Merge pull request #4601 from zen-browser/macos-signing-fix

.github/workflows/build.yml

@@ -54,6 +54,18 @@ jobs:
           echo "GITHUB_REPOSITORY_OWNER: ${{ github.repository_owner }}"
           echo "GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}"
 
+  buildid:
+    name: Generate build ID
+    runs-on: ubuntu-latest
+    outputs:
+      buildids: ${{ steps.get.outputs.bid }}
+    steps:
+      - id: get
+        shell: bash -xe {0}
+        run: |
+          bdat=`date +"%Y%m%d%I%M%S"`
+          echo "bid=${bdat}" >> $GITHUB_OUTPUT
+
   start-self-host:
     runs-on: ubuntu-latest
     needs: debug-inputs
@@ -294,7 +306,7 @@ jobs:
   windows-step-1:
     name: Windows build step 1 (PGO build)
     uses: ./.github/workflows/windows-release-build.yml
-    needs: [build-data]
+    needs: [build-data, buildid]
     permissions:
       contents: write
     secrets: inherit
@@ -303,6 +315,7 @@ jobs:
       generate-gpo: true
       profile-data-path-archive: zen-windows-profile-data-and-jarlog.zip
       release-branch: ${{ inputs.update_branch }}
+      MOZ_BUILD_DATE: ${{needs.buildid.outputs.buildids}}
 
   windows-step-2:
     name: Windows build step 2 (Generate profile data)
@@ -322,11 +335,12 @@ jobs:
     permissions:
       contents: write
     secrets: inherit
-    needs: [build-data, windows-step-2, start-self-host]
+    needs: [build-data, windows-step-2, start-self-host, buildid]
     with:
       build-version: ${{ needs.build-data.outputs.version }}
       generate-gpo: false
       release-branch: ${{ inputs.update_branch }}
+      MOZ_BUILD_DATE: ${{needs.buildid.outputs.buildids}}
 
   linux:
     name: Linux build
@@ -334,10 +348,11 @@ jobs:
     permissions:
       contents: write
     secrets: inherit
-    needs: [build-data, start-self-host]
+    needs: [build-data, start-self-host, buildid]
     with:
       build-version: ${{ needs.build-data.outputs.version }}
       release-branch: ${{ inputs.update_branch }}
+      MOZ_BUILD_DATE: ${{needs.buildid.outputs.buildids}}
 
   mac:
     name: macOS build
@@ -345,7 +360,19 @@ jobs:
     permissions:
       contents: write
     secrets: inherit
-    needs: [build-data]
+    needs: [build-data, buildid]
+    with:
+      build-version: ${{ needs.build-data.outputs.version }}
+      release-branch: ${{ inputs.update_branch }}
+      MOZ_BUILD_DATE: ${{needs.buildid.outputs.buildids}}
+
+  mac-uni:
+    name: macOS build (Universal)
+    uses: ./.github/workflows/macos-universal-release-build.yml
+    permissions:
+      contents: write
+    secrets: inherit
+    needs: [build-data, mac]
     with:
       build-version: ${{ needs.build-data.outputs.version }}
       release-branch: ${{ inputs.update_branch }}
@@ -453,7 +480,7 @@ jobs:
     if: ${{ inputs.create_release || inputs.update_branch == 'twilight' }}
     permissions: write-all
     name: Release
-    needs: [build-data, linux, windows-step-3, check-release, mac, appimage, source, lint, stop-self-hosted]
+    needs: [build-data, linux, windows-step-3, check-release, mac-uni, appimage, source, lint, stop-self-hosted]
     runs-on: ubuntu-latest
     environment:
       name: ${{ inputs.update_branch == 'release' && 'Deploy-Release' || 'Deploy-Twilight' }}
@@ -503,8 +530,7 @@ jobs:
             cp -a ../windows_update_manifest_arm64/.  updates/
           fi
 
-          cp -a ../macos_update_manifest_aarch64/.  updates/
-          cp -a ../macos_update_manifest_x86_64/.  updates/
+          cp -a ../macos_update_manifest/.  updates/
 
       - name: Commit
         uses: stefanzweifel/git-auto-commit-action@v5
@@ -533,12 +559,10 @@ jobs:
             linux-aarch64.mar
             windows.mar
             windows-arm64.mar
-            macos-x86_64.mar
-            macos-aarch64.mar
+            macos.mar
             zen.installer.exe
             zen.installer-arm64.exe
-            zen.macos-x86_64.dmg
-            zen.macos-aarch64.dmg
+            zen.macos-universal.dmg
           automatic_release_tag: 'twilight'
           title: 'Twilight build - ${{ needs.build-data.outputs.version }} (${{ needs.build-data.outputs.build_date }} at ${{ needs.build-data.outputs.build_time }})'
           draft: false
@@ -569,8 +593,7 @@ jobs:
             linux-aarch64.mar
             .github/workflows/object/windows-x64-signed-x86_64/windows.mar
             .github/workflows/object/windows-x64-signed-arm64/windows-arm64.mar
-            macos-x86_64.mar
-            macos-aarch64.mar
+            macos.mar
             .github/workflows/object/windows-x64-signed-x86_64/zen.installer.exe
             .github/workflows/object/windows-x64-signed-arm64/zen.installer-arm64.exe
             zen.macos-x86_64.dmg

