Bug 29815: Set up signing machines for rcodesign

tools/.gitignore

 _repackaged
 .changelogs_token
+local

tools/signing/machines-setup/setup-signing-machine

@@ -84,11 +84,13 @@ create_user signing-gpg
 create_user signing-mar
 create_user signing-win yubihsm
 create_user signing-apk signing
+create_user signing-macos signing
 
 sudoers_file sign-gpg
 sudoers_file sign-mar
 sudoers_file sign-exe
 sudoers_file sign-apk
+sudoers_file sign-rcodesign
 
 authorized_keys boklm boklm-tb-release.pub boklm-yk1.pub
 create_user richard signing
@@ -115,6 +117,9 @@ install_packages cmake libusb-1.0-0-dev libedit-dev gengetopt libpcsclite-dev he
 # Install deps for android/apk signing
 install_packages unzip openjdk-11-jdk-headless openjdk-11-jre-headless
 
+# Install deps for macos-rcodesign signing
+install_packages p7zip-full zstd
+
 # Build and install yubihsm-pkcs11 package
 create_user build-pkgs
 if ! dpkg-query -s yubihsm-pkcs11 2> /dev/null | grep -q '^Status: .* installed'; then
@@ -146,3 +151,11 @@ for rel in release alpha; do
     chmod 700 "$keypath"
   fi
 done
+
+# Setup for macos signing with rcodesign
+/signing/tor-browser-build/tools/signing/setup-rcodesign /signing
+# `rcodesign sign` requires access to timestamp.apple.com. We do that
+# by redirecting a local port with `ssh -R`. See tor-browser-build#29815.
+if ! grep -q 'timestamp\.apple\.com' /etc/hosts; then
+  echo '127.0.0.1 timestamp.apple.com' >> /etc/hosts
+fi

tools/signing/machines-setup/sudoers.d/sign-rcodesign

+Defaults>signing-macos env_keep += "SIGNING_PROJECTNAME tbb_version_type RCODESIGN_PW"
+%signing ALL = (signing-macos) NOPASSWD: /signing/tor-browser-build/tools/signing/wrappers/sign-rcodesign

tools/signing/machines-setup/upload-tbb-to-signing-machine

@@ -4,6 +4,7 @@
 set -e
 
 script_dir=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
+source ../set-config.rcodesign
 
 cd "$script_dir/../../.."
 tmpdir=$(mktemp -d)
@@ -69,6 +70,10 @@ ssh "$setup_user@$signing_machine" mkdir -p $signing_dir/android-build-tools
 ssh "$setup_user@$signing_machine" unzip -qo -d $signing_dir/android-build-tools "$signing_dir/$android_build_tools_filename"
 ssh "$setup_user@$signing_machine" chmod -R o+rX "$signing_dir/$android_build_tools_filename"
 
+echo "Uploading $rcodesign_filename"
+tools/signing/setup-rcodesign
+rsync -v "tools/local/$rcodesign_filename" "$setup_user@$signing_machine:$signing_dir/$rcodesign_filename"
+
 echo "Uploading tor-browser-build.tar to $signing_machine"
 scp -p "$tbbtar" "$setup_user@$signing_machine:$signing_dir/"
 echo "Extracting tor-browser-build.tar on $signing_machine"

tools/signing/set-config.rcodesign

+rcodesign_version=0.22.0-bc8cc7
+rcodesign_filename=rcodesign-${rcodesign_version}.tar.gz
+rcodesign_sha256sum=2a9eda016fff116c59f52b358e7a740f6fb5c039974f0acc8266c3605d24092a
+rcodesign_url="https://build-sources.tbb.torproject.org/${rcodesign_filename}"

tools/signing/setup-rcodesign

+#!/bin/bash
+
+# usage: setup-rcodesign <localdir>
+#
+# Where <localdir> is an optional argument (default is directory `local`
+# in the tor-browser-build/tools directory), where we download the
+# rcodesign tarball and create an rcodesign directory.
+
+set -e
+script_dir=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
+source "$script_dir/set-config.rcodesign"
+
+localdir="$script_dir/../local"
+test $# -eq 1 && localdir="$1"
+rcodesign_path="$localdir/$rcodesign_filename"
+
+function download_rcodesign {
+  test -f "$rcodesign_path" && return 0
+  local tmpdir=$(mktemp -d)
+  mkdir -p "$localdir"
+  wget -O "$tmpdir/$rcodesign_filename" "$rcodesign_url"
+  if ! sha256sum "$tmpdir/$rcodesign_filename" | grep -q "^$rcodesign_sha256sum  $tmpdir/$rcodesign_filename\$"
+  then
+    echo "Error checking sha256sum of $tmpdir/$rcodesign_filename" >&2
+    exit 1
+  fi
+  mv -f "$tmpdir/$rcodesign_filename" "$rcodesign_path"
+  rmdir "$tmpdir"
+}
+
+function setup_rcodesign {
+  local rcodesign_dir="$localdir/rcodesign-$rcodesign_version"
+  test -d $rcodesign_dir && return 0
+  local tmpdir=$(mktemp -d)
+  tar -C "$tmpdir" -xf "$rcodesign_path"
+  mv "$tmpdir/rcodesign" "$rcodesign_dir"
+  chmod -R go+rX "$rcodesign_dir"
+  rm -f "$localdir/rcodesign"
+  ln -s "rcodesign-$rcodesign_version" "$localdir/rcodesign"
+}
+
+download_rcodesign
+setup_rcodesign

