From 9e88f80d13864331ce706db6a25b02adc494a0d9 Mon Sep 17 00:00:00 2001 From: mauro-balades Date: Wed, 4 Sep 2024 18:06:38 +0200 Subject: [PATCH] chore: Update codesigning script to sign the .app bundle with Apple Developer ID certificate --- .github/workflows/macos-alpha-build.yml | 12 +- build/codesign/sign.bash | 155 ------------------------ 2 files changed, 6 insertions(+), 161 deletions(-) delete mode 100644 build/codesign/sign.bash diff --git a/.github/workflows/macos-alpha-build.yml b/.github/workflows/macos-alpha-build.yml index cbc725c55..884eaeff3 100644 --- a/.github/workflows/macos-alpha-build.yml +++ b/.github/workflows/macos-alpha-build.yml @@ -132,12 +132,12 @@ jobs: ls engine ls engine/obj-${{ matrix.arch == 'x64' && 'x86_64' || 'aarch64' }}-apple-darwin ls engine/obj-${{ matrix.arch == 'x64' && 'x86_64' || 'aarch64' }}-apple-darwin/dist - chmod +x ./build/codesign/sign.bash - ./build/codesign/sign.bash \ - -a "./engine/obj-${{ matrix.arch == 'x64' && 'x86_64' || 'aarch64' }}-apple-darwin/dist/Zen Browser.app" \ - -i "${{ secrets.macOS_AppleDeveloperId }}" \ - -b "./build/codesign/browser.developer.entitlements.xml" \ - -p "./build/codesign/plugin-container.developer.entitlements.xml" + cd engine + ./mach macos-sign \ + --verbose \ + -a "./obj-${{ matrix.arch == 'x64' && 'x86_64' || 'aarch64' }}-apple-darwin/dist/Zen Browser.app" \ + -s "${{ secrets.macOS_AppleDeveloperId }}" \ + -e production - name: Package env: diff --git a/build/codesign/sign.bash b/build/codesign/sign.bash deleted file mode 100644 index 9319ddddb..000000000 --- a/build/codesign/sign.bash +++ /dev/null @@ -1,155 +0,0 @@ -#!/bin/bash -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at https://mozilla.org/MPL/2.0/. -# -# Runs codesign commands to codesign a Firefox .app bundle and enable macOS -# Hardened Runtime. Intended to be manually run by developers working on macOS -# 10.14+ who want to enable Hardened Runtime for manual testing. This is -# provided as a stop-gap until automated build tooling is available that signs -# binaries with a certificate generated during builds (bug 1522409). This -# script requires macOS 10.14 because Hardened Runtime is only available for -# applications running on 10.14 despite support for the codesign "-o runtime" -# option being available in 10.13.6 and newer. -# -# The script requires an identity string (-i option) from an Apple Developer -# ID certificate. This can be found in the macOS KeyChain after configuring an -# Apple Developer ID certificate. -# -# Example usage on macOS 10.14: -# -# $ ./mach build -# $ ./mach build package -# $ open -# -# $ ./security/mac/hardenedruntime/codesign.bash \ -# -a ~/Nightly.app \ -# -i \ -# -b security/mac/hardenedruntime/browser.developer.entitlements.xml -# -p security/mac/hardenedruntime/plugin-container.developer.entitlements.xml -# $ open ~/Nightly.app -# - -set -x - -usage () -{ - echo "Usage: $0 " - echo " -a " - echo " -i " - echo " -b " - echo " -p " - echo " [-o ]" - exit -1 -} - -# Make sure we are running on macOS with the sw_vers command available. -SWVERS=/usr/bin/sw_vers -if [ ! -x ${SWVERS} ]; then - echo "ERROR: macOS 10.14 or later is required" - exit -1 -fi - -# Require macOS 10.14 or newer. -OSVERSION=`${SWVERS} -productVersion|sed -En 's/[0-9]+\.