gui: package signing changes (bug 1810744) (#1324)

- add entitlements/requirements files for codesign - add app bundle to gzipped tarball and remove dmg - add script to generate manifest - add script to generate dmg package - add build step to generate signing manifest
mozilla · Jun 19, 2023 · dbde2c2 · dbde2c2
1 parent 81fb0f4
commit dbde2c2
Show file tree

Hide file tree

Showing 9 changed files with 118 additions and 12 deletions.
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -129,7 +129,7 @@ jobs:
         run: |
           source env/bin/activate
           python gui/build.py bundle
-          ls -alh gui/dist/mozregression-gui.dmg
+          ls -alh gui/mozregression-gui-app-bundle.tar.gz
       - name: Test
         run: |
           source env/bin/activate

diff --git a/.github/workflows/deploy-gui.yml b/.github/workflows/deploy-gui.yml
@@ -76,14 +76,19 @@ jobs:
         run: |
           source env/bin/activate
           python gui/build.py bundle
-          ls -alh gui/dist/mozregression-gui.dmg
+          ls -alh gui/mozregression-gui-app-bundle.tar.gz
       - name: Upload
         uses: actions/upload-release-asset@v1
         with:
           upload_url: ${{ github.event.release.upload_url }}
-          asset_path: ./gui/dist/mozregression-gui.dmg
-          asset_name: mozregression-gui.dmg
+          asset_path: ./gui/mozregression-gui-app-bundle.tar.gz
+          asset_name: mozregression-gui-app-bundle.tar.gz
           asset_content_type: application/octet-stream
+      - name: Print signing manifest
+        run: |
+          source env/bin/activate
+          ./bin/adhoc-sign.py ${{ github.event.release.tag_name }}
+
   build-and-publish-windows-gui:
     runs-on: windows-latest
     env:

diff --git a/.gitignore b/.gitignore
@@ -11,6 +11,7 @@ mozregression.egg-info/
 
 gui/build/
 gui/dist/
+gui/*.tar.gz
 gui/venv/
 gui/mozregression-gui.spec
 gui/mozregui/ui/*.py

diff --git a/README.md b/README.md
@@ -121,3 +121,14 @@ Follow the following conventions for pre-releases:
 - For alpha, beta, or release candidates, tags should be appended with aN, bN, or rcN, starting with N=0. For example, 6.2.1a0.dev4, 6.2.1rc2, etc...
 
 For more info, see [PEP 440](https://peps.python.org/pep-0440/).
+
+#### Signing and notarizing macOS releases
+
+Uploading the signed artifacts is a manual process at this time. To sign and notarize a macOS release, follow these steps:
+
+- Copy the signing manifest output from the build job.
+- Create a pull request to update `signing-manifests/mozregression-macOS.yml` in the [adhoc-signing](https://github.com/mozilla-releng/adhoc-signing) repo with those changes.
+- Wait for pull request to be merged, and the signing task to finish.
+- After the signing task is finished, download `mozregression-gui-app-bundle.tar.gz` and extract it in `gui/dist`.
+- Run `./bin/dmgbuild`.
+- Upload new dmg artifact (gui/dist/mozregression-gui.dmg) to the corresponding release.
diff --git a/bin/adhoc-sign.py b/bin/adhoc-sign.py
@@ -0,0 +1,67 @@
+#! /usr/bin/env python
+
+import argparse
+import hashlib
+
+import yaml
+import requests
+
+
+def main(args: argparse.Namespace):
+    release = args.release[0]
+    filename = "mozregression-gui-app-bundle.tar.gz"
+    urls = {
+        "macOS": "https://github.com/mozilla/mozregression"
+        f"/releases/download/{release}/{filename}",
+        "windows": "https://github.com/mozilla/mozregression"
+        f"/releases/download/{release}/mozregression-gui.exe",
+    }
+
+    operating_systems = {
+        "macOS": ["macapp"],
+    }
+
+    params = {}
+
+    for os, signing_formats in operating_systems.items():
+        url = urls[os]
+        response = requests.get(url)
+        if response.status_code != 200:
+            raise ValueError(f"Could not fetch {url} ({response.status_code})")
+
+        params[os] = {
+            "artifact-name": url.split("/")[-1],
+            "bug": int(args.bug),
+            "fetch": {"url": url},
+            "filesize": len(response.content),
+            "private-artifact": False,
+            "product": "mozregression",
+            "reason": f"Sign application bundle for mozregression {release}.",
+            "requestor": args.requestor,
+            "sha256": hashlib.sha256(response.content).hexdigest(),
+            "signing-formats": signing_formats,
+            "signingscript-notarization": True,
+        }
+
+        if os == "macOS":
+            params[os]["mac-behavior"] = "mac_sign"
+
+    print(yaml.dump_all(params.values()))
+
+
+def create_parser():
+    parser = argparse.ArgumentParser(description="print ad-hoc signing manifest")
+    parser.add_argument("release", nargs=1, help="signing manifest release tag")
+    parser.add_argument("--bug", default="0", help="optional bug number to include")
+    parser.add_argument(
+        "--requestor",
+        default="Zeid Zabaneh <[email protected]>",
+        help="the person who is requesting the signing",
+    )
+    return parser
+
+
+if __name__ == "__main__":
+    parser = create_parser()
+    args = parser.parse_args()
+    main(args)
diff --git a/bin/dmgbuild b/bin/dmgbuild
@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+
+source env/bin/activate
+cd gui/dist
+dmgbuild -s ../dmg_settings.py "mozregression GUI" mozregression-gui.dmg
+cd ../..
+echo "Finished building dmg."
+ls -alh gui/dist |grep dmg
diff --git a/gui/build.py b/gui/build.py
@@ -90,14 +90,8 @@ def do_bundle(options):
         makensis_path = os.path.join(options.nsis_path, "makensis.exe")
         call(makensis_path, "wininst.nsi", cwd="wininst")
     elif IS_MAC:
-        os.chdir("dist")
-        call(
-            "dmgbuild",
-            "-s",
-            "../dmg_settings.py",
-            "mozregression GUI",
-            "mozregression-gui.dmg",
-        )
+        with tarfile.open("mozregression-gui-app-bundle.tar.gz", "w:gz") as tar:
+            tar.add(r"dist", arcname="mozregression-gui-app-bundle")
     else:
         # seems like some qml stuff is also bundled on Linux
         try:

diff --git a/gui/mac/entitlements.xml b/gui/mac/entitlements.xml
@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<!--
+     Entitlements to apply during codesigning of mozregression builds.
+-->
+<plist version="1.0">
+  <dict>
+  </dict>
+</plist>
diff --git a/gui/mac/requirements.plist b/gui/mac/requirements.plist
@@ -0,0 +1,11 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+        <key>arch</key>
+        <array>
+                <string>x86_64</string>
+                <string>arm64</string>
+        </array>
+</dict>
+</plist>