tools/signing/wrappers/sign-rcodesign

+#!/bin/bash
+set -e
+
+function exit_error {
+  for msg in "$@"
+  do
+    echo "$msg" >&2
+  done
+  exit 1
+}
+
+test $# -eq 2 || exit_error "Wrong number of arguments"
+dmg_file="$1"
+Proj_Name="$2"
+
+output_file="/home/signing-macos/last-signed-$Proj_Name.tar.zst"
+rm -f "$output_file"
+
+rcodesign_signing_p12_file=/home/signing-macos/keys/key-1.p12
+test -f "$rcodesign_signing_p12_file" || exit_error "$rcodesign_signing_p12_file is missing"
+
+tmpdir=$(mktemp -d)
+trap "rm -Rf $tmpdir" EXIT
+cd "$tmpdir"
+7z x "$dmg_file"
+
+# Fix permission on files:
+# https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/29815#note_2957050
+# FIXME: Maybe we should extract the .mar file instead of the .dmg to
+# preserve permissions
+chmod ugo+x "$Proj_Name/$Proj_Name.app/Contents/MacOS"/* \
+            "$Proj_Name/$Proj_Name.app/Contents/MacOS/updater.app/Contents/MacOS"/* \
+            "$Proj_Name/$Proj_Name.app/Contents/MacOS/plugin-container.app/Contents/MacOS"/*
+test -d "$Proj_Name/$Proj_Name.app/Contents/MacOS/Tor" && \
+  chmod -R ugo+x "$Proj_Name/$Proj_Name.app/Contents/MacOS/Tor"
+
+pwdir=/run/lock/rcodesign-pw
+trap "rm -Rf $pwdir" EXIT
+rm -Rf "$pwdir"
+mkdir "$pwdir"
+chmod 700 "$pwdir"
+cat > "$pwdir/rcodesign-pw-2" << EOF
+$RCODESIGN_PW
+EOF
+tr -d '\n' < "$pwdir/rcodesign-pw-2" > "$pwdir/rcodesign-pw"
+rm "$pwdir/rcodesign-pw-2"
+
+rcodesign_opts="
+  --code-signature-flags runtime
+  --timestamp-url http://timestamp.apple.com:8080/ts01
+  --p12-file $rcodesign_signing_p12_file
+  --p12-password-file $pwdir/rcodesign-pw
+  "
+
+# sign updater.app and plugin-container.app separately
+echo '**** Signing updater.app ****'
+/signing/rcodesign/rcodesign sign \
+  $rcodesign_opts \
+  --info-plist-path "$Proj_Name/$Proj_Name.app/Contents/MacOS/updater.app/Contents/Info.plist" \
+  -- \
+  "$Proj_Name/$Proj_Name.app/Contents/MacOS/updater.app"
+echo '**** Signing plugin-container.app ****'
+/signing/rcodesign/rcodesign sign \
+  $rcodesign_opts \
+  --entitlements-xml-path /signing/tor-browser-build/tools/signing/${tbb_version_type}.entitlements.xml \
+  -- \
+  "$Proj_Name/$Proj_Name.app/Contents/MacOS/plugin-container.app"
+
+# Setting binary-identifier on some files, to avoid signature errors. See:
+# https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/29815#note_2956149
+pushd "$Proj_Name/$Proj_Name.app/Contents/MacOS/"
+for lib in *.dylib
+do
+  binident=$(echo $lib | sed 's/\.dylib$//')
+  binident="--binary-identifier Contents/MacOS/$lib:$binident"
+  echo "Adding option $binident"
+  rcodesign_opts="$rcodesign_opts $binident"
+done
+popd
+
+if test -d "$Proj_Name/$Proj_Name.app/Contents/MacOS/Tor/PluggableTransports/"
+then
+  pushd "$Proj_Name/$Proj_Name.app/Contents/MacOS/Tor/PluggableTransports/"
+  for file in echo *
+  do
+    binident="--binary-identifier Contents/MacOS/Tor/PluggableTransports/$file:$file"
+    echo "Adding option $binident"
+    rcodesign_opts="$rcodesign_opts $binident"
+  done
+  popd
+fi
+
+echo "**** Signing main bundle ($Proj_Name.app) ****"
+# We use `--exclude '**'` to avoid re-signing nested bundles
+/signing/rcodesign/rcodesign sign \
+  $rcodesign_opts \
+  --entitlements-xml-path /signing/tor-browser-build/tools/signing/${tbb_version_type}.entitlements.xml \
+  --exclude '**' \
+  -- \
+  "$Proj_Name/$Proj_Name.app"
+
+rm -f "$pwdir/rcodesign-pw"
+rmdir "$pwdir"
+tar -C "$Proj_Name" -caf "$output_file" "$Proj_Name.app"
+cd -
+rm -Rf "$tmpdir"