feat: Mac hardened signing on signingscript

Author: hneiva

signingscript/Dockerfile

@@ -11,6 +11,7 @@ RUN groupadd --gid 10001 app && \
 
 # Copy only required folders
 COPY ["signingscript", "/app/signingscript/"]
+COPY ["scriptworker_client", "/app/scriptworker_client/"]
 COPY ["configloader", "/app/configloader/"]
 COPY ["docker.d", "/app/docker.d/"]
 COPY ["vendored", "/app/vendored/"]
@@ -22,14 +23,18 @@ COPY ["version.jso[n]", "/app/"]
 # Install msix
 # Install rcodesign
 RUN chown -R app:app /app && \
+    cd /app/scriptworker_client && \
+    pip install /app/scriptworker_client && \
+    pip install -r requirements/base.txt && \
+    pip install . && \
     cd /app/signingscript/docker.d && \
     bash build_msix_packaging.sh && \
     cp msix-packaging/.vs/bin/makemsix /usr/bin && \
     cp msix-packaging/.vs/lib/libmsix.so /usr/lib && \
     cd .. && \
     rm -rf msix-packaging && \
     wget -qO- \
-    https://github.com/indygreg/apple-platform-rs/releases/download/apple-codesign%2F0.22.0/apple-codesign-0.22.0-x86_64-unknown-linux-musl.tar.gz \
+    https://github.com/indygreg/apple-platform-rs/releases/download/apple-codesign%2F0.25.1/apple-codesign-0.25.1-x86_64-unknown-linux-musl.tar.gz \
     | tar xvz -C /usr/bin --transform 's/.*\///g' --wildcards --no-anchored 'rcodesign' && \
     chmod +x /usr/bin/rcodesign
 
@@ -40,6 +45,7 @@ WORKDIR /app
 # Install signingscript + configloader + widevine
 RUN python -m venv /app \
  && cd signingscript \
+ && /app/bin/pip install /app/scriptworker_client \
  && /app/bin/pip install -r requirements/base.txt \
  && /app/bin/pip install . \
  && python -m venv /app/configloader_venv \

signingscript/docker.d/apple_signing_creds.yml

@@ -0,0 +1,18 @@
+$let:
+  scope_prefix:
+    $match:
+      'COT_PRODUCT == "firefox"': 'project:releng:signing:'
+      'COT_PRODUCT == "thunderbird"': 'project:comm:thunderbird:releng:signing:'
+      'COT_PRODUCT == "mozillavpn"': 'project:mozillavpn:releng:signing:'
+      'COT_PRODUCT == "adhoc"': 'project:adhoc:releng:signing:'
+in:
+  $merge:
+    $match:
+      'ENV == "prod" && scope_prefix':
+        '${scope_prefix[0]}cert:release-apple-signing':
+          - "credentials": {"$eval": "APPLE_SIGNING_CREDENTIALS"}
+            "password": {"$eval": "APPLE_SIGNING_CREDS_PASSWORD"}
+      'ENV != "prod" && scope_prefix':
+        '${scope_prefix[0]}cert:dep-apple-signing':
+          - "credentials": {"$eval": "APPLE_SIGNING_DEP_CREDENTIALS"}
+            "password": {"$eval": "APPLE_SIGNING_DEP_CREDS_PASSWORD"}

signingscript/docker.d/init_worker.sh

@@ -26,6 +26,7 @@ export HFSPLUS_PATH=$APP_DIR/signingscript/files/hfsplus
 
 export PASSWORDS_PATH=$CONFIG_DIR/passwords.json
 export APPLE_NOTARIZATION_CREDS_PATH=$CONFIG_DIR/apple_notarization_creds.json
+export APPLE_SIGNING_CONFIG_PATH=$CONFIG_DIR/apple_signing_config.json
 export GPG_PUBKEY_PATH=$APP_DIR/signingscript/src/signingscript/data/gpg_pubkey_dep.asc
 export WIDEVINE_CERT_PATH=$CONFIG_DIR/widevine.crt
 export AUTHENTICODE_TIMESTAMP_STYLE=old
@@ -260,3 +261,4 @@ esac
 
 $CONFIG_LOADER $TEMPLATE_DIR/passwords.yml $PASSWORDS_PATH
 $CONFIG_LOADER $TEMPLATE_DIR/apple_notarization_creds.yml $APPLE_NOTARIZATION_CREDS_PATH
+$CONFIG_LOADER $TEMPLATE_DIR/apple_signing_creds.yml $APPLE_SIGNING_CONFIG_PATH

signingscript/docker.d/worker.yml

@@ -4,6 +4,7 @@ verbose: { "$eval": "VERBOSE == 'true'" }
 my_ip: { "$eval": "PUBLIC_IP" }
 autograph_configs: { "$eval": "PASSWORDS_PATH" }
 apple_notarization_configs: { "$eval": "APPLE_NOTARIZATION_CREDS_PATH" }
+apple_signing_configs: { "$eval": "APPLE_SIGNING_CONFIG_PATH" }
 taskcluster_scope_prefixes:
   $flatten:
     $match:

signingscript/setup.py

@@ -5,7 +5,8 @@
 with open(os.path.join(os.path.abspath(os.path.dirname(__file__)), "version.txt")) as f:
     version = f.read().rstrip()
 
