Merge bitcoin/bitcoin#22191: [0.21] gitian: Use custom MacOS code signing tool

0fe60a84ae Use latest signapple commit (Andrew Chow) 5313d6aed2 gitian: Remove codesign_allocate and pagestuff from MacOS build (Andrew Chow) 27d691b6b5 gitian: use signapple to create the MacOS code signature (Andrew Chow) 2f33e339a8 gitian: use signapple to apply the MacOS code signature (Andrew Chow) 65ce833042 gitian: install signapple in gitian-osx-signer.yml (Andrew Chow) Pull request description: Backport of #20880 and #22190 ACKs for top commit: MarcoFalke: cherry-pick-only ACK 0fe60a84ae 🍀 Tree-SHA512: e864048fab02a1857161602dd53abba552ca3f859c133a47a5e62c28d3e4de9cd099bce86123a1b5892042b09f51cc1ddd2ed1b0c71bfba162710eaee3f5bf91
2025-04-29 23:09:44 -04:00 · 2021-06-19 09:50:05 +02:00 · 2021-06-19 09:50:05 +02:00 · 926f76cb20
commit 926f76cb20
parent 419f9b3b3b 0fe60a84ae
4 changed files with 24 additions and 67 deletions
--- a/contrib/gitian-descriptors/gitian-osx-signer.yml
+++ b/contrib/gitian-descriptors/gitian-osx-signer.yml
@ -7,9 +7,13 @@ architectures:
 - "amd64"
 packages:
 - "faketime"
 - "python3-pip"
 remotes:
 - "url": "https://github.com/bitcoin-core/bitcoin-detached-sigs.git"
  "dir": "signature"
 - "url": "https://github.com/achow101/signapple.git"
  "dir": "signapple"
  "commit": "b084cbbf44d5330448ffce0c7d118f75781b64bd"
 files:
 - "bitcoin-osx-unsigned.tar.gz"
 script: |
@ -30,11 +34,19 @@ script: |
    chmod +x ${WRAP_DIR}/${prog}
  done
-  UNSIGNED=bitcoin-osx-unsigned.tar.gz
+  # Install signapple
  cd signapple
  python3 -m pip install -U pip setuptools
  python3 -m pip install .
  export PATH="$HOME/.local/bin":$PATH
  cd ..
  UNSIGNED_TARBALL=bitcoin-osx-unsigned.tar.gz
  UNSIGNED_APP=dist/Bitcoin-Qt.app
  SIGNED=bitcoin-osx-signed.dmg
-  tar -xf ${UNSIGNED}
+  tar -xf ${UNSIGNED_TARBALL}
  OSX_VOLNAME="$(cat osx_volname)"
-  ./detached-sig-apply.sh ${UNSIGNED} signature/osx
+  ./detached-sig-apply.sh ${UNSIGNED_APP} signature/osx/dist
  ${WRAP_DIR}/genisoimage -no-cache-inodes -D -l -probe -V "${OSX_VOLNAME}" -no-pad -r -dir-mode 0755 -apple -o uncompressed.dmg signed-app
  ${WRAP_DIR}/dmg dmg uncompressed.dmg ${OUTDIR}/${SIGNED}
--- a/contrib/gitian-descriptors/gitian-osx.yml
+++ b/contrib/gitian-descriptors/gitian-osx.yml
@ -138,8 +138,6 @@ script: |
    cp contrib/macdeploy/detached-sig-apply.sh unsigned-app-${i}
    cp contrib/macdeploy/detached-sig-create.sh unsigned-app-${i}
    cp ${BASEPREFIX}/${i}/native/bin/dmg ${BASEPREFIX}/${i}/native/bin/genisoimage unsigned-app-${i}
    cp ${BASEPREFIX}/${i}/native/bin/${i}-codesign_allocate unsigned-app-${i}/codesign_allocate
    cp ${BASEPREFIX}/${i}/native/bin/${i}-pagestuff unsigned-app-${i}/pagestuff
    mv dist unsigned-app-${i}
    pushd unsigned-app-${i}
    find . | sort | tar --mtime="$REFERENCE_DATETIME" --no-recursion --mode='u+rw,go+r-w,a+X' --owner=0 --group=0 -c -T - | gzip -9n > ${OUTDIR}/${DISTNAME}-osx-unsigned.tar.gz
--- a/contrib/macdeploy/detached-sig-apply.sh