.github/workflows/linux-release-build.yml

@@ -11,6 +11,10 @@ on:
         description: 'The branch to build'
         required: true
         type: string
+      MOZ_BUILD_DATE:
+        type: string
+        required: true
+        default: ""
 
 jobs:
   build-linux:
@@ -130,6 +134,9 @@ jobs:
         continue-on-error: true
         run: |
           export SURFER_PLATFORM="linux"
+          if [[ -n ${{ inputs.MOZ_BUILD_DATE }} ]];then
+            export MOZ_BUILD_DATE=${{ inputs.MOZ_BUILD_DATE }}
+          fi
           bash .github/workflows/src/release-build.sh
 
       - name: Package

.github/workflows/macos-release-build.yml

@@ -11,6 +11,10 @@ on:
         description: 'The branch to build'
         required: true
         type: string
+      MOZ_BUILD_DATE:
+        type: string
+        required: true
+        default: ""
 
 jobs:
   mac-build:
@@ -118,72 +122,47 @@ jobs:
           ZEN_RELEASE_BRANCH: ${{ inputs.release-branch }}
         run: |
           export SURFER_PLATFORM="darwin"
+          if [[ -n ${{ inputs.MOZ_BUILD_DATE }} ]];then
+            export MOZ_BUILD_DATE=${{ inputs.MOZ_BUILD_DATE }}
+          fi
           bash .github/workflows/src/release-build.sh
 
-      - name: Import APPLE DEVELOPER ID CERTIFICATE for .app
-        uses: Apple-Actions/import-codesign-certs@v3
-        with:
-          p12-file-base64: ${{ secrets.macOS_CERTIFICATES_P12_For_App_BASE64 }}
-          p12-password: ${{ secrets.macOS_CERTIFICATES_P12_PASSWORD }}
-
-      - name: Import provisioning profile for .app
-        run: |
-          echo "${{ secrets.macOS_PROVISIONING_PROFILE }}" | base64 --decode > ./engine/Zen_Browser.provisionprofile
-          ls -la
-
       - name: Package
         env:
           SURFER_COMPAT: ${{ matrix.arch }}
           ZEN_GA_DISABLE_PGO: true
-          MACOS_APPLE_ACCOUNT_ID: ${{ secrets.macOS_AppleAccountId }}
-          MACOS_APPLE_DEVELOPER_ID_TEAM_ID: ${{ secrets.macOS_AppleDeveloperIdTeamId }}
-          MACOS_APPLE_DEVELOPER_ID_PASSWORD: ${{ secrets.macOS_AppleDeveloperIdPassword }}
         run: |
           export SURFER_PLATFORM="darwin"
-          export MACOS_APPLE_DEVELOPER_ID="${{ secrets.macOS_AppleDeveloperId }}"
           export ZEN_RELEASE=1
           pnpm package
 
       - name: Rename artifacts
         run: |
-          mv ./dist/output.mar macos-${{ matrix.arch }}.mar
-
-      - name: Remove sensitive information
-        run: |
-          rm -f ./engine/Zen_Browser.provisionprofile
-
-      - name: Sign .dmg
-        run: |
+          echo "Tarballing DMG"
           set -ex
-          hdiutil convert ./dist/*.dmg -format UDZO -imagekey zlib-level=9 -o zen.macos-${{ matrix.arch }}.dmg
-          xattr -cr zen.macos-${{ matrix.arch }}.dmg
-          codesign -s "${{ secrets.macOS_AppleDeveloperId }}" zen.macos-${{ matrix.arch }}.dmg
-          xcrun notarytool submit "zen.macos-${{ matrix.arch }}.dmg" \
-            --apple-id "${{ secrets.macOS_AppleAccountId }}" \
-            --team-id "${{ secrets.macOS_AppleDeveloperIdTeamId }}" \
-            --password "${{ secrets.macOS_AppleDeveloperIdPassword }}" \
-            --no-s3-acceleration \
-            --verbose \
-            --wait
-          xcrun stapler staple "zen.macos-${{ matrix.arch }}.dmg"
+          mv ./dist/*.dmg ./zen-${{ matrix.arch }}-apple-darwin-dist.dmg
+          mv ./engine/obj-${{ matrix.arch }}-apple-darwin/dist/host/bin/mar ./zen-macos-host-mar
+          mv ./engine/obj-${{ matrix.arch }}-apple-darwin/dist/bin/platform.ini ./platform.ini
 
-      - name: Upload build artifact
+      - name: Upload dist dmg
         uses: actions/upload-artifact@v4
         with:
-          retention-days: 5
-          name: zen.macos-${{ matrix.arch }}.dmg
-          path: ./zen.macos-${{ matrix.arch }}.dmg
+          retention-days: 1
+          name: zen-${{ matrix.arch }}-apple-darwin-dist.dmg
+          path: ./zen-${{ matrix.arch }}-apple-darwin-dist.dmg
 
