feat: Mac hardened signing on signingscript #872
Conversation
hneiva
force-pushed
the
hneiva/rcodesign
branch
6 times, most recently
from
80d3d53 to
f676f83
Compare
hneiva
force-pushed
the
hneiva/rcodesign
branch
from
f676f83 to
2f64c3e
Compare
hneiva
force-pushed
the
hneiva/rcodesign
branch
2 times, most recently
from
a1e4a4d to
fb47722
Compare
There was a problem hiding this comment.
(I'm going to try out Coventional Comments for this review.)
I'm marking this as request changes for the few blocking items, questions, and because I'd like a link to one or more test runs of this.
Overall it looks very good though, nice work!
| @@ -40,6 +40,7 @@ WORKDIR /app | |||
| # Install signingscript + configloader + widevine | |||
| RUN python -m venv /app \ | |||
| && cd signingscript \ | |||
| && /app/bin/pip install /app/scriptworker_client \ | |||
There was a problem hiding this comment.
question: why are we installing scriptworker_client twice? (and its related requirements). If this is not necessary, please remove it from the above block.
There was a problem hiding this comment.
I meant to remove it from the block above since it has no effect whatsoever (root user)
| $match: | ||
| 'ENV == "prod" && scope_prefix': | ||
| '${scope_prefix[0]}cert:release-signing': | ||
| - "app_credentials": {"$eval": "APPLE_APP_SIGNING_CREDENTIALS"} |
There was a problem hiding this comment.
question: Are these usernames, a username+password, or something else? If they're usernames or other singular values, app_username or similar would be better here.
(After reading further down, it looks like these might be base64 encoded pkcs12 bundles? If that's the case, I suggest names like app_pkcs12_bundle, and pkcs12_passphrase)
There was a problem hiding this comment.
Yeah that sounds better.
| '${scope_prefix[0]}cert:release-signing': | ||
| - "app_credentials": {"$eval": "APPLE_APP_SIGNING_CREDENTIALS"} | ||
| "installer_credentials": {"$eval": "APPLE_INSTALLER_SIGNING_CREDENTIALS"} | ||
| "password": {"$eval": "APPLE_SIGNING_CREDS_PASSWORD"} |
There was a problem hiding this comment.
suggestion: Similarly, what is this password associated with? (Can it named in a way that makes this clear?)
| cp msix-packaging/.vs/bin/makemsix /usr/bin | ||
| cp msix-packaging/.vs/lib/libmsix.so /usr/lib | ||
|
|
||
| rm -rf msix-packaging |
There was a problem hiding this comment.
praise: thank you for cleaning up the left I mess here :)
| @@ -0,0 +1,16 @@ | |||
| #!/bin/bash | |||
There was a problem hiding this comment.
todo: rename this script to install_rcodesign.sh (we are not building it, so let's be clear about that in the name)
|
|
||
| signed = False | ||
| for file in os.scandir(signing_dir): | ||
| if file.is_dir() and file.name.endswith(".app"): |
There was a problem hiding this comment.
question: How confident are you about which creds to use based on filenames, or how often might these change? I'm wondering if we should have the payload be selecting which cert to use instead of hardcoding it in the code.
Either way, I think ipa files should be handled now, or soon?
There was a problem hiding this comment.
If we are not naming the bundles .app or not naming installers .pkg, I think we have bigger problems.
So far I haven't found a way of signing ipa bundles with rcodesign 😢
| # Use installer credentials | ||
| creds = context.apple_installer_signing_creds_path | ||
| else: | ||
| # If not pkg AND not a directory (.app) - then skip file |
There was a problem hiding this comment.
todo: log any files that are skipped to make debugging easier.
| if provisioning_profile_config: | ||
| copy_provisioning_profiles(bundle_path, provisioning_profile_config) | ||
|
|
||
| # TODO: widevine and omnija signing should run from formats? |
There was a problem hiding this comment.
todo: address this todo :). (I assume this means we should only be doing this if widevine & omnija signing are explicitly requested in the payload? But please correct me if that's wrong...)
There was a problem hiding this comment.
I think this should stay a TODO, and we find a better way of signing them in the future without failing due to the DMG symlink. Currently they are always signed together, so it's safe to assume here in the meantime.
There was a problem hiding this comment.
OK, let's file an issue or bug and point at that for the follow-up, in that case.
There was a problem hiding this comment.
Did this get filed somewhere?
| issuer_id: str | ||
| key_id: str | ||
| private_key: str | ||
|
|
||
|
|
||
| @dataclass |
There was a problem hiding this comment.
praise: Nice usage of dataclasses in this patch!
| hfsplus = context.config["hfsplus"] | ||
| undmg_cmd = [dmg, "extract", source, "tmp.hfs"] | ||
| log.info(undmg_cmd) | ||
| await execute_subprocess(undmg_cmd, cwd=context.config["work_dir"], log_level=logging.DEBUG) |
There was a problem hiding this comment.
question: Did we ever decide what to do about the symlinks? If we're not handling them here, have you tested to make sure the outputs from repackage-signing still contain working symlinks?
