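#!/bin/bash
# Unpack a macOS disk image produced by the Firefox build, codesign the
# resulting .app bundle (hardened runtime + entitlements) in the order that
# codesign requires, then validate the finished bundle.
#
# Usage: sign_mac.sh <input.dmg> <output-dir>
#
# Required environment:
#   APP_NAME       application name; used as the mounted volume name and the
#                  directory the image is unpacked into
#   PKG_NAME       bundle name without the .app suffix
#   MAC_CERT_NAME  signing identity handed to `codesign --sign`
# Optional environment:
#   MAC_KEYCHAIN_PASSWORD  unlock password for the signing keychain; when
#                          unset the value this script historically
#                          hard-coded is used (TODO: drop that default once
#                          CI supplies the password via the environment)
set -euo pipefail

if (( $# != 2 )); then
  printf 'Usage: %s <input.dmg> <output-dir>\n' "${0##*/}" >&2
  exit 2
fi
: "${APP_NAME:?APP_NAME must be set}"
: "${PKG_NAME:?PKG_NAME must be set}"
: "${MAC_CERT_NAME:?MAC_CERT_NAME must be set}"

INPUT="$1"
OUTPUT="$2"
BUNDLE="$OUTPUT/$APP_NAME/$PKG_NAME.app"
# Keychain holding the signing identity and its unlock password. The
# password is kept in a variable that is assigned before tracing is enabled
# and is never echoed, so it does not end up in build logs.
KEYCHAIN_NAME=cliqz
KEYCHAIN_PASSWORD="${MAC_KEYCHAIN_PASSWORD:-cliqz}"
BROWSER_ENTITLEMENTS_FILE=mozilla-release/security/mac/hardenedruntime/browser.production.entitlements.xml
PLUGINCONTAINER_ENTITLEMENTS_FILE=mozilla-release/security/mac/hardenedruntime/plugin-container.production.entitlements.xml
# codesign invocation shared by every signing step below.
SIGN=(codesign --force -o runtime --verbose --sign "$MAC_CERT_NAME")

set -x
echo "Processing $OUTPUT..."
# ${OUTPUT:?} aborts on an empty value rather than letting rm operate on "/".
rm -rf -- "${OUTPUT:?}"
mkdir -p -- "$OUTPUT/$APP_NAME"
mozilla-release/build/package/mac_osx/unpack-diskimage "$INPUT" "/Volumes/$APP_NAME" "$OUTPUT/$APP_NAME"
ls -la -- "$OUTPUT"
echo "***** SIGNING *****"
# Disable tracing around the unlock so the password is not written to the log.
set +x
security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_NAME"
set -x
# Clear extended attributes which cause codesign to fail
xattr -cr "${BUNDLE}"
# Sign these binaries first. Signing of some binaries has an ordering
# requirement where other binaries must be signed first.
"${SIGN[@]}" \
  "${BUNDLE}/Contents/MacOS/XUL" \
  "${BUNDLE}/Contents/MacOS/pingsender" \
  "${BUNDLE}"/Contents/MacOS/*.dylib
"${SIGN[@]}" --deep \
  "${BUNDLE}"/Contents/MacOS/updater.app
# Sign the updater
"${SIGN[@]}" \
  --entitlements "${BROWSER_ENTITLEMENTS_FILE}" \
  "${BUNDLE}"/Contents/Library/LaunchServices/org.mozilla.updater
# Sign main executable
"${SIGN[@]}" --deep \
  --entitlements "${BROWSER_ENTITLEMENTS_FILE}" \
  "${BUNDLE}/Contents/MacOS/$APP_NAME-bin" \
  "${BUNDLE}/Contents/MacOS/$APP_NAME"
# Sign gmp-clearkey files (one codesign call for all files found)
find "${BUNDLE}"/Contents/Resources/gmp-clearkey -type f -exec \
  "${SIGN[@]}" {} +
# Sign the main bundle
"${SIGN[@]}" \
  --entitlements "${BROWSER_ENTITLEMENTS_FILE}" "${BUNDLE}"
# Sign the plugin-container bundle with deep
"${SIGN[@]}" --deep \
  --entitlements "${PLUGINCONTAINER_ENTITLEMENTS_FILE}" \
  "${BUNDLE}"/Contents/MacOS/plugin-container.app
# Validate: fails the script if any component's signature is missing or broken
codesign -vvv --deep --strict "${BUNDLE}"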