From 2f327a3c870fd9657bfa45d2c7a74250498ee737 Mon Sep 17 00:00:00 2001 From: Cory Fields Date: Fri, 30 May 2014 19:17:55 -0400 Subject: [PATCH 1/4] build: add the deploydir target for gitian This is a helper target that stops just before the creation of the dmg. --- Makefile.am | 30 +++++++++++++++++++++++------- 1 file changed, 23 insertions(+), 7 deletions(-) diff --git a/Makefile.am b/Makefile.am index 6bc004431..e144fb11e 100644 --- a/Makefile.am +++ b/Makefile.am 
@@ -85,14 +85,30 @@ if BUILD_DARWIN $(OSX_DMG): $(OSX_APP_BUILT) $(OSX_PACKAGING) $(OSX_DEPLOY_SCRIPT) $(OSX_APP) -add-qt-tr $(OSX_QT_TRANSLATIONS) -translations-dir=$(QT_TRANSLATION_DIR) -dmg -fancy $(OSX_FANCY_PLIST) -verbose 2 +deploydir: $(OSX_DMG) else -$(OSX_DMG): $(OSX_APP_BUILT) $(OSX_PACKAGING) - INSTALLNAMETOOL=$(INSTALLNAMETOOL) OTOOL=$(OTOOL) STRIP=$(STRIP) $(OSX_DEPLOY_SCRIPT) $(OSX_APP) -add-qt-tr $(OSX_QT_TRANSLATIONS) -translations-dir=$(QT_TRANSLATION_DIR) -verbose 2 - $(MKDIR_P) dist/.background - $(INSTALL) contrib/macdeploy/background.png dist/.background - $(INSTALL) contrib/macdeploy/DS_Store dist/.DS_Store - cd dist; $(LN_S) /Applications Applications - $(GENISOIMAGE) -no-cache-inodes -l -probe -V "Bitcoin-Qt" -no-pad -r -apple -o $@ dist +APP_DIST_DIR=$(top_builddir)/dist +APP_DIST_EXTRAS=$(APP_DIST_DIR)/.background/background.png $(APP_DIST_DIR)/.DS_Store $(APP_DIST_DIR)/Applications + +$(APP_DIST_DIR)/Applications: + @rm -f $@ + @cd $(@D); $(LN_S) /Applications $(@F) + +$(APP_DIST_EXTRAS): $(APP_DIST_DIR)/$(OSX_APP)/Contents/MacOS/Bitcoin-Qt + +$(OSX_DMG): $(APP_DIST_EXTRAS) + $(GENISOIMAGE) -no-cache-inodes -D -l -probe -V "Bitcoin-Qt" -no-pad -r -apple -o $@ dist + +$(APP_DIST_DIR)/.background/background.png: + $(MKDIR_P) $(@D) + $(INSTALL) $(top_srcdir)/contrib/macdeploy/background.png $@ +$(APP_DIST_DIR)/.DS_Store: + $(INSTALL) $(top_srcdir)/contrib/macdeploy/DS_Store $@ + +$(APP_DIST_DIR)/$(OSX_APP)/Contents/MacOS/Bitcoin-Qt: $(OSX_APP_BUILT) $(OSX_PACKAGING) + INSTALLNAMETOOL=$(INSTALLNAMETOOL) OTOOL=$(OTOOL) STRIP=$(STRIP) $(OSX_DEPLOY_SCRIPT) $(OSX_APP) -translations-dir=$(QT_TRANSLATION_DIR) -add-qt-tr $(OSX_QT_TRANSLATIONS) -verbose 2 + +deploydir: $(APP_DIST_EXTRAS) endif if TARGET_DARWIN From d69ed2b2916754bdec7e47864f0ea1407c9eabb9 Mon Sep 17 00:00:00 2001 
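Review bot: The new `$(OSX_DMG)` recipe still hands the literal directory `dist` to genisoimage while every other rule added here builds its paths from `$(APP_DIST_DIR)` (`$(top_builddir)/dist`), so an out-of-tree build would stage into one directory and image another; use `-o $@ $(APP_DIST_DIR)`. `deploydir` names a command rather than a file, yet no `.PHONY: deploydir` appears in the hunk — if the file's existing `.PHONY` list lies outside it, add the target there, otherwise a stray file called `deploydir` makes the target silently up to date. In the native `BUILD_DARWIN` branch `deploydir: $(OSX_DMG)` builds the full image, which does not match the commit message's "stops just before the creation of the dmg"; a comment such as `# native macdeployqtplus emits the dmg in one step, so deploydir is the dmg here` would mark that as intended. `$(APP_DIST_DIR)/Applications` is a symlink to a directory, so make may compare it against the timestamp of `/Applications` and re-run the recipe on later invocations; the `rm -f $@` keeps that harmless but deserves a one-line comment saying so.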
From: Cory Fields Date: Fri, 30 May 2014 19:22:16 -0400 Subject: [PATCH 2/4] build: Clean up the dmg layout --- contrib/macdeploy/DS_Store | Bin 15364 -> 15364 bytes 1 file changed, 0 insertions(+), 0 deletions(-) 
diff --git a/contrib/macdeploy/DS_Store b/contrib/macdeploy/DS_Store index b9a1e1486405136607eedf433af8d469ef7059b8..7527dc671fbe8730abc2497c2717778a19a024c6 100644 GIT binary patch literal 15364 zcmeHMU2Ggz6+Yuk+FjeR*LK>ZX&P3zKoQy9*~7X>B`Q<_y+^up&iy&(-t*19XU^RvBCWV?C5fU$6hdJh>BVCY;(ji>s7tmS0N0>T zZVA$>rCPPp@OF(>4GIB;fI>hapb$_9{5K$gZ#Gk?M{xC22q**;0!;)sK15NN7bM>n z+z%ai_*VdM9nC&Lj<5h8mAoMNw&3UiX+jlTsA}?xp$T=gN9DMJZM8-D*=dOJ^$f=3?aFr0aNQ#j)$Ya>cSSAy9ZRa(HViZ5YR+$-Hstcyuena(X0n=~9Hkp?f}(KKZGV zd-16+f90!Bf9?723kNkBBxs<+;TKTXC|)UVNN@EYieD=X;}4PkroY`iz3?|OFgSGZ zuDcH%zURojM~@y`j0}~`^6GM(S3T)g-FmUQZo|V?>+G7jY)@1xX5+Etdc~TnndOSJ zyx`eScypD{VeDXQtZ(7dw)L4-)BJ_n?e_dJpQzimZvgaDHLv12jWc$=0e;r3*G*^HE?#)NYL@KkDW~Xqp1Zaf>GyTZuJdr+X1#?9 zWM1d+$r}Q4pjaLB03-ge$Yxi@zy;2(ZL7cTII$!(LccQE2~#IuNB`H8|(jYYx!ess$*V(gIyHsctT-TH+wYT6s4P7eh3dm$SK{%bz=M=;kz{@Y>PJ>cJ<6=VxDGzI*J z{izZ>Q=&Oh8`c7;A<_~=cVV49ytlXv7tRWYhYJr#Avgw+uI7mt7F`$~2%(5J@3@W~ z4i6U=WMhavN+;LGnVKcWxoAJXG`PA}*a z`lLRi&+4BPHoAfk_JLp`!Sy+Cgs@t%Xo!HVMGU6=xX+r8tTCS0kXx-J5AJ8Zcif#j zF#Qkg0-pLZ@~VDt9r@HeIMaT}KM*2CAYYeq0rIb;j2A%>4g;XBD3J#{Opz#dxi4Yo zKt3w{8-)CK***lhSGGqX&q%odc}2?FZ;5Wo@e#<^Wmwq0L3CWsi*A9?sz7M}t0mW6 zed7*R(<6q|ekXPlmhQv={*cJ?iW4vDtvyTRM;MH0JM)MgVqE9hk8nHIz<@9kyvsh0 zf>=fRKBCWOAb^5;5buJzExMci=Vd*xTSc9t$kQm#p|BoLHt~~NkMKGVqj1(Nf%M-l z4{0Y2eh2f><a(XHkOQ&+_Sbo&N<3YoinjD!- z7Dto8oTfi-i2izr=l3o8(=rzO;QP0*)%fMHUH=02|TQ4UMFd7@DdaBjU1akc|I zJm`KA`U~{l2%vdV>0~j{57j_#ANT!+P-kuEW+JQEsB>Fy(7A&OaTU z;8+;=^f&bLKPv1)doT>DPz3suEot-t!nc#)-WBbgVh*h$GcO z@tSu-$IfzKwjyQt^8i36Ek7;lR zXI+l(j9RY+_A!q4%3cY=Jo?yQx`DHT^TMI*Kehf~zq0M74Eur1E^xf!z5fOp-$c=I zSebMACHKLHjFqx8B{ON6sgY58w3N%3Su2&dGpSN$$;_mT{OCx!WLV9&zFT-#dx@u~ z_{Ln_sk(l)$qVj5vbIMGH(Pbf@|uGkLg!FUus$aMptsR#yBz&KxGuC^j(Wm9ef>S} z`Q<3gm!m^lTd8ygm!lNljdD5MjYjfm+>O4}c{lp*_k0)qE#^y|cO$+#y$t{z;D!P2 z6wT2h3g=&SvTp}g4xJEm=3(3P^E;aww~zN< z-o>^#dT9drd5x;b$IH<2z+KGMp{La`&vR{heS2o|aae%0jybnGbW!~uCIk|uC}#%` zB8c+WN|8c9A@Ke}K+~t@ri$=cW-GhA=L{u^avp_=$88JltKi`$G2loD{0e8a53r0j zgEhapb$_9 
bCy)5Kssx1QY`Qmk9g|T$FB3 literal 15364 zcmeHMU2Ggz6+Yu^8ar|9^-n_RUq*GQ3V3(NJKi7LNZG9IU`wr>){bk_lrTFpyB>Kx zvzZ;+2_e)VBwou~9}vwOs48kz0STfYORZE@f`})?Lsbw$6d@!k0TK_C@|~GGyK6gu ziV#BK9_h~c?%%oheD}_|cXo+LDQ{Y1L@E(=Be72Q;&BJzdQJzVOO*6LE9g&N1?c5U zqwX|=1FdC&WI!??8ITM}1|$Rj3k=}QX6Zf_Y59~4NCqSWEe1F~s7S0!LhnR63>|oc zp8(Ja6o&$wWB{!ST@rdH(x`zbQCH}wt0F!zl&Cw(Rne{_^iHIs?xcv14@Hcuh%Xc+ z93A%6usJEENXw^WKr(QUf#};kUD<9nD)r9qcTM}5(sd|t_?{!(klu?=Ij-exm%UBb zYCgTV=4~%JmR&LYXF?np!Dh2;_+ia?BUnRCh?hLC4t!Cxe#)_ewM)rU*RExAxluJ+ z(65iG*9rw~R2|m~*RS_LlDpj}9!h^|Zprw<^)EiV6U|u>?>!yg=fjtgS19e6Tf%|F zH=`dQH0>A3{@8_{qsMxW_w^?S28V`EoczeCkKQ|Q{{s(RN)A;FbG_!XSJPhI^UL*3 z`%<#M3IFCz&pq$kTaLZG;s7r?pSM>6`%1vzQgU!#&nIo`v+bg#s|~anZWn~sKkeJL z`*h8Btc7Z|X$LDEc=cj9Xkc&5yHyYNdEkXc;COCx+4h^z&(w{IU0-m^UJ!U2d(6*o z7&ZHB-7%W0hVL70%`RUJjW0F~({XDfXWol=>lrDnL};Y+r~q+Yva8i>B&s56f$pTz zvoO&04p-ob@O!lE1g7V>sV5Hp*mL{lPkuP}Nji+ixxO|F>4sa2Eq@rDzkT!eLfqj4 z2+?tI0K}zqEZrW54oqs$zlEXqQs-1agCPU#7!$X20zr8p@%z@h&pwQjm|y;m;By>vA$tA>=04gv^~noO?Bhx9 zK6%Hf_R%M3_yCUq*|Y(s>sSHCX)wPLvVJf1(&OQ}FyjH3Z_*m>4RbUD=1+&iWq7z2 zw|kixA|*p~0`ok^JBrhi>$&zwX_Xy?bkoP_3|8_pSl27`Rr&_KNZ+H^>F4wtdS5xB z3@P_34=9f)8KtO9D$~ki$^~UvSy5IKQ;AY&fx6ycN7->!Jx`i*^aubX&c{I{ z&TmB3*jSN`C1?u?!_g@&LkB@dxI!q}BMRmo+oJQAL-U;H$(+6UtFK)Kd>Dy+o6ySV zX2!DFRPO9pA*G)ipH59o7iUwmT6tn(Rx1|E`dB=s5suqUe>lVAhZfmt=;I;ybpzXl zgDu+)_dRf&uNhm8i#(cz^-bSw)m;uMfr;`VQP<`-&F@MWL6}44vk2RBNGnJdQh*fu zy83-Ig2eg1T;S2$`S;(9{#=ObpR@+|)PMVT_%i|$kM$C4zlQWfNj}-T1KUjEu z+4nz-I`;iB9Fywe;!NC@c2B-@AKGy~T!Zhv@WCGe<2A@l6le3(kSDUDM+=_!9at_xslX!-l*fme8w=u~t^GXjodlV&<}WZNkjwja*f$ z+PbOf`Qq3_PR|wc)oeC9r3q<)D4*4)Om8D?G#YiApQ)zdS{3g~+P4iWwe35B9rqZU z((JHP+nA>5W42*fQ<+T;xtVYWWU%g;aJ@4Xad2M_+N(_T9n7605bq@xe!n;ZJ;x40 zI0F4u;LZrtr4qdo?sOcxz~cfB09yicq?r+zBh8Y)D)4gxYrt`IQFigZiShwp-ghj6 zyLg{PIY*t>1djLbolesw^kcsW?XO_Ja47mu%{ktKY`cYFKgK-mBoeKuhL+Xss%4v%s$rPARmm0$dNEt97+I@e#*44Dz`wt5tbI1} z*f(3^QqtZj2ktJki#bCO?Y9-jq0JNPVy{L_2azP`L&PlsLOzIVEjr7=2YvbQhopl|26$V!n6 z+~o`)7P6>(Z=Xe+`Un62hmGVzG9VeaI~h`BK9fzHmRv7-br37T}W5JCQ~S 
Date: Fri, 21 Nov 2014 19:26:45 -0500 Subject: [PATCH 3/4] build: add a deterministic dmg signer --- Makefile.am | 4 +- .../gitian-descriptors/gitian-osx-signer.yml | 37 +++++++++++++ contrib/gitian-descriptors/gitian-osx.yml | 15 +++++- contrib/macdeploy/detached-sig-apply.sh | 53 +++++++++++++++++++ contrib/macdeploy/detached-sig-create.sh | 46 ++++++++++++++++ 5 files changed, 153 insertions(+), 2 deletions(-) create mode 100644 contrib/gitian-descriptors/gitian-osx-signer.yml create mode 100755 contrib/macdeploy/detached-sig-apply.sh create mode 100755 contrib/macdeploy/detached-sig-create.sh diff --git a/Makefile.am b/Makefile.am index e144fb11e..b51f477b7 100644 --- a/Makefile.am +++ b/Makefile.am @@ -26,7 +26,9 @@ WINDOWS_PACKAGING = $(top_srcdir)/share/pixmaps/bitcoin.ico \ OSX_PACKAGING = $(OSX_DEPLOY_SCRIPT) $(OSX_FANCY_PLIST) $(OSX_INSTALLER_ICONS) \ $(top_srcdir)/contrib/macdeploy/background.png \ - $(top_srcdir)/contrib/macdeploy/DS_Store + $(top_srcdir)/contrib/macdeploy/DS_Store \ + $(top_srcdir)/contrib/macdeploy/detached-sig-apply.sh \ + $(top_srcdir)/contrib/macdeploy/detached-sig-create.sh COVERAGE_INFO = baseline_filtered_combined.info baseline.info block_test.info \ leveldb_baseline.info test_bitcoin_filtered.info total_coverage.info \ diff --git a/contrib/gitian-descriptors/gitian-osx-signer.yml b/contrib/gitian-descriptors/gitian-osx-signer.yml new file mode 100644 index 000000000..db9b4af93 --- /dev/null +++ b/contrib/gitian-descriptors/gitian-osx-signer.yml 
@@ -0,0 +1,37 @@
+---
+name: "bitcoin-dmg-signer"
+suites:
+- "precise"
+architectures:
+- "amd64"
+packages:
+- "libc6:i386"
+- "faketime"
+reference_datetime: "2013-06-01 00:00:00"
+remotes: []
+files:
+- "bitcoin-0.9.99-osx-unsigned.tar.gz"
+- "signature.tar.gz"
+script: |
+ WRAP_DIR=$HOME/wrapped
+ mkdir -p ${WRAP_DIR}
+ export PATH=`pwd`:$PATH
+ FAKETIME_PROGS="dmg genisoimage"
+
+ # Create global faketime wrappers
+ for prog in ${FAKETIME_PROGS}; do
+ echo '#!/bin/bash' > ${WRAP_DIR}/${prog}
+ echo "REAL=\`which -a ${prog} | grep -v ${WRAP_DIR}/${prog} | head -1\`" >> ${WRAP_DIR}/${prog}
+ echo 'export LD_PRELOAD=/usr/lib/faketime/libfaketime.so.1' >> ${WRAP_DIR}/${prog}
+ echo "export FAKETIME=\"${REFERENCE_DATETIME}\"" >> ${WRAP_DIR}/${prog}
+ echo "\$REAL \$@" >> $WRAP_DIR/${prog}
+ chmod +x ${WRAP_DIR}/${prog}
+ done
+
+ UNSIGNED=`echo bitcoin-*.tar.gz`
+ SIGNED=`echo ${UNSIGNED} | sed 's/.tar.*//' | sed 's/-unsigned//'`.dmg
+
+ tar -xf ${UNSIGNED}
+ ./detached-sig-apply.sh ${UNSIGNED} signature.tar.gz
+ ${WRAP_DIR}/genisoimage -no-cache-inodes -D -l -probe -V "Bitcoin-Qt" -no-pad -r -apple -o uncompressed.dmg signed-app
+ ${WRAP_DIR}/dmg dmg uncompressed.dmg ${OUTDIR}/${SIGNED}
diff --git a/contrib/gitian-descriptors/gitian-osx.yml b/contrib/gitian-descriptors/gitian-osx.yml
index cbe28e4f3..eb6df2096 100644
--- a/contrib/gitian-descriptors/gitian-osx.yml
+++ b/contrib/gitian-descriptors/gitian-osx.yml
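Review bot: The last line written into each faketime wrapper, `echo "\$REAL \$@" >> $WRAP_DIR/${prog}`, leaves `$@` unquoted in the generated script, so any argument containing whitespace is re-split when `dmg` or `genisoimage` is invoked through the wrapper; write `echo "\$REAL \"\$@\"" >> ${WRAP_DIR}/${prog}`. The `files:` list pins `bitcoin-0.9.99-osx-unsigned.tar.gz` while the script later globs `bitcoin-*.tar.gz`, so the descriptor must be edited every release and the glob picks an arbitrary archive if more than one matching input is present. From a supply-chain standpoint the tarball supplies the `dmg`, `genisoimage`, `codesign_allocate` and `pagestuff` binaries that this build then executes, and the descriptor itself checks no hash, so its integrity rests on builders having verified it against the gitian signatures of the unsigned build; a comment stating that expectation above `tar -xf ${UNSIGNED}` would help whoever runs this. `${REFERENCE_DATETIME}` is expanded at wrapper-generation time and is presumably exported by gitian from `reference_datetime`; the script never sets it, so that is worth a comment too.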
@@ -106,8 +106,21 @@ script: | ./configure --prefix=${BASEPREFIX}/${i} --bindir=${INSTALLPATH}/bin --includedir=${INSTALLPATH}/include --libdir=${INSTALLPATH}/lib --disable-ccache --disable-maintainer-mode --disable-dependency-tracking ${CONFIGFLAGS} make ${MAKEOPTS} make install-strip + + make deploydir + mkdir -p unsigned-app-${i} + cp contrib/macdeploy/detached-sig-apply.sh unsigned-app-${i} + cp contrib/macdeploy/detached-sig-create.sh unsigned-app-${i} + cp ${BASEPREFIX}/${i}/native/bin/dmg ${BASEPREFIX}/${i}/native/bin/genisoimage unsigned-app-${i} + cp ${BASEPREFIX}/${i}/native/bin/${i}-codesign_allocate unsigned-app-${i}/codesign_allocate + cp ${BASEPREFIX}/${i}/native/bin/${i}-pagestuff unsigned-app-${i}/pagestuff + mv dist unsigned-app-${i} + pushd unsigned-app-${i} + find . | sort | tar --no-recursion -czf ${OUTDIR}/${DISTNAME}-osx-unsigned.tar.gz -T - + popd + make deploy - ${WRAP_DIR}/dmg dmg Bitcoin-Qt.dmg ${OUTDIR}/${DISTNAME}-osx.dmg + ${WRAP_DIR}/dmg dmg Bitcoin-Qt.dmg ${OUTDIR}/${DISTNAME}-osx-unsigned.dmg cd installed find . -name "lib*.la" -delete diff --git a/contrib/macdeploy/detached-sig-apply.sh b/contrib/macdeploy/detached-sig-apply.sh new file mode 100755 index 000000000..7b3eb1b19 --- /dev/null +++ b/contrib/macdeploy/detached-sig-apply.sh 
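Review bot: `mv dist unsigned-app-${i}` takes away the staging tree that `make deploydir` has just produced, so the `make deploy` that follows has to rebuild `dist` by running the deploy script a second time (as far as the Makefile rules added earlier in this series show, `$(OSX_DMG)` depends on files under `$(APP_DIST_DIR)`); `cp -a dist unsigned-app-${i}` would let both the tarball and the unsigned dmg come from a single staging pass. The tarball is built from `find . | sort`, which fixes entry order, but file mtimes and ownership (and possibly the gzip header timestamp) also go into `${DISTNAME}-osx-unsigned.tar.gz`; unless `tar` and `gzip` are among this descriptor's faketime-wrapped programs, which the hunk does not show, passing `--mtime`, `--owner=0 --group=0 --numeric-owner` to tar and `-n` to gzip keeps the archive reproducible across builders. Since this archive is what the signer descriptor later extracts and executes tools from, a comment above the `pushd` noting that its hash is part of the gitian result builders sign would make that dependency visible in the release process.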
@@ -0,0 +1,53 @@
+#!/bin/sh
+set -e
+
+UNSIGNED=$1
+SIGNATURE=$2
+ARCH=x86_64
+ROOTDIR=dist
+BUNDLE=${ROOTDIR}/Bitcoin-Qt.app
+TEMPDIR=signed.temp
+OUTDIR=signed-app
+
+if [ -z "$UNSIGNED" ]; then
+ echo "usage: $0 "
+ exit 1
+fi
+
+if [ -z "$SIGNATURE" ]; then
+ echo "usage: $0 "
+ exit 1
+fi
+
+rm -rf ${TEMPDIR} && mkdir -p ${TEMPDIR}
+tar -C ${TEMPDIR} -xf ${UNSIGNED}
+tar -C ${TEMPDIR} -xf ${SIGNATURE}
+
+if [ -z "${PAGESTUFF}" ]; then
+ PAGESTUFF=${TEMPDIR}/pagestuff
+fi
+
+if [ -z "${CODESIGN_ALLOCATE}" ]; then
+ CODESIGN_ALLOCATE=${TEMPDIR}/codesign_allocate
+fi
+
+for i in `find ${TEMPDIR} -name "*.sign"`; do
+ SIZE=`stat -c %s ${i}`
+ TARGET_FILE=`echo ${i} | sed 's/\.sign$//'`
+
+ echo "Allocating space for the signature of size ${SIZE} in ${TARGET_FILE}"
+ ${CODESIGN_ALLOCATE} -i ${TARGET_FILE} -a ${ARCH} ${SIZE} -o ${i}.tmp
+
+ OFFSET=`${PAGESTUFF} ${i}.tmp -p | tail -2 | grep offset | sed 's/[^0-9]*//g'`
+ if [ -z ${QUIET} ]; then
+ echo "Attaching signature at offset ${OFFSET}"
+ fi
+
+ dd if=$i of=${i}.tmp bs=1 seek=${OFFSET} count=${SIZE} 2>/dev/null
+ mv ${i}.tmp ${TARGET_FILE}
+ rm ${i}
+ echo "Success."
+done
+mv ${TEMPDIR}/${ROOTDIR} ${OUTDIR}
+rm -rf ${TEMPDIR}
+echo "Signed: ${OUTDIR}"
diff --git a/contrib/macdeploy/detached-sig-create.sh b/contrib/macdeploy/detached-sig-create.sh
new file mode 100755
index 000000000..aff4f08da
--- /dev/null
+++ b/contrib/macdeploy/detached-sig-create.sh
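Review bot: The `dd if=$i of=${i}.tmp bs=1 seek=${OFFSET} count=${SIZE}` line runs without `conv=notrunc`, so GNU dd truncates the freshly allocated `${i}.tmp` at `${OFFSET}` before writing the signature; that yields a well-formed binary only if `codesign_allocate` placed the signature slot at the very end of the file with nothing after it, and adding `conv=notrunc` removes that dependency while producing identical output in the expected case. `if [ -z ${QUIET} ]` should quote the variable, `if [ -z "${QUIET}" ]`: a `QUIET` value containing spaces makes `test` fail under `set -e`, and the unset case works only because `[ -z ]` happens to evaluate true. `stat -c %s` is the GNU form, which suits the gitian VM this is meant for but is worth stating, since the file sits next to a script that uses Apple's `codesign`. A short header comment giving the contract — arguments are the unsigned-app tarball and the detached-signature tarball, the combined bundle is written to `signed-app`, and `pagestuff`/`codesign_allocate` are taken from the tarball unless `PAGESTUFF`/`CODESIGN_ALLOCATE` are set — would document what `gitian-osx-signer.yml` relies on.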
@@ -0,0 +1,46 @@
+#!/bin/sh
+set -e
+
+ROOTDIR=dist
+BUNDLE=${ROOTDIR}/Bitcoin-Qt.app
+CODESIGN=codesign
+TEMPDIR=sign.temp
+TEMPLIST=${TEMPDIR}/signatures.txt
+OUT=signature.tar.gz
+
+if [ ! -n "$1" ]; then
+ echo "usage: $0 "
+ echo "example: $0 -s MyIdentity"
+ exit 1
+fi
+
+rm -rf ${TEMPDIR} ${TEMPLIST}
+mkdir -p ${TEMPDIR}
+
+${CODESIGN} -f --file-list ${TEMPLIST} "$@" "${BUNDLE}"
+
+for i in `grep -v CodeResources ${TEMPLIST}`; do
+ TARGETFILE="${BUNDLE}/`echo ${i} | sed "s|.*${BUNDLE}/||"`"
+ SIZE=`pagestuff $i -p | tail -2 | grep size | sed 's/[^0-9]*//g'`
+ OFFSET=`pagestuff $i -p | tail -2 | grep offset | sed 's/[^0-9]*//g'`
+ SIGNFILE="${TEMPDIR}/${TARGETFILE}.sign"
+ DIRNAME="`dirname ${SIGNFILE}`"
+ mkdir -p "${DIRNAME}"
+ echo "Adding detached signature for: ${TARGETFILE}. Size: ${SIZE}. Offset: ${OFFSET}"
+ dd if=$i of=${SIGNFILE} bs=1 skip=${OFFSET} count=${SIZE} 2>/dev/null
+done
+
+for i in `grep CodeResources ${TEMPLIST}`; do
+ TARGETFILE="${BUNDLE}/`echo ${i} | sed "s|.*${BUNDLE}/||"`"
+ RESOURCE="${TEMPDIR}/${TARGETFILE}"
+ DIRNAME="`dirname "${RESOURCE}"`"
+ mkdir -p "${DIRNAME}"
+ echo "Adding resource for: "${TARGETFILE}""
+ cp "${i}" "${RESOURCE}"
+done
+
+rm ${TEMPLIST}
+
+tar -C ${TEMPDIR} -czf ${OUT} .
+rm -rf ${TEMPDIR}
+echo "Created ${OUT}"
From 7a9cf80b19f3facabe53bf5a60fd813d7d63a6ff Mon Sep 17 00:00:00 2001
From: Cory Fields
Date: Tue, 25 Nov 2014 19:23:18 -0500
Subject: [PATCH 4/4] docs: add/update docs for osx dmg signing
---
 doc/README_osx.txt | 15 +++++++++++++++
 doc/release-process.md | 34 +++++++++++++++++++++++++++-------
 2 files changed, 42 insertions(+), 7 deletions(-)
diff --git a/doc/README_osx.txt b/doc/README_osx.txt
index 8831649bd..d56234f7d 100644
--- a/doc/README_osx.txt
+++ b/doc/README_osx.txt
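Review bot: `pagestuff $i -p` is run twice per signed file just to pick out `size` and `offset`, and both parses assume those values sit in the last two lines of its output; capture it once (`PAGES=\`pagestuff $i -p | tail -2\`` and grep that) and check that `${SIZE}` and `${OFFSET}` are non-empty before the `dd`, since an empty `skip=`/`count=` aborts the loop with an opaque dd error rather than a message naming the file. `if [ ! -n "$1" ]` reads more directly as `if [ -z "$1" ]`, and `echo "Adding resource for: "${TARGETFILE}""` works only by string concatenation and is clearer as `echo "Adding resource for: ${TARGETFILE}"`. The script has no header comment; a short one stating that it is run by the keyholder with the `codesign` arguments passed through `"$@"`, that it reads `dist/Bitcoin-Qt.app`, and that it writes `signature.tar.gz` holding one `.sign` file per signed Mach-O plus the `CodeResources` files would document what `detached-sig-apply.sh` consumes.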
@@ -65,3 +65,18 @@ Background images and other features can be added to DMG files by inserting a .DS_Store before creation. The easiest way to create this file is to build a DMG without one, move it to a device running OSX, customize the layout, then grab the .DS_Store file for later use. That is the approach taken here. + +As of OSX Mavericks (10.9), using an Apple-blessed key to sign binaries is a +requirement in order to satisfy the new Gatekeeper requirements. Because this +private key cannot be shared, we'll have to be a bit creative in order for the +build process to remain somewhat deterministic. Here's how it works: + +- Builders use gitian to create an unsigned release. This outputs an unsigned + dmg which users may choose to bless and run. It also outputs an unsigned app + structure in the form of a tarball, which also contains all of the tools + that have been previously (deterministically) built in order to create a + final dmg. +- The Apple keyholder uses this unsigned app to create a detached signature, + using the script that is also included there. +- Builders feed the unsigned app + detached signature back into gitian. It + uses the pre-built tools to recombine the pieces into a deterministic dmg. diff --git a/doc/release-process.md b/doc/release-process.md index df27c5829..a16d4ace4 100644 --- a/doc/release-process.md +++ b/doc/release-process.md 
@@ -59,17 +59,18 @@ Release Process ./bin/gsign --signer $SIGNER --release ${VERSION}-win --destination ../gitian.sigs/ ../bitcoin/contrib/gitian-descriptors/gitian-win.yml mv build/out/bitcoin-*.zip build/out/bitcoin-*.exe ../ ./bin/gbuild --commit bitcoin=v${VERSION} ../bitcoin/contrib/gitian-descriptors/gitian-osx.yml - ./bin/gsign --signer $SIGNER --release ${VERSION}-osx --destination ../gitian.sigs/ ../bitcoin/contrib/gitian-descriptors/gitian-osx.yml + ./bin/gsign --signer $SIGNER --release ${VERSION}-osx-unsigned --destination ../gitian.sigs/ ../bitcoin/contrib/gitian-descriptors/gitian-osx.yml + mv build/out/bitcoin-*-unsigned.tar.gz inputs mv build/out/bitcoin-*.tar.gz build/out/bitcoin-*.dmg ../ popd - +bitcoin-0.9.99-osx-unsigned.tar.gz Build output expected: 1. source tarball (bitcoin-${VERSION}.tar.gz) 2. linux 32-bit and 64-bit binaries dist tarballs (bitcoin-${VERSION}-linux[32|64].tar.gz) 3. windows 32-bit and 64-bit installers and dist zips (bitcoin-${VERSION}-win[32|64]-setup.exe, bitcoin-${VERSION}-win[32|64].zip) - 4. OSX installer (bitcoin-${VERSION}-osx.dmg) - 5. Gitian signatures (in gitian.sigs/${VERSION}-/(your gitian key)/ + 4. OSX unsigned installer (bitcoin-${VERSION}-osx-unsigned.dmg) + 5. Gitian signatures (in gitian.sigs/${VERSION}-/(your gitian key)/ ###Next steps: 
@@ -78,7 +79,28 @@ Commit your signature to gitian.sigs: pushd gitian.sigs git add ${VERSION}-linux/${SIGNER} git add ${VERSION}-win/${SIGNER} - git add ${VERSION}-osx/${SIGNER} + git add ${VERSION}-osx-unsigned/${SIGNER} + git commit -a + git push # Assuming you can push to the gitian.sigs tree + popd + +Wait for OSX detached signature: + Once the OSX build has 3 matching signatures, Gavin will sign it with the apple App-Store key. + He will then upload a detached signature to be combined with the unsigned app to create a signed binary. + +Create the signed OSX binary: + pushd ./gitian-builder + # Fetch the signature as instructed by Gavin + cp signature.tar.gz inputs/ + ./bin/gbuild -i ../bitcoin/contrib/gitian-descriptors/gitian-osx-signer.yml + ./bin/gsign --signer $SIGNER --release ${VERSION}-osx-signed --destination ../gitian.sigs/ ../bitcoin/contrib/gitian-descriptors/gitian-osx-signer.yml + mv build/out/bitcoin-${VERSION}-osx.dmg ../ + popd + +Commit your signature for the signed OSX binary: + + pushd gitian.sigs + git add ${VERSION}-osx-signed/${SIGNER} git commit -a git push # Assuming you can push to the gitian.sigs tree popd @@ -91,8 +113,6 @@ Commit your signature to gitian.sigs: - Code-sign Windows -setup.exe (in a Windows virtual machine using signtool) - - Code-sign MacOSX .dmg - Note: only Gavin has the code-signing keys currently. - Create `SHA256SUMS.asc` for the builds, and GPG-sign it: