Part 1 of signing Sparkle components
This doesn't work yet as we require Autoupdate and fileop to
first be signed using the equivalent of the command:

`codesign --timestamp --verbose --force --deep -o runtime --sign $ID $FILE`

Fixes: brave/brave-browser#7731
mbacchi committed Jan 14, 2020
1 parent 390c3dc commit 6d141fd
Showing 1 changed file with 20 additions and 0 deletions.
20 changes: 20 additions & 0 deletions script/signing_helper.py
@@ -67,6 +67,10 @@ def AddBravePartsForSigning(parts, config):

development = True if config.provisioning_profile_basename is None else False

full_hardened_runtime_options = (
CodeSignOptions.HARDENED_RUNTIME + CodeSignOptions.RESTRICT +
CodeSignOptions.LIBRARY_VALIDATION + CodeSignOptions.KILL)

# Add libs
brave_dylibs = (
'libchallenge_bypass_ristretto.dylib',
@@ -86,11 +90,27 @@ def AddBravePartsForSigning(parts, config):
'{.framework_dir}/Frameworks/Sparkle.framework'.format(config),
'org.sparkle-project.Sparkle',
verify_options=VerifyOptions.DEEP + VerifyOptions.NO_STRICT)
parts['sparkle-framework'].options = full_hardened_runtime_options

# Overwrite to avoid TeamID mismatch with widevine dylib.
parts['helper-app'].entitlements = 'helper-entitlements.plist'
parts['helper-app'].options = CodeSignOptions.RESTRICT + CodeSignOptions.KILL + CodeSignOptions.HARDENED_RUNTIME

# Add Sparkle binaries
parts['sparkle-framework-fileop'] = CodeSignedProduct(
'{.framework_dir}/Versions/{.version}/Frameworks/Sparkle.framework/Versions/A/Resources/Autoupdate.app/Contents/MacOS/fileop' # noqa: E501
.format(config, config),
'org.sparkle-project.Sparkle.fileop',
verify_options=VerifyOptions.DEEP + VerifyOptions.NO_STRICT)
parts['sparkle-framework-fileop'].options = full_hardened_runtime_options

parts['sparkle-framework-Autoupdate'] = CodeSignedProduct(
'{.framework_dir}/Versions/{.version}/Frameworks/Sparkle.framework/Versions/A/Resources/Autoupdate.app/Contents/MacOS/Autoupdate' # noqa: E501
.format(config, config),
'org.sparkle-project.Sparkle.Autoupdate',
verify_options=VerifyOptions.DEEP + VerifyOptions.NO_STRICT)
parts['sparkle-framework-Autoupdate'].options = full_hardened_runtime_options


def GetBraveSigningConfig(config_class, development, mac_provisioning_profile=None):
if development:
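Review bot: The two new entries, `sparkle-framework-fileop` and `sparkle-framework-Autoupdate`, copy `verify_options=VerifyOptions.DEEP + VerifyOptions.NO_STRICT` from the framework entry, although each path points at a single executable under `Autoupdate.app/Contents/MacOS/` rather than at a bundle. Going by their names these are the helpers that perform the update, so their post-signing verification should be as strict as it can be: if strict verification passes on them, drop `VerifyOptions.NO_STRICT` from both entries, and if it does not, record why next to the option, e.g. `# NO_STRICT needed: <reason strict verification fails>`. How the verify options are turned into codesign arguments is not visible in this section, so the effect is inferred from the option names. `AddBravePartsForSigning` begins before the first hunk, so the rest of the parts list could not be checked.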