+++ b/contrib/macdeploy/detached-sig-apply.sh
@ -8,10 +8,9 @@ set -e
 UNSIGNED="$1"
 SIGNATURE="$2"
 ARCH=x86_64
 ROOTDIR=dist
 TEMPDIR=signed.temp
 OUTDIR=signed-app
 SIGNAPPLE=signapple
 if [ -z "$UNSIGNED" ]; then
  echo "usage: $0 <unsigned app> <signature>"
@ -23,35 +22,6 @@ if [ -z "$SIGNATURE" ]; then
  exit 1
 fi
-rm -rf ${TEMPDIR} && mkdir -p ${TEMPDIR}
+${SIGNAPPLE} apply ${UNSIGNED} ${SIGNATURE}
-tar -C ${TEMPDIR} -xf ${UNSIGNED}
+mv ${ROOTDIR} ${OUTDIR}
 cp -rf "${SIGNATURE}"/* ${TEMPDIR}
 if [ -z "${PAGESTUFF}" ]; then
  PAGESTUFF=${TEMPDIR}/pagestuff
 fi
 if [ -z "${CODESIGN_ALLOCATE}" ]; then
  CODESIGN_ALLOCATE=${TEMPDIR}/codesign_allocate
 fi
 find ${TEMPDIR} -name "*.sign" | while read i; do
  SIZE=$(stat -c %s "${i}")
  TARGET_FILE="$(echo "${i}" | sed 's/\.sign$//')"
  echo "Allocating space for the signature of size ${SIZE} in ${TARGET_FILE}"
  ${CODESIGN_ALLOCATE} -i "${TARGET_FILE}" -a ${ARCH} ${SIZE} -o "${i}.tmp"
  OFFSET=$(${PAGESTUFF} "${i}.tmp" -p | tail -2 | grep offset | sed 's/[^0-9]*//g')
  if [ -z ${QUIET} ]; then
    echo "Attaching signature at offset ${OFFSET}"
  fi
  dd if="$i" of="${i}.tmp" bs=1 seek=${OFFSET} count=${SIZE} 2>/dev/null
  mv "${i}.tmp" "${TARGET_FILE}"
  rm "${i}"
  echo "Success."
 done
 mv ${TEMPDIR}/${ROOTDIR} ${OUTDIR}
 rm -rf ${TEMPDIR}
 echo "Signed: ${OUTDIR}"
--- a/contrib/macdeploy/detached-sig-create.sh
+++ b/contrib/macdeploy/detached-sig-create.sh
@ -8,44 +8,21 @@ set -e
 ROOTDIR=dist
 BUNDLE="${ROOTDIR}/Bitcoin-Qt.app"
-CODESIGN=codesign
+SIGNAPPLE=signapple
 TEMPDIR=sign.temp
 TEMPLIST=${TEMPDIR}/signatures.txt
 OUT=signature-osx.tar.gz
-OUTROOT=osx
+OUTROOT=osx/dist
 if [ -z "$1" ]; then
-  echo "usage: $0 <codesign args>"
+  echo "usage: $0 <signapple args>"
-  echo "example: $0 -s MyIdentity"
+  echo "example: $0 <path to key>"
  exit 1
 fi
-rm -rf ${TEMPDIR} ${TEMPLIST}
+rm -rf ${TEMPDIR}
 mkdir -p ${TEMPDIR}
-${CODESIGN} -f --file-list ${TEMPLIST} "$@" "${BUNDLE}"
+${SIGNAPPLE} sign -f --detach "${TEMPDIR}/${OUTROOT}"  "$@" "${BUNDLE}"
 grep -v CodeResources < "${TEMPLIST}" | while read i; do
  TARGETFILE="${BUNDLE}/$(echo "${i}" | sed "s|.*${BUNDLE}/||")"
  SIZE=$(pagestuff "$i" -p | tail -2 | grep size | sed 's/[^0-9]*//g')
  OFFSET=$(pagestuff "$i" -p | tail -2 | grep offset | sed 's/[^0-9]*//g')
  SIGNFILE="${TEMPDIR}/${OUTROOT}/${TARGETFILE}.sign"
  DIRNAME="$(dirname "${SIGNFILE}")"
  mkdir -p "${DIRNAME}"
  echo "Adding detached signature for: ${TARGETFILE}. Size: ${SIZE}. Offset: ${OFFSET}"
  dd if="$i" of="${SIGNFILE}" bs=1 skip=${OFFSET} count=${SIZE} 2>/dev/null
 done
 grep CodeResources < "${TEMPLIST}" | while read i; do
  TARGETFILE="${BUNDLE}/$(echo "${i}" | sed "s|.*${BUNDLE}/||")"
  RESOURCE="${TEMPDIR}/${OUTROOT}/${TARGETFILE}"
  DIRNAME="$(dirname "${RESOURCE}")"
  mkdir -p "${DIRNAME}"
  echo "Adding resource for: \"${TARGETFILE}\""
  cp "${i}" "${RESOURCE}"
 done
 rm ${TEMPLIST}
 tar -C "${TEMPDIR}" -czf "${OUT}" .
 rm -rf "${TEMPDIR}"