macOS PKG doesn't properly support M1
Categories
(Release Engineering :: General, defect)
Tracking
(firefox98 fixed)
| Tracking | Status | |
|---|---|---|
| firefox98 | --- | fixed |
People
(Reporter: mkaply, Assigned: ahal)
References
Details
Attachments
(4 files)
|
63 bytes,
text/x-github-pull-request
|
Details | Review | |
|
102.02 KB,
image/png
|
Details | |
|
48 bytes,
text/x-phabricator-request
|
Details | Review | |
|
4.48 KB,
patch
|
RyanVM
:
approval-mozilla-esr91-
|
Details | Diff | Splinter Review |
Screenshot of it working correctly.
Apparently our PKG file doesn't properly report that it supports M1 even though the packaged binary is universal.
Per:
https://scriptingosx.com/2020/12/platform-support-in-macos-installer-packages-pkg/
We need to make some changes to mark the PKG file.
Per discussion on mac Slack, we think it's a simple as adding:
<options hostArchitectures="x86_64,arm64" />
to the Distribution XML file.
This can be verified with this tool:
|
||
Updated•3 years ago
|
|
Reporter | |
Comment 1•3 years ago
|
||
Here's where we did the original work to create a distribution package:
https://bugzilla.mozilla.org/show_bug.cgi?id=1689376
What version of macOS do we build Firefox on? It looks like if we were on Big Sure, this would just work.
If we're on Catalina or lower, it looks like the easiest option is to create a file like this:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>arch</key>
<array>
<string>x86_64</string>
<string>arm64</string>
</array>
</dict>
</plist>
and just pass it to productbuild:
--product requirements.plist
|
||
Comment 2•3 years ago
|
||
(In reply to Mike Kaply [:mkaply] from comment #1)
What version of macOS do we build Firefox on? It looks like if we were on Big Sure, this would just work.
none, we build on linux :)
|
||
Comment 3•3 years ago
|
||
We build the pkg files on the mac signers, which are Mojave. Our productbuild call is here. We may need to support some sort of task or product flag that specifies this, since we might sign apps that don't support both arches, but we could also hardcode until that becomes a problem.
|
|
||
Comment 4•3 years ago
|
||
We probably want to:
- quarantine a mac signer
- ssh in
- patch iscript, and possibly the configs
- test iscript
- push the pkg somewhere for someone (qa?) to test
- repeat the previous 3 steps until it looks good
- productionize the changes in iscript and/or ronin-puppet
- find a window to roll out: these changes will be live as soon as we roll out to the mac signers. if we want to be able to ride the trains or avoid affecting chemspills, we need to include some in-tree in-task flag; otherwise we'll be live on all branches once we roll out.
- roll out
- verify in the next nightly/beta/release/esr
|
Assignee | |
Comment 5•3 years ago
|
||
I'll take a look at this.
|
|
||
Updated•3 years ago
|
|
|
Assignee | |
Comment 6•3 years ago
|
||
I've quarantined mac-v3-signing2 to start looking into this.
|
|
Assignee | |
Comment 7•3 years ago
|
||
This is untested (just getting something up to iterate on).
|
|
Assignee | |
Comment 8•3 years ago
|
||
Hey Mike, your suggested fix from comment 1 produced this package file:
https://nextcloud.ahal.ca/s/QATwiDgNMK8zQXb
I don't know anything about MacOS packaging though, would you (or someone) be able to verify that it's packaged as you expect?
Note: the PR is still not finished as we don't want to check the requirements.plist into scriptworker-scripts, but we can at least verify that the suggested fix works.
|
|
Assignee | |
Updated•3 years ago
|
|
|
Reporter | |
Comment 9•3 years ago
|
||
Just had the original reporter verify and it looks good.
