Commit 7d25ba41 authored by boklm Committed by Richard Pospesel

Bug 40990: Remove old macos signing scripts

parent 38fc8374
+8 −80
@@ -8,19 +8,9 @@ NON_INTERACTIVE=1
steps_dir="$signed_version_dir.steps"
test -d "$steps_dir" || mkdir -p "$steps_dir"

if test -n "$use_rcodesign"
then
test -f "$steps_dir/linux-signer-rcodesign-sign.done" ||
  read -sp "Enter rcodesign passphrase for key-1: " RCODESIGN_PW
echo
else
  test -f "$steps_dir/macos-signer-gatekeeper-signing.done" ||
    read -sp "Enter macos keychain passphrase: " KEYCHAIN_PW
  echo
  test -f "$steps_dir/macos-signer-notarization.done" ||
    read -sp "Enter macos notarization passphrase: " NOTARIZATION_PW
  echo
fi
is_project torbrowser && nssdb=torbrowser-nssdb7
is_project mullvadbrowser && nssdb=mullvadbrowser-nssdb-1
test -f "$steps_dir/linux-signer-signmars.done" ||
@@ -67,52 +57,6 @@ function rcodesign-notary-submit {
  "$script_dir/rcodesign-notary-submit"
}

function macos-signer-directory-not-present {
  # To avoid doing two signings at the same time, or to avoid unknowingly
  # using parts from a previous signing attempt, we check that the
  # directory does not exist yet (see tor-browser-build#40497)
  if ssh "$ssh_host_macos_signer" "test -d $tbb_version"
  then
    echo "The directory $tbb_version already exists on $ssh_host_macos_signer"
    return 1
  fi
  return 0
}

function sync-scripts-to-macos-signer {
  "$script_dir/sync-scripts-to-macos-signer"
}

function macos-signer-enable-network-proxy-settings {
  ssh "$ssh_host_macos_signer" 'networksetup -setsecurewebproxystate Ethernet on'
}

function macos-signer-gatekeeper-signing {
  "$script_dir/sync-macos-local-to-macos-signer"
  ssh "$ssh_host_macos_signer" 'bash -s' << EOF
  export KEYCHAIN_PW=$KEYCHAIN_PW
  ~/signing-$SIGNING_PROJECTNAME-$tbb_version_type/macos-signer-gatekeeper-signing.$SIGNING_PROJECTNAME
EOF
  unset KEYCHAIN_PW
}

function macos-signer-notarization {
  ssh "$ssh_host_macos_signer" 'bash -s' << EOF
  export PW=$NOTARIZATION_PW
  ~/signing-$SIGNING_PROJECTNAME-$tbb_version_type/macos-signer-notarization.$SIGNING_PROJECTNAME
EOF
  unset NOTARIZATION_PW
}

function macos-signer-stapler {
  ssh "$ssh_host_macos_signer" "~/signing-$SIGNING_PROJECTNAME-$tbb_version_type/macos-signer-stapler.$SIGNING_PROJECTNAME"
  "$script_dir/sync-macos-signer-stapled-to-macos-local-stapled"
}

function macos-signer-disable-network-proxy-settings {
  ssh "$ssh_host_macos_signer" 'networksetup -setsecurewebproxystate Ethernet off'
}

function gatekeeper-bundling {
  "$script_dir/gatekeeper-bundling.sh"
}
@@ -212,10 +156,6 @@ function upload-update_responses-to-staticiforme {
  "$script_dir/upload-update_responses-to-staticiforme"
}

function finished-signing-clean-macos-signer {
  "$script_dir/finished-signing-clean-macos-signer"
}

function finished-signing-clean-linux-signer {
  "$script_dir/finished-signing-clean-linux-signer"
}
@@ -233,22 +173,11 @@ export SIGNING_PROJECTNAME

do_step wait-for-finished-build
do_step sync-builder-unsigned-to-local-signed
if test -n "$use_rcodesign";
then
do_step sync-scripts-to-linux-signer
do_step sync-before-linux-signer-rcodesign-sign
do_step linux-signer-rcodesign-sign
do_step sync-linux-signer-macos-signed-tar-to-local
do_step rcodesign-notary-submit
else
  do_step macos-signer-directory-not-present
  do_step sync-scripts-to-macos-signer
  do_step macos-signer-enable-network-proxy-settings
  do_step macos-signer-gatekeeper-signing
  do_step macos-signer-notarization
  do_step macos-signer-stapler
  do_step macos-signer-disable-network-proxy-settings
fi
do_step gatekeeper-bundling
do_step dmg2mar
do_step sync-scripts-to-linux-signer
@@ -272,5 +201,4 @@ do_step sync-local-to-staticiforme
do_step sync-scripts-to-staticiforme
do_step staticiforme-prepare-cdn-dist-upload
do_step upload-update_responses-to-staticiforme
do_step finished-signing-clean-macos-signer
do_step finished-signing-clean-linux-signer
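Review bot: The passphrase prompt kept in the first hunk calls `read -sp` without `-r` and with the default IFS, so a backslash or leading/trailing whitespace in the rcodesign passphrase is altered before it lands in RCODESIGN_PW and the signing step would presumably reject it. Reading it verbatim is a one-line change: `IFS= read -rsp "Enter rcodesign passphrase for key-1: " RCODESIGN_PW`. Separately, the removed `macos-signer-directory-not-present` step was the guard against reusing parts of an earlier signing attempt (tor-browser-build#40497), and no equivalent check for the linux-signer path is visible in these hunks. It may live in `sync-before-linux-signer-rcodesign-sign`, which is not shown, so it is worth confirming before the guard is dropped.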
+0 −14
#!/bin/bash

# Remove current tbb version from macos-signer. You should run this
# when all signing has been done.

set -e
script_dir=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
source "$script_dir/functions"

var_is_defined ssh_host_macos_signer tbb_version

ssh "$ssh_host_macos_signer" 'bash -s' << EOF
  test -n "$tbb_version" && rm -Rfv ~/"$SIGNING_PROJECTNAME-$tbb_version"
EOF
+1 −5
@@ -68,11 +68,7 @@ export PATH="$PATH:$tmpdir/libdmg-hfsplus:$tmpdir/hfsplus-tools"

cd $tmpdir/dmg

if test -n "$use_rcodesign"; then
tar -xf $macos_stapled_dir/"${proj_name}-${tbb_version}-notarized+stapled.tar.zst"
else
  unzip -q $macos_stapled_dir/tb-${tbb_version}_ALL-stapled.zip
fi

cd ..
$script_dir/ddmg.sh $macos_signed_dir/${proj_name}-macos-${tbb_version}.dmg $tmpdir/dmg/ "$Proj_Name"
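Review bot: The `tar -xf` line that remains once the `use_rcodesign` branch is dropped leaves `$macos_stapled_dir` unquoted, as do the neighbouring `cd $tmpdir/dmg` and the `ddmg.sh` arguments, so a path containing whitespace or glob characters would be split or expanded before the command sees it. Quoting the whole argument keeps the archive path as one word: `tar -xf "$macos_stapled_dir/${proj_name}-${tbb_version}-notarized+stapled.tar.zst"`. The script starts and ends outside this hunk, so whether `set -e` stops the run after a failed `cd` or `tar` cannot be confirmed from here.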
+0 −100
#!/bin/bash
set -e

script_dir=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
source "$script_dir/functions"
source "$script_dir/set-config.generated-config"

ENTITLEMENTS="$script_dir/$tbb_version_type.entitlements.xml"
app_name=$(Project_Name)

function check_signature() {
  LANG=$1
  UNZIP=$2
  local failed_open=0
  local failed_exec=0
  if [ ${UNZIP} -eq 1 ]
  then
    test -d test_${LANG} && rm -r test_${LANG}
    unzip -d test_${LANG} -q tb-${tbb_version}_$LANG.zip
    pushd test_${LANG}
  fi
  echo "Checking $LANG..."
  spctl -vvvv --assess --type open --context context:primary-signature "$app_name.app/"
  if [ $? -ne 3 ]; then
    echo tb-${tbb_version}_$LANG.zip not signed correctly. Failed open.
    failed_open=1
  fi
  spctl -vvvv --assess --type exec --context context:primary-signature "$app_name.app/"
  if [ $? -ne 0 ]; then
    echo tb-${tbb_version}_$LANG.zip not signed correctly. Failed exec.
    failed_exec=1
  fi
  if [ ${UNZIP} -eq 1 ]
  then
    popd
    rm -r test_${LANG}
  fi
  if [ ${failed_open} -ne 0 -o ${failed_exec} -ne 0 ]
  then
    return 1
  fi
}

cd ~/$SIGNING_PROJECTNAME-${tbb_version}

if test -n "$KEYCHAIN_PW"
then
  KPW="-p $KEYCHAIN_PW"
fi

security unlock $KPW /Users/torbrowser/Library/Keychains/tbb-signing-alpha.keychain
security unlock $KPW /Users/torbrowser/Library/Keychains/tbb-signing-2021.keychain

unset KPW KEYCHAIN_PW

for LANG in ALL
do
  if [ -f tb-${tbb_version}_${LANG}.zip ]
  then
    echo "Deleting tb-${tbb_version}_${LANG}.zip"
    rm tb-${tbb_version}_${LANG}.zip
  fi
  if [ -d "$app_name.app" ]
  then
    echo "Deleting $app_name.app"
    rm -r "$app_name.app"
  fi
  if [ -d "/Volumes/$app_name" ]; then
    echo "DMG already mounted. Please correct."
    exit 1
  fi
  hdiutil attach $(project-name)-macos-${tbb_version}.dmg
  cp -rf "/Volumes/$app_name/$app_name.app" "$app_name.app"
  echo "Signing ${app_name}_${LANG}.app"
  codesign -vvv --deep -o runtime --entitlements="$ENTITLEMENTS" --timestamp -f -s "Developer ID Application: The Tor Project, Inc (MADPSAYN6T)" "$app_name.app/"
  echo "codesign exit code: $?"
  set +e
  check_signature $LANG 0
  if [ $? -eq 1 ]
  then
    echo Signature verification failed.
    rm -r "$app_name.app"
    hdiutil detach "/Volumes/$app_name"
    exit 1
  fi
  set -e
  echo "Zipping up tb-${tbb_version}_${LANG}.zip"
  zip -qr tb-${tbb_version}_${LANG}.zip "$app_name.app"
  rm -rf "$app_name.app"
  hdiutil detach "/Volumes/$app_name"
  set +e
  check_signature $LANG 1
  if [ $? -eq 1 ]
  then
    echo "Signature verification failed (${LANG})".
    rm -r "$app_name.app"
    exit 1
  fi
  set -e
done
+0 −1
macos-signer-gatekeeper-signing
 No newline at end of file