Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[MacOS] Override helper-alerts identifier for signing. #8755

Merged
merged 2 commits into from
May 12, 2021
Merged

[MacOS] Override helper-alerts identifier for signing. #8755

Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
be73472
[MacOS] Override helper-alerts identifier for signing.
mkarolin May 8, 2021
c0afd8a
Pacify pylint for signing_helper.py
mkarolin May 11, 2021
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
48 changes: 35 additions & 13 deletions script/signing_helper.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5,12 +5,14 @@
# License, v. 2.0. If a copy of the MPL was not distributed with this file,
# You can obtain one at http://mozilla.org/MPL/2.0/. */

""" This helper is a collection of functions used for signing on MacOS """

import collections
import os
import subprocess
import sys

from signing import model
from signing import model # pylint: disable=import-error

# Construct path to signing modules in chrome/installer/mac/signing
signing_path = os.path.realpath(os.path.dirname(os.path.realpath(__file__)))
Expand All @@ -19,8 +21,8 @@
sys.path.append(signing_path)

# Import the entire module to avoid circular dependencies in the functions
import signing.model # noqa: E402
import signing.signing # noqa: E402
import signing.model # pylint: disable=import-error, reimported, wrong-import-position, unused-import
import signing.signing # pylint: disable=import-error, wrong-import-position, unused-import

brave_channel = os.environ.get('BRAVE_CHANNEL')
sign_widevine_cert = os.environ.get('SIGN_WIDEVINE_CERT')
Expand All @@ -33,27 +35,32 @@


def file_exists(path):
""" Checks if file with the given path exists """
return os.path.exists(path)


def run_command(args, **kwargs):
print('Running command: {}'.format(args))
""" Runs the given executable with the given arguments """
print('Running command: {}'.format(args)) # pylint: disable=superfluous-parens
subprocess.check_call(args, **kwargs)


def GenerateBraveWidevineSigFile(paths, config, part):
""" Generates Widevine .sig file """
if sign_widevine_key and sign_widevine_passwd and file_exists(sig_generator_path):
# Framework needs to be signed before generating Widevine signature
# file. The calling script will re-sign it after Widevine signature
# file has been added (see signing.py from where this function is
# called).
from signing.signing import sign_part
from signing.signing import sign_part # pylint: disable=import-error
sign_part(paths, config, part)
# Generate signature file
chrome_framework_name = config.app_product + ' Framework'
chrome_framework_version_path = os.path.join(paths.work, part.path, 'Versions', config.version)
chrome_framework_version_path = os.path.join(paths.work, part.path,
'Versions', config.version)
sig_source_file = os.path.join(chrome_framework_version_path, chrome_framework_name)
sig_target_file = os.path.join(chrome_framework_version_path, 'Resources', chrome_framework_name + '.sig')
sig_target_file = os.path.join(chrome_framework_version_path, 'Resources',
chrome_framework_name + '.sig')
assert file_exists(sig_source_file), 'Wrong source path for sig generation'

command = ['python', sig_generator_path, '--input_file', sig_source_file,
Expand All @@ -67,8 +74,9 @@ def GenerateBraveWidevineSigFile(paths, config, part):


def AddBravePartsForSigning(parts, config):
""" Inserts Brave specific parts that need to be signed """
parts = collections.OrderedDict(parts)
from signing.model import CodeSignedProduct, VerifyOptions, CodeSignOptions
from signing.model import CodeSignedProduct, VerifyOptions, CodeSignOptions # pylint: disable=import-error

development = True if config.provisioning_profile_basename is None else False

Expand All @@ -92,14 +100,14 @@ def AddBravePartsForSigning(parts, config):
if not development:
# Add Sparkle binaries
parts['sparkle-framework-fileop'] = CodeSignedProduct(
'{.framework_dir}/Versions/{.version}/Frameworks/Sparkle.framework/Versions/A/Resources/Autoupdate.app/Contents/MacOS/fileop' # noqa: E501
'{0.framework_dir}/Versions/{1.version}/Frameworks/Sparkle.framework/Versions/A/Resources/Autoupdate.app/Contents/MacOS/fileop' # pylint: disable=line-too-long
.format(config, config),
'fileop',
verify_options=VerifyOptions.DEEP + VerifyOptions.NO_STRICT)
parts['sparkle-framework-fileop'].options = full_hardened_runtime_options

parts['sparkle-framework-autoupdate'] = CodeSignedProduct(
'{.framework_dir}/Versions/{.version}/Frameworks/Sparkle.framework/Versions/A/Resources/Autoupdate.app/Contents/MacOS/Autoupdate' # noqa: E501
'{0.framework_dir}/Versions/{1.version}/Frameworks/Sparkle.framework/Versions/A/Resources/Autoupdate.app/Contents/MacOS/Autoupdate' # pylint: disable=line-too-long
.format(config, config),
'org.sparkle-project.Sparkle.Autoupdate',
verify_options=VerifyOptions.DEEP + VerifyOptions.NO_STRICT)
Expand All @@ -113,16 +121,26 @@ def AddBravePartsForSigning(parts, config):

# Overwrite to avoid TeamID mismatch with widevine dylib.
parts['helper-app'].entitlements = 'helper-entitlements.plist'
parts['helper-app'].options = CodeSignOptions.RESTRICT + CodeSignOptions.KILL + CodeSignOptions.HARDENED_RUNTIME
parts['helper-app'].options = (CodeSignOptions.RESTRICT
+ CodeSignOptions.KILL
+ CodeSignOptions.HARDENED_RUNTIME)
# Alerts helper is not being distributed with Chrome yet and, because it
# uses the same identifier as the current Alerts service, the signing fails.
# For now we can set a different identifier and then remove this change once
# the helper starts being bundled into the distribution.
parts['helper-alerts'].identifier = '{}.helper.alerts'.format(config.base_bundle_id)

return parts


def GetBraveSigningConfig(config_class, mac_provisioning_profile=None):
class ConfigNonChromeBranded(config_class):
""" Creates Brave specific config used for signing """
class ConfigNonChromeBranded(config_class): # pylint: disable=too-few-public-methods
""" Config that overrides is_chrome_branded """

@staticmethod
def is_chrome_branded():
""" Not chrome branded """
return False

config_class = ConfigNonChromeBranded
Expand All @@ -134,22 +152,26 @@ def is_chrome_branded():
provisioning_profile = os.environ['MAC_PROVISIONING_PROFILE']

# If provisioning_profile is not set, then it's development config.
if not len(provisioning_profile):
if not provisioning_profile:
return config_class

class ProvisioningProfileCodeSignConfig(config_class):
""" Config with provisioning profile """

@property
def provisioning_profile_basename(self):
""" Provisioning profile base name """
return os.path.splitext(os.path.basename(
provisioning_profile))[0]

@property
def run_spctl_assess(self):
""" Run spctl check """
return True

@property
def distributions(self):
""" Brave distribution """
return [model.Distribution(channel=brave_channel)]

return ProvisioningProfileCodeSignConfig