-      - name: Upload build artifact (.mar)
+      - name: Upload host mar
         uses: actions/upload-artifact@v4
+        if: matrix.arch == 'aarch64'
         with:
-          retention-days: 5
-          name: macos-${{ matrix.arch }}.mar
-          path: ./macos-${{ matrix.arch }}.mar
+          retention-days: 1
+          name: zen-macos-host-mar
+          path: ./zen-macos-host-mar
 
-      - name: Upload build artifact (update manifests)
+      - name: Upload platform.ini
         uses: actions/upload-artifact@v4
+        if: matrix.arch == 'x86_64'
         with:
-          retention-days: 5
-          name: macos_update_manifest_${{ matrix.arch }}
-          path: ./dist/update
+          retention-days: 1
+          name: platform.ini
+          path: ./platform.ini

.github/workflows/macos-universal-release-build.yml

@@ -0,0 +1,271 @@
+name: macOS Release Build
+
+on:
+  workflow_call:
+    inputs:
+      build-version:
+        description: 'The version to build'
+        required: true
+        type: string
+      release-branch:
+        description: 'The branch to build'
+        required: true
+        type: string
+
+jobs:
+  mac-build:
+    name: Unify macOS (Universal)
+    runs-on: 'macos-14'
+
+    strategy:
+      fail-fast: false
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          submodules: recursive
+          token: ${{ secrets.DEPLOY_KEY }}
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version-file: '.nvmrc'
+
+      - name: Setup Python
+        uses: actions/setup-python@v5
+        # note: This will use the version defined in '.python-version' by default
+
+      - name: Setup Git
+        run: |
+          git config --global user.email "mauro-balades@users.noreply.github.com"
+          git config --global user.name "mauro-balades"
+
+      - name: Install system dependencies
+        run: |
+          brew update
+          brew install cairo sccache gnu-tar mercurial
+          sudo pip install setuptools
+
+          brew uninstall --ignore-dependencies python3.12 -f
+
+          export PATH="$(python3 -m site --user-base)/bin":$PATH
+          python3 -m pip install --user mercurial
+
+          rm '/usr/local/bin/2to3-3.11' '/usr/local/bin/2to3-3.12' '/usr/local/bin/2to3'
+          rm '/usr/local/bin/idle3.11' '/usr/local/bin/idle3.12' '/usr/local/bin/idle3'
+          rm '/usr/local/bin/pydoc3.11' '/usr/local/bin/pydoc3.12' '/usr/local/bin/pydoc3'
+          rm '/usr/local/bin/python3.11' '/usr/local/bin/python3.12' '/usr/local/bin/python3'
+          rm '/usr/local/bin/python3.11-config' '/usr/local/bin/python3.12-config' '/usr/local/bin/python3-config'
+
+          brew install watchman
+
+          cargo install apple-codesign
+
+      - name: Force usage of gnu-tar
+        run: |
+          echo 'export PATH="/usr/local/opt/gnu-tar/libexec/gnubin:$PATH"' >> ~/.bash_profile
+          echo 'export PATH="/usr/local/opt/gnu-tar/libexec/gnubin:$PATH"' >> ~/.zsh
+          source ~/.bash_profile
+
+      - name: Setup pnpm
+        run: npm install -g pnpm
+
+      - name: Get pnpm store directory
+        id: pnpm-cache
+        shell: bash
+        run: |
+          echo "STORE_PATH=$(pnpm store path)" >> $GITHUB_OUTPUT
+
+      - name: Install dependencies
+        run: |
+          pnpm install
+
+      - name: Load surfer CI setup
+        run: pnpm surfer ci --brand ${{ inputs.release-branch }} --display-version ${{ inputs.build-version }}
+
+      - name: Download Firefox source and dependencies
+        run: pnpm surfer download
+
+      - name: Bootstrap
+        run: |
+          cd engine
+          export SURFER_PLATFORM="darwin"
+          export PATH="$(python3 -m site --user-base)/bin":$PATH
+          ./mach --no-interactive bootstrap --application-choice browser --no-system-changes
+          cd ..
+
+      - name: Import
+        run: pnpm surfer import
+
+      - name: Populate mozconfig
+        env:
+          SURFER_MOZCONFIG_ONLY: true
+        run: |
+              pnpm build
+              cd engine
+              ./mach configure
+
+      - name: Download x86_64 DMG from artifacts
+        uses: actions/download-artifact@v4
+        with:
+          name: zen-x86_64-apple-darwin-dist.dmg
+
+      - name: Download aarch64 DMG from artifacts
+        uses: actions/download-artifact@v4
+        with:
+          name: zen-aarch64-apple-darwin-dist.dmg
+
+      - name: Remove any existing .app folders
+        run: |
+          set -x
+          cd engine
+          rm -rf "./obj-x86_64-apple-darwin/" || true
+          rm -rf "./obj-aarch64-apple-darwin/" || true
+
+      - name: Extract .app from dmg
+        run: |
+          set -ex
+          cd engine
+          echo "Extracting x86_64 .app from dmg"
+          mkdir -p ./obj-x86_64-apple-darwin/dist
+          mkdir -p ./obj-aarch64-apple-darwin/dist
+          ./mach python -m mozbuild.action.unpack_dmg \
+            ../zen-x86_64-apple-darwin-dist.dmg \
+            ./obj-x86_64-apple-darwin/dist
+          echo "Extracting aarch64 .app from dmg"
+          ./mach python -m mozbuild.action.unpack_dmg \
+            ../zen-aarch64-apple-darwin-dist.dmg \
+            ./obj-aarch64-apple-darwin/dist
