mirrors/desktop
1
0
Fork 0
mirror of https://github.com/zen-browser/desktop.git synced 2025-09-05 19:08:18 +00:00
Code Issues Packages Projects Releases Wiki Activity

chore: Sign .app bundle with Apple Developer ID certificate

Browse Source
This commit is contained in:
mauro-balades
2024-09-02 19:41:49 +02:00
parent 0fe51f1a73
commit 54395acd2a
5 changed files with 253 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

18
.github/workflows/macos-alpha-build.yml vendored
View File

@@ -121,6 +121,24 @@ jobs:
if: failure()
run: sh .github/workflows/src/alpha-build.sh
- name: import APPLE DEVELOPER ID CERTIFICATE for .app
uses: apple-actions/import-codesign-certs@v3
with:
p12-file-base64: ${{ secrets.macOS_CERTIFICATES_P12_For_App_BASE64 }}
p12-password: ${{ secrets.macOS_CERTIFICATES_P12_PASSWORD }}
- name: Sign to .app 🖋️
run: |
ls engine
ls engine/obj-${{ matrix.arch == 'x64' && 'x86_64' || 'aarch64' }}-apple-darwin
ls engine/obj-${{ matrix.arch == 'x64' && 'x86_64' || 'aarch64' }}-apple-darwin/dist
chmod +x ./build/codesign/codesign.bash
./build/codesign/sign.bash \
-a "./engine/obj-${{ matrix.arch == 'x64' && 'x86_64' || 'aarch64' }}-apple-darwin/dist/Zen Browser.app" \
-i "${{ secrets.macOS_AppleDeveloperId }}" \
-b "./build/codesign/browser.developer.entitlements.xml" \
-p "./build/codesign/plugin-container.developer.entitlements.xml"
- name: Package
env:
SURFER_COMPAT: ${{ matrix.arch == 'x64' }}

32
build/codesign/browser.developer.entitlements.xml Normal file
View File

@@ -0,0 +1,32 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<!--
Entitlements to apply to the main browser process executable during
codesigning of production channel builds.
-->
<plist version="1.0">
<dict>
<!-- Firefox needs to create executable pages (without MAP_JIT) -->
<key>com.apple.security.cs.allow-unsigned-executable-memory</key><true/>
<!-- Firefox needs to create executable pages with MAP_JIT on aarch64 -->
<key>com.apple.security.cs.allow-jit</key><true/>
<!-- Allow loading third party libraries. Needed for Flash and CDMs -->
<key>com.apple.security.cs.disable-library-validation</key><true/>
<!-- Firefox needs to access the microphone on sites the user allows -->
<key>com.apple.security.device.audio-input</key><true/>
<!-- Firefox needs to access the camera on sites the user allows -->
<key>com.apple.security.device.camera</key><true/>
<!-- Firefox needs to access the location on sites the user allows -->
<key>com.apple.security.personal-information.location</key><true/>
<!-- Allow Firefox to send Apple events to other applications. Needed
for native messaging webextension helper applications launched by
Firefox which rely on Apple Events to signal other processes. -->
<key>com.apple.security.automation.apple-events</key><true/>
</dict>
</plist>

32
build/codesign/plugin-container.developer.entitlements.xml Normal file
View File

@@ -0,0 +1,32 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<!--
Entitlements to apply to the plugin-container.app bundle during
codesigning of production channel builds.
-->
<plist version="1.0">
<dict>
<!-- Firefox needs to create executable pages (without MAP_JIT) -->
<key>com.apple.security.cs.allow-unsigned-executable-memory</key><true/>
<!-- Firefox needs to create executable pages with MAP_JIT on aarch64 -->
<key>com.apple.security.cs.allow-jit</key><true/>
<!-- Allow loading third party libraries. Needed for Flash and CDMs -->
<key>com.apple.security.cs.disable-library-validation</key><true/>
<!-- Firefox needs to access the microphone on sites the user allows -->
<key>com.apple.security.device.audio-input</key><true/>
<!-- Firefox needs to access the camera on sites the user allows -->
<key>com.apple.security.device.camera</key><true/>
<!-- Firefox needs to access the location on sites the user allows -->
<key>com.apple.security.personal-information.location</key><true/>
<!-- Allow Firefox to send Apple events to other applications. Needed
for native messaging webextension helper applications launched by
Firefox which rely on Apple Events to signal other processes. -->
<key>com.apple.security.automation.apple-events</key><true/>
</dict>
</plist>

