From c063c017d063e938ae8bcdfb452ae55962f0d636 Mon Sep 17 00:00:00 2001
From: Heitor Neiva
Date: Wed, 18 Oct 2023 13:06:43 -0700
Subject: [PATCH 1/2] Sign firefox nightly with provisioning profile
---
signing-manifests/nightly-pprofile.yml | 52 ++++++++++++++++++++++++++
1 file changed, 52 insertions(+)
create mode 100644 signing-manifests/nightly-pprofile.yml
diff --git a/signing-manifests/nightly-pprofile.yml b/signing-manifests/nightly-pprofile.yml
new file mode 100644
index 0000000..9031bde
--- /dev/null
+++ b/signing-manifests/nightly-pprofile.yml
@@ -0,0 +1,52 @@
+---
+bug: 0000000
+sha256: 5ab5244e5e55c41f6cdb92cb369ab3263874d2314c2cb3350140416bf686026d
+filesize: 89825128
+private-artifact: false
+signing-formats: ["macapp", "autograph_widevine", "autograph_omnija"]
+requestor: Heitor Neiva
+reason: Firefox Nighly with provisioning profile
+product: firefox
+artifact-name: target.tar.gz
+mac-behavior: mac_sign_and_pkg_hardened
+signingscript-notarization: true
+hardened-sign-config:
+ - deep: false
+ runtime: true
+ force: true
+ entitlements: security/mac/hardenedruntime/v2/production/plugin-container.xml
+ globs:
+ - "/Contents/MacOS/plugin-container.app"
+
+ - deep: false
+ runtime: true
+ force: true
+ entitlements: security/mac/hardenedruntime/v2/production/media-plugin-helper.xml
+ globs:
+ - "/Contents/MacOS/media-plugin-helper.app"
+
+ - deep: false
+ runtime: true
+ force: true
+ # These files are signed wihtout entitlements
+ globs:
+ - "/Contents/MacOS/crashreporter.app"
+ - "/Contents/MacOS/updater.app"
+ - "/Contents/Library/LaunchServices/org.mozilla.updater"
+ - "/Contents/MacOS/XUL"
+ - "/Contents/MacOS/pingsender"
+ - "/Contents/MacOS/minidump-analyzer"
+ - "/Contents/MacOS/*.dylib"
+ - "/Contents/Resources/gmp-clearkey/*/*.dylib"
+
+ - deep: false
+ runtime: true
+ force: true
+ entitlements: security/mac/hardenedruntime/v2/production/browser.xml
+ globs:
+ - "/Contents/MacOS/firefox-bin"
+ - "/" # The .app
+
+fetch:
+ type: static-url
+ url: https://github.com/mozilla-releng/adhoc-signing-blobs/raw/hneiva/nightly-pprofile/target.tar.gz
From 8a7e6ae473176b47546483c8fd8daccd817151b6 Mon Sep 17 00:00:00 2001
From: Heitor Neiva
Date: Wed, 18 Oct 2023 13:19:50 -0700
Subject: [PATCH 2/2] Fix nightly profile
---
signing-manifests/nightly-pprofile.yml | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/signing-manifests/nightly-pprofile.yml b/signing-manifests/nightly-pprofile.yml
index 9031bde..35e8e8b 100644
--- a/signing-manifests/nightly-pprofile.yml
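Review bot: `bug: 0000000` at the top of the new manifest in PATCH 1/2 is a placeholder, so this signing request has no tracking bug that a reviewer or auditor can follow; the field should carry the real bug number before the manifest lands, e.g. `bug: <BUG_NUMBER>`. Two typos are worth fixing while the file is new: `reason: Firefox Nightly with provisioning profile` and `# These files are signed without entitlements`. `fetch.url` points at a branch path rather than a commit, which is tolerable only because `sha256` and `filesize` pin the blob; presumably the signing pipeline verifies both before signing, which is not visible here.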
+++ b/signing-manifests/nightly-pprofile.yml @@ -1,7 +1,7 @@ --- bug: 0000000 -sha256: 5ab5244e5e55c41f6cdb92cb369ab3263874d2314c2cb3350140416bf686026d -filesize: 89825128 +sha256: 295ed2e298cd64bb8c28d320b93979bbd90845232317b9d8c7bd279654ed90da +filesize: 102225095 private-artifact: false signing-formats: ["macapp", "autograph_widevine", "autograph_omnija"] requestor: Heitor Neiva @@ -14,14 +14,14 @@ hardened-sign-config: - deep: false runtime: true force: true - entitlements: security/mac/hardenedruntime/v2/production/plugin-container.xml + entitlements: https://hg.mozilla.org/mozilla-central/raw-file/tip/security/mac/hardenedruntime/v2/production/plugin-container.xml globs: - "/Contents/MacOS/plugin-container.app" - deep: false runtime: true force: true - entitlements: security/mac/hardenedruntime/v2/production/media-plugin-helper.xml + entitlements: https://hg.mozilla.org/mozilla-central/raw-file/tip/security/mac/hardenedruntime/v2/production/media-plugin-helper.xml globs: - "/Contents/MacOS/media-plugin-helper.app" @@ -42,11 +42,11 @@ hardened-sign-config: - deep: false runtime: true force: true - entitlements: security/mac/hardenedruntime/v2/production/browser.xml + entitlements: https://github.com/mozilla-releng/adhoc-signing-blobs/raw/hneiva/nightly-pprofile/browser.xml globs: - "/Contents/MacOS/firefox-bin" - "/" # The .app fetch: type: static-url - url: https://github.com/mozilla-releng/adhoc-signing-blobs/raw/hneiva/nightly-pprofile/target.tar.gz + url: https://github.com/mozilla-releng/adhoc-signing-blobs/raw/hneiva/nightly-pprofile/target.dmg
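Review bot: The new `entitlements:` URLs in the `@@ -14,14` hunk resolve through `raw-file/tip/`, a moving ref, so the entitlements applied to `plugin-container.app` and `media-plugin-helper.app` depend on whatever mozilla-central holds when the signing task runs, and nothing in the manifest pins them the way `sha256` pins the artifact. The `@@ -42,11` hunk has the same problem with `browser.xml`, now fetched from the `hneiva/nightly-pprofile` branch, which can change after this manifest is reviewed. Entitlements decide which hardened-runtime exceptions the signed binary receives, so I would pin each URL to an immutable revision, e.g. `.../mozilla-central/raw-file/<REVISION>/security/mac/hardenedruntime/v2/production/plugin-container.xml` and `.../adhoc-signing-blobs/raw/<COMMIT_SHA>/browser.xml`. The `hardened-sign-config` list begins above both hunks.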
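Review bot: `fetch.url` in the `@@ -42,11` hunk now ends in `target.dmg`, while `artifact-name: target.tar.gz` from PATCH 1/2 sits outside every hunk of this commit and is therefore unchanged, so the manifest names one container format and fetches another. If the signing task derives unpacking or output naming from `artifact-name` (not visible here), that line should become `artifact-name: target.dmg`. Otherwise a short comment stating that the mismatch is intentional would spare the next reader the question.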