projects/rcodesign/build

@@ -12,7 +12,7 @@ tar -C /var/tmp/build -xf [% project %]-[% c('version') %].tar.[% c('compress_ta
 tar -C $builddir -xf $rootdir/[% c('input_files_by_name/cargo_vendor') %]
 
 cd $builddir
-mkdir .cargo
+mkdir -p .cargo
 cat >> .cargo/config << 'EOF'
 
 [source.crates-io]

projects/rcodesign/config

 # vim: filetype=yaml sw=2
-version: 0.22.0
-git_hash: cb406b5feb1439131f36ec60375f607a7f82439d
+version: 0.27.0
+git_hash: 703362f818272d43b3844105863739bcb6f1a11a
 git_url: https://github.com/indygreg/apple-platform-rs.git
 container:
   use_container: 1
@@ -16,4 +16,4 @@ steps:
         project: rcodesign
         pkg_type: cargo_vendor
         norec:
-          sha256sum: 04c21203d2948ebfa59f1039d4481e419e656ec636293b4846fdb7868cfd98f0
+          sha256sum: c778deb784f68b48a51c6c54095c6cd45e37847d65e9db36ce39b4326874ae9c

tools/signing/linux-signer-rcodesign-sign

@@ -19,5 +19,5 @@ destdir=~/"$SIGNING_PROJECTNAME-$tbb_version-macos-signed"
 mkdir -p $destdir
 rm -f "$destdir/$output_file"
 
-sudo -u signing-macos -- /signing/tor-browser-build/tools/signing/wrappers/sign-rcodesign ~/"$SIGNING_PROJECTNAME-$tbb_version"/$(project-name)-macos-${tbb_version}.dmg "$display_name"
+sudo -u signing-macos -- /signing/tor-browser-build/tools/signing/wrappers/sign-rcodesign-128 ~/"$SIGNING_PROJECTNAME-$tbb_version"/$(project-name)-macos-${tbb_version}.dmg "$display_name"
 cp "/home/signing-macos/last-signed-$display_name.tar.zst" "$destdir/$output_file"

tools/signing/machines-setup/setup-signing-machine

@@ -91,6 +91,7 @@ sudoers_file sign-mar
 sudoers_file sign-exe
 sudoers_file sign-apk
 sudoers_file sign-rcodesign
+sudoers_file sign-rcodesign-128
 sudoers_file set-date
 
 authorized_keys boklm boklm-tb-release.pub boklm-yk1.pub

tools/signing/machines-setup/sudoers.d/sign-rcodesign-128

+Defaults>signing-macos env_keep += "SIGNING_PROJECTNAME tbb_version_type RCODESIGN_PW"
+%signing ALL = (signing-macos) NOPASSWD: /signing/tor-browser-build/tools/signing/wrappers/sign-rcodesign-128

tools/signing/macos-entitlements/firefox.browser.xml

+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<!--
+     Entitlements to apply to the main browser process executable during
+     codesigning of production channel builds.
+-->
+<plist version="1.0">
+  <dict>
+    <!-- Allow loading third party libraries to support pkcs11 modules -->
+    <key>com.apple.security.cs.disable-library-validation</key><true/>
+
+    <!-- Firefox needs to create executable pages with MAP_JIT on aarch64 -->
+    <key>com.apple.security.cs.allow-jit</key><true/>
+
+    <!-- Firefox needs to access the microphone on sites the user allows -->
+    <key>com.apple.security.device.audio-input</key><true/>
+
+    <!-- Firefox needs to access the camera on sites the user allows -->
+    <key>com.apple.security.device.camera</key><true/>
+
+    <!-- Firefox needs to access the location on sites the user allows -->
+    <key>com.apple.security.personal-information.location</key><true/>
+
+    <!-- For SmartCardServices(7) -->
+    <key>com.apple.security.smartcard</key><true/>
+
+    <!-- Required for com.apple.developer.web-browser.public-key-credential -->
+    <key>com.apple.application-identifier</key>
+    <string>43AQ936H96.org.mozilla.firefox</string>
+
+    <!-- For platform passkey (webauthn) support -->
+    <key>com.apple.developer.web-browser.public-key-credential</key><true/>
+  </dict>
+</plist>

