Closed Bug 1617047 Opened 4 years ago Closed 7 months ago

[macOS] Add codesign mapping files equivalent to the current dev/production codesigning

Categories

(Core :: Security: Process Sandboxing, enhancement, P1)

Unspecified
macOS
enhancement

RESOLVED DUPLICATE of bug 1593072

People

(Reporter: haik, Assigned: haik)

Attachments

(1 obsolete file)

Before we can switch to using codesign-tree in codesigning automation code, we need to land codesign-tree map files that result in a codesign equivalent to what we use today (one for development builds and one for production builds). Then, when we land the changes in automation, we can validate that codesigning still works before moving on to bug 1593072.

Blocks: 1593072
Assignee: nobody → haftandilian

Add codesign map files to be used in the future when our automation codesigning
code is updated to use codesign-tree[1] which consumes these map files
(bug 1593072). At that time, automation codesigning will use the map files
resulting in a signed .app equivalent to what we generate today and allowing for
codesigning changes to be more controlled by files in the tree. The new files
will be included in the build artifact added in bug 1606746 which includes the
"hardenedruntime" directory.

Once automation is updated to consume the map files and the changes are stable,
the next step will be to update the map files and entitlements to allow for more
complex codesigning where the parent process and plugin-container executables
can be signed with different entitlements. Next, this can be further improved by
updates to Firefox to use different executables for different child process
types to allow more fine-grained use of entitlements specific to the process
type.

These new map files specify entitlements to be used for codesigning for all of
the files that are signed within the app. This is not necessary because not all
files need the entitlements from the respective
{developer,production}.entitlements.xml files, but is done to match what is
currently done in automation[2].

  1. https://github.com/hafta/codesign-tree
  2. https://github.com/mozilla-releng/scriptworker-scripts/blob/a7bee69dc0daf7723eb9e1adaf9a37a0ccc17c59/iscript/src/iscript/mac.py#L194
Attachment #9128541 - Attachment description: Bug 1617047 - [macOS] Add codesign mapping files equivalent to the current dev/production codesigning r?spohl! → Bug 1617047 - [macOS] Add codesign mapping files equivalent to the current dev/production codesigning
Priority: -- → P1
Attachment #9128541 - Attachment description: Bug 1617047 - [macOS] Add codesign mapping files equivalent to the current dev/production codesigning → Bug 1617047 - [macOS] Enable map-file codesigning

I'll withdraw these patches for now. This fix depends on bug 1593072 and how that will be implemented is TBD. Bug 1593072 is to have the entitlement-to-file-mapping controlled by directives in the tree and once that lands we'll need to have configuration files in the tree. This patch added configuration files assuming bug 1593072 was implemented using codesign-tree.

No longer blocks: 1593072
Depends on: 1593072
Flags: needinfo?(haftandilian)
Attachment #9128541 - Attachment is obsolete: true
Severity: normal → S3

Bug 1593072 accomplished what this bug was intended to do. With bug 1593072, mapping of entitlements to executables is specified in-tree.

Status: NEW → RESOLVED
Closed: 7 months ago
Duplicate of bug: 1593072
Resolution: --- → DUPLICATE