-install_requires = ["arrow", "mar", "scriptworker", "taskcluster", "mohawk", "winsign", "macholib"]
+with open(os.path.join(os.path.abspath(os.path.dirname(__file__)), "requirements", "base.in")) as f:
+    install_requires = ["scriptworker_client"] + f.readlines()
 
 setup(
     name="signingscript",

signingscript/src/signingscript/rcodesign.py

@@ -1,8 +1,15 @@
 #!/usr/bin/env python
 """Functions that interface with rcodesign"""
 import asyncio
+from collections import namedtuple
 import logging
+import os
 import re
+from glob import glob
+from shutil import copy2
+
+from scriptworker_client.aio import download_file, raise_future_exceptions, retry_async
+from scriptworker_client.exceptions import DownloadError
 from signingscript.exceptions import SigningScriptError
 
 log = logging.getLogger(__name__)
@@ -41,13 +48,14 @@ async def _execute_command(command):
         stderr = (await proc.stderr.readline()).decode("utf-8").rstrip()
         if stderr:
             # Unfortunately a lot of outputs from rcodesign come out to stderr
-            log.warn(stderr)
+            log.warning(stderr)
             output_lines.append(stderr)
 
     exitcode = await proc.wait()
     log.info("exitcode {}".format(exitcode))
     return exitcode, output_lines
 
+
 def find_submission_id(logs):
     """Given notarization logs, find and return the submission id
     Args:
@@ -128,6 +136,7 @@ async def rcodesign_check_result(logs):
             raise RCodesignError("Notarization failed!")
     return
 
+
 async def rcodesign_staple(path):
     """Staples a given app
     Args:
@@ -146,3 +155,129 @@ async def rcodesign_staple(path):
     if exitcode > 0:
         raise RCodesignError(f"Error stapling notarization. Exit code {exitcode}")
     return
+
+
+def _create_empty_entitlements_file(dest):
+    contents = """<?xml version="1.0" encoding="UTF-8"?>
+    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+    <plist version="1.0">
+    <dict>
+    </dict>
+    </plist>
+    """.lstrip()
+    with open(dest, "wt") as fd:
+        fd.writelines(contents)
+
+
+async def _download_entitlements(hardened_sign_config, workdir):
+    """Download entitlements listed in the hardened signing config
+    Args:
+        hardened_sign_config (list): hardened signing configs
+        workdir (str): current work directory where entitlements will be saved
+
+    Returns:
+        Map of url -> local file location
+    """
+    empty_file = os.path.join(workdir, "0-empty.xml")
+    _create_empty_entitlements_file(empty_file)
+    # rcodesign requires us to specify an "empty" entitlements file
+    url_map = {None: empty_file}
+
+    # Unique urls to be downloaded
+    urls_to_download = set([i["entitlements"] for i in hardened_sign_config if "entitlements" in i])
+    # If nothing found, skip
+    if not urls_to_download:
+        log.warn("No entitlements urls provided! Skipping download.")
+        return url_map
+
+    futures = []
+    for index, url in enumerate(urls_to_download, start=1):
+        # Prefix filename with an index in case filenames are the same
+        filename = "{}-{}".format(index, url.split("/")[-1])
+        dest = os.path.join(workdir, filename)
+        url_map[url] = dest
+        log.info(f"Downloading resource: {filename} from {url}")
+        futures.append(
+            asyncio.ensure_future(
+                retry_async(
+                    download_file,
+                    retry_exceptions=(DownloadError, TimeoutError),
+                    args=(url, dest),
+                    attempts=5,
+                )
+            )
+        )
+    await raise_future_exceptions(futures)
+    return url_map
+
+
+EntitlementEntry = namedtuple(
+    "EntitlementEntry",
+     ["file", "entitlement", "runtime"],
+)
+
+def _get_entitlements_args(hardened_sign_config, path, entitlements_map):
+    """Builds the list of entitlements based on files in path
+
+    Args:
+        hardened_sign_config (list): hardened signing configuration
+        path (str): path to app
+    """
+    entries = []
+
+    for config in hardened_sign_config:
+        entitlement_path = entitlements_map.get(config.get("entitlements"))
+        for path_glob in config["globs"]:
+            separator = ""
+            if not path_glob.startswith("/"):
+                separator = "/"
+            # Join incoming glob with root of app path
+            full_path_glob = path + separator + path_glob
+            for binary_path in glob(full_path_glob, recursive=True):
+                # Get relative path
+                relative_path = os.path.relpath(binary_path, path)
+                # Append "<binary path>:<entitlement>" to list of args
+                entries.append(
+                    EntitlementEntry(
+                        file=relative_path,
+                        entitlement=entitlement_path,
+                        runtime=config.get("runtime"),
+                    )
+                )
+
+    return entries
+
+
+async def rcodesign_sign(workdir, path, creds_path, creds_pass_path, hardened_sign_config=[]):
+    """Signs a given app
+    Args:
+        workdir (str): Path to work directory
+        path (str): Path to be signed
+        creds_path (str): Path to credentials file
+        creds_pass_path (str): Path to credentials password file
+        hardened_sign_config (list): Hardened signing configuration
+
+    Returns:
+        (Tuple) exit code, log lines
+    """
+    # TODO: Validate and sanitize input
+    command = [
+        "rcodesign",
+        "sign",
+        "--code-signature-flags=runtime",
+        f"--p12-file={creds_path}",
+        f"--p12-password-file={creds_pass_path}",
+    ]
+
+    entitlements_map = await _download_entitlements(hardened_sign_config, workdir)
+    file_entitlements = _get_entitlements_args(hardened_sign_config, path, entitlements_map)
+
+    for entry in file_entitlements:
+        if entry.runtime:
+            flags_arg = f"--code-signature-flags=runtime:{entry.file}"
+            command.append(flags_arg)
+        entitlement_arg = f"--entitlements-xml-path={entry.file}:{entry.entitlement}"
+        command.append(entitlement_arg)
+
+    command.append(path)
+    await _execute_command(command)

