@bhearsum
Created November 30, 2020 20:20
diff --git a/iscript/src/iscript/mac.py b/iscript/src/iscript/mac.py
index 7bbc764..305c7c2 100644
--- a/iscript/src/iscript/mac.py
+++ b/iscript/src/iscript/mac.py
@@ -27,11 +27,8 @@ log = logging.getLogger(__name__)
MAC_DESIGNATED_REQUIREMENTS = (
- """=designated => ( """
- """(anchor apple generic and certificate leaf[field.1.2.840.113635.100.6.1.9] ) """
- """or (anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] """
- """and certificate leaf[field.1.2.840.113635.100.6.1.13] and certificate """
- """leaf[subject.OU] = "%(subject_ou)s"))"""
+ """=designated => """
+ """certificate leaf[subject.OU] = "%(subject_ou)s" """
)
KNOWN_ARTIFACT_PREFIXES = ("public/", "releng/partner/")
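Review bot: The rewritten `MAC_DESIGNATED_REQUIREMENTS` no longer constrains who issued the certificate: with `anchor apple generic` and the certificate-extension checks removed, any certificate whose leaf `subject.OU` equals the configured value satisfies the requirement, whether or not it chains to Apple. If the old clause was rejecting a new certificate type, drop only the extension checks and keep the anchor: `=designated => anchor apple generic and certificate leaf[subject.OU] = "%(subject_ou)s"`. The constant is module-level, so the weaker requirement presumably applies to every product signed through this file, not just the one being debugged.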
@@ -206,13 +203,14 @@ async def sign_app(key_config, app_path, entitlements_path):
IScriptError: on error.
"""
- SIGN_DIRS = ("MacOS", "Library")
+ SIGN_DIRS = ("MacOS", "Frameworks")
parent_dir = os.path.dirname(app_path)
app_name = os.path.basename(app_path)
await run_command(["xattr", "-cr", app_name], cwd=parent_dir, exception=IScriptError)
identity = key_config["identity"]
keychain = key_config["signing_keychain"]
sign_command = _get_sign_command(identity, keychain)
+ log.debug("BHEARUSM: signing %s" % app_name)
if key_config.get("sign_with_entitlements", False):
sign_command.extend(["-o", "runtime", "--entitlements", entitlements_path])
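Review bot: Swapping `"Library"` for `"Frameworks"` in `SIGN_DIRS` means directories under `Contents/Library` now hit the "not in SIGN_DIRS" skip branch, so code that was previously signed there is left unsigned. Add the new directory instead of replacing the old one: `SIGN_DIRS = ("MacOS", "Library", "Frameworks")`. The added debug line should also use lazy logging arguments like the surrounding calls, `log.debug("signing %s", app_name)`, without the personal marker. The body of sign_app continues outside this hunk.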
@@ -227,7 +225,11 @@ async def sign_app(key_config, app_path, entitlements_path):
log.debug("Skipping %s because it's not in SIGN_DIRS.", abs_dir)
dirs.remove(dir_)
continue
- if dir_.endswith(".app"):
+ log.debug("BHEARUSM DEBUGGING DO NOT RUN IN PRODUCTION")
+ if dir_.endswith(".app") or dir_.endswith(".appex"):
+ if dir_ == "MozillaVPNLoginItem.app":
+ continue
+ log.debug("BHEARUSM: signing app %s" % abs_dir)
await sign_app(key_config, abs_dir, entitlements_path)
if top_dir == contents_dir:
log.debug("Skipping file iteration in %s because it's the root directory.", top_dir)
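Review bot: The hard-coded `if dir_ == "MozillaVPNLoginItem.app": continue` leaves that nested bundle unsigned, because the file loop in the next hunk skips everything under an inner `.app` on the assumption that this branch signed it. An unsigned nested bundle is likely to fail verification of the outer signature or notarization, and a product-specific exception in shared signing code belongs in `key_config` (for example a list of bundle names to skip) with a comment saying why. The `DO NOT RUN IN PRODUCTION` log line shows this is debugging state and must be removed before the change lands. The extension test reads better as `if dir_.endswith((".app", ".appex")):`.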
@@ -236,7 +238,7 @@ async def sign_app(key_config, app_path, entitlements_path):
for file_ in files:
abs_file = os.path.join(top_dir, file_)
# Deal with inner .app's above, not here.
- if top_dir[app_path_len:].count(".app") > 0:
+ if top_dir[app_path_len:].count(".app") > 0 or top_dir[app_path_len:].count(".app") > 0:
log.debug("Skipping %s because it's part of an inner app.", abs_file)
continue
# app_executable gets signed with the outer package.
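Review bot: The new condition tests the same thing twice, `count(".app") > 0 or ... count(".app") > 0`, so it behaves exactly like the line it replaces. If the second operand was meant to be `".appex"`, it would still be redundant because `.app` is a substring of `.appex`. Restore `if top_dir[app_path_len:].count(".app") > 0:` and extend the comment above it to `# Deal with inner .app and .appex bundles above, not here.`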
@@ -376,7 +378,7 @@ def get_app_dir(parent_dir):
UnknownAppDir: if there is no single app dir
"""
- apps = glob("{}/*.app".format(parent_dir)) + glob("{}/*/*.app".format(parent_dir))
+ apps = glob("{}/*.app*".format(parent_dir)) + glob("{}/*/*.app*".format(parent_dir))
if len(apps) != 1:
raise UnknownAppDir("Can't find a single .app in {}: {}".format(parent_dir, apps))
return apps[0]
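Review bot: The pattern `*.app*` matches more than bundles: a sibling such as `Foo.app.zip` or `Foo.app.dSYM` now counts as an app, which either trips the `len(apps) != 1` check or, when it is the only match, is returned as the directory to sign. Match the two extensions explicitly, e.g. `apps = [p for pat in ("*.app", "*/*.app", "*.appex", "*/*.appex") for p in glob("{}/{}".format(parent_dir, pat))]`. The `UnknownAppDir` message and the docstring should then mention `.appex` as well.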
@@ -515,7 +517,7 @@ async def create_one_notarization_zipfile(work_dir, all_paths, path_attrs=("app_
app.check_required_attrs(required_attrs)
for path_attr in path_attrs:
app_paths.append(os.path.relpath(getattr(app, path_attr), work_dir))
- await run_command(["zip", "-r", zip_path, *app_paths], cwd=work_dir, exception=IScriptError)
+ await run_command(["ditto", "-c", "-k", "--sequesterRsrc", "--keepParent", "0", zip_path], cwd=work_dir, exception=IScriptError)
return zip_path
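Review bot: The `ditto` call archives the literal directory `"0"` and ignores `app_paths`, which the loop above still builds. The notarization zip therefore contains whatever sits under `work_dir/0`, not necessarily the bundles that were signed, and any additional apps in `all_paths` are never submitted. Since `ditto -c` takes a single source, pass the computed path and fail loudly otherwise: `if len(app_paths) != 1: raise IScriptError("ditto can only archive one path: {}".format(app_paths))` followed by `await run_command(["ditto", "-c", "-k", "--sequesterRsrc", "--keepParent", app_paths[0], zip_path], cwd=work_dir, exception=IScriptError)`. The function starts outside this hunk.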
@@ -920,7 +922,7 @@ async def create_pkg_files(config, key_config, all_paths):
for app in all_paths:
# call set_app_path_and_name because we may not have called sign_app() earlier
set_app_path_and_name(app)
- app.pkg_path = app.app_path.replace(".app", ".pkg")
+ app.pkg_path = app.app_path.replace(".app", ".pkg").replace("pkgex", "pkg")
app.pkg_name = os.path.basename(app.pkg_path)
pkg_opts = []
if key_config.get("pkg_