBROWSER_VERSION}-osx64_$LANG.dmg
+#  cp -rf "/Volumes/Tor Browser/Tor Browser.app" "Tor Browser.app"
+#  echo "Signing Tor Browser_$LANG.app"
+#  codesign -vvv --deep -o runtime --entitlements="$ENTITLEMENTS" --timestamp -f -s "Developer ID Application: The Tor Project, Inc (MADPSAYN6T)" "Tor Browser.app/"
+#  #codesign -vvv --deep -o runtime --entitlements="$ENTITLEMENTS" --timestamp=none -f -s "Developer ID Application: The Tor Project, Inc (MADPSAYN6T)" "Tor Browser.app/"
+#  echo "Zipping up"
+#  zip -qr tb-${TORBROWSER_VERSION}_${LANG}.zip "Tor Browser.app"
+#  rm -rf "Tor Browser.app"
+#  hdiutil detach "/Volumes/Tor Browser"
+#done
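Review bot: When the second call, `check_signature $LANG $TORBROWSER_VERSION 1`, fails, the branch only prints a message and runs `rm -r "Tor Browser.app"`, a directory already removed by the earlier `rm -rf`. The zip that failed Gatekeeper assessment therefore stays on disk, the loop moves on to the next locale, and a failure for any locale but the last is not reflected in the exit status. That branch should discard the artifact and stop: `rm -f "tb-${TORBROWSER_VERSION}_${LANG}.zip"` followed by `exit 1`. The `codesign` status is likewise only echoed; `codesign … || exit 1` would fail closed instead of relying on the later `spctl` checks alone. Inside `check_signature`, `LANG`, `TORBROWSER_VERSION` and `UNZIP` are assigned as globals; declaring them `local` under a name other than `LANG` would avoid overwriting the locale variable that child processes may inherit.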
