Bug 29815: Update signing scripts for rcodesign

tools/signing/do-all-signing

@@ -8,12 +8,19 @@ NON_INTERACTIVE=1
 steps_dir="$signed_version_dir.steps"
 test -d "$steps_dir" || mkdir -p "$steps_dir"
 
+if test -n "$use_rcodesign"
+then
+  test -f "$steps_dir/linux-signer-rcodesign-sign.done" ||
+    read -sp "Enter rcodesign passphrase for key-1: " RCODESIGN_PW
+  echo
+else
   test -f "$steps_dir/macos-signer-gatekeeper-signing.done" ||
     read -sp "Enter macos keychain passphrase: " KEYCHAIN_PW
   echo
   test -f "$steps_dir/macos-signer-notarization.done" ||
     read -sp "Enter macos notarization passphrase: " NOTARIZATION_PW
   echo
+fi
 is_project torbrowser && nssdb=torbrowser-nssdb7
 is_project mullvadbrowser && nssdb=mullvadbrowser-nssdb-1
 test -f "$steps_dir/linux-signer-signmars.done" ||
@@ -40,6 +47,26 @@ function sync-builder-unsigned-to-local-signed {
   "$script_dir/sync-builder-unsigned-to-local-signed"
 }
 
+function sync-before-linux-signer-rcodesign-sign {
+  "$script_dir/sync-local-to-linux-signer"
+}
+
+function linux-signer-rcodesign-sign {
+  ssh -R 8080:timestamp.apple.com:80 "$ssh_host_linux_signer" 'bash -s' << EOF
+  export RCODESIGN_PW=$RCODESIGN_PW
+  ~/signing-$SIGNING_PROJECTNAME-$tbb_version_type/linux-signer-rcodesign-sign.$SIGNING_PROJECTNAME
+EOF
+  unset RCODESIGN_PW
+}
+
+function sync-linux-signer-macos-signed-tar-to-local {
+  "$script_dir/sync-linux-signer-macos-signed-tar-to-local"
+}
+
+function rcodesign-notary-submit {
+  "$script_dir/rcodesign-notary-submit"
+}
+
 function macos-signer-directory-not-present {
   # To avoid doing two signings at the same time, or to avoid unknowingly
   # using parts from a previous signing attempt, we check that the
@@ -206,6 +233,14 @@ export SIGNING_PROJECTNAME
 
 do_step wait-for-finished-build
 do_step sync-builder-unsigned-to-local-signed
+if test -n "$use_rcodesign";
+then
+  do_step sync-scripts-to-linux-signer
+  do_step sync-before-linux-signer-rcodesign-sign
+  do_step linux-signer-rcodesign-sign
+  do_step sync-linux-signer-macos-signed-tar-to-local
+  do_step rcodesign-notary-submit
+else
   do_step macos-signer-directory-not-present
   do_step sync-scripts-to-macos-signer
   do_step macos-signer-enable-network-proxy-settings
@@ -213,6 +248,7 @@ do_step macos-signer-gatekeeper-signing
   do_step macos-signer-notarization
   do_step macos-signer-stapler
   do_step macos-signer-disable-network-proxy-settings
+fi
 do_step gatekeeper-bundling
 do_step dmg2mar
 do_step sync-scripts-to-linux-signer

tools/signing/finished-signing-clean-linux-signer

@@ -10,5 +10,5 @@ source "$script_dir/functions"
 var_is_defined ssh_host_linux_signer tbb_version
 
 ssh "$ssh_host_linux_signer" 'bash -s' << EOF
-  test -n "$tbb_version" && rm -Rfv ~/"$SIGNING_PROJECTNAME-$tbb_version"
+  test -n "$tbb_version" && rm -Rfv ~/"$SIGNING_PROJECTNAME-$tbb_version ~/"$SIGNING_PROJECTNAME-$tbb_version-macos-signed"
 EOF

tools/signing/gatekeeper-bundling.sh

@@ -67,7 +67,13 @@ tar -C "$tmpdir" -xf "$hfstools_file"
 export PATH="$PATH:$tmpdir/libdmg-hfsplus:$tmpdir/hfsplus-tools"
 
 cd $tmpdir/dmg
+
+if test -n "$use_rcodesign"; then
+  tar -xf $macos_stapled_dir/"${proj_name}-${tbb_version}-notarized+stapled.tar.zst"
+else
   unzip -q $macos_stapled_dir/tb-${tbb_version}_ALL-stapled.zip
+fi
+
 cd ..
 $script_dir/ddmg.sh $macos_signed_dir/${proj_name}-macos-${tbb_version}.dmg $tmpdir/dmg/ "$Proj_Name"
 rm -rf "dmg/$Proj_Name.app"

