Bug 41199: Duplicate wrappers/sign-rcodesign as wrappers/sign-rcodesign-128

In order to modify the `sign-rcodesign` wrapper for 128esr changes,
while keeping support for the 115esr branch, we duplicate the script.

After the last 115esr based release we should remove it:
 * copying `sign-rcodesign-128` to `sign-rcodesign`,
 * reverting this commit,
 * removing tools/signing/*.entitlements.xml,
 * and adding instructions in `machines-setup/setup-signing-machine` to
   remove `/etc/sudoers.d/sign-rcodesign-128`.

tools/signing/linux-signer-rcodesign-sign

@@ -19,5 +19,5 @@ destdir=~/"$SIGNING_PROJECTNAME-$tbb_version-macos-signed"
 mkdir -p $destdir
 rm -f "$destdir/$output_file"
 
-sudo -u signing-macos -- /signing/tor-browser-build/tools/signing/wrappers/sign-rcodesign ~/"$SIGNING_PROJECTNAME-$tbb_version"/$(project-name)-macos-${tbb_version}.dmg "$display_name"
+sudo -u signing-macos -- /signing/tor-browser-build/tools/signing/wrappers/sign-rcodesign-128 ~/"$SIGNING_PROJECTNAME-$tbb_version"/$(project-name)-macos-${tbb_version}.dmg "$display_name"
 cp "/home/signing-macos/last-signed-$display_name.tar.zst" "$destdir/$output_file"

tools/signing/machines-setup/setup-signing-machine

@@ -91,6 +91,7 @@ sudoers_file sign-mar
 sudoers_file sign-exe
 sudoers_file sign-apk
 sudoers_file sign-rcodesign
+sudoers_file sign-rcodesign-128
 sudoers_file set-date
 
 authorized_keys boklm boklm-tb-release.pub boklm-yk1.pub

tools/signing/machines-setup/sudoers.d/sign-rcodesign-128

+Defaults>signing-macos env_keep += "SIGNING_PROJECTNAME tbb_version_type RCODESIGN_PW"
+%signing ALL = (signing-macos) NOPASSWD: /signing/tor-browser-build/tools/signing/wrappers/sign-rcodesign-128

tools/signing/wrappers/sign-rcodesign-128

+#!/bin/bash
+set -e
+
+function exit_error {
+  for msg in "$@"
+  do
+    echo "$msg" >&2
+  done
+  exit 1
+}
+
+test $# -eq 2 || exit_error "Wrong number of arguments"
+dmg_file="$1"
+display_name="$2"
+
+output_file="/home/signing-macos/last-signed-$display_name.tar.zst"
+rm -f "$output_file"
+
+rcodesign_signing_p12_file=/home/signing-macos/keys/key-1.p12
+test -f "$rcodesign_signing_p12_file" || exit_error "$rcodesign_signing_p12_file is missing"
+
+tmpdir=$(mktemp -d)
+trap "rm -Rf $tmpdir" EXIT
+cd "$tmpdir"
+7z x "$dmg_file"
+
+# Fix permission on files:
+# https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/29815#note_2957050
+# FIXME: Maybe we should extract the .mar file instead of the .dmg to
+# preserve permissions
+chmod ugo+x "$display_name/$display_name.app/Contents/MacOS"/* \
+            "$display_name/$display_name.app/Contents/MacOS/updater.app/Contents/MacOS"/* \
+            "$display_name/$display_name.app/Contents/MacOS/plugin-container.app/Contents/MacOS"/*
+test -d "$display_name/$display_name.app/Contents/MacOS/Tor" && \
+  chmod -R ugo+x "$display_name/$display_name.app/Contents/MacOS/Tor"
+
+pwdir=/run/lock/rcodesign-pw
+trap "rm -Rf $pwdir" EXIT
+rm -Rf "$pwdir"
+mkdir "$pwdir"
+chmod 700 "$pwdir"
+cat > "$pwdir/rcodesign-pw-2" << EOF
+$RCODESIGN_PW
+EOF
+tr -d '\n' < "$pwdir/rcodesign-pw-2" > "$pwdir/rcodesign-pw"
+rm "$pwdir/rcodesign-pw-2"
+
+rcodesign_opts="
+  --code-signature-flags runtime
+  --timestamp-url http://timestamp.apple.com:8080/ts01
+  --p12-file $rcodesign_signing_p12_file
+  --p12-password-file $pwdir/rcodesign-pw
+  "
+
+# sign updater.app and plugin-container.app separately
+echo '**** Signing updater.app ****'
+/signing/rcodesign/rcodesign sign \
+  $rcodesign_opts \
+  --info-plist-path "$display_name/$display_name.app/Contents/MacOS/updater.app/Contents/Info.plist" \
+  -- \
+  "$display_name/$display_name.app/Contents/MacOS/updater.app"
+echo '**** Signing plugin-container.app ****'
+/signing/rcodesign/rcodesign sign \
+  $rcodesign_opts \
+  --entitlements-xml-path /signing/tor-browser-build/tools/signing/${tbb_version_type}.entitlements.xml \
+  -- \
+  "$display_name/$display_name.app/Contents/MacOS/plugin-container.app"
+
+# Setting binary-identifier on some files, to avoid signature errors. See:
+# https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/29815#note_2956149
+pushd "$display_name/$display_name.app/Contents/MacOS/"
+for lib in *.dylib
+do
+  binident=$(echo $lib | sed 's/\.dylib$//')
+  binident="--binary-identifier Contents/MacOS/$lib:$binident"
+  echo "Adding option $binident"
+  rcodesign_opts="$rcodesign_opts $binident"
+done
+popd
+
+if test -d "$display_name/$display_name.app/Contents/MacOS/Tor/PluggableTransports/"
+then
+  pushd "$display_name/$display_name.app/Contents/MacOS/Tor/PluggableTransports/"
+  for file in echo *
+  do
+    binident="--binary-identifier Contents/MacOS/Tor/PluggableTransports/$file:$file"
+    echo "Adding option $binident"
+    rcodesign_opts="$rcodesign_opts $binident"
+  done
+  popd
+fi
+
+echo "**** Signing main bundle ($display_name.app) ****"
+# We use `--exclude '**'` to avoid re-signing nested bundles
+/signing/rcodesign/rcodesign sign \
+  $rcodesign_opts \
+  --entitlements-xml-path /signing/tor-browser-build/tools/signing/${tbb_version_type}.entitlements.xml \
+  --exclude '**' \
+  -- \
+  "$display_name/$display_name.app"
+
+rm -f "$pwdir/rcodesign-pw"
+rmdir "$pwdir"
+tar -C "$display_name" -caf "$output_file" "$display_name.app"
+cd -
+rm -Rf "$tmpdir"