Closed Bug 1606746 Opened 4 years ago Closed 4 years ago

Create macOS build artifact zip file containing codesigning entitlement files

Categories

Core :: Security: Process Sandboxing, enhancement, P1
Platform: Unspecified / macOS

Tracking

Status: RESOLVED FIXED
Target Milestone: mozilla74
Tracking Status: firefox73 --- wontfix; firefox74 --- fixed

People

(Reporter: haik, Assigned: haik)

References

Details

Attachments

(1 file)

With the work planned on bug 1593071 and bug 1593072, it will be easier for the codesigning code to run on automation if all the codesigning input files are in a build artifact. This bug is to update the build to generate a zip file containing codesigning input files.

Assignee: nobody → haftandilian
Priority: -- → P1
Blocks: 1593072

Create a macOS build artifact (target.codesign-entitlements.zip) containing the contents of security/mac/hardenedruntime to be consumed by codesigning infrastructure.

The posted patches add a new zip file artifact which shows up as target.codesign-entitlements.zip on treeherder.

Example task: https://firefox-ci-tc.services.mozilla.com/tasks/d_Zq9v6pS5qGVrUeNYQhWg#artifacts

Example zip file listing:

$ unzip -l target.codesign-entitlements.zip 
Archive:  target.codesign-entitlements.zip
  Length      Date    Time    Name
---------  ---------- -----   ----
     2186  01-02-2020 15:51   hardenedruntime/developer.entitlements.xml
     2155  01-02-2020 15:51   hardenedruntime/plugin-container.production.entitlements.xml
     1954  01-02-2020 15:51   hardenedruntime/browser.developer.entitlements.xml
     2175  01-02-2020 15:51   hardenedruntime/browser.production.entitlements.xml
     1934  01-02-2020 15:51   hardenedruntime/plugin-container.developer.entitlements.xml
     2112  01-02-2020 15:51   hardenedruntime/production.entitlements.xml
     5431  01-02-2020 15:51   hardenedruntime/codesign.bash
---------                     -------
    17947                     7 files

Note: some of the files in the listing will end up being removed when the codesigning changes land in the tree, but the listing shows the directory structure that will be used.

To add more context to this bug, today we sign our Mac builds using one entitlement file, production.entitlements.xml, but this is going to change because using different entitlement files for different executables (firefox and plugin-container) allows us to enable stronger security hardening settings. That work will result in the codesigning consuming multiple entitlement files and some other configuration files, and putting all the signing files in a build artifact is preferable (per Releng) to pulling individual files from the tree.
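
The comments above describe an artifact whose entries follow the pattern hardenedruntime/<executable>.<channel>.entitlements.xml, with separate entitlement files for firefox and plugin-container so that each executable can be signed with only what it needs. The following is an added example, not code from this bug or from mozilla-central, showing how a consumer of target.codesign-entitlements.zip could validate the artifact before handing it to codesign: it checks that every entry lives under hardenedruntime/, parses each entitlement plist with plistlib, and reports which entitlements one executable is granted that the other is not. The entitlement plists it builds are constructed sample data using real Apple hardened-runtime keys, not Firefox's actual entitlement files, and the rule that plugin-container should not be granted anything the browser lacks is an assumption made for the example.

```python
import io
import plistlib
import re
import zipfile

# Entry layout taken from the listing in this bug: hardenedruntime/<target>.<channel>.entitlements.xml.
# Files without a target prefix (e.g. production.entitlements.xml) are the legacy single-file
# layout mentioned above and are deliberately not matched.
ENTRY_RE = re.compile(
    r"^hardenedruntime/(?P<target>[a-z-]+)\.(?P<channel>production|developer)\.entitlements\.xml$"
)


def build_sample_artifact() -> bytes:
    """Constructed sample artifact. The entitlement values are illustrative only (assumption)."""
    browser = {
        "com.apple.security.cs.allow-jit": True,
        "com.apple.security.cs.allow-unsigned-executable-memory": True,
        "com.apple.security.cs.disable-library-validation": True,
        "com.apple.security.device.camera": True,
        "com.apple.security.device.microphone": True,
    }
    plugin_container = {
        "com.apple.security.cs.allow-jit": True,
        "com.apple.security.cs.allow-unsigned-executable-memory": True,
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("hardenedruntime/browser.production.entitlements.xml", plistlib.dumps(browser))
        zf.writestr(
            "hardenedruntime/plugin-container.production.entitlements.xml",
            plistlib.dumps(plugin_container),
        )
        # Placeholder standing in for the signing script shipped alongside the plists.
        zf.writestr("hardenedruntime/codesign.bash", b"#!/bin/bash\n# constructed placeholder\n")
    return buf.getvalue()


def load_entitlements(zip_bytes: bytes, channel: str = "production") -> dict:
    """Return {target: entitlements_dict} for every <target>.<channel>.entitlements.xml entry.

    Any entry outside hardenedruntime/ (or containing '..') is rejected so a malformed or
    tampered artifact cannot smuggle extra files past the signing step.
    """
    found = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            if not name.startswith("hardenedruntime/") or ".." in name:
                raise ValueError(f"unexpected entry outside hardenedruntime/: {name}")
            match = ENTRY_RE.match(name)
            if match is None or match.group("channel") != channel:
                continue
            data = plistlib.loads(zf.read(name))
            if not isinstance(data, dict):
                raise ValueError(f"{name}: entitlements plist top level is not a dict")
            found[match.group("target")] = data
    return found


def entitlements_granted_only_to(ents: dict, target: str, other: str) -> list:
    """Entitlement keys enabled (True) for `target` that are absent or False for `other`."""
    other_ents = ents.get(other, {})
    return sorted(
        key for key, value in ents[target].items()
        if value is True and other_ents.get(key, False) is not True
    )


def plugin_container_is_subset_of_browser(ents: dict) -> bool:
    """Assumed policy for this example: the content process never gets more than the browser."""
    return not entitlements_granted_only_to(ents, "plugin-container", "browser")


if __name__ == "__main__":
    artifact = build_sample_artifact()
    production = load_entitlements(artifact)
    for target in sorted(production):
        print(target, sorted(production[target]))
    print("browser-only:", entitlements_granted_only_to(production, "browser", "plugin-container"))
    print("subset ok:", plugin_container_is_subset_of_browser(production))
```

Run against the real artifact, replace build_sample_artifact() with the bytes of target.codesign-entitlements.zip downloaded from the task's artifacts; the per-target diff is the quickest way to confirm that the split into per-executable entitlement files actually tightened plugin-container rather than just duplicating the browser's set.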

Depends on: 1606778
Pushed by haftandilian@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/64738257ab2e
Create macOS build artifact zip file containing codesigning entitlement files r=froydnj
Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla74
Blocks: 1606778
No longer depends on: 1606778
