feat: Mac hardened signing on signingscript

Author: hneiva

signingscript/Dockerfile

@@ -11,6 +11,7 @@ RUN groupadd --gid 10001 app && \
 
 # Copy only required folders
 COPY ["signingscript", "/app/signingscript/"]
+COPY ["scriptworker_client", "/app/scriptworker_client/"]
 COPY ["configloader", "/app/configloader/"]
 COPY ["docker.d", "/app/docker.d/"]
 COPY ["vendored", "/app/vendored/"]
@@ -19,19 +20,18 @@ COPY ["vendored", "/app/vendored/"]
 COPY ["version.jso[n]", "/app/"]
 
 # Change owner of /app to app:app
+# Build and install libdmg_hfsplus
 # Install msix
 # Install rcodesign
-RUN chown -R app:app /app && \
-    cd /app/signingscript/docker.d && \
-    bash build_msix_packaging.sh && \
-    cp msix-packaging/.vs/bin/makemsix /usr/bin && \
-    cp msix-packaging/.vs/lib/libmsix.so /usr/lib && \
-    cd .. && \
-    rm -rf msix-packaging && \
-    wget -qO- \
-    https://github.com/indygreg/apple-platform-rs/releases/download/apple-codesign%2F0.22.0/apple-codesign-0.22.0-x86_64-unknown-linux-musl.tar.gz \
-    | tar xvz -C /usr/bin --transform 's/.*\///g' --wildcards --no-anchored 'rcodesign' && \
-    chmod +x /usr/bin/rcodesign
+RUN chown -R app:app /app \
+ && cd /app/scriptworker_client \
+ && pip install /app/scriptworker_client \
+ && pip install -r requirements/base.txt \
+ && pip install . \
+ && cd /app/signingscript/docker.d \
+ && bash build_libdmg_hfsplus.sh /usr/bin \
+ && bash build_rcodesign.sh /usr/bin \
+ && bash build_msix_packaging.sh
 
 # Set user and workdir
 USER app
@@ -40,6 +40,7 @@ WORKDIR /app
 # Install signingscript + configloader + widevine
 RUN python -m venv /app \
  && cd signingscript \
+ && /app/bin/pip install /app/scriptworker_client \
  && /app/bin/pip install -r requirements/base.txt \
  && /app/bin/pip install . \
  && python -m venv /app/configloader_venv \

signingscript/docker.d/apple_signing_creds.yml

@@ -0,0 +1,24 @@
+$let:
+  scope_prefix:
+    $match:
+      'COT_PRODUCT == "firefox"': 'project:releng:signing:'
+      'COT_PRODUCT == "thunderbird"': 'project:comm:thunderbird:releng:signing:'
+      'COT_PRODUCT == "mozillavpn"': 'project:mozillavpn:releng:signing:'
+      'COT_PRODUCT == "adhoc"': 'project:adhoc:releng:signing:'
+in:
+  $merge:
+    $match:
+      'ENV == "prod" && scope_prefix':
+        '${scope_prefix[0]}cert:release-signing':
+          - "app_credentials": {"$eval": "APPLE_APP_SIGNING_CREDENTIALS"}
+            "installer_credentials": {"$eval": "APPLE_INSTALLER_SIGNING_CREDENTIALS"}
+            "password": {"$eval": "APPLE_SIGNING_CREDS_PASSWORD"}
+        '${scope_prefix[0]}cert:nightly-signing':
+          - "app_credentials": {"$eval": "APPLE_APP_SIGNING_CREDENTIALS"}
+            "installer_credentials": {"$eval": "APPLE_INSTALLER_SIGNING_CREDENTIALS"}
+            "password": {"$eval": "APPLE_SIGNING_CREDS_PASSWORD"}
+      'ENV != "prod" && scope_prefix':
+        '${scope_prefix[0]}cert:dep-signing':
+          - "app_credentials": {"$eval": "APPLE_APP_SIGNING_DEP_CREDENTIALS"}
+            "installer_credentials": {"$eval": "APPLE_INSTALLER_SIGNING_DEP_CREDENTIALS"}
+            "password": {"$eval": "APPLE_SIGNING_DEP_CREDS_PASSWORD"}