+
+      - name: Find first .app folder name
+        run: |
+          cd engine/obj-x86_64-apple-darwin/dist
+          export APP_NAME=$(basename "$(find . -maxdepth 1 -name "Zen *.app" -type d | head -n 1)" .app)
+          echo "APP_NAME=$APP_NAME" >> $GITHUB_ENV
+          echo "APP_NAME=$APP_NAME"
+
+      - name: List .app folders
+        run: |
+          ls engine/
+          echo "--------------------"
+          cd engine/obj-x86_64-apple-darwin/dist
+          find . -maxdepth 1 -name "*.app" -type d
+          cd ../..
+
+      - name: create .p12 for codesign 🖊️
+        run: |
+          cd engine
+          echo "${{ secrets.macOS_CERTIFICATES_P12_For_App_BASE64 }}" > cert.txt
+          base64 --decode -i cert.txt -o zenCert.p12
+          echo "${{ secrets.macOS_CERTIFICATES_P12_PASSWORD }}" > zenpCertPassword.passwd
+
+      - name: Remove certificate sensitive information
+        run: |
+          rm engine/cert.txt || true
+
+      - name: Import provisioning profile for .app
+        run: |
+          echo "${{ secrets.macOS_PROVISIONING_PROFILE }}" | base64 --decode > ./engine/Zen_Browser.provisionprofile
+          ls -la
+
+      - name: Unify architectures
+        run: |
+          cd engine
+          ./mach python "./toolkit/mozapps/installer/unify.py" "./obj-x86_64-apple-darwin/dist/${{ env.APP_NAME }}.app" "./obj-aarch64-apple-darwin/dist/${{ env.APP_NAME }}.app"
+          echo "Merged aaarch64 into x86_64!"
+
+      - name: Import APPLE DEVELOPER ID CERTIFICATE for .app
+        uses: Apple-Actions/import-codesign-certs@v3
+        with:
+          p12-file-base64: ${{ secrets.macOS_CERTIFICATES_P12_For_App_BASE64 }}
+          p12-password: ${{ secrets.macOS_CERTIFICATES_P12_PASSWORD }}
+
+      - name: Copy provisioning profile for .app (embedded in .app)
+        run: |
+          cd engine
+          echo "Copying provisioning profile for .app on both architectures (${{ env.APP_NAME }})"
+          cp ./Zen_Browser.provisionprofile "./embedded.provisionprofile"
+
+
+      - name: Sign .app
+        run: |
+          cd engine
+          # TODO: Change it to "production" once we figure out the issue with the webauth
+          ./mach macos-sign -v -r -c "release" -e "production-without-restricted" -a "./obj-x86_64-apple-darwin/dist/${{ env.APP_NAME }}.app" --rcodesign-p12-file zenCert.p12 --rcodesign-p12-password-file zenpCertPassword.passwd
+
+      - name: Create DMG
+        run: |
+          cd engine
+          ./mach python -m mozbuild.action.make_dmg \
+            --volume-name "${{ env.APP_NAME }}" \
+            --background ./browser/branding/${{ inputs.release-branch }}/background.png \
+            --icon ./browser/branding/${{ inputs.release-branch }}/firefox.icns \
+            --dsstore ./browser/branding/${{ inputs.release-branch }}/dsstore \
+            ./obj-x86_64-apple-darwin/dist/ ../zen-macOS-universal-temp.dmg
+
+      - name: Remove sensitive information
+        run: |
+          rm -f ./engine/Zen_Browser.provisionprofile
+
+      - name: Sign .dmg
+        run: |
+          set -ex
+          hdiutil convert zen-macOS-universal-temp.dmg -format UDZO -imagekey zlib-level=9 -o zen.macos-universal.dmg
+          codesign -s "${{ secrets.macOS_AppleDeveloperId }}" zen.macos-universal.dmg
+          xcrun notarytool submit "zen.macos-universal.dmg" \
+            --apple-id "${{ secrets.macOS_AppleAccountId }}" \
+            --team-id "${{ secrets.macOS_AppleDeveloperIdTeamId }}" \
+            --password "${{ secrets.macOS_AppleDeveloperIdPassword }}" \
+            --no-s3-acceleration \
+            --wait
+          xcrun stapler staple "zen.macos-universal.dmg"
+
+      - name: Download host mar
+        uses: actions/download-artifact@v4
+        with:
+          name: zen-macos-host-mar
+
+      - name: Upload build artifact
+        uses: actions/upload-artifact@v4
+        with:
+          retention-days: 5
+          name: zen.macos-universal.dmg
+          path: ./zen.macos-universal.dmg
+
+      - name: Download platform.ini
+        uses: actions/download-artifact@v4
+        with:
+          name: platform.ini
+
+      - name: Package for mar
+        env:
+          JUST_MAR: true
+        run: |
+          # we don't need it anymore
+          set -ex
+          rm -rf ./engine/obj-aarch64-apple-darwin
+          mkdir -p ./engine/obj-x86_64-apple-darwin/dist/bin
+          mv ./platform.ini ./engine/obj-x86_64-apple-darwin/dist/bin/platform.ini
+          export SURFER_PLATFORM="darwin"
+          export ZEN_RELEASE=1
+          # full path to zen-macos-host-mar
+          export MAR=$(pwd)/zen-macos-host-mar
+          chmod +x $MAR
+          echo "MAR=$MAR"
+          pnpm package --verbose
+          mv ./dist/output.mar ./macos.mar
+
+      - name: Upload build artifact (.mar)
+        uses: actions/upload-artifact@v4
+        with:
+          retention-days: 5
+          name: macos.mar
+          path: ./macos.mar
+
+      - name: Upload build artifact (update manifests)
+        uses: actions/upload-artifact@v4
+        with:
+          retention-days: 5
+          name: macos_update_manifest
+          path: ./dist/update