There was a problem hiding this comment.
I was testing this in adhoc signer, which doesn't have repackaging setup.
I guess we could try this on Try?
There was a problem hiding this comment.
That sounds like a good next step!
| @@ -40,6 +40,7 @@ WORKDIR /app | |||
| # Install signingscript + configloader + widevine | |||
| RUN python -m venv /app \ | |||
| && cd signingscript \ | |||
| && /app/bin/pip install /app/scriptworker_client \ | |||
There was a problem hiding this comment.
I meant to remove it from the block above since it has no effect whatsoever (root user)
| $match: | ||
| 'ENV == "prod" && scope_prefix': | ||
| '${scope_prefix[0]}cert:release-signing': | ||
| - "app_credentials": {"$eval": "APPLE_APP_SIGNING_CREDENTIALS"} |
There was a problem hiding this comment.
Yeah that sounds better.
| '${scope_prefix[0]}cert:release-signing': | ||
| - "app_credentials": {"$eval": "APPLE_APP_SIGNING_CREDENTIALS"} | ||
| "installer_credentials": {"$eval": "APPLE_INSTALLER_SIGNING_CREDENTIALS"} | ||
| "password": {"$eval": "APPLE_SIGNING_CREDS_PASSWORD"} |
| @@ -0,0 +1,16 @@ | |||
| #!/bin/bash | |||
| PROVISIONING_PROFILE_FILENAMES = { | ||
| "firefox": "orgmozillafirefox.provisionprofile", | ||
| "devedition": "orgmozillafirefoxdeveloperedition.provisionprofile", | ||
| "nightly": "orgmozillanightly.provisionprofile", |
There was a problem hiding this comment.
Added the missing files
| # Resolve absolute destination path | ||
| target_abs_path = os.path.join(bundlepath, target_path if target_path[0] != "/" else target_path[1:]) | ||
| if os.path.exists(target_abs_path): | ||
| log.warning("Provisioning profile at {target_path} already exists, overriding.") |
There was a problem hiding this comment.
Under normal scenarios it shouldn't happen. But when testing things, this makes sure the profile is always "what it should be".
|
|
||
| signed = False | ||
| for file in os.scandir(signing_dir): | ||
| if file.is_dir() and file.name.endswith(".app"): |
There was a problem hiding this comment.
If we are not naming the bundles .app or not naming installers .pkg, I think we have bigger problems.
So far I haven't found a way of signing ipa bundles with rcodesign 😢
| # Use installer credentials | ||
| creds = context.apple_installer_signing_creds_path | ||
| else: | ||
| # If not pkg AND not a directory (.app) - then skip file |
| if provisioning_profile_config: | ||
| copy_provisioning_profiles(bundle_path, provisioning_profile_config) | ||
|
|
||
| # TODO: widevine and omnija signing should run from formats? |
There was a problem hiding this comment.
I think this should stay a TODO, and we find a better way of signing them in the future without failing due to the DMG symlink. Currently they are always signed together, so it's safe to assume here in the meantime.
| hfsplus = context.config["hfsplus"] | ||
| undmg_cmd = [dmg, "extract", source, "tmp.hfs"] | ||
| log.info(undmg_cmd) | ||
| await execute_subprocess(undmg_cmd, cwd=context.config["work_dir"], log_level=logging.DEBUG) |
There was a problem hiding this comment.
I was testing this in adhoc signer, which doesn't have repackaging setup.
I guess we could try this on Try?
hneiva
force-pushed
the
hneiva/rcodesign
branch
from
b52c549 to
aac1754
Compare
hneiva
force-pushed
the
hneiva/rcodesign
branch
from
aac1754 to
98cc8ba
Compare
There was a problem hiding this comment.
Approving, but please make sure that the symlink situation is verified before this is used in prod. (You can deploy this is to prod safely, I think, this it's a new format, but it shouldn't be used outside of try or a project branch until we know the symlinks are fine.)
Nice work!
| if provisioning_profile_config: | ||
| copy_provisioning_profiles(bundle_path, provisioning_profile_config) | ||
|
|
||
| # TODO: widevine and omnija signing should run from formats? |
There was a problem hiding this comment.
Did this get filed somewhere?
| hfsplus = context.config["hfsplus"] | ||
| undmg_cmd = [dmg, "extract", source, "tmp.hfs"] | ||
| log.info(undmg_cmd) | ||
| await execute_subprocess(undmg_cmd, cwd=context.config["work_dir"], log_level=logging.DEBUG) |
No description provided.