tools/signing/macos-entitlements/media-plugin-helper.xml

+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<!--
+     Entitlements to apply to the media-plugin-helper.app bundle during
+     codesigning of production channel builds.
+-->
+<plist version="1.0">
+  <dict>
+    <!-- Allow loading third party CDM libraries -->
+    <key>com.apple.security.cs.disable-library-validation</key><true/>
+  </dict>
+</plist>

tools/signing/macos-entitlements/plugin-container.xml

+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<!--
+     Entitlements to apply to the plugin-container.app bundle during
+     codesigning of production channel builds.
+-->
+<plist version="1.0">
+  <dict>
+    <!-- Firefox needs to create executable pages with MAP_JIT -->
+    <key>com.apple.security.cs.allow-jit</key><true/>
+  </dict>
+</plist>

tools/signing/rcodesign-notary-submit

@@ -21,7 +21,7 @@ display_name=$(display_name)
 
 tar -C "$tmpdir" -xf "$macos_rcodesign_signed_tar_dir/$(project-name)-macos-${tbb_version}-rcodesign-signed.tar.zst"
 
-"$script_dir/../local/rcodesign/rcodesign" notary-submit --api-key-path "$appstoreconnect_api_key_path" --staple "$tmpdir/$display_name.app"
+"$script_dir/../local/rcodesign-128/rcodesign" notary-submit --api-key-path "$appstoreconnect_api_key_path" --staple "$tmpdir/$display_name.app"
 
 output_file="$(project-name)-${tbb_version}-notarized+stapled.tar.zst"
 tar -C "$tmpdir" -caf "$tmpdir/$output_file" "$display_name.app"

tools/signing/set-config.rcodesign

-rcodesign_version=0.22.0-bc8cc7
+rcodesign_version=0.27.0-e252fa
 rcodesign_filename=rcodesign-${rcodesign_version}.tar.gz
-rcodesign_sha256sum=2a9eda016fff116c59f52b358e7a740f6fb5c039974f0acc8266c3605d24092a
+rcodesign_sha256sum=c228c5fb06a088bc6c50a212d8d5a15425c2bcdf448bfa7f94ea5cc41321c533
 rcodesign_url="https://build-sources.tbb.torproject.org/${rcodesign_filename}"

tools/signing/setup-rcodesign

@@ -35,8 +35,8 @@ function setup_rcodesign {
   tar -C "$tmpdir" -xf "$rcodesign_path"
   mv "$tmpdir/rcodesign" "$rcodesign_dir"
   chmod -R go+rX "$rcodesign_dir"
-  rm -f "$localdir/rcodesign"
-  ln -s "rcodesign-$rcodesign_version" "$localdir/rcodesign"
+  rm -f "$localdir/rcodesign-128"
+  ln -s "rcodesign-$rcodesign_version" "$localdir/rcodesign-128"
 }
 
