path: root/security/mac/hardenedruntime/codesign.bash
authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-28 14:29:10 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-28 14:29:10 +0000
commit2aa4a82499d4becd2284cdb482213d541b8804dd (patch)
treeb80bf8bf13c3766139fbacc530efd0dd9d54394c /security/mac/hardenedruntime/codesign.bash
parentInitial commit. (diff)
Adding upstream version 86.0.1.upstream/86.0.1upstream
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'security/mac/hardenedruntime/codesign.bash')
-rwxr-xr-xsecurity/mac/hardenedruntime/codesign.bash167
1 files changed, 167 insertions, 0 deletions
diff --git a/security/mac/hardenedruntime/codesign.bash b/security/mac/hardenedruntime/codesign.bash
new file mode 100755
index 0000000000..068f404270
--- /dev/null
+++ b/security/mac/hardenedruntime/codesign.bash
@@ -0,0 +1,167 @@
+#!/bin/bash
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# Runs codesign commands to codesign a Firefox .app bundle and enable macOS
+# Hardened Runtime. Intended to be manually run by developers working on macOS
+# 10.14+ who want to enable Hardened Runtime for manual testing. This is
+# provided as a stop-gap until automated build tooling is available that signs
+# binaries with a certificate generated during builds (bug 1522409). This
+# script requires macOS 10.14 because Hardened Runtime is only available for
+# applications running on 10.14 despite support for the codesign "-o runtime"
+# option being available in 10.13.6 and newer.
+#
+# The script requires an identity string (-i option) from an Apple Developer
+# ID certificate. This can be found in the macOS KeyChain after configuring an
+# Apple Developer ID certificate.
+#
+# Example usage on macOS 10.14:
+#
+# $ ./mach build
+# $ ./mach build package
+# $ open </PATH/TO/DMG/FILE.dmg>
+# <Drag Nightly.app to ~>
+# $ ./security/mac/hardenedruntime/codesign.bash \
+# -a ~/Nightly.app \
+# -i <MY-IDENTITY-STRING> \
+# -b security/mac/hardenedruntime/browser.developer.entitlements.xml
+# -p security/mac/hardenedruntime/plugin-container.developer.entitlements.xml
+# $ open ~/Nightly.app
+#
+
+usage ()
+{
+ echo "Usage: $0 "
+ echo " -a <PATH-TO-BROWSER.app>"
+ echo " -i <IDENTITY>"
+ echo " -b <ENTITLEMENTS-FILE>"
+ echo " -p <CHILD-ENTITLEMENTS-FILE>"
+ echo " [-o <OUTPUT-DMG-FILE>]"
+ exit -1
+}
+
+# Make sure we are running on macOS with the sw_vers command available.
+SWVERS=/usr/bin/sw_vers
+if [ ! -x ${SWVERS} ]; then
+ echo "ERROR: macOS 10.14 or later is required"
+ exit -1
+fi
+
+# Require macOS 10.14 or newer.
+OSVERSION=`${SWVERS} -productVersion|sed -En 's/[0-9]+\.([0-9]+)\.[0-9]+/\1/p'`;
+if [ ${OSVERSION} \< 14 ]; then
+ echo "ERROR: macOS 10.14 or later is required"
+ exit -1
+fi
+
+while getopts "a:i:b:o:p:" opt; do
+ case ${opt} in
+ a ) BUNDLE=$OPTARG ;;
+ i ) IDENTITY=$OPTARG ;;
+ b ) BROWSER_ENTITLEMENTS_FILE=$OPTARG ;;
+ p ) PLUGINCONTAINER_ENTITLEMENTS_FILE=$OPTARG ;;
+ o ) OUTPUT_DMG_FILE=$OPTARG ;;
+ \? ) usage; exit -1 ;;
+ esac
+done
+
+if [ -z "${BUNDLE}" ] ||
+ [ -z "${IDENTITY}" ] ||
+ [ -z "${PLUGINCONTAINER_ENTITLEMENTS_FILE}" ] ||
+ [ -z "${BROWSER_ENTITLEMENTS_FILE}" ]; then
+ usage
+ exit -1
+fi
+
+if [ ! -d "${BUNDLE}" ]; then
+ echo "Invalid bundle. Bundle should be a .app directory"
+ usage
+ exit -1
+fi
+
+if [ ! -e "${PLUGINCONTAINER_ENTITLEMENTS_FILE}" ]; then
+ echo "Invalid entitlements file"
+ usage
+ exit -1
+fi
+
+if [ ! -e "${BROWSER_ENTITLEMENTS_FILE}" ]; then
+ echo "Invalid entitlements file"
+ usage
+ exit -1
+fi
+
+# DMG file output flag is optional
+if [ ! -z "${OUTPUT_DMG_FILE}" ] &&
+ [ -e "${OUTPUT_DMG_FILE}" ]; then
+ echo "Output dmg file ${OUTPUT_DMG_FILE} exists. Please delete it first."
+ usage
+ exit -1
+fi
+
+echo "-------------------------------------------------------------------------"
+echo "bundle: $BUNDLE"
+echo "identity: $IDENTITY"
+echo "browser entitlements file: $BROWSER_ENTITLEMENTS_FILE"
+echo "plugin-container entitlements file: $PLUGINCONTAINER_ENTITLEMENTS_FILE"
+echo "output dmg file (optional): $OUTPUT_DMG_FILE"
+echo "-------------------------------------------------------------------------"
+
+# Clear extended attributes which cause codesign to fail
+xattr -cr "${BUNDLE}"
+
+# Sign these binaries first. Signing of some binaries has an ordering
+# requirement where other binaries must be signed first.
+codesign --force -o runtime --verbose --sign "$IDENTITY" \
+"${BUNDLE}/Contents/MacOS/XUL" \
+"${BUNDLE}/Contents/MacOS/pingsender" \
+"${BUNDLE}/Contents/MacOS/minidump-analyzer" \
+"${BUNDLE}"/Contents/MacOS/*.dylib
+
+codesign --force -o runtime --verbose --sign "$IDENTITY" --deep \
+"${BUNDLE}"/Contents/MacOS/crashreporter.app
+
+codesign --force -o runtime --verbose --sign "$IDENTITY" --deep \
+"${BUNDLE}"/Contents/MacOS/updater.app
+
+# Sign firefox main exectuable
+codesign --force -o runtime --verbose --sign "$IDENTITY" --deep \
+--entitlements ${BROWSER_ENTITLEMENTS_FILE} \
+"${BUNDLE}"/Contents/MacOS/firefox-bin \
+"${BUNDLE}"/Contents/MacOS/firefox
+
+# Sign gmp-clearkey files
+find "${BUNDLE}"/Contents/Resources/gmp-clearkey -type f -exec \
+codesign --force -o runtime --verbose --sign "$IDENTITY" {} \;
+
+# Sign the main bundle
+codesign --force -o runtime --verbose --sign "$IDENTITY" \
+--entitlements ${BROWSER_ENTITLEMENTS_FILE} "${BUNDLE}"
+
+# Sign the plugin-container bundle with deep
+codesign --force -o runtime --verbose --sign "$IDENTITY" --deep \
+--entitlements ${PLUGINCONTAINER_ENTITLEMENTS_FILE} \
+"${BUNDLE}"/Contents/MacOS/plugin-container.app
+
+# Validate
+codesign -vvv --deep --strict "${BUNDLE}"
+
+# Create a DMG
+if [ ! -z "${OUTPUT_DMG_FILE}" ]; then
+ DISK_IMAGE_DIR=`mktemp -d`
+ TEMP_FILE=`mktemp`
+ TEMP_DMG=${TEMP_FILE}.dmg
+ NAME=`basename "${BUNDLE}"`
+
+ ditto "${BUNDLE}" "${DISK_IMAGE_DIR}/${NAME}"
+ hdiutil create -size 400m -fs HFS+ \
+ -volname Firefox -srcfolder "${DISK_IMAGE_DIR}" "${TEMP_DMG}"
+ hdiutil convert -format UDZO \
+ -o "${OUTPUT_DMG_FILE}" "${TEMP_DMG}"
+
+ rm ${TEMP_FILE}
+ rm ${TEMP_DMG}
+ rm -rf "${DISK_IMAGE_DIR}"
+fi
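Review bot: The verification step under `# Validate` discards its exit status, so a bundle that fails `codesign --strict` is still packaged into the DMG below and the script exits 0; none of the preceding codesign invocations are checked either. Adding `set -e` after the shebang, or at minimum `codesign -vvv --deep --strict "${BUNDLE}" || { echo "ERROR: signature verification failed" >&2; exit 1; }`, would stop the script at the first failed signing or verification step instead of producing an artifact that looks signed but is not. Separately, `${BROWSER_ENTITLEMENTS_FILE}` and `${PLUGINCONTAINER_ENTITLEMENTS_FILE}` are unquoted after `--entitlements` in three codesign calls although the `-e` checks above quote them, so a path containing spaces passes validation and then breaks the signing command. The version gate `[ ${OSVERSION} \< 14 ]` is a lexical string comparison (`"9" \< "14"` is false), and the sed expression only matches three-component versions, so a two-component `sw_vers` output leaves OSVERSION empty and the test fails with a syntax error; `[ "${OSVERSION:-0}" -lt 14 ]` compares numerically, though the regex also only captures the minor component and presumably needs rethinking for major versions other than 10.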