From edc18462d87b86cab9b547f70e8781a0c9126fbd Mon Sep 17 00:00:00 2001
From: Ava Chow
Date: Mon, 11 Nov 2024 18:34:58 -0500
Subject: [PATCH] contrib: Sign all MacOS binaries and notarize MacOS app bundle

Signapple has been updated to notarize bundles, and to sign individual binaries. The app bundle is now notarized, and the individual binaries are codesigned.
---
 contrib/macdeploy/detached-sig-create.sh | 46 ++++++++++++++++++------
 doc/release-process.md | 2 +-
 2 files changed, 36 insertions(+), 12 deletions(-)

diff --git a/contrib/macdeploy/detached-sig-create.sh b/contrib/macdeploy/detached-sig-create.sh
index 097a7c35ee..dc2fc73249 100755
--- a/contrib/macdeploy/detached-sig-create.sh
+++ b/contrib/macdeploy/detached-sig-create.sh
@@ -6,26 +6,50 @@ export LC_ALL=C
 set -e
 
-ROOTDIR=dist
-BUNDLE="${ROOTDIR}/Bitcoin-Qt.app"
-BINARY="${BUNDLE}/Contents/MacOS/Bitcoin-Qt"
 SIGNAPPLE=signapple
 TEMPDIR=sign.temp
-ARCH=$(${SIGNAPPLE} info ${BINARY} | head -n 1 | cut -d " " -f 1)
-OUT="signature-osx-${ARCH}.tar.gz"
-OUTROOT=osx/dist
 
-if [ -z "$1" ]; then
- echo "usage: $0 "
- echo "example: $0 "
+BUNDLE_ROOT=dist
+BUNDLE_NAME="Bitcoin-Qt.app"
+UNSIGNED_BUNDLE="${BUNDLE_ROOT}/${BUNDLE_NAME}"
+UNSIGNED_BINARY="${UNSIGNED_BUNDLE}/Contents/MacOS/Bitcoin-Qt"
+
+ARCH=$(file ${UNSIGNED_BINARY} | cut -d " " -f 4)
+
+OUTDIR="osx/${ARCH}-apple-darwin"
+OUTROOT="${TEMPDIR}/${OUTDIR}"
+
+OUT="signature-osx-${ARCH}.tar.gz"
+
+if [ "$#" -ne 3 ]; then
+ echo "usage: $0 "
  exit 1
 fi
 
 rm -rf ${TEMPDIR}
 mkdir -p ${TEMPDIR}
 
-${SIGNAPPLE} sign -f --detach "${TEMPDIR}/${OUTROOT}" "$@" "${BUNDLE}" --hardened-runtime
+stty -echo
+printf "Enter the passphrase for %s: " "$1"
+read cs_key_pass
+printf "\n"
+printf "Enter the passphrase for %s: " "$2"
+read api_key_pass
+printf "\n"
+stty echo
 
-tar -C "${TEMPDIR}" -czf "${OUT}" .
+# Sign and notarize app bundle
+${SIGNAPPLE} sign -f --hardened-runtime --detach "${OUTROOT}/${BUNDLE_ROOT}" --passphrase "${cs_key_pass}" "$1" "${UNSIGNED_BUNDLE}"
+${SIGNAPPLE} apply "${UNSIGNED_BUNDLE}" "${OUTROOT}/${BUNDLE_ROOT}/${BUNDLE_NAME}"
+${SIGNAPPLE} notarize --detach "${OUTROOT}/${BUNDLE_ROOT}" --passphrase "${api_key_pass}" "$2" "$3" "${UNSIGNED_BUNDLE}"
+
+# Sign each binary
+find . -wholename "*/bin/*" -type f -exec realpath --relative-to=. {} \; | while read -r bin
+do
+ bin_dir="$(dirname "${bin}")"
+ ${SIGNAPPLE} sign -f --hardened-runtime --detach "${OUTROOT}/${bin_dir}" --passphrase "${cs_key_pass}" "$1" "${bin}"
+done
+
+tar -C "${TEMPDIR}" -czf "${OUT}" "${OUTDIR}"
 rm -rf "${TEMPDIR}"
 
 echo "Created ${OUT}"
diff --git a/doc/release-process.md b/doc/release-process.md
index ca877cfb35..046a1bd57f 100644
--- a/doc/release-process.md
+++ b/doc/release-process.md
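Review bot: The passphrases collected under `stty -echo` are then handed to signapple on the command line via `--passphrase "${cs_key_pass}"` and `--passphrase "${api_key_pass}"` (the bundle sign, the notarize call, and once per binary inside the `find` loop), which exposes the code-signing and API-key secrets to every local user through `ps` or `/proc/<pid>/cmdline` for the lifetime of each invocation; if signapple can take the passphrase from an environment variable or stdin that path should be used instead, and if it cannot, a comment such as `# NOTE: --passphrase is visible in the process list; run only on a dedicated signing host` belongs above `# Sign and notarize app bundle`. Nothing restores terminal echo if the script dies between `stty -echo` and `stty echo` — under `set -e` an EOF on `read` or a Ctrl-C leaves the operator's terminal silent — so `trap 'stty echo' EXIT` before `stty -echo`, plus `read -r cs_key_pass` / `read -r api_key_pass` so a backslash in a passphrase is not consumed, closes both. The `ARCH=$(file ${UNSIGNED_BINARY} | cut -d " " -f 4)` line derives the output directory and archive name from the fourth word of `file`'s output with no check that it produced anything; a guard like `[ -n "${ARCH}" ] || { echo "could not determine arch of ${UNSIGNED_BINARY}" >&2; exit 1; }` avoids silently writing `signature-osx-.tar.gz` under a bogus `osx/-apple-darwin` path when the parse fails.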
@@ -165,7 +165,7 @@ Then open a Pull Request to the [guix.sigs repository](https://github.com/bitcoi
 In the `guix-build-${VERSION}/output/x86_64-apple-darwin` and `guix-build-${VERSION}/output/arm64-apple-darwin` directories:
 
 tar xf bitcoin-osx-codesigning.tar.gz
- ./detached-sig-create.sh /path/to/codesign.p12
+ ./detached-sig-create.sh /path/to/codesign.p12 /path/to/AuthKey_foo.p8 uuid
 Enter the keychain password and authorize the signature
 signature-osx.tar.gz will be created