 download_rcodesign

tools/signing/wrappers/sign-rcodesign-128

+#!/bin/bash
+set -e
+
+function exit_error {
+  for msg in "$@"
+  do
+    echo "$msg" >&2
+  done
+  exit 1
+}
+
+test $# -eq 2 || exit_error "Wrong number of arguments"
+dmg_file="$1"
+display_name="$2"
+
+output_file="/home/signing-macos/last-signed-$display_name.tar.zst"
+rm -f "$output_file"
+
+rcodesign=/signing/rcodesign-128/rcodesign
+rcodesign_signing_p12_file=/home/signing-macos/keys/key-1.p12
+test -f "$rcodesign_signing_p12_file" || exit_error "$rcodesign_signing_p12_file is missing"
+
+tmpdir=$(mktemp -d)
+trap "rm -Rf $tmpdir" EXIT
+cd "$tmpdir"
+7z x "$dmg_file"
+
+# Fix permission on files:
+# https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/29815#note_2957050
+# FIXME: Maybe we should extract the .mar file instead of the .dmg to
+# preserve permissions
+chmod ugo+x "$display_name/$display_name.app/Contents/MacOS"/* \
+            "$display_name/$display_name.app/Contents/MacOS/updater.app/Contents/MacOS"/* \
+            "$display_name/$display_name.app/Contents/MacOS/plugin-container.app/Contents/MacOS"/* \
+            "$display_name/$display_name.app/Contents/MacOS/media-plugin-helper.app/Contents/MacOS"/* \
+            "$display_name/$display_name.app/Contents/Frameworks/ChannelPrefs.framework/ChannelPrefs" \
+            "$display_name/$display_name.app/Contents/MacOS/updater.app/Contents/Frameworks/UpdateSettings.framework/UpdateSettings"
+test -d "$display_name/$display_name.app/Contents/MacOS/Tor" && \
+  chmod -R ugo+x "$display_name/$display_name.app/Contents/MacOS/Tor"
+
+pwdir=/run/lock/rcodesign-pw
+trap "rm -Rf $pwdir" EXIT
+rm -Rf "$pwdir"
+mkdir "$pwdir"
+chmod 700 "$pwdir"
+cat > "$pwdir/rcodesign-pw-2" << EOF
+$RCODESIGN_PW
+EOF
+tr -d '\n' < "$pwdir/rcodesign-pw-2" > "$pwdir/rcodesign-pw"
+rm "$pwdir/rcodesign-pw-2"
+
+# unset RCODESIGN_PW since it conflicts with rcodesign config
+unset RCODESIGN_PW
+rcodesign_opts="
+  --code-signature-flags runtime
+  --timestamp-url http://timestamp.apple.com:8080/ts01
+  --p12-file $rcodesign_signing_p12_file
+  --p12-password-file $pwdir/rcodesign-pw
+  "
+
+flags=()
+for dir in Contents/MacOS Contents/MacOS/Tor Contents/MacOS/Tor/PluggableTransports
+do
+  d="$display_name/$display_name.app/$dir"
+  test -d "$d" || continue
+  pushd "$d"
+  for file in *
+  do
+    test -f "$file" || continue
+    flags+=('--code-signature-flags' "$dir/$file:runtime")
+  done
+  popd
+done
+echo "code-signature-flags: ${flags[@]}"
+
+echo "**** Signing main bundle ($display_name.app) ****"
+$rcodesign sign \
+  $rcodesign_opts \
+  "${flags[@]}" \
+  --code-signature-flags Contents/MacOS/updater.app/Contents/Frameworks/UpdateSettings.framework:runtime \
+  --code-signature-flags Contents/MacOS/updater.app:runtime \
+  --code-signature-flags Contents/Frameworks/ChannelPrefs.framework:runtime \
+  --code-signature-flags Contents/MacOS/plugin-container.app:runtime \
+  --code-signature-flags Contents/MacOS/media-plugin-helper.app:runtime \
+  --entitlements-xml-path Contents/MacOS/plugin-container.app:/signing/tor-browser-build/tools/signing/macos-entitlements/plugin-container.xml \
+  --entitlements-xml-path Contents/MacOS/media-plugin-helper.app:/signing/tor-browser-build/tools/signing/macos-entitlements/media-plugin-helper.xml \
+  --entitlements-xml-path /signing/tor-browser-build/tools/signing/macos-entitlements/firefox.browser.xml \
+  -- \
+  "$display_name/$display_name.app"
+
+rm -f "$pwdir/rcodesign-pw"
+rmdir "$pwdir"
+tar -C "$display_name" -caf "$output_file" "$display_name.app"
+cd -
+rm -Rf "$tmpdir"