.github/workflows/windows-release-build.yml

@@ -18,6 +18,10 @@ on:
         description: 'The branch to build'
         required: true
         type: string
+      MOZ_BUILD_DATE:
+        type: string
+        required: true
+        default: ""
 
 jobs:
   windows-build:
@@ -216,6 +220,9 @@ jobs:
           if test ${{ inputs.generate-gpo }} = true; then
             export ZEN_GA_GENERATE_PROFILE=1
           fi
+          if [[ -n ${{ inputs.MOZ_BUILD_DATE }} ]];then
+            export MOZ_BUILD_DATE=${{ inputs.MOZ_BUILD_DATE }}
+          fi
           bash .github/workflows/src/release-build.sh
 
       - name: Package

.gitignore

@@ -9,3 +9,5 @@ dist/
 
 windsign-temp/
 venv/
+
+!firefox-cache/

build/codesign/browser.developer.entitlements.xml

@@ -1,39 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
-<!--
-     Entitlements to apply to the main browser process executable during
-     codesigning of production channel builds.
--->
-<plist version="1.0">
-  <dict>
-    <!-- Firefox needs to create executable pages (without MAP_JIT) -->
-    <key>com.apple.security.cs.allow-unsigned-executable-memory</key><true/>
-
-    <!-- Firefox needs to create executable pages with MAP_JIT on aarch64 -->
-    <key>com.apple.security.cs.allow-jit</key><true/>
-
-    <!-- Allow loading third party libraries. Needed for Flash and CDMs -->
-    <key>com.apple.security.cs.disable-library-validation</key><true/>
-
-    <!-- Firefox needs to access the microphone on sites the user allows -->
-    <key>com.apple.security.device.audio-input</key><true/>
-
-    <!-- Firefox needs to access the camera on sites the user allows -->
-    <key>com.apple.security.device.camera</key><true/>
-
-    <!-- Firefox needs to access the location on sites the user allows -->
-    <key>com.apple.security.personal-information.location</key><true/>
-
-    <!-- Allow Firefox to send Apple events to other applications. Needed
-         for native messaging webextension helper applications launched by
-         Firefox which rely on Apple Events to signal other processes. -->
-    <key>com.apple.security.automation.apple-events</key><true/>
-
-    <!-- For SmartCardServices(7) -->
-    <key>com.apple.security.smartcard</key><true/>
-
-    <!-- Required for com.apple.developer.web-browser.public-key-credential -->
-    <key>com.apple.application-identifier</key>
-    <string>H36NPCN86W.app.zen-browser.zen</string>
-  </dict>
-</plist>