171
build/codesign/sign.bash Normal file
View File

@@ -0,0 +1,171 @@
#!/bin/bash
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at https://mozilla.org/MPL/2.0/.
#
# Runs codesign commands to codesign a Firefox .app bundle and enable macOS
# Hardened Runtime. Intended to be manually run by developers working on macOS
# 10.14+ who want to enable Hardened Runtime for manual testing. This is
# provided as a stop-gap until automated build tooling is available that signs
# binaries with a certificate generated during builds (bug 1522409). This
# script requires macOS 10.14 because Hardened Runtime is only available for
# applications running on 10.14 despite support for the codesign "-o runtime"
# option being available in 10.13.6 and newer.
#
# The script requires an identity string (-i option) from an Apple Developer
# ID certificate. This can be found in the macOS KeyChain after configuring an
# Apple Developer ID certificate.
#
# Example usage on macOS 10.14:
#
# $ ./mach build
# $ ./mach build package
# $ open </PATH/TO/DMG/FILE.dmg>
# <Drag Nightly.app to ~>
# $ ./security/mac/hardenedruntime/codesign.bash \
# -a ~/Nightly.app \
# -i <MY-IDENTITY-STRING> \
# -b security/mac/hardenedruntime/browser.developer.entitlements.xml
# -p security/mac/hardenedruntime/plugin-container.developer.entitlements.xml
# $ open ~/Nightly.app
#
usage ()
{
echo "Usage: $0 "
echo " -a <PATH-TO-BROWSER.app>"
echo " -i <IDENTITY>"
echo " -b <ENTITLEMENTS-FILE>"
echo " -p <CHILD-ENTITLEMENTS-FILE>"
echo " [-o <OUTPUT-DMG-FILE>]"
exit -1
}
# Make sure we are running on macOS with the sw_vers command available.
SWVERS=/usr/bin/sw_vers
if [ ! -x ${SWVERS} ]; then
echo "ERROR: macOS 10.14 or later is required"
exit -1
fi
# Require macOS 10.14 or newer.
OSVERSION=`${SWVERS} -productVersion|sed -En 's/[0-9]+\.([0-9]+)\.[0-9]+/\1/p'`;
if [ ${OSVERSION} \< 14 ]; then
echo "ERROR: macOS 10.14 or later is required"
exit -1
fi
while getopts "a:i:b:o:p:" opt; do
case ${opt} in
a ) BUNDLE=$OPTARG ;;
i ) IDENTITY=$OPTARG ;;
b ) BROWSER_ENTITLEMENTS_FILE=$OPTARG ;;
p ) PLUGINCONTAINER_ENTITLEMENTS_FILE=$OPTARG ;;
o ) OUTPUT_DMG_FILE=$OPTARG ;;
\? ) usage; exit -1 ;;
esac
done
if [ -z "${BUNDLE}" ] ||
[ -z "${IDENTITY}" ] ||
[ -z "${PLUGINCONTAINER_ENTITLEMENTS_FILE}" ] ||
[ -z "${BROWSER_ENTITLEMENTS_FILE}" ]; then
usage
exit -1
fi
if [ ! -d "${BUNDLE}" ]; then
echo "Invalid bundle. Bundle should be a .app directory"
usage
exit -1
fi
if [ ! -e "${PLUGINCONTAINER_ENTITLEMENTS_FILE}" ]; then
echo "Invalid entitlements file"
usage
exit -1
fi
if [ ! -e "${BROWSER_ENTITLEMENTS_FILE}" ]; then
echo "Invalid entitlements file"
usage
exit -1
fi
# DMG file output flag is optional
if [ ! -z "${OUTPUT_DMG_FILE}" ] &&
[ -e "${OUTPUT_DMG_FILE}" ]; then
echo "Output dmg file ${OUTPUT_DMG_FILE} exists. Please delete it first."
