From 7a9cf80b19f3facabe53bf5a60fd813d7d63a6ff Mon Sep 17 00:00:00 2001 From: Cory Fields Date: Tue, 25 Nov 2014 19:23:18 -0500 Subject: [PATCH] docs: add/update docs for osx dmg signing --- doc/README_osx.txt | 15 +++++++++++++++ doc/release-process.md | 34 +++++++++++++++++++++++++++------- 2 files changed, 42 insertions(+), 7 deletions(-) diff --git a/doc/README_osx.txt b/doc/README_osx.txt index 8831649bd..d56234f7d 100644 --- a/doc/README_osx.txt +++ b/doc/README_osx.txt @@ -65,3 +65,18 @@ Background images and other features can be added to DMG files by inserting a .DS_Store before creation. The easiest way to create this file is to build a DMG without one, move it to a device running OSX, customize the layout, then grab the .DS_Store file for later use. That is the approach taken here. + +As of OSX Mavericks (10.9), using an Apple-blessed key to sign binaries is a +requirement in order to satisfy the new Gatekeeper requirements. Because this +private key cannot be shared, we'll have to be a bit creative in order for the +build process to remain somewhat deterministic. Here's how it works: + +- Builders use gitian to create an unsigned release. This outputs an unsigned + dmg which users may choose to bless and run. It also outputs an unsigned app + structure in the form of a tarball, which also contains all of the tools + that have been previously (deterministically) built in order to create a + final dmg. +- The Apple keyholder uses this unsigned app to create a detached signature, + using the script that is also included there. +- Builders feed the unsigned app + detached signature back into gitian. It + uses the pre-built tools to recombine the pieces into a deterministic dmg. diff --git a/doc/release-process.md b/doc/release-process.md index df27c5829..a16d4ace4 100644 --- a/doc/release-process.md +++ b/doc/release-process.md 
@@ -59,17 +59,18 @@ Release Process ./bin/gsign --signer $SIGNER --release ${VERSION}-win --destination ../gitian.sigs/ ../bitcoin/contrib/gitian-descriptors/gitian-win.yml mv build/out/bitcoin-*.zip build/out/bitcoin-*.exe ../ ./bin/gbuild --commit bitcoin=v${VERSION} ../bitcoin/contrib/gitian-descriptors/gitian-osx.yml - ./bin/gsign --signer $SIGNER --release ${VERSION}-osx --destination ../gitian.sigs/ ../bitcoin/contrib/gitian-descriptors/gitian-osx.yml + ./bin/gsign --signer $SIGNER --release ${VERSION}-osx-unsigned --destination ../gitian.sigs/ ../bitcoin/contrib/gitian-descriptors/gitian-osx.yml + mv build/out/bitcoin-*-unsigned.tar.gz inputs mv build/out/bitcoin-*.tar.gz build/out/bitcoin-*.dmg ../ popd - +bitcoin-0.9.99-osx-unsigned.tar.gz Build output expected: 1. source tarball (bitcoin-${VERSION}.tar.gz) 2. linux 32-bit and 64-bit binaries dist tarballs (bitcoin-${VERSION}-linux[32|64].tar.gz) 3. windows 32-bit and 64-bit installers and dist zips (bitcoin-${VERSION}-win[32|64]-setup.exe, bitcoin-${VERSION}-win[32|64].zip) - 4. OSX installer (bitcoin-${VERSION}-osx.dmg) - 5. Gitian signatures (in gitian.sigs/${VERSION}-/(your gitian key)/ + 4. OSX unsigned installer (bitcoin-${VERSION}-osx-unsigned.dmg) + 5. Gitian signatures (in gitian.sigs/${VERSION}-/(your gitian key)/ ###Next steps: 
@@ -78,7 +79,28 @@ Commit your signature to gitian.sigs: pushd gitian.sigs git add ${VERSION}-linux/${SIGNER} git add ${VERSION}-win/${SIGNER} - git add ${VERSION}-osx/${SIGNER} + git add ${VERSION}-osx-unsigned/${SIGNER} + git commit -a + git push # Assuming you can push to the gitian.sigs tree + popd + +Wait for OSX detached signature: + Once the OSX build has 3 matching signatures, Gavin will sign it with the apple App-Store key. + He will then upload a detached signature to be combined with the unsigned app to create a signed binary. + +Create the signed OSX binary: + pushd ./gitian-builder + # Fetch the signature as instructed by Gavin + cp signature.tar.gz inputs/ + ./bin/gbuild -i ../bitcoin/contrib/gitian-descriptors/gitian-osx-signer.yml + ./bin/gsign --signer $SIGNER --release ${VERSION}-osx-signed --destination ../gitian.sigs/ ../bitcoin/contrib/gitian-descriptors/gitian-osx-signer.yml + mv build/out/bitcoin-${VERSION}-osx.dmg ../ + popd + +Commit your signature for the signed OSX binary: + + pushd gitian.sigs + git add ${VERSION}-osx-signed/${SIGNER} git commit -a git push # Assuming you can push to the gitian.sigs tree popd @@ -91,8 +113,6 @@ Commit your signature to gitian.sigs: - Code-sign Windows -setup.exe (in a Windows virtual machine using signtool) - - Code-sign MacOSX .dmg - Note: only Gavin has the code-signing keys currently. - Create `SHA256SUMS.asc` for the builds, and GPG-sign it:
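Review bot: in the README_osx.txt hunk, the second bullet refers to "the script that is also included there" without naming it, and says nothing about what the keyholder should check before signing, so a keyholder reading this file alone cannot tell which file to run or that the tarball they sign should be the one whose gitian signatures already match. Suggest naming the script and adding a sentence such as "the keyholder verifies the unsigned tarball against the published gitian signatures before producing the detached signature". The third bullet could also spell out why the scheme is safe: because the recombination is deterministic, every builder who feeds in the same tarball and detached signature gets a byte-identical dmg, so a tampered or mismatched detached signature shows up as a gitian signature mismatch rather than going unnoticed.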
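Review bot: in the `@@ -59,17 +59,18 @@` hunk the added line `+bitcoin-0.9.99-osx-unsigned.tar.gz` between `popd` and `Build output expected:` sits outside the indented command block, hard-codes a version where every other name uses `${VERSION}`, and reads as an accidental paste. Either drop it or fold it into the expected-output list as a new item, e.g. `OSX unsigned app tarball (bitcoin-${VERSION}-osx-unsigned.tar.gz)`, since that tarball is what `mv build/out/bitcoin-*-unsigned.tar.gz inputs` stashes for the signer step and it is otherwise undocumented. Two smaller points in the same hunk: after that first `mv`, the following `mv build/out/bitcoin-*.tar.gz build/out/bitcoin-*.dmg ../` only works if the osx descriptor still emits a tarball that is not named `*-unsigned.tar.gz` (otherwise the unexpanded glob makes `mv` fail), so please confirm that; and item 5 of the list still reads `gitian.sigs/${VERSION}-/(your gitian key)/` (the `-`/`+` pair is identical as rendered, so this looks like a whitespace-only change) while the osx release is now `${VERSION}-osx-unsigned`, so listing the actual directory names would help.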
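Review bot: in the `@@ -78,7 +79,28 @@` hunk, `# Fetch the signature as instructed by Gavin` followed by `cp signature.tar.gz inputs/` gives a builder no way to check what they fetched before building with it; state where the detached signature is published and how to verify it (for example, the keyholder publishes its sha256 or GPG-signs it, and the builder checks that before the `cp`). The `./bin/gbuild -i ../bitcoin/contrib/gitian-descriptors/gitian-osx-signer.yml` line also omits the `--commit bitcoin=v${VERSION}` that every other `gbuild` line passes; if the signer descriptor takes no git remote, say so, otherwise the build silently uses whatever is checked out. The step further depends on `bitcoin-${VERSION}-osx-unsigned.tar.gz` still sitting in `inputs/` from the earlier `mv`, which a builder starting on a fresh checkout will not have; worth stating. Finally, "Gavin will sign it with the apple App-Store key" does not agree with the README hunk, which describes an Apple-blessed key used to satisfy Gatekeeper; Gatekeeper is satisfied by a Developer ID signature, which is a different certificate from the one used for App Store submission, so "App-Store key" is likely the wrong term here and the two files should use the same description.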
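Review bot: in the `@@ -91,8 +113,6 @@` hunk, dropping `- Code-sign MacOSX .dmg` is right now that OSX signing happens inside the gitian flow above, but the deleted `Note: only Gavin has the code-signing keys currently.` followed both code-signing items, so the surviving `- Code-sign Windows -setup.exe (in a Windows virtual machine using signtool)` item is left with no mention of who holds that key. Consider keeping a trimmed note on the Windows item, e.g. "only Gavin has the Windows code-signing key currently".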