From fae36a95ecc27402a447f685f1d717138239876b Mon Sep 17 00:00:00 2001
From: Brian Smith
Date: Mon, 8 May 2023 20:18:12 -0500
Subject: [PATCH] No Issue - Updates to Mac packaging for notarization. Add Mac entitlements. Switch to using "create" instead of "makehybrid" when creating the disk image. This fixes bogus extended attributes which interfere with the code signature. Finally add any -bin or dylibs in the Resources folder since --deep skips that folder.
---
python/mozbuild/mozpack/dmg.py | 28 +++++++++++------
security/mac/developer.entitlements.xml | 38 ++++++++++++++++++++++++
security/mac/production.entitlements.xml | 23 ++++++++++++++
3 files changed, 80 insertions(+), 9 deletions(-)
create mode 100644 security/mac/developer.entitlements.xml
create mode 100644 security/mac/production.entitlements.xml
diff --git a/python/mozbuild/mozpack/dmg.py b/python/mozbuild/mozpack/dmg.py
index ade25aeac3..b231f731b8 100644
--- a/python/mozbuild/mozpack/dmg.py
+++ b/python/mozbuild/mozpack/dmg.py
@@ -5,6 +5,7 @@
 import errno
 import mozfile
 import os
+import fnmatch
 import platform
 import shutil
 import subprocess
@@ -46,11 +47,11 @@ def create_dmg_from_staged(stagedir, output_dmg, tmpdir, volume_name):
 if not is_linux:
 # Running on OS X
 hybrid = os.path.join(tmpdir, 'hybrid.dmg')
- subprocess.check_call(['hdiutil', 'makehybrid', '-hfs',
- '-hfs-volume-name', volume_name,
- '-hfs-openfolder', stagedir,
- '-ov', stagedir,
- '-o', hybrid])
+ subprocess.check_call(['hdiutil', 'create',
+ '-fs', 'HFS+',
+ '-volname', volume_name,
+ '-srcfolder', stagedir,
+ '-ov', hybrid])
 subprocess.check_call(['hdiutil', 'convert', '-format', 'UDBZ', '-imagekey', 'bzip2-level=9', '-ov', hybrid, '-o', output_dmg])
@@ -70,8 +71,8 @@ def create_dmg_from_staged(stagedir, output_dmg, tmpdir, volume_name):
 uncompressed, output_dmg ],
- # dmg is seriously chatty
- stdout=open(os.devnull, 'wb'))
+ # dmg is seriously chatty
+ stdout=open(os.devnull, 'wb'))

 def check_tools(*tools):
 '''
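Review bot: The reason for replacing `hdiutil makehybrid` with `hdiutil create` lives only in the commit message; the `# Running on OS X` comment above the call should carry it, since a later maintainer seeing the simpler `makehybrid` invocation in history may revert to it. Suggested comment: `# Use 'hdiutil create', not 'makehybrid': makehybrid leaves extended attributes on the image contents that break the code signature and so notarization.` The new command also drops the `-hfs-openfolder` auto-open behaviour of the old one; if that is intentional, the same comment should say so. The rest of create_dmg_from_staged lies outside this hunk.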
@@ -87,7 +88,6 @@ def check_tools(*tools):
 if not os.access(path, os.X_OK): raise Exception('Required tool "%s" at path "%s" is not executable' % (tool, path))
-
 def create_dmg(source_directory, output_dmg, volume_name, extra_files):
 '''
 Create a DMG disk image at the path output_dmg from source_directory.
@@ -122,6 +122,16 @@ def create_dmg(source_directory, output_dmg, volume_name, extra_files):
 if not is_linux:
 identity = buildconfig.substs['MOZ_MACBUNDLE_IDENTITY']
 if identity != '':
+ dylibs = []
 appbundle = os.path.join(stagedir, buildconfig.substs['MOZ_MACBUNDLE_NAME'])
- subprocess.check_call(['codesign', '--deep', '-s', identity, appbundle])
+ # If the -bin file is in Resources add it to the dylibs as well
+ resourcebin = os.path.join(appbundle, 'Contents/Resources/' + buildconfig.substs['MOZ_APP_NAME'] + '-bin')
+ if os.path.isfile(resourcebin):
+ dylibs.append(resourcebin)
+ # Create a list of dylibs in Contents/Resources that won't get signed by --deep
+ for root, dirnames, filenames in os.walk('Contents/Resources/'):
+ for filename in fnmatch.filter(filenames, '*.dylib'):
+ dylibs.append(os.path.join(root, filename))
+ entitlement = os.path.abspath(os.path.join(os.getcwd(), '../../platform/security/mac/production.entitlements.xml'))
+ subprocess.check_call(['codesign', '--deep', '--timestamp', '--options', 'runtime', '--entitlements', entitlement, '-s', identity] + dylibs + [appbundle])
 create_dmg_from_staged(stagedir, output_dmg, tmpdir, volume_name)
diff --git a/security/mac/developer.entitlements.xml b/security/mac/developer.entitlements.xml
new file mode 100644
index 0000000000..1560ab9c62
--- /dev/null
+++ b/security/mac/developer.entitlements.xml 
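Review bot: `os.walk('Contents/Resources/')` in the @@ -122 hunk walks a path relative to the current working directory, not the bundle, so it either finds nothing or lists files from an unrelated tree; the `.dylib`s inside the bundle's Resources folder therefore stay unsigned — the very gap the preceding comment says this loop closes — while `resourcebin` above correctly anchors on `appbundle`. Change the loop header to `for root, _, filenames in os.walk(os.path.join(appbundle, 'Contents', 'Resources')):` so the paths appended to `dylibs` are inside the staged bundle. Separately, `entitlement` is derived from `os.getcwd()` plus `'../../platform/...'`, which only resolves when the script is invoked from one specific directory; anchoring it on a build-config path (mozbuild's `buildconfig.topsrcdir`, if that is available in this tree) would remove the dependency on the caller's cwd, and a comment should state which directory the relative path assumes. Only `*.dylib` is collected, so any other Mach-O payloads in Resources (e.g. `.so`) would still be skipped by `--deep`; worth a comment if that is deliberate. The remainder of create_dmg's body lies outside this hunk.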
@@ -0,0 +1,38 @@ + + + + + + + com.apple.security.cs.allow-unsigned-executable-memory + + + com.apple.security.cs.disable-library-validation + + + com.apple.security.cs.allow-dyld-environment-variables + + + com.apple.security.get-task-allow + + + com.apple.security.device.audio-input + + + com.apple.security.device.camera + + + com.apple.security.personal-information.location + +
diff --git a/security/mac/production.entitlements.xml b/security/mac/production.entitlements.xml
new file mode 100644
index 0000000000..6c2d751728
--- /dev/null
+++ b/security/mac/production.entitlements.xml
@@ -0,0 +1,23 @@ + + + + + + + com.apple.security.cs.allow-unsigned-executable-memory + + + com.apple.security.cs.disable-library-validation + + + com.apple.security.device.audio-input + + + com.apple.security.device.camera + + + com.apple.security.personal-information.location + +
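Review bot: developer.entitlements.xml grants `com.apple.security.get-task-allow` and `com.apple.security.cs.allow-dyld-environment-variables`, which let a debugger attach to the signed process and let `DYLD_*` variables inject code into it; that is acceptable for a local debug signature but would undo the hardened runtime on a shipped build. Nothing in this patch selects the file — the dmg.py hunk hard-codes `production.entitlements.xml` — so its intended use is undocumented; add an XML comment inside `<plist>` such as `<!-- Development-only entitlements: permits debugger attach and DYLD injection. Not referenced by the packaging script; never pass to the release codesign step. -->`.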
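Review bot: production.entitlements.xml enables `com.apple.security.cs.disable-library-validation` and `com.apple.security.cs.allow-unsigned-executable-memory`, the two entitlements that most weaken the hardened runtime requested by `--options runtime` in dmg.py: the first lets the process load libraries not signed by the same Team ID, the second permits writable+executable pages without JIT restrictions. Neither carries a comment saying which component needs it, so a reviewer cannot tell whether they are still required; add an XML comment above each key naming the dependency (e.g. the plugin or library that is not signed with this identity). If the executable-memory entitlement exists only for the JavaScript JIT, `com.apple.security.cs.allow-jit` is the narrower grant Apple documents for that case and is worth evaluating. The audio-input, camera and location keys also presuppose matching usage-description strings in the bundle's Info.plist, which this patch does not touch; a comment pointing to where those live would help.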