build/codesign/codesign.bash

@@ -1,179 +0,0 @@
-#!/bin/bash
-#
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at https://mozilla.org/MPL/2.0/.
-#
-# Runs codesign commands to codesign a Firefox .app bundle and enable macOS
-# Hardened Runtime. Intended to be manually run by developers working on macOS
-# 10.14+ who want to enable Hardened Runtime for manual testing. This is
-# provided as a stop-gap until automated build tooling is available that signs
-# binaries with a certificate generated during builds (bug 1522409). This
-# script requires macOS 10.14 because Hardened Runtime is only available for
-# applications running on 10.14 despite support for the codesign "-o runtime"
-# option being available in 10.13.6 and newer.
-#
-# The script requires an identity string (-i option) from an Apple Developer
-# ID certificate. This can be found in the macOS KeyChain after configuring an
-# Apple Developer ID certificate.
-#
-# Example usage on macOS 10.14:
-#
-#   $ ./mach build
-#   $ ./mach build package
-#   $ open </PATH/TO/DMG/FILE.dmg>
-#   <Drag Nightly.app to ~>
-#   $ ./security/mac/hardenedruntime/codesign.bash \
-#         -a ~/Nightly.app \
-#         -i <MY-IDENTITY-STRING> \
-#         -b security/mac/hardenedruntime/browser.developer.entitlements.xml
-#         -p security/mac/hardenedruntime/plugin-container.developer.entitlements.xml
-#   $ open ~/Nightly.app
-#
-
-usage ()
-{
-  echo  "Usage: $0 "
-  echo  "    -a <PATH-TO-BROWSER.app>"
-  echo  "    -i <IDENTITY>"
-  echo  "    -b <ENTITLEMENTS-FILE>"
-  echo  "    -p <CHILD-ENTITLEMENTS-FILE>"
-  echo  "    [-o <OUTPUT-DMG-FILE>]"
-  exit -1
-}
-
-# Make sure we are running on macOS with the sw_vers command available.
-SWVERS=/usr/bin/sw_vers
-if [ ! -x ${SWVERS} ]; then
-    echo "ERROR: macOS 10.14 or later is required"
-    exit -1
-fi
-
-# Require macOS 10.14 or newer.
-#OSVERSION=`${SWVERS} -productVersion|sed -En 's/[0-9]+\.([0-9]+)\.[0-9]+/\1/p'`;
-#if [ ${OSVERSION} \< 14 ]; then
-#    echo "ERROR: macOS 10.14 or later is required"
-#    exit -1
-#fi
-
-while getopts "a:i:b:o:p:" opt; do
-  case ${opt} in
-    a ) BUNDLE=$OPTARG ;;
-    i ) IDENTITY=$OPTARG ;;
-    b ) BROWSER_ENTITLEMENTS_FILE=$OPTARG ;;
-    p ) PLUGINCONTAINER_ENTITLEMENTS_FILE=$OPTARG ;;
-    o ) OUTPUT_DMG_FILE=$OPTARG ;;
-    \? ) usage; exit -1 ;;
-  esac
-done
-
-if [ -z "${BUNDLE}" ] ||
-   [ -z "${IDENTITY}" ] ||
-   [ -z "${PLUGINCONTAINER_ENTITLEMENTS_FILE}" ] ||
-   [ -z "${BROWSER_ENTITLEMENTS_FILE}" ]; then
-    usage
-    exit -1
-fi
-
-if [ ! -d "${BUNDLE}" ]; then
-  echo "Invalid bundle. Bundle should be a .app directory"
-  usage
-  exit -1
-fi
-
-if [ ! -e "${PLUGINCONTAINER_ENTITLEMENTS_FILE}" ]; then
-  echo "Invalid entitlements file"
-  usage
-  exit -1
-fi
-
-if [ ! -e "${BROWSER_ENTITLEMENTS_FILE}" ]; then
-  echo "Invalid entitlements file"
-  usage
-  exit -1
-fi
-
-# DMG file output flag is optional
-if [ ! -z "${OUTPUT_DMG_FILE}" ] &&
-   [ -e "${OUTPUT_DMG_FILE}" ]; then
-  echo "Output dmg file ${OUTPUT_DMG_FILE} exists. Please delete it first."
-  usage
-  exit -1
-fi
-
-echo "-------------------------------------------------------------------------"
-echo "bundle:                              $BUNDLE"
-echo "identity:                            $IDENTITY"
-echo "browser entitlements file:           $BROWSER_ENTITLEMENTS_FILE"
-echo "plugin-container entitlements file:  $PLUGINCONTAINER_ENTITLEMENTS_FILE"
-echo "output dmg file (optional):          $OUTPUT_DMG_FILE"
-echo "-------------------------------------------------------------------------"
-
-set -x
-
-# move Zen_Browser.provisionprofile to the Contents directory
-#cp Zen_Browser.provisionprofile "${BUNDLE}"/Contents/embedded.provisionprofile
-
-# Clear extended attributes which cause codesign to fail
-xattr -cr "${BUNDLE}"
-
-# Sign these binaries first. Signing of some binaries has an ordering
-# requirement where other binaries must be signed first.
-codesign --force -o runtime --verbose --sign "$IDENTITY" \
-"${BUNDLE}/Contents/Library/LaunchServices/org.mozilla.updater" \
-"${BUNDLE}/Contents/MacOS/XUL" \
-"${BUNDLE}"/Contents/embedded.provisionprofile \
-"${BUNDLE}/Contents/MacOS/pingsender"
-
-# Sign every ${BUNDLE}/Contents/MacOS/*.dylib
-find "${BUNDLE}"/Contents/MacOS -type f -name "*.dylib" -exec \
-codesign --force --verbose --sign "$IDENTITY" {} \;
-
-find "${BUNDLE}"/Contents/MacOS -type f -name "*.dylib" -exec \
-codesign -vvv --strict --deep --verbose {} \;
-
-codesign --force -o runtime --verbose --sign "$IDENTITY" --deep \
-"${BUNDLE}"/Contents/MacOS/updater.app
-
-# Sign zen main executable
-codesign --force -o runtime --verbose --sign "$IDENTITY" --deep \
---entitlements ${BROWSER_ENTITLEMENTS_FILE} \
-"${BUNDLE}"/Contents/MacOS/zen
-
-# Sign Library/LaunchServices
-codesign --force -o runtime --verbose --sign "$IDENTITY" --deep \
-"${BUNDLE}"/Contents/Library/LaunchServices/org.mozilla.updater
-
-# Sign gmp-clearkey files
-find "${BUNDLE}"/Contents/Resources/gmp-clearkey -type f -exec \
-codesign --force -o runtime --verbose --sign "$IDENTITY" {} \;
-
-# Sign the main bundle
-codesign --force -o runtime --verbose --sign "$IDENTITY" \
---entitlements ${BROWSER_ENTITLEMENTS_FILE} "${BUNDLE}"
-
-# Sign the plugin-container bundle with deep
-codesign --force -o runtime --verbose --sign "$IDENTITY" --deep \
---entitlements ${PLUGINCONTAINER_ENTITLEMENTS_FILE} \
-"${BUNDLE}"/Contents/MacOS/plugin-container.app
-
-# Validate
-codesign -vvv --deep --strict "${BUNDLE}"
-
-# Create a DMG
-if [ ! -z "${OUTPUT_DMG_FILE}" ]; then
-  DISK_IMAGE_DIR=`mktemp -d`
-  TEMP_FILE=`mktemp`
-  TEMP_DMG=${TEMP_FILE}.dmg
-  NAME=`basename "${BUNDLE}"`
-
-  ditto "${BUNDLE}" "${DISK_IMAGE_DIR}/${NAME}"
-  hdiutil create -size 400m -fs HFS+ \
-    -volname Firefox -srcfolder "${DISK_IMAGE_DIR}" "${TEMP_DMG}"
-  hdiutil convert -format UDZO \
-    -o "${OUTPUT_DMG_FILE}" "${TEMP_DMG}"
-
-  rm ${TEMP_FILE}
-  rm ${TEMP_DMG}
-  rm -rf "${DISK_IMAGE_DIR}"
-fi