|
|
Assignee | |
Comment 10•3 years ago
|
||
Thanks! I've update the PR to something close to how we'll want to handle this in iscript. Since I'm heading out on holidays tomorrow, writing down next steps for the new year:
- Finish iscript PR (at least need to tweak schema still, also need to check if tests need adding/updating)
- Write Gecko counter-part patch (figure out where to check-in
requirements.plist) - FIgure out how to test this
- Land + delpoy iscript patch
- Land Gecko patch
|
|
Assignee | |
Comment 11•3 years ago
|
||
|
|
Assignee | |
Comment 12•3 years ago
|
||
Hey Mike, I'd like to check this requirements.plist file into mozilla-central. Do you know where it should live, or can you suggest someone to ask? Thanks!
|
|
Assignee | |
Comment 13•3 years ago
|
||
I've updated the linked pkg file to one that was generated using the attached iscript PR. Though it's just using the same requirements.plist as before and I verified that the productbuild command is constructed appropriately.. so I don't think it needs re-validation.
|
|
Reporter | |
Comment 14•3 years ago
|
||
Aki might have some ideas on where this should live?
|
|
||
Comment 15•3 years ago
|
||
Lol :)
I thought maybe next to the entitlement files, but security/mac/hardenedruntime/ seems specifically not this.
https://searchfox.org/mozilla-central/source/browser/installer / mac something?
https://searchfox.org/mozilla-central/source/build/package/mac_osx ?
I think I'm just guessing a path, based on a) will it affect any other part of a build (let's not), and b) does it make any sort of intuitive sense. Not sure if a build peer or similar should chime in.
|
||
Updated•3 years ago
|
|
|
Assignee | |
Comment 16•3 years ago
|
||
Alright, here's a build-signing task with all the pieces finally put together:
https://firefox-ci-tc.services.mozilla.com/tasks/AWLIaxb8Qiat3affF44eQg#artifacts
The target.pkg there should be using the checked in requirements.plist. I'll find someone to verify.
|
|
Assignee | |
Comment 17•3 years ago
|
||
Heitor verified that the artifact produced by the above task reports that it installs natively on Apple Silicon.
|
||
Comment 18•3 years ago
|
||
|
||
Comment 19•3 years ago
|
||
| bugherder | ||
|
|
Reporter | |
Comment 20•3 years ago
|
||
Would this be easy to put on the ESR?
|
|
||
Comment 21•3 years ago
|
||
I think it's a matter of uplifting https://hg.mozilla.org/mozilla-central/rev/e7d8b37032ca.
|
|
Reporter | |
Comment 22•3 years ago
|
||
Looks like gecko_taskgraph was just taskgraph on the ESR and I had to fix one conflict.
[Approval Request Comment]
If this is not a sec:{high,crit} bug, please state case for ESR consideration: Mainly enterprise feature (PKG)
User impact if declined: PKG can't be used on M1
Fix Landed on Version: 98
Risk to taking this patch (and alternatives if risky): Low
See https://wiki.mozilla.org/Release_Management/ESR_Landing_Process for more info.
|
||
Comment 23•3 years ago
|
||
Comment on attachment 9265938 [details] [diff] [review]
ESR version of diff
Approved for ESR91.
|
|
||
Comment 24•3 years ago
|
||
Comment on attachment 9265938 [details] [diff] [review]
ESR version of diff
This breaks the Gecko decision task. Please verify that it works on Try before re-requesting uplift.
|
|
Reporter | |
Comment 25•3 years ago
|
||
I'm getting errors just running ./mach bootstrap.
I think I'm just going to punt on this one for now.
I haven't heard complaints about ESR, just a nice to have and we're approaching 102 fast.
|
|
Reporter | |
Comment 26•3 years ago
|
||
Just FYI, the error I get is:
extra keys not allowed @ data['mac-notarization']['mac-requirements']
So I Think something else is missing.
See:
https://treeherder.mozilla.org/jobs?repo=try&revision=52479d963694d57a8c2f6476aab7f067d17b3ba6
|
|
||
Comment 27•3 years ago
|
||
Ah. That's in this file in the patch, taskcluster/gecko_taskgraph/config.py. We renamed taskcluster/taskgraph to taskcluster/gecko_taskgraph in central; I'm guessing we didn't in ESR. So I bet that portion of the patch needs to be applied to taskcluster/taskgraph/config.py in esr.
Description
•