From c60055c637087142696a3c804f10d7b0e6821ed6 Mon Sep 17 00:00:00 2001 From: Ava Chow Date: Mon, 11 Nov 2024 18:34:58 -0500 Subject: [PATCH] contrib: Sign and notarize all MacOS binaries Signapple has been updated to sign individual binaries, and notarize app bundles and binaries. When codesigning, all individual binaries will be codesigned, and both the app bundle and individual binaries will be notarized. Github-Pull: #31407 Rebased-From: 31d325464d0cf2d06888e0c543ae26a944f2ec6b --- contrib/macdeploy/detached-sig-create.sh | 53 +++++++++++++++++++----- doc/release-process.md | 2 +- 2 files changed, 43 insertions(+), 12 deletions(-) diff --git a/contrib/macdeploy/detached-sig-create.sh b/contrib/macdeploy/detached-sig-create.sh index 097a7c35ee4..89094403b7f 100755 --- a/contrib/macdeploy/detached-sig-create.sh +++ b/contrib/macdeploy/detached-sig-create.sh @@ -6,26 +6,57 @@ export LC_ALL=C set -e -ROOTDIR=dist -BUNDLE="${ROOTDIR}/Bitcoin-Qt.app" -BINARY="${BUNDLE}/Contents/MacOS/Bitcoin-Qt" SIGNAPPLE=signapple TEMPDIR=sign.temp -ARCH=$(${SIGNAPPLE} info ${BINARY} | head -n 1 | cut -d " " -f 1) -OUT="signature-osx-${ARCH}.tar.gz" -OUTROOT=osx/dist -if [ -z "$1" ]; then - echo "usage: $0 " - echo "example: $0 " +BUNDLE_ROOT=dist +BUNDLE_NAME="Bitcoin-Qt.app" +UNSIGNED_BUNDLE="${BUNDLE_ROOT}/${BUNDLE_NAME}" +UNSIGNED_BINARY="${UNSIGNED_BUNDLE}/Contents/MacOS/Bitcoin-Qt" + +ARCH=$(${SIGNAPPLE} info ${UNSIGNED_BINARY} | head -n 1 | cut -d " " -f 1) + +OUTDIR="osx/${ARCH}-apple-darwin" +OUTROOT="${TEMPDIR}/${OUTDIR}" + +OUT="signature-osx-${ARCH}.tar.gz" + +if [ "$#" -ne 3 ]; then + echo "usage: $0 " exit 1 fi rm -rf ${TEMPDIR} mkdir -p ${TEMPDIR} -${SIGNAPPLE} sign -f --detach "${TEMPDIR}/${OUTROOT}" "$@" "${BUNDLE}" --hardened-runtime +stty -echo +printf "Enter the passphrase for %s: " "$1" +read cs_key_pass +printf "\n" +printf "Enter the passphrase for %s: " "$2" +read api_key_pass +printf "\n" +stty echo -tar -C "${TEMPDIR}" -czf "${OUT}" . +# Sign and notarize app bundle +${SIGNAPPLE} sign -f --hardened-runtime --detach "${OUTROOT}/${BUNDLE_ROOT}" --passphrase "${cs_key_pass}" "$1" "${UNSIGNED_BUNDLE}" +${SIGNAPPLE} apply "${UNSIGNED_BUNDLE}" "${OUTROOT}/${BUNDLE_ROOT}/${BUNDLE_NAME}" +${SIGNAPPLE} notarize --detach "${OUTROOT}/${BUNDLE_ROOT}" --passphrase "${api_key_pass}" "$2" "$3" "${UNSIGNED_BUNDLE}" + +# Sign each binary +find . -maxdepth 3 -wholename "*/bin/*" -type f -exec realpath --relative-to=. {} \; | while read -r bin +do + bin_dir=$(dirname "${bin}") + bin_name=$(basename "${bin}") + ${SIGNAPPLE} sign -f --hardened-runtime --detach "${OUTROOT}/${bin_dir}" --passphrase "${cs_key_pass}" "$1" "${bin}" + ${SIGNAPPLE} apply "${bin}" "${OUTROOT}/${bin_dir}/${bin_name}.${ARCH}sign" +done + +# Notarize the binaries +# Binaries cannot have stapled notarizations so this does not actually generate any output +binaries_dir=$(dirname "$(find . -maxdepth 2 -wholename '*/bin' -type d -exec realpath --relative-to=. {} \;)") +${SIGNAPPLE} notarize --passphrase "${api_key_pass}" "$2" "$3" "${binaries_dir}" + +tar -C "${TEMPDIR}" -czf "${OUT}" "${OUTDIR}" rm -rf "${TEMPDIR}" echo "Created ${OUT}" diff --git a/doc/release-process.md b/doc/release-process.md index d813fa8e207..ca42c0ff496 100644 --- a/doc/release-process.md +++ b/doc/release-process.md @@ -165,7 +165,7 @@ Then open a Pull Request to the [guix.sigs repository](https://github.com/bitcoi In the `guix-build-${VERSION}/output/x86_64-apple-darwin` and `guix-build-${VERSION}/output/arm64-apple-darwin` directories: tar xf bitcoin-${VERSION}-${ARCH}-apple-darwin-codesigning.tar.gz - ./detached-sig-create.sh /path/to/codesign.p12 + ./detached-sig-create.sh /path/to/codesign.p12 /path/to/AuthKey_foo.p8 uuid Enter the keychain password and authorize the signature signature-osx.tar.gz will be created