build/codesign/plugin-container.developer.entitlements.xml

@@ -1,32 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
-<!--
-     Entitlements to apply to the plugin-container.app bundle during
-     codesigning of production channel builds.
--->
-<plist version="1.0">
-  <dict>
-    <!-- Firefox needs to create executable pages (without MAP_JIT) -->
-    <key>com.apple.security.cs.allow-unsigned-executable-memory</key><true/>
-
-    <!-- Firefox needs to create executable pages with MAP_JIT on aarch64 -->
-    <key>com.apple.security.cs.allow-jit</key><true/>
-
-    <!-- Allow loading third party libraries. Needed for Flash and CDMs -->
-    <key>com.apple.security.cs.disable-library-validation</key><true/>
-
-    <!-- Firefox needs to access the microphone on sites the user allows -->
-    <key>com.apple.security.device.audio-input</key><true/>
-
-    <!-- Firefox needs to access the camera on sites the user allows -->
-    <key>com.apple.security.device.camera</key><true/>
-
-    <!-- Firefox needs to access the location on sites the user allows -->
-    <key>com.apple.security.personal-information.location</key><true/>
-
-    <!-- Allow Firefox to send Apple events to other applications. Needed
-         for native messaging webextension helper applications launched by
-         Firefox which rely on Apple Events to signal other processes. -->
-    <key>com.apple.security.automation.apple-events</key><true/>
-  </dict>
-</plist>

firefox-cache/l10n-last-commit-hash

@@ -0,0 +1 @@
+ffe2107fb72c9893f7500ddd8f490adb436d71c7

package.json

@@ -19,6 +19,7 @@
     "update-ff:raw": "surfer update",
     "update-newtab": "python3 scripts/update_newtab.py",
     "update-ff:rc": "python3 scripts/update_ff.py --rc",
+    "update-ff:l10n": "python3 scripts/update_ff.py --just-l10n",
     "pretty": "prettier . --write && autopep8 -r --in-place scripts/ src/",
     "lint": "npx prettier . --check && autopep8 --diff scripts/ src/",
     "prepare": "husky",
@@ -39,7 +40,7 @@
   },
   "homepage": "https://github.com/zen-browser/core#readme",
   "dependencies": {
-    "@zen-browser/surfer": "^1.9.8"
+    "@zen-browser/surfer": "^1.9.16"
   },
   "devDependencies": {
     "husky": "^9.1.7",

scripts/download-language-packs.sh

@@ -7,8 +7,13 @@ git config --global fetch.prune true
 
 cd $CURRENT_DIR
 
+LAST_FIREFOX_L10N_COMMIT=$(cat ./firefox-cache/l10n-last-commit-hash)
+
 cd ./l10n
+# clone only from LAST_FIREFOX_L10N_COMMIT
 git clone https://github.com/mozilla-l10n/firefox-l10n
+cd firefox-l10n
+git checkout $LAST_FIREFOX_L10N_COMMIT
 cd $CURRENT_DIR
 
 update_language() {

scripts/update_ff.py

@@ -56,6 +56,17 @@ def update_readme(last_version, new_version, is_rc=False):
   except FileNotFoundError as e:
     raise RuntimeError(f"README.md file not found: {e}")
 