tools/signing/linux-signer-rcodesign-sign

+#!/bin/bash
+
+set -e
+script_dir=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
+source "$script_dir/functions"
+source "$script_dir/set-config.generated-config"
+# tbb_version_type is used in wrappers/sign-rcodesign, so we export it
+export tbb_version_type
+
+if [ -z "$RCODESIGN_PW" ]; then
+    echo "Enter passphrase"
+    stty -echo; read RCODESIGN_PW; stty echo
+    export RCODESIGN_PW
+fi
+
+Proj_Name=$(Project_Name)
+output_file=$(project-name)-macos-${tbb_version}-rcodesign-signed.tar.zst
+destdir=~/"$SIGNING_PROJECTNAME-$tbb_version-macos-signed"
+mkdir -p $destdir
+rm -f "$destdir/$output_file"
+
+sudo -u signing-macos -- /signing/tor-browser-build/tools/signing/wrappers/sign-rcodesign ~/"$SIGNING_PROJECTNAME-$tbb_version"/$(project-name)-macos-${tbb_version}.dmg "$Proj_Name"
+cp "/home/signing-macos/last-signed-$Proj_Name.tar.zst" "$destdir/$output_file"

tools/signing/linux-signer-rcodesign-sign.mullvadbrowser

+linux-signer-rcodesign-sign
\ No newline at end of file

tools/signing/linux-signer-rcodesign-sign.torbrowser

+linux-signer-rcodesign-sign
\ No newline at end of file

tools/signing/rcodesign-notary-submit

+#!/bin/bash
+
+set -e
+
+script_dir=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
+source "$script_dir/functions"
+source "$script_dir/set-config.rcodesign-appstoreconnect"
+
+test -d "$macos_rcodesign_signed_tar_dir" || \
+  exit_error "The signed macos tar files should be placed in directory $macos_rcodesign_signed_tar_dir"
+
+test -f "$appstoreconnect_api_key_path" || \
+  exit_error "$appstoreconnect_api_key_path is missing. See this page for how to create it: https://gregoryszorc.com/docs/apple-codesign/main/apple_codesign_getting_started.html#apple-codesign-app-store-connect-api-key"
+
+"$script_dir/setup-rcodesign"
+
+tmpdir=$(mktemp -d)
+trap "rm -Rf $tmpdir" EXIT
+
+Proj_Name=$(Project_Name)
+
+tar -C "$tmpdir" -xf "$macos_rcodesign_signed_tar_dir/$(project-name)-macos-${tbb_version}-rcodesign-signed.tar.zst"
+
+"$script_dir/../local/rcodesign/rcodesign" notary-submit --api-key-path "$appstoreconnect_api_key_path" --staple "$tmpdir/$Proj_Name.app"
+
+output_file="$(project-name)-${tbb_version}-notarized+stapled.tar.zst"
+tar -C "$tmpdir" -caf "$tmpdir/$output_file" "$Proj_Name.app"
+mkdir -p "$macos_stapled_dir"
+mv "$tmpdir/$output_file" "$macos_stapled_dir/$output_file"
+
+rm -Rf "$tmpdir"

tools/signing/set-config

@@ -27,8 +27,9 @@ test -z "${rbm_not_available+x}" && rbm="$script_dir/../../rbm/rbm"
 
 signed_dir="$script_dir/../../$SIGNING_PROJECTNAME/$tbb_version_type/signed"
 signed_version_dir="$signed_dir/$tbb_version"
-macos_stapled_dir="$signed_dir/$tbb_version-macos-stapled"
-macos_signed_dir="$signed_dir/$tbb_version-macos-signed"
+macos_stapled_dir="$signed_dir/$tbb_version-macos-notarized+stapled-tar"
+macos_signed_dir="$signed_dir/$tbb_version-macos-signed-dmg"
+macos_rcodesign_signed_tar_dir="$signed_dir/$tbb_version-macos-rcodesign-signed-tar"
 
 faketime_path=/usr/lib/x86_64-linux-gnu/faketime/libfaketime.so.1
 
@@ -37,3 +38,5 @@ rsync_options="-avH ${rsync_progress:-} ${DRY_RUN:-}"
 
 tb_builders='boklm dan henry ma1 pierov richard'
 wrappers_dir=/signing/tor-browser-build/tools/signing/wrappers
+
+use_rcodesign=1

tools/signing/set-config.rcodesign-appstoreconnect

+appstoreconnect_api_key_path=~/.appstoreconnect/app-store-connect-api-key.json

tools/signing/sync-linux-signer-macos-signed-tar-to-local

+#!/bin/bash
+set -e
+script_dir=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
+source "$script_dir/functions"
+
+var_is_defined ssh_host_linux_signer
+
+rsync $rsync_options "$ssh_host_linux_signer:$SIGNING_PROJECTNAME-$tbb_version-macos-signed/" "$macos_rcodesign_signed_tar_dir/"

tools/signing/sync-linux-signer-macos-signed-tar-to-local.mullvadbrowser

+sync-linux-signer-macos-signed-tar-to-local
\ No newline at end of file

tools/signing/sync-linux-signer-macos-signed-tar-to-local.torbrowser

+sync-linux-signer-macos-signed-tar-to-local
\ No newline at end of file