usage
exit -1
fi
echo "-------------------------------------------------------------------------"
echo "bundle: $BUNDLE"
echo "identity: $IDENTITY"
echo "browser entitlements file: $BROWSER_ENTITLEMENTS_FILE"
echo "plugin-container entitlements file: $PLUGINCONTAINER_ENTITLEMENTS_FILE"
echo "output dmg file (optional): $OUTPUT_DMG_FILE"
echo "-------------------------------------------------------------------------"
# Clear extended attributes which cause codesign to fail
xattr -cr "${BUNDLE}"
# Sign these binaries first. Signing of some binaries has an ordering
# requirement where other binaries must be signed first.
codesign --force -o runtime --verbose --sign "$IDENTITY" \
"${BUNDLE}/Contents/Library/LaunchServices/org.mozilla.updater" \
"${BUNDLE}/Contents/MacOS/XUL" \
"${BUNDLE}/Contents/MacOS/pingsender" \
"${BUNDLE}/Contents/MacOS/minidump-analyzer" \
"${BUNDLE}/Contents/MacOS/*.dylib" \
codesign --force -o runtime --verbose --sign "$IDENTITY" --deep \
"${BUNDLE}"/Contents/MacOS/crashreporter.app
codesign --force -o runtime --verbose --sign "$IDENTITY" --deep \
"${BUNDLE}"/Contents/MacOS/updater.app
# Sign floorp main executable
codesign --force -o runtime --verbose --sign "$IDENTITY" --deep \
--entitlements ${BROWSER_ENTITLEMENTS_FILE} \
"${BUNDLE}"/Contents/MacOS/floorp
# Sign Library/LaunchServices
codesign --force -o runtime --verbose --sign "$IDENTITY" --deep \
"${BUNDLE}"/Contents/Library/LaunchServices/org.mozilla.updater
# Sign gmp-clearkey files
find "${BUNDLE}"/Contents/Resources/gmp-clearkey -type f -exec \
codesign --force -o runtime --verbose --sign "$IDENTITY" {} \;
# Sign the main bundle
codesign --force -o runtime --verbose --sign "$IDENTITY" \
--entitlements ${BROWSER_ENTITLEMENTS_FILE} "${BUNDLE}"
# Sign the plugin-container bundle with deep
codesign --force -o runtime --verbose --sign "$IDENTITY" --deep \
--entitlements ${PLUGINCONTAINER_ENTITLEMENTS_FILE} \
"${BUNDLE}"/Contents/MacOS/plugin-container.app
# Validate
codesign -vvv --deep --strict "${BUNDLE}"
# Create a DMG
if [ ! -z "${OUTPUT_DMG_FILE}" ]; then
DISK_IMAGE_DIR=`mktemp -d`
TEMP_FILE=`mktemp`
TEMP_DMG=${TEMP_FILE}.dmg
NAME=`basename "${BUNDLE}"`
ditto "${BUNDLE}" "${DISK_IMAGE_DIR}/${NAME}"
hdiutil create -size 400m -fs HFS+ \
-volname Firefox -srcfolder "${DISK_IMAGE_DIR}" "${TEMP_DMG}"
hdiutil convert -format UDZO \
-o "${OUTPUT_DMG_FILE}" "${TEMP_DMG}"
rm ${TEMP_FILE}
rm ${TEMP_DMG}
rm -rf "${DISK_IMAGE_DIR}"
fi

1
src/browser/app/profile/zen-browser.js
View File

@@ -114,7 +114,6 @@ pref('dom.private-attribution.submission.enabled', false);
pref('dom.security.https_only_mode', true);
pref('media.eme.enabled', true);
pref('webgl.disabled', false);
pref("app.update.url.manual", "https://www.zen-browser.app/download");
pref("app.update.url.details", "https://www.zen-browser.app/download");