diff --git a/contrib/macdeploy/detached-sig-create.sh b/contrib/macdeploy/detached-sig-create.sh index 097a7c35ee4..dc2fc732495 100755 --- a/contrib/macdeploy/detached-sig-create.sh +++ b/contrib/macdeploy/detached-sig-create.sh @@ -6,26 +6,50 @@ export LC_ALL=C set -e -ROOTDIR=dist -BUNDLE="${ROOTDIR}/Bitcoin-Qt.app" -BINARY="${BUNDLE}/Contents/MacOS/Bitcoin-Qt" SIGNAPPLE=signapple TEMPDIR=sign.temp -ARCH=$(${SIGNAPPLE} info ${BINARY} | head -n 1 | cut -d " " -f 1) -OUT="signature-osx-${ARCH}.tar.gz" -OUTROOT=osx/dist -if [ -z "$1" ]; then - echo "usage: $0 " - echo "example: $0 " +BUNDLE_ROOT=dist +BUNDLE_NAME="Bitcoin-Qt.app" +UNSIGNED_BUNDLE="${BUNDLE_ROOT}/${BUNDLE_NAME}" +UNSIGNED_BINARY="${UNSIGNED_BUNDLE}/Contents/MacOS/Bitcoin-Qt" + +ARCH=$(file ${UNSIGNED_BINARY} | cut -d " " -f 4) + +OUTDIR="osx/${ARCH}-apple-darwin" +OUTROOT="${TEMPDIR}/${OUTDIR}" + +OUT="signature-osx-${ARCH}.tar.gz" + +if [ "$#" -ne 3 ]; then + echo "usage: $0 " exit 1 fi rm -rf ${TEMPDIR} mkdir -p ${TEMPDIR} -${SIGNAPPLE} sign -f --detach "${TEMPDIR}/${OUTROOT}" "$@" "${BUNDLE}" --hardened-runtime +stty -echo +printf "Enter the passphrase for %s: " "$1" +read cs_key_pass +printf "\n" +printf "Enter the passphrase for %s: " "$2" +read api_key_pass +printf "\n" +stty echo -tar -C "${TEMPDIR}" -czf "${OUT}" . +# Sign and notarize app bundle +${SIGNAPPLE} sign -f --hardened-runtime --detach "${OUTROOT}/${BUNDLE_ROOT}" --passphrase "${cs_key_pass}" "$1" "${UNSIGNED_BUNDLE}" +${SIGNAPPLE} apply "${UNSIGNED_BUNDLE}" "${OUTROOT}/${BUNDLE_ROOT}/${BUNDLE_NAME}" +${SIGNAPPLE} notarize --detach "${OUTROOT}/${BUNDLE_ROOT}" --passphrase "${api_key_pass}" "$2" "$3" "${UNSIGNED_BUNDLE}" + +# Sign each binary +find . -wholename "*/bin/*" -type f -exec realpath --relative-to=. {} \; | while read -r bin +do + bin_dir="$(dirname "${bin}")" + ${SIGNAPPLE} sign -f --hardened-runtime --detach "${OUTROOT}/${bin_dir}" --passphrase "${cs_key_pass}" "$1" "${bin}" +done + +tar -C "${TEMPDIR}" -czf "${OUT}" "${OUTDIR}" rm -rf "${TEMPDIR}" echo "Created ${OUT}" diff --git a/doc/release-process.md b/doc/release-process.md index ca877cfb35a..046a1bd57fc 100644 --- a/doc/release-process.md +++ b/doc/release-process.md @@ -165,7 +165,7 @@ Then open a Pull Request to the [guix.sigs repository](https://github.com/bitcoi In the `guix-build-${VERSION}/output/x86_64-apple-darwin` and `guix-build-${VERSION}/output/arm64-apple-darwin` directories: tar xf bitcoin-osx-codesigning.tar.gz - ./detached-sig-create.sh /path/to/codesign.p12 + ./detached-sig-create.sh /path/to/codesign.p12 /path/to/AuthKey_foo.p8 uuid Enter the keychain password and authorize the signature signature-osx.tar.gz will be created