([0-9]+)\.[0-9]+/\1/p'`; -if [ ${OSVERSION} \< 14 ]; then - echo "ERROR: macOS 10.14 or later is required" - exit -1 -fi - -while getopts "a:i:b:o:p:" opt; do - case ${opt} in - a ) BUNDLE=$OPTARG ;; - i ) IDENTITY=$OPTARG ;; - b ) BROWSER_ENTITLEMENTS_FILE=$OPTARG ;; - p ) PLUGINCONTAINER_ENTITLEMENTS_FILE=$OPTARG ;; - o ) OUTPUT_DMG_FILE=$OPTARG ;; - \? ) usage; exit -1 ;; - esac -done - -if [ -z "${BUNDLE}" ] || - [ -z "${IDENTITY}" ] || - [ -z "${PLUGINCONTAINER_ENTITLEMENTS_FILE}" ] || - [ -z "${BROWSER_ENTITLEMENTS_FILE}" ]; then - usage - exit -1 -fi - -if [ ! -d "${BUNDLE}" ]; then - echo "Invalid bundle. Bundle should be a .app directory" - usage - exit -1 -fi - -if [ ! -e "${PLUGINCONTAINER_ENTITLEMENTS_FILE}" ]; then - echo "Invalid entitlements file" - usage - exit -1 -fi - -if [ ! -e "${BROWSER_ENTITLEMENTS_FILE}" ]; then - echo "Invalid entitlements file" - usage - exit -1 -fi - -# DMG file output flag is optional -if [ ! -z "${OUTPUT_DMG_FILE}" ] && - [ -e "${OUTPUT_DMG_FILE}" ]; then - echo "Output dmg file ${OUTPUT_DMG_FILE} exists. Please delete it first." - usage - exit -1 -fi - -echo "-------------------------------------------------------------------------" -echo "bundle: $BUNDLE" -echo "identity: $IDENTITY" -echo "browser entitlements file: $BROWSER_ENTITLEMENTS_FILE" -echo "plugin-container entitlements file: $PLUGINCONTAINER_ENTITLEMENTS_FILE" -echo "output dmg file (optional): $OUTPUT_DMG_FILE" -echo "-------------------------------------------------------------------------" - -# Clear extended attributes which cause codesign to fail -xattr -cr "${BUNDLE}" - -# Sign these binaries first. Signing of some binaries has an ordering -# requirement where other binaries must be signed first. -codesign --force -o runtime --verbose --sign "$IDENTITY" \ -"${BUNDLE}/Contents/Library/LaunchServices/org.mozilla.updater" \ -"${BUNDLE}/Contents/MacOS/XUL" \ -"${BUNDLE}/Contents/MacOS/pingsender" \ -"${BUNDLE}/Contents/MacOS/minidump-analyzer" \ -"${BUNDLE}/Contents/MacOS/*.dylib" \ - -codesign --force -o runtime --verbose --sign "$IDENTITY" --deep \ -"${BUNDLE}"/Contents/MacOS/crashreporter.app - -codesign --force -o runtime --verbose --sign "$IDENTITY" --deep \ -"${BUNDLE}"/Contents/MacOS/updater.app - -# Sign zen main executable -codesign --force -o runtime --verbose --sign "$IDENTITY" --deep \ ---entitlements ${BROWSER_ENTITLEMENTS_FILE} \ -"${BUNDLE}"/Contents/MacOS/zen - -# Sign Library/LaunchServices -codesign --force -o runtime --verbose --sign "$IDENTITY" --deep \ -"${BUNDLE}"/Contents/Library/LaunchServices/org.mozilla.updater - -# Sign gmp-clearkey files -find "${BUNDLE}"/Contents/Resources/gmp-clearkey -type f -exec \ -codesign --force -o runtime --verbose --sign "$IDENTITY" {} \; - -# Sign the main bundle -codesign --force -o runtime --verbose --sign "$IDENTITY" \ ---entitlements ${BROWSER_ENTITLEMENTS_FILE} "${BUNDLE}" - -# Sign the plugin-container bundle with deep -codesign --force -o runtime --verbose --sign "$IDENTITY" --deep \ ---entitlements ${PLUGINCONTAINER_ENTITLEMENTS_FILE} \ -"${BUNDLE}"/Contents/MacOS/plugin-container.app - -# Validate -codesign -vvv --verbose=4 --deep "${BUNDLE}"