signingscript/src/signingscript/script.py

@@ -9,7 +9,7 @@
 from dataclasses import asdict
 
 from signingscript.task import build_filelist_dict, sign, task_signing_formats, task_cert_type
-from signingscript.utils import copy_to_dir, load_apple_notarization_configs, load_autograph_configs
+from signingscript.utils import copy_to_dir, load_apple_notarization_configs, load_apple_signing_configs, load_autograph_configs, unlink
 from signingscript.exceptions import SigningScriptError
 
 log = logging.getLogger(__name__)
@@ -40,6 +40,11 @@ async def async_main(context):
                 raise Exception("Apple notarization is enabled but apple_notarization_configs is not defined")
             setup_apple_notarization_credentials(context)
 
+        if "apple_hardened_signing" in all_signing_formats:
+            if not context.config.get("apple_signing_configs", False):
+                raise Exception("Apple signing is enabled but apple_signing_configs is not defined")
+            setup_apple_signing_credentials(context)
+
         context.session = session
         context.autograph_configs = load_autograph_configs(context.config["autograph_configs"])
 
@@ -101,17 +106,54 @@ def setup_apple_notarization_credentials(context):
 
     context.apple_credentials_path = os.path.join(
         os.path.dirname(context.config["apple_notarization_configs"]),
-        'apple_api_key.json',
+        "apple_api_key.json",
     )
     if os.path.exists(context.apple_credentials_path):
         # TODO: If we have different api keys for each product, this needs to overwrite every task:
         return
     # Convert dataclass to dict so json module can read it
     credential = asdict(scope_credentials[0])
-    with open(context.apple_credentials_path, 'wb') as credfile:
+    with open(context.apple_credentials_path, "wb") as credfile:
         credfile.write(json.dumps(credential).encode("ascii"))
 
 
+def setup_apple_signing_credentials(context):
+    """Writes the signing p12 file and password to a file
+
+    Adds properties to context: apple_credentials_path + apple_credentials_pass_path
+
+    Args:
+        context: Running task Context
+    """
+    cert_type = task_cert_type(context)
+
+    apple_signing_configs = load_apple_signing_configs(context.config["apple_signing_configs"])
+    if cert_type not in apple_signing_configs:
+        raise SigningScriptError("Credentials not found for scope: %s" % cert_type)
+    scope_credentials = apple_signing_configs.get(cert_type)
+    if len(scope_credentials) != 1:
+        raise SigningScriptError("There should only be 1 scope credential, %s found." % len(scope_credentials))
+
+    context.apple_signing_creds_path = os.path.join(
+        os.path.dirname(context.config["apple_signing_configs"]),
+        "apple_signing_creds.p12",
+    )
+    unlink(context.apple_signing_creds_path)
+    context.apple_signing_creds_pass_path = os.path.join(
+        os.path.dirname(context.config["apple_signing_configs"]),
+        "apple_signing_creds_pass.passwd",
+    )
+    unlink(context.apple_signing_creds_pass_path)
+
+    # Convert dataclass to dict so json module can read it
+    creds_config = asdict(scope_credentials[0])
+    with open(context.apple_credentials_path, "wb") as credfile:
+        credfile.write(json.dumps(creds_config["credentials"]).encode("ascii"))
+
+    with open(context.apple_signing_creds_pass_path, "wb") as passfile:
+        passfile.write(json.dumps(creds_config["password"]).encode("ascii"))
+
+
 def main():
     """Start signing script."""
     mohawk_log = logging.getLogger("mohawk")