blob: 068f4042707d57bfab689bcdfc8889920812f340 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
|
#!/bin/bash
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at https://mozilla.org/MPL/2.0/.
#
# Runs codesign commands to codesign a Firefox .app bundle and enable macOS
# Hardened Runtime. Intended to be manually run by developers working on macOS
# 10.14+ who want to enable Hardened Runtime for manual testing. This is
# provided as a stop-gap until automated build tooling is available that signs
# binaries with a certificate generated during builds (bug 1522409). This
# script requires macOS 10.14 because Hardened Runtime is only available for
# applications running on 10.14 despite support for the codesign "-o runtime"
# option being available in 10.13.6 and newer.
#
# The script requires an identity string (-i option) from an Apple Developer
# ID certificate. This can be found in the macOS KeyChain after configuring an
# Apple Developer ID certificate.
#
# Example usage on macOS 10.14:
#
# $ ./mach build
# $ ./mach build package
# $ open </PATH/TO/DMG/FILE.dmg>
# <Drag Nightly.app to ~>
# $ ./security/mac/hardenedruntime/codesign.bash \
# -a ~/Nightly.app \
# -i <MY-IDENTITY-STRING> \
# -b security/mac/hardenedruntime/browser.developer.entitlements.xml
# -p security/mac/hardenedruntime/plugin-container.developer.entitlements.xml
# $ open ~/Nightly.app
#
usage ()
{
echo "Usage: $0 "
echo " -a <PATH-TO-BROWSER.app>"
echo " -i <IDENTITY>"
echo " -b <ENTITLEMENTS-FILE>"
echo " -p <CHILD-ENTITLEMENTS-FILE>"
echo " [-o <OUTPUT-DMG-FILE>]"
exit -1
}
# Make sure we are running on macOS with the sw_vers command available.
SWVERS=/usr/bin/sw_vers
if [ ! -x ${SWVERS} ]; then
echo "ERROR: macOS 10.14 or later is required"
exit -1
fi
# Require macOS 10.14 or newer.
OSVERSION=`${SWVERS} -productVersion|sed -En 's/[0-9]+\.([0-9]+)\.[0-9]+/\1/p'`;
if [ ${OSVERSION} \< 14 ]; then
echo "ERROR: macOS 10.14 or later is required"
exit -1
fi
while getopts "a:i:b:o:p:" opt; do
case ${opt} in
a ) BUNDLE=$OPTARG ;;
i ) IDENTITY=$OPTARG ;;
b ) BROWSER_ENTITLEMENTS_FILE=$OPTARG ;;
p ) PLUGINCONTAINER_ENTITLEMENTS_FILE=$OPTARG ;;
o ) OUTPUT_DMG_FILE=$OPTARG ;;
\? ) usage; exit -1 ;;
esac
done
if [ -z "${BUNDLE}" ] ||
[ -z "${IDENTITY}" ] ||
[ -z "${PLUGINCONTAINER_ENTITLEMENTS_FILE}" ] ||
[ -z "${BROWSER_ENTITLEMENTS_FILE}" ]; then
usage
exit -1
fi
if [ ! -d "${BUNDLE}" ]; then
echo "Invalid bundle. Bundle should be a .app directory"
usage
exit -1
fi
if [ ! -e "${PLUGINCONTAINER_ENTITLEMENTS_FILE}" ]; then
echo "Invalid entitlements file"
usage
exit -1
fi
if [ ! -e "${BROWSER_ENTITLEMENTS_FILE}" ]; then
echo "Invalid entitlements file"
usage
exit -1
fi
# DMG file output flag is optional
if [ ! -z "${OUTPUT_DMG_FILE}" ] &&
[ -e "${OUTPUT_DMG_FILE}" ]; then
echo "Output dmg file ${OUTPUT_DMG_FILE} exists. Please delete it first."
usage
exit -1
fi
echo "-------------------------------------------------------------------------"
echo "bundle: $BUNDLE"
echo "identity: $IDENTITY"
echo "browser entitlements file: $BROWSER_ENTITLEMENTS_FILE"
echo "plugin-container entitlements file: $PLUGINCONTAINER_ENTITLEMENTS_FILE"
echo "output dmg file (optional): $OUTPUT_DMG_FILE"
echo "-------------------------------------------------------------------------"
# Clear extended attributes which cause codesign to fail
xattr -cr "${BUNDLE}"
# Sign these binaries first. Signing of some binaries has an ordering
# requirement where other binaries must be signed first.
codesign --force -o runtime --verbose --sign "$IDENTITY" \
"${BUNDLE}/Contents/MacOS/XUL" \
"${BUNDLE}/Contents/MacOS/pingsender" \
"${BUNDLE}/Contents/MacOS/minidump-analyzer" \
"${BUNDLE}"/Contents/MacOS/*.dylib
codesign --force -o runtime --verbose --sign "$IDENTITY" --deep \
"${BUNDLE}"/Contents/MacOS/crashreporter.app
codesign --force -o runtime --verbose --sign "$IDENTITY" --deep \
"${BUNDLE}"/Contents/MacOS/updater.app
# Sign firefox main exectuable
codesign --force -o runtime --verbose --sign "$IDENTITY" --deep \
--entitlements ${BROWSER_ENTITLEMENTS_FILE} \
"${BUNDLE}"/Contents/MacOS/firefox-bin \
"${BUNDLE}"/Contents/MacOS/firefox
# Sign gmp-clearkey files
find "${BUNDLE}"/Contents/Resources/gmp-clearkey -type f -exec \
codesign --force -o runtime --verbose --sign "$IDENTITY" {} \;
# Sign the main bundle
codesign --force -o runtime --verbose --sign "$IDENTITY" \
--entitlements ${BROWSER_ENTITLEMENTS_FILE} "${BUNDLE}"
# Sign the plugin-container bundle with deep
codesign --force -o runtime --verbose --sign "$IDENTITY" --deep \
--entitlements ${PLUGINCONTAINER_ENTITLEMENTS_FILE} \
"${BUNDLE}"/Contents/MacOS/plugin-container.app
# Validate
codesign -vvv --deep --strict "${BUNDLE}"
# Create a DMG
if [ ! -z "${OUTPUT_DMG_FILE}" ]; then
DISK_IMAGE_DIR=`mktemp -d`
TEMP_FILE=`mktemp`
TEMP_DMG=${TEMP_FILE}.dmg
NAME=`basename "${BUNDLE}"`
ditto "${BUNDLE}" "${DISK_IMAGE_DIR}/${NAME}"
hdiutil create -size 400m -fs HFS+ \
-volname Firefox -srcfolder "${DISK_IMAGE_DIR}" "${TEMP_DMG}"
hdiutil convert -format UDZO \
-o "${OUTPUT_DMG_FILE}" "${TEMP_DMG}"
rm ${TEMP_FILE}
rm ${TEMP_DMG}
rm -rf "${DISK_IMAGE_DIR}"
fi
|