signingscript/docker.d/build_libdmg_hfsplus.sh

@@ -0,0 +1,33 @@
+#!/bin/bash
+set -x -e -v
+
+# This script is for building libdmg-hfsplus to get the `dmg` and `hfsplus`
+# tools for handling DMG archives on Linux.
+
+DEST=$1
+if [ -d "$DEST" ]; then
+  echo "Binaries will be installed to: $DEST"
+else
+  echo "Destination directory doesn't exist!"
+  exit 1
+fi
+
+git clone --depth=1 --branch mozilla --single-branch https://github.com/mozilla/libdmg-hfsplus/ libdmg-hfsplus
+
+pushd libdmg-hfsplus
+
+# The openssl libraries in the sysroot cannot be linked in a PIE executable so we use -no-pie
+cmake \
+  -DOPENSSL_USE_STATIC_LIBS=1 \
+  -DCMAKE_EXE_LINKER_FLAGS=-no-pie \
+  .
+
+make VERBOSE=1 -j$(nproc)
+
+# We only need the dmg and hfsplus tools.
+strip dmg/dmg hfs/hfsplus
+cp dmg/dmg hfs/hfsplus "$DEST"
+
+popd
+rm -rf libdmg-hfsplus
+echo "Done."

signingscript/docker.d/build_msix_packaging.sh

@@ -8,3 +8,8 @@ cd msix-packaging
 ./makelinux.sh --pack
 
 cd ..
+
+cp msix-packaging/.vs/bin/makemsix /usr/bin
+cp msix-packaging/.vs/lib/libmsix.so /usr/lib
+
+rm -rf msix-packaging

signingscript/docker.d/build_rcodesign.sh

@@ -0,0 +1,16 @@
+#!/bin/bash
+set -x -e -v
+
+DEST=$1
+if [ -d "$DEST" ]; then
+  echo "Binaries will be installed to: $DEST"
+else
+  echo "Destination directory doesn't exist!"
+  exit 1
+fi
+
+
+wget -qO- https://github.com/indygreg/apple-platform-rs/releases/download/apple-codesign%2F0.26.0/apple-codesign-0.26.0-x86_64-unknown-linux-musl.tar.gz \
+ | tar xvz -C "$DEST" --transform 's/.*\///g' --wildcards --no-anchored 'rcodesign'
+
+chmod +x "${DEST}/rcodesign"

signingscript/docker.d/init_worker.sh

@@ -21,11 +21,12 @@ test_var_set 'PROJECT_NAME'
 test_var_set 'PUBLIC_IP'
 test_var_set 'TEMPLATE_DIR'
 
-export DMG_PATH=$APP_DIR/signingscript/files/dmg
-export HFSPLUS_PATH=$APP_DIR/signingscript/files/hfsplus
+export DMG_PATH=/usr/bin/dmg
+export HFSPLUS_PATH=/usr/bin/hfsplus
 
 export PASSWORDS_PATH=$CONFIG_DIR/passwords.json
 export APPLE_NOTARIZATION_CREDS_PATH=$CONFIG_DIR/apple_notarization_creds.json
+export APPLE_SIGNING_CONFIG_PATH=$CONFIG_DIR/apple_signing_config.json
 export GPG_PUBKEY_PATH=$APP_DIR/signingscript/src/signingscript/data/gpg_pubkey_dep.asc
 export WIDEVINE_CERT_PATH=$CONFIG_DIR/widevine.crt
 export AUTHENTICODE_TIMESTAMP_STYLE=old
@@ -260,3 +261,4 @@ esac
 
 $CONFIG_LOADER $TEMPLATE_DIR/passwords.yml $PASSWORDS_PATH
 $CONFIG_LOADER $TEMPLATE_DIR/apple_notarization_creds.yml $APPLE_NOTARIZATION_CREDS_PATH
+$CONFIG_LOADER $TEMPLATE_DIR/apple_signing_creds.yml $APPLE_SIGNING_CONFIG_PATH

signingscript/docker.d/worker.yml

@@ -4,6 +4,7 @@ verbose: { "$eval": "VERBOSE == 'true'" }
 my_ip: { "$eval": "PUBLIC_IP" }
 autograph_configs: { "$eval": "PASSWORDS_PATH" }
 apple_notarization_configs: { "$eval": "APPLE_NOTARIZATION_CREDS_PATH" }
+apple_signing_configs: { "$eval": "APPLE_SIGNING_CONFIG_PATH" }
 taskcluster_scope_prefixes:
   $flatten:
     $match: