
No Issue - Updates to Mac packaging for notarization. Add Mac entitlements. Switch to using "create" instead of "makehybrid" when creating the disk image. This fixes bogus extended attributes which interfere with the code signature. Finally add any -bin or dylibs in the Resources folder since --deep skips that folder.

Brian Smith
2023-05-08 20:18:12 -05:00
committed by roytam1
parent 1c70f64e7c
commit fae36a95ec
3 changed files with 80 additions and 9 deletions
+19 -9
@@ -5,6 +5,7 @@
import errno
import mozfile
import os
import fnmatch
import platform
import shutil
import subprocess
@@ -46,11 +47,11 @@ def create_dmg_from_staged(stagedir, output_dmg, tmpdir, volume_name):
if not is_linux:
# Running on OS X
hybrid = os.path.join(tmpdir, 'hybrid.dmg')
subprocess.check_call(['hdiutil', 'makehybrid', '-hfs',
'-hfs-volume-name', volume_name,
'-hfs-openfolder', stagedir,
'-ov', stagedir,
'-o', hybrid])
subprocess.check_call(['hdiutil', 'create',
'-fs', 'HFS+',
'-volname', volume_name,
'-srcfolder', stagedir,
'-ov', hybrid])
subprocess.check_call(['hdiutil', 'convert', '-format', 'UDBZ',
'-imagekey', 'bzip2-level=9',
'-ov', hybrid, '-o', output_dmg])
@@ -70,8 +71,8 @@ def create_dmg_from_staged(stagedir, output_dmg, tmpdir, volume_name):
uncompressed,
output_dmg
],
# dmg is seriously chatty
stdout=open(os.devnull, 'wb'))
# dmg is seriously chatty
stdout=open(os.devnull, 'wb'))
def check_tools(*tools):
'''
@@ -87,7 +88,6 @@ def check_tools(*tools):
if not os.access(path, os.X_OK):
raise Exception('Required tool "%s" at path "%s" is not executable' % (tool, path))
def create_dmg(source_directory, output_dmg, volume_name, extra_files):
'''
Create a DMG disk image at the path output_dmg from source_directory.
@@ -122,6 +122,16 @@ def create_dmg(source_directory, output_dmg, volume_name, extra_files):
if not is_linux:
identity = buildconfig.substs['MOZ_MACBUNDLE_IDENTITY']
if identity != '':
dylibs = []
appbundle = os.path.join(stagedir, buildconfig.substs['MOZ_MACBUNDLE_NAME'])
subprocess.check_call(['codesign', '--deep', '-s', identity, appbundle])
# If the -bin file is in Resources add it to the dylibs as well
resourcebin = os.path.join(appbundle, 'Contents/Resources/' + buildconfig.substs['MOZ_APP_NAME'] + '-bin')
if os.path.isfile(resourcebin):
dylibs.append(resourcebin)
# Create a list of dylibs in Contents/Resources that won't get signed by --deep
for root, dirnames, filenames in os.walk('Contents/Resources/'):
for filename in fnmatch.filter(filenames, '*.dylib'):
dylibs.append(os.path.join(root, filename))
entitlement = os.path.abspath(os.path.join(os.getcwd(), '../../platform/security/mac/production.entitlements.xml'))
subprocess.check_call(['codesign', '--deep', '--timestamp', '--options', 'runtime', '--entitlements', entitlement, '-s', identity] + dylibs + [appbundle])
create_dmg_from_staged(stagedir, output_dmg, tmpdir, volume_name)
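Review bot: The `os.walk('Contents/Resources/')` call in the last hunk walks a path relative to the process working directory, not the staged bundle, so unless the build runs from inside the app bundle the loop finds nothing and the `.dylib` files the comment says `--deep` skips are never passed to `codesign`; `os.walk` does not raise on a missing directory, so this fails silently. Anchoring it to the bundle, `for root, dirnames, filenames in os.walk(os.path.join(appbundle, 'Contents/Resources')):`, matches how `resourcebin` is built a few lines earlier. The entitlements path has the same dependency on `os.getcwd()`; resolving it from the source tree root (`buildconfig.topsrcdir`, if this module's `buildconfig` exposes it as mozbuild's does) would keep a wrong working directory from signing with a missing or unintended entitlements file. `create_dmg` starts and ends outside the hunk.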
+38
@@ -0,0 +1,38 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<!--
Entitlements to apply during codesigning of developer builds. These
differ from the production entitlements in that they allow debugging of
executables and allow dyld environment variables to be used. This set of
entitlements is intended to be used for signing of builds used in
automated testing or local developer builds where debugging of a signed
build might be necessary. The com.apple.security.get-task-allow
entitlement must be set to true to allow debuggers to attach to
application processes but prohibits notarization with the notary service.
dyld environment variables are used for some tests and may be useful for
developers.
-->
<plist version="1.0">
<dict>
<!-- UXP needs to create executable pages (without MAP_JIT) -->
<key>com.apple.security.cs.allow-unsigned-executable-memory</key><true/>
<!-- Allow loading third party libraries. Needed for Flash and CDMs -->
<key>com.apple.security.cs.disable-library-validation</key><true/>
<!-- Allow dyld environment variables for gtests and debugging -->
<key>com.apple.security.cs.allow-dyld-environment-variables</key><true/>
<!-- Allow debuggers to attach to running executables -->
<key>com.apple.security.get-task-allow</key><true/>
<!-- UXP needs to access the microphone on sites the user allows -->
<key>com.apple.security.device.audio-input</key><true/>
<!-- UXP needs to access the camera on sites the user allows -->
<key>com.apple.security.device.camera</key><true/>
<!-- UXP needs to access the location on sites the user allows -->
<key>com.apple.security.personal-information.location</key><true/>
</dict>
</plist>
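Review bot: The header comment explains that `get-task-allow` prohibits notarization, but it does not say that this file must never be used for a build that reaches users. `allow-dyld-environment-variables` combined with `disable-library-validation` means a build signed with it will load whatever library a dyld variable names, so the restriction deserves an explicit line such as `Never sign a build that is distributed to users with this file; use the production entitlements instead.` The signing code visible on this page hard-codes the production file, so as far as these hunks show nothing selects this file yet; the commit message or a follow-up should say how it is meant to be chosen.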
+23
@@ -0,0 +1,23 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<!--
Entitlements to apply during codesigning of production builds.
-->
<plist version="1.0">
<dict>
<!-- UXP needs to create executable pages (without MAP_JIT) -->
<key>com.apple.security.cs.allow-unsigned-executable-memory</key><true/>
<!-- Allow loading third party libraries. Needed for Flash and CDMs -->
<key>com.apple.security.cs.disable-library-validation</key><true/>
<!-- UXP needs to access the microphone on sites the user allows -->
<key>com.apple.security.device.audio-input</key><true/>
<!-- UXP needs to access the camera on sites the user allows -->
<key>com.apple.security.device.camera</key><true/>
<!-- UXP needs to access the location on sites the user allows -->
<key>com.apple.security.personal-information.location</key><true/>
</dict>
</plist>
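Review bot: `com.apple.security.cs.disable-library-validation` is the entitlement here that most weakens the hardened runtime for shipped builds, and its comment justifies it with "Flash and CDMs" although Flash was already end-of-life at this commit's date. With it set, the process will load libraries that are not signed by Apple or by the app's own team, so a planted or replaced library is no longer rejected by the loader. If NPAPI plugins or CDMs still require it, the comment should say so, e.g. `<!-- Library validation is disabled so third-party NPAPI plugins and CDMs can load; remove once those are no longer supported -->`. Because the signing call on this page passes `--entitlements` together with `--deep`, these entitlements are presumably applied to every nested executable as well, which is worth confirming with `codesign -d --entitlements -` on a signed bundle.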