richard pushed to branch main at The Tor Project / Applications / tor-browser-build
Commits:
-
8a492802
by Richard Pospesel at 2024-02-26T15:45:39+00:00
6 changed files:
- projects/release/dmg2mar
- tools/signing/functions
- tools/signing/linux-signer-rcodesign-sign
- tools/signing/rcodesign-notary-submit
- tools/signing/set-config
- tools/signing/wrappers/sign-rcodesign
Changes:
| ... | ... | @@ -2,7 +2,7 @@ |
| 2 | 2 | [% c("var/set_default_env") -%]
|
| 3 | 3 | cd [% shell_quote(path(dest_dir)) %]/[% c("var/signed_status") %]/[% c("version") %]
|
| 4 | 4 | |
| 5 | -export TOR_APPNAME_BUNDLE_OSX='[% c("var/Project_Name") -%]'
|
|
| 5 | +export TOR_APPNAME_BUNDLE_OSX='[% c("var/display_name") -%]'
|
|
| 6 | 6 | export TOR_APPNAME_DMGFILE='[% c("var/project-name") -%]'
|
| 7 | 7 | export TOR_APPNAME_MARFILE='[% c("var/project-name") -%]'
|
| 8 | 8 | [% shell_quote(c("basedir")) %]/tools/dmg2mar [% c("var/mar_channel_id") %] |
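Review bot: The new `TOR_APPNAME_BUNDLE_OSX` line puts the template value between hand-written single quotes, while the `cd` and `dmg2mar` lines of the same hunk go through `shell_quote`. A display name is free text, and one containing an apostrophe would end the quoted string early in the generated script. Writing it as `export TOR_APPNAME_BUNDLE_OSX=[% shell_quote(c("var/display_name")) %]` keeps the quoting in one place. The two unchanged `TOR_APPNAME_*` lines below have the same shape.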
| ... | ... | @@ -39,7 +39,7 @@ function generate_config { |
| 39 | 39 | p1=$("$rbm" showconf browser var/project-name --target "$SIGNING_PROJECTNAME")
|
| 40 | 40 | p2=$("$rbm" showconf browser var/Project_Name --target "$SIGNING_PROJECTNAME")
|
| 41 | 41 | p3=$("$rbm" showconf browser var/ProjectName --target "$SIGNING_PROJECTNAME")
|
| 42 | - p4=$("$rbm" showconf browser var/display_name --target "$SIGNING_PROJECTNAME")
|
|
| 42 | + p4=$("$rbm" showconf browser var/display_name --target "$SIGNING_PROJECTNAME" --target "$tbb_version_type")
|
|
| 43 | 43 | echo 'rbm_not_available=1' > "$script_dir/set-config.generated-config"
|
| 44 | 44 | echo "SIGNING_PROJECTNAMES=(\"$p1\" \"$p2\" \"$p3\" \"$p4\")" >> "$script_dir/set-config.generated-config"
|
| 45 | 45 | }
|
| ... | ... | @@ -72,7 +72,7 @@ function display_name { |
| 72 | 72 | if test -n "${rbm_not_available+x}"; then
|
| 73 | 73 | echo "${SIGNING_PROJECTNAMES[3]}"
|
| 74 | 74 | else
|
| 75 | - "$rbm" showconf browser var/display_name --target "$SIGNING_PROJECTNAME"
|
|
| 75 | + "$rbm" showconf browser var/display_name --target "$SIGNING_PROJECTNAME" --target "$tbb_version_type"
|
|
| 76 | 76 | fi
|
| 77 | 77 | }
|
| 78 | 78 |
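Review bot: Neither rbm call that now passes `--target "$tbb_version_type"` checks what comes back: in `generate_config` a failed or empty lookup for `p4` is still written into `set-config.generated-config`, and `display_name` would print nothing. The signing scripts build paths such as `$display_name/$display_name.app` from this value, so an empty string turns them into paths rooted at `/`. A guard after the assignment, `test -n "$p4" || { echo 'display_name lookup failed' >&2; exit 1; }`, would stop that early. The generated line also embeds the values in plain double quotes and the file is presumably sourced later, so `printf 'SIGNING_PROJECTNAMES=(%q %q %q %q)\n' "$p1" "$p2" "$p3" "$p4"` would be the safer way to write it. Both functions begin outside their hunks.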
| ... | ... | @@ -13,11 +13,11 @@ if [ -z "$RCODESIGN_PW" ]; then |
| 13 | 13 | export RCODESIGN_PW
|
| 14 | 14 | fi
|
| 15 | 15 | |
| 16 | -Proj_Name=$(Project_Name)
|
|
| 16 | +display_name=$(display_name)
|
|
| 17 | 17 | output_file=$(project-name)-macos-${tbb_version}-rcodesign-signed.tar.zst
|
| 18 | 18 | destdir=~/"$SIGNING_PROJECTNAME-$tbb_version-macos-signed"
|
| 19 | 19 | mkdir -p $destdir
|
| 20 | 20 | rm -f "$destdir/$output_file"
|
| 21 | 21 | |
| 22 | -sudo -u signing-macos -- /signing/tor-browser-build/tools/signing/wrappers/sign-rcodesign ~/"$SIGNING_PROJECTNAME-$tbb_version"/$(project-name)-macos-${tbb_version}.dmg "$Proj_Name"
|
|
| 23 | -cp "/home/signing-macos/last-signed-$Proj_Name.tar.zst" "$destdir/$output_file" |
|
| 22 | +sudo -u signing-macos -- /signing/tor-browser-build/tools/signing/wrappers/sign-rcodesign ~/"$SIGNING_PROJECTNAME-$tbb_version"/$(project-name)-macos-${tbb_version}.dmg "$display_name"
|
|
| 23 | +cp "/home/signing-macos/last-signed-$display_name.tar.zst" "$destdir/$output_file" |
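Review bot: The `cp` on the last line of this hunk reads a fixed location, `/home/signing-macos/last-signed-$display_name.tar.zst`, without checking that the `sudo` call just before it succeeded. If sudo fails before the wrapper gets to remove the old file, an archive left by an earlier run would be copied to `$destdir` as if it were the fresh signature, unless a `set -e` outside the hunk already aborts the script. Making the dependency explicit, for example by ending the sudo line with `|| exit 1`, avoids shipping a stale artifact. The same line also leaves `$(project-name)` and `${tbb_version}` unquoted in the dmg path.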
| ... | ... | @@ -17,14 +17,14 @@ test -f "$appstoreconnect_api_key_path" || \ |
| 17 | 17 | tmpdir=$(mktemp -d -p /var/tmp)
|
| 18 | 18 | trap "rm -Rf $tmpdir" EXIT
|
| 19 | 19 | |
| 20 | -Proj_Name=$(Project_Name)
|
|
| 20 | +display_name=$(display_name)
|
|
| 21 | 21 | |
| 22 | 22 | tar -C "$tmpdir" -xf "$macos_rcodesign_signed_tar_dir/$(project-name)-macos-${tbb_version}-rcodesign-signed.tar.zst"
|
| 23 | 23 | |
| 24 | -"$script_dir/../local/rcodesign/rcodesign" notary-submit --api-key-path "$appstoreconnect_api_key_path" --staple "$tmpdir/$Proj_Name.app"
|
|
| 24 | +"$script_dir/../local/rcodesign/rcodesign" notary-submit --api-key-path "$appstoreconnect_api_key_path" --staple "$tmpdir/$display_name.app"
|
|
| 25 | 25 | |
| 26 | 26 | output_file="$(project-name)-${tbb_version}-notarized+stapled.tar.zst"
|
| 27 | -tar -C "$tmpdir" -caf "$tmpdir/$output_file" "$Proj_Name.app"
|
|
| 27 | +tar -C "$tmpdir" -caf "$tmpdir/$output_file" "$display_name.app"
|
|
| 28 | 28 | mkdir -p "$macos_stapled_dir"
|
| 29 | 29 | mv "$tmpdir/$output_file" "$macos_stapled_dir/$output_file"
|
| 30 | 30 |
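Review bot: Nothing checks that the extracted archive actually contains `$display_name.app` before `notary-submit --staple` runs on `$tmpdir/$display_name.app`. The name is now resolved per channel through rbm in this script, while the archive was produced by the signing wrapper from the name it was handed, so a mismatch would only surface as an rcodesign or tar error. A guard such as `test -d "$tmpdir/$display_name.app" || exit 1` right after the extraction would fail early with a clear cause. The script starts and continues outside the hunk.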
| ... | ... | @@ -23,6 +23,12 @@ export SIGNING_PROJECTNAME |
| 23 | 23 | test -z "${rbm_not_available+x}" && rbm="$script_dir/../../rbm/rbm"
|
| 24 | 24 | |
| 25 | 25 | . "$script_dir/set-config.tbb-version"
|
| 26 | + |
|
| 27 | +test "$tbb_version_type" = 'release' \
|
|
| 28 | + || test "$tbb_version_type" = 'alpha' \
|
|
| 29 | + || test "$tbb_version_type" = 'nightly' \
|
|
| 30 | + || exit_error "Unknown tbb_version_type $tbb_version_type"
|
|
| 31 | + |
|
| 26 | 32 | . "$script_dir/set-config.hosts"
|
| 27 | 33 | |
| 28 | 34 | signed_dir="$script_dir/../../$SIGNING_PROJECTNAME/$tbb_version_type/signed"
|
| ... | ... | @@ -11,9 +11,9 @@ function exit_error { |
| 11 | 11 | |
| 12 | 12 | test $# -eq 2 || exit_error "Wrong number of arguments"
|
| 13 | 13 | dmg_file="$1"
|
| 14 | -Proj_Name="$2"
|
|
| 14 | +display_name="$2"
|
|
| 15 | 15 | |
| 16 | -output_file="/home/signing-macos/last-signed-$Proj_Name.tar.zst"
|
|
| 16 | +output_file="/home/signing-macos/last-signed-$display_name.tar.zst"
|
|
| 17 | 17 | rm -f "$output_file"
|
| 18 | 18 | |
| 19 | 19 | rcodesign_signing_p12_file=/home/signing-macos/keys/key-1.p12
|
| ... | ... | @@ -28,11 +28,11 @@ cd "$tmpdir" |
| 28 | 28 | # https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/29815#note_2957050
|
| 29 | 29 | # FIXME: Maybe we should extract the .mar file instead of the .dmg to
|
| 30 | 30 | # preserve permissions
|
| 31 | -chmod ugo+x "$Proj_Name/$Proj_Name.app/Contents/MacOS"/* \
|
|
| 32 | - "$Proj_Name/$Proj_Name.app/Contents/MacOS/updater.app/Contents/MacOS"/* \
|
|
| 33 | - "$Proj_Name/$Proj_Name.app/Contents/MacOS/plugin-container.app/Contents/MacOS"/*
|
|
| 34 | -test -d "$Proj_Name/$Proj_Name.app/Contents/MacOS/Tor" && \
|
|
| 35 | - chmod -R ugo+x "$Proj_Name/$Proj_Name.app/Contents/MacOS/Tor"
|
|
| 31 | +chmod ugo+x "$display_name/$display_name.app/Contents/MacOS"/* \
|
|
| 32 | + "$display_name/$display_name.app/Contents/MacOS/updater.app/Contents/MacOS"/* \
|
|
| 33 | + "$display_name/$display_name.app/Contents/MacOS/plugin-container.app/Contents/MacOS"/*
|
|
| 34 | +test -d "$display_name/$display_name.app/Contents/MacOS/Tor" && \
|
|
| 35 | + chmod -R ugo+x "$display_name/$display_name.app/Contents/MacOS/Tor"
|
|
| 36 | 36 | |
| 37 | 37 | pwdir=/run/lock/rcodesign-pw
|
| 38 | 38 | trap "rm -Rf $pwdir" EXIT
|
| ... | ... | @@ -56,19 +56,19 @@ rcodesign_opts=" |
| 56 | 56 | echo '**** Signing updater.app ****'
|
| 57 | 57 | /signing/rcodesign/rcodesign sign \
|
| 58 | 58 | $rcodesign_opts \
|
| 59 | - --info-plist-path "$Proj_Name/$Proj_Name.app/Contents/MacOS/updater.app/Contents/Info.plist" \
|
|
| 59 | + --info-plist-path "$display_name/$display_name.app/Contents/MacOS/updater.app/Contents/Info.plist" \
|
|
| 60 | 60 | -- \
|
| 61 | - "$Proj_Name/$Proj_Name.app/Contents/MacOS/updater.app"
|
|
| 61 | + "$display_name/$display_name.app/Contents/MacOS/updater.app"
|
|
| 62 | 62 | echo '**** Signing plugin-container.app ****'
|
| 63 | 63 | /signing/rcodesign/rcodesign sign \
|
| 64 | 64 | $rcodesign_opts \
|
| 65 | 65 | --entitlements-xml-path /signing/tor-browser-build/tools/signing/${tbb_version_type}.entitlements.xml \
|
| 66 | 66 | -- \
|
| 67 | - "$Proj_Name/$Proj_Name.app/Contents/MacOS/plugin-container.app"
|
|
| 67 | + "$display_name/$display_name.app/Contents/MacOS/plugin-container.app"
|
|
| 68 | 68 | |
| 69 | 69 | # Setting binary-identifier on some files, to avoid signature errors. See:
|
| 70 | 70 | # https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/29815#note_2956149
|
| 71 | -pushd "$Proj_Name/$Proj_Name.app/Contents/MacOS/"
|
|
| 71 | +pushd "$display_name/$display_name.app/Contents/MacOS/"
|
|
| 72 | 72 | for lib in *.dylib
|
| 73 | 73 | do
|
| 74 | 74 | binident=$(echo $lib | sed 's/\.dylib$//')
|
| ... | ... | @@ -78,9 +78,9 @@ do |
| 78 | 78 | done
|
| 79 | 79 | popd
|
| 80 | 80 | |
| 81 | -if test -d "$Proj_Name/$Proj_Name.app/Contents/MacOS/Tor/PluggableTransports/"
|
|
| 81 | +if test -d "$display_name/$display_name.app/Contents/MacOS/Tor/PluggableTransports/"
|
|
| 82 | 82 | then
|
| 83 | - pushd "$Proj_Name/$Proj_Name.app/Contents/MacOS/Tor/PluggableTransports/"
|
|
| 83 | + pushd "$display_name/$display_name.app/Contents/MacOS/Tor/PluggableTransports/"
|
|
| 84 | 84 | for file in echo *
|
| 85 | 85 | do
|
| 86 | 86 | binident="--binary-identifier Contents/MacOS/Tor/PluggableTransports/$file:$file"
|
| ... | ... | @@ -90,17 +90,17 @@ then |
| 90 | 90 | popd
|
| 91 | 91 | fi
|
| 92 | 92 | |
| 93 | -echo "**** Signing main bundle ($Proj_Name.app) ****"
|
|
| 93 | +echo "**** Signing main bundle ($display_name.app) ****"
|
|
| 94 | 94 | # We use `--exclude '**'` to avoid re-signing nested bundles
|
| 95 | 95 | /signing/rcodesign/rcodesign sign \
|
| 96 | 96 | $rcodesign_opts \
|
| 97 | 97 | --entitlements-xml-path /signing/tor-browser-build/tools/signing/${tbb_version_type}.entitlements.xml \
|
| 98 | 98 | --exclude '**' \
|
| 99 | 99 | -- \
|
| 100 | - "$Proj_Name/$Proj_Name.app"
|
|
| 100 | + "$display_name/$display_name.app"
|
|
| 101 | 101 | |
| 102 | 102 | rm -f "$pwdir/rcodesign-pw"
|
| 103 | 103 | rmdir "$pwdir"
|
| 104 | -tar -C "$Proj_Name" -caf "$output_file" "$Proj_Name.app"
|
|
| 104 | +tar -C "$display_name" -caf "$output_file" "$display_name.app"
|
|
| 105 | 105 | cd -
|
| 106 | 106 | rm -Rf "$tmpdir" |
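Review bot: `display_name="$2"` is taken from the caller across the `sudo -u signing-macos` boundary and goes straight into `rm -f "$output_file"`, the `chmod -R` targets and the final `tar -caf` output path without any validation. Only the argument count is checked, so a value containing `/` or starting with `.` or `-` would make these commands operate outside the intended `last-signed-*.tar.zst` file and the unpacked bundle. Rejecting such values right after the assignment, e.g. `case "$display_name" in ''|*/*|.*|-*) exit_error "Invalid display name" ;; esac`, keeps the wrapper confined to what it is meant to sign. The script begins before and continues between the hunks shown here.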