+def update_l10n_last_commit_hash():
+  L10N_REPO = "https://github.com/mozilla-l10n/firefox-l10n"
+  try:
+    os.system(f"git clone {L10N_REPO} l10n-temp")
+    if not os.path.exists("firefox-cache"):
+      os.mkdir("firefox-cache")
+    with open("l10n-last-commit-hash", "w") as f:
+      os.system("cat l10n-temp/.git/refs/heads/main > firefox-cache/l10n-last-commit-hash")
+  except KeyboardInterrupt:
+    print("Exiting...")
+  shutil.rmtree("l10n-temp")
 
 def main():
   """Main function to update versions and README."""
@@ -63,15 +74,20 @@ def main():
   arg_parser = argparse.ArgumentParser()
   arg_parser.add_argument(
       "--rc", help="Indicates that this is a release candidate.", default=False, action="store_true")
+  arg_parser.add_argument(
+      "--just-l10n", help="Only update the l10n last commit hash.", default=False, action="store_true")
   args = arg_parser.parse_args()
 
   try:
-    last_version = get_version_from_file("surfer.json", args.rc)
-    update_ff(args.rc, last_version)
-    new_version = get_version_from_file("surfer.json", args.rc)
-    update_readme(last_version, new_version, args.rc)
-    print(
-        f"Updated version from {last_version} to {new_version} in README.md.")
+    if not args.just_l10n:
+      last_version = get_version_from_file("surfer.json", args.rc)
+      update_ff(args.rc, last_version)
+      new_version = get_version_from_file("surfer.json", args.rc)
+      update_readme(last_version, new_version, args.rc)
+      print(
+          f"Updated version from {last_version} to {new_version} in README.md.")
+    print("Updating l10n last commit hash.")
+    update_l10n_last_commit_hash()
   except Exception as e:
     print(f"An error occurred: {e}")
 

src/browser/base/content/ZenCustomizableUI.sys.mjs

@@ -126,7 +126,7 @@ export var ZenCustomizableUI = new (class {
     window.CustomizableUI.registerToolbarNode(window.document.getElementById('zen-sidebar-top-buttons'));
     window.CustomizableUI.registerToolbarNode(window.document.getElementById('zen-sidebar-icons-wrapper'));
     window.addEventListener(
-      'MozAfterPaint',
+      'DOMContentLoaded',
       () => {
         this._dispatchResizeEvent(window);
       },

src/security/mac/hardenedruntime/v2/production/firefox-browser-xml.patch

@@ -0,0 +1,13 @@
+diff --git a/security/mac/hardenedruntime/v2/production/firefox.browser.xml b/security/mac/hardenedruntime/v2/production/firefox.browser.xml
+index abbf33e9d2b3c9d1e0a34bd46e7cd289c435533b..4d988ca8201fa6aba6ca049e97d3cdc6b772b5eb 100644
+--- a/security/mac/hardenedruntime/v2/production/firefox.browser.xml
++++ b/security/mac/hardenedruntime/v2/production/firefox.browser.xml
+@@ -26,7 +26,7 @@
+ 
+     <!-- Required for com.apple.developer.web-browser.public-key-credential -->
+     <key>com.apple.application-identifier</key>
+-    <string>43AQ936H96.org.mozilla.firefox</string>
++    <string>H36NPCN86W.app.zen-browser.zen</string>
+ 
+     <!-- For platform passkey (webauthn) support -->
+     <key>com.apple.developer.web-browser.public-key-credential</key><true/>

src/tools/signing/macos/mach_commands-py.patch

@@ -0,0 +1,29 @@
+diff --git a/tools/signing/macos/mach_commands.py b/tools/signing/macos/mach_commands.py
+index a513ad723805459c194d27b42dac68e9babba468..be74acbfe16a4eb389bc7d0ba32820b82fe2819c 100644
+--- a/tools/signing/macos/mach_commands.py
++++ b/tools/signing/macos/mach_commands.py
+@@ -37,7 +37,6 @@ from mozbuild.base import MachCommandConditions as conditions
+     "Release channel entitlements, but the configuration used will be the "
+     "Release configuration as defined in the repo working directory, not the "
+     "configuration from the revision of the earlier 120 build.",
+-    conditions=[conditions.is_firefox],
+ )
+ @CommandArgument(
+     "-v",
+@@ -342,6 +341,7 @@ def macos_sign(
+     cs_reset_cmd = ["find", app, "-exec", "codesign", "--remove-signature", "{}", ";"]
+     run(command_context, cs_reset_cmd, capture_output=not verbose_arg)
+ 
++    run(command_context, ["mv", "./embedded.provisionprofile", os.path.join(app, "Contents")], capture_output=not verbose_arg)
+     if use_rcodesign_arg is True:
+         sign_with_rcodesign(
+             command_context,
+@@ -567,7 +567,7 @@ def sign_with_rcodesign(
+     # input path and its options are specified as standard arguments.
+     ctx.log(logging.INFO, "macos-sign", {}, "Signing with rcodesign")
+ 
+-    cs_cmd = ["rcodesign", "sign"]
++    cs_cmd = ["rcodesign", "sign", "--for-notarization"]
+     if p12_file_arg is not None:
+         cs_cmd.append("--p12-file")
+         cs_cmd.append(p12_file_arg)

surfer.json

@@ -53,4 +53,4 @@
     "licenseType": "MPL-2.0"
   },
   "updateHostname": "updates.zen-browser.app"
-}
+}