Merge #22191: [0.21] gitian: Use custom MacOS code signing tool

0fe60a8 Use latest signapple commit (Andrew Chow)
5313d6a gitian: Remove codesign_allocate and pagestuff from MacOS build (Andrew Chow)
27d691b gitian: use signapple to create the MacOS code signature (Andrew Chow)
2f33e33 gitian: use signapple to apply the MacOS code signature (Andrew Chow)
65ce833 gitian: install signapple in gitian-osx-signer.yml (Andrew Chow)

Pull request description:

  Backport of #20880 and #22190

ACKs for top commit:
  MarcoFalke:
    cherry-pick-only ACK 0fe60a8 🍀

Tree-SHA512: e864048fab02a1857161602dd53abba552ca3f859c133a47a5e62c28d3e4de9cd099bce86123a1b5892042b09f51cc1ddd2ed1b0c71bfba162710eaee3f5bf91

Author: MarcoFalke

contrib/gitian-descriptors/gitian-osx-signer.yml

@@ -7,9 +7,13 @@ architectures:
 - "amd64"
 packages:
 - "faketime"
+- "python3-pip"
 remotes:
 - "url": "https://github.com/xep-core/xep-detached-sigs.git"
   "dir": "signature"
+- "url": "https://github.com/achow101/signapple.git"
+  "dir": "signapple"
+  "commit": "b084cbbf44d5330448ffce0c7d118f75781b64bd"
 files:
 - "xep-osx-unsigned.tar.gz"
 script: |
@@ -30,11 +34,19 @@ script: |
     chmod +x ${WRAP_DIR}/${prog}
   done
 
-  UNSIGNED=xep-osx-unsigned.tar.gz
+  # Install signapple
+  cd signapple
+  python3 -m pip install -U pip setuptools
+  python3 -m pip install .
+  export PATH="$HOME/.local/bin":$PATH
+  cd ..
+
+  UNSIGNED_TARBALL=xep-osx-unsigned.tar.gz
+  UNSIGNED_APP=dist/XEP-Qt.app
   SIGNED=xep-osx-signed.dmg
 
-  tar -xf ${UNSIGNED}
+  tar -xf ${UNSIGNED_TARBALL}
   OSX_VOLNAME="$(cat osx_volname)"
-  ./detached-sig-apply.sh ${UNSIGNED} signature/osx
+  ./detached-sig-apply.sh ${UNSIGNED_APP} signature/osx/dist
   ${WRAP_DIR}/genisoimage -no-cache-inodes -D -l -probe -V "${OSX_VOLNAME}" -no-pad -r -dir-mode 0755 -apple -o uncompressed.dmg signed-app
   ${WRAP_DIR}/dmg dmg uncompressed.dmg ${OUTDIR}/${SIGNED}

contrib/gitian-descriptors/gitian-osx.yml

@@ -138,8 +138,6 @@ script: |
     cp contrib/macdeploy/detached-sig-apply.sh unsigned-app-${i}
     cp contrib/macdeploy/detached-sig-create.sh unsigned-app-${i}
     cp ${BASEPREFIX}/${i}/native/bin/dmg ${BASEPREFIX}/${i}/native/bin/genisoimage unsigned-app-${i}
-    cp ${BASEPREFIX}/${i}/native/bin/${i}-codesign_allocate unsigned-app-${i}/codesign_allocate
-    cp ${BASEPREFIX}/${i}/native/bin/${i}-pagestuff unsigned-app-${i}/pagestuff
     mv dist unsigned-app-${i}
     pushd unsigned-app-${i}
     find . | sort | tar --mtime="$REFERENCE_DATETIME" --no-recursion --mode='u+rw,go+r-w,a+X' --owner=0 --group=0 -c -T - | gzip -9n > ${OUTDIR}/${DISTNAME}-osx-unsigned.tar.gz

contrib/macdeploy/detached-sig-apply.sh

@@ -8,10 +8,9 @@ set -e
 
 UNSIGNED="$1"
 SIGNATURE="$2"
-ARCH=x86_64
 ROOTDIR=dist
-TEMPDIR=signed.temp
 OUTDIR=signed-app
+SIGNAPPLE=signapple
 
 if [ -z "$UNSIGNED" ]; then
   echo "usage: $0 <unsigned app> <signature>"
@@ -23,35 +22,6 @@ if [ -z "$SIGNATURE" ]; then
   exit 1
 fi
 
-rm -rf ${TEMPDIR} && mkdir -p ${TEMPDIR}
-tar -C ${TEMPDIR} -xf ${UNSIGNED}
-cp -rf "${SIGNATURE}"/* ${TEMPDIR}
-
-if [ -z "${PAGESTUFF}" ]; then
-  PAGESTUFF=${TEMPDIR}/pagestuff
-fi
-
-if [ -z "${CODESIGN_ALLOCATE}" ]; then
-  CODESIGN_ALLOCATE=${TEMPDIR}/codesign_allocate
-fi
-
-find ${TEMPDIR} -name "*.sign" | while read i; do
-  SIZE=$(stat -c %s "${i}")
-  TARGET_FILE="$(echo "${i}" | sed 's/\.sign$//')"
-
-  echo "Allocating space for the signature of size ${SIZE} in ${TARGET_FILE}"
-  ${CODESIGN_ALLOCATE} -i "${TARGET_FILE}" -a ${ARCH} ${SIZE} -o "${i}.tmp"
-
-  OFFSET=$(${PAGESTUFF} "${i}.tmp" -p | tail -2 | grep offset | sed 's/[^0-9]*//g')
-  if [ -z ${QUIET} ]; then
-    echo "Attaching signature at offset ${OFFSET}"
-  fi
-
-  dd if="$i" of="${i}.tmp" bs=1 seek=${OFFSET} count=${SIZE} 2>/dev/null
-  mv "${i}.tmp" "${TARGET_FILE}"
-  rm "${i}"
-  echo "Success."
-done
-mv ${TEMPDIR}/${ROOTDIR} ${OUTDIR}
-rm -rf ${TEMPDIR}
+${SIGNAPPLE} apply ${UNSIGNED} ${SIGNATURE}
+mv ${ROOTDIR} ${OUTDIR}
 echo "Signed: ${OUTDIR}"

contrib/macdeploy/detached-sig-create.sh

@@ -8,44 +8,21 @@ set -e
 
 ROOTDIR=dist
 BUNDLE="${ROOTDIR}/XEP-Qt.app"
-CODESIGN=codesign
+SIGNAPPLE=signapple
 TEMPDIR=sign.temp
-TEMPLIST=${TEMPDIR}/signatures.txt
 OUT=signature-osx.tar.gz
-OUTROOT=osx
+OUTROOT=osx/dist
 
 if [ -z "$1" ]; then
-  echo "usage: $0 <codesign args>"
-  echo "example: $0 -s MyIdentity"
+  echo "usage: $0 <signapple args>"
+  echo "example: $0 <path to key>"
   exit 1
 fi
 
-rm -rf ${TEMPDIR} ${TEMPLIST}
+rm -rf ${TEMPDIR}
 mkdir -p ${TEMPDIR}
 
-${CODESIGN} -f --file-list ${TEMPLIST} "$@" "${BUNDLE}"
-
-grep -v CodeResources < "${TEMPLIST}" | while read i; do
-  TARGETFILE="${BUNDLE}/$(echo "${i}" | sed "s|.*${BUNDLE}/||")"
-  SIZE=$(pagestuff "$i" -p | tail -2 | grep size | sed 's/[^0-9]*//g')
-  OFFSET=$(pagestuff "$i" -p | tail -2 | grep offset | sed 's/[^0-9]*//g')
-  SIGNFILE="${TEMPDIR}/${OUTROOT}/${TARGETFILE}.sign"
-  DIRNAME="$(dirname "${SIGNFILE}")"
-  mkdir -p "${DIRNAME}"
-  echo "Adding detached signature for: ${TARGETFILE}. Size: ${SIZE}. Offset: ${OFFSET}"
-  dd if="$i" of="${SIGNFILE}" bs=1 skip=${OFFSET} count=${SIZE} 2>/dev/null
-done
-
-grep CodeResources < "${TEMPLIST}" | while read i; do
-  TARGETFILE="${BUNDLE}/$(echo "${i}" | sed "s|.*${BUNDLE}/||")"
-  RESOURCE="${TEMPDIR}/${OUTROOT}/${TARGETFILE}"
-  DIRNAME="$(dirname "${RESOURCE}")"
-  mkdir -p "${DIRNAME}"
-  echo "Adding resource for: \"${TARGETFILE}\""
-  cp "${i}" "${RESOURCE}"
-done
-
-rm ${TEMPLIST}
+${SIGNAPPLE} sign -f --detach "${TEMPDIR}/${OUTROOT}"  "$@" "${BUNDLE}"
 
 tar -C "${TEMPDIR}" -czf "${OUT}" .
 rm -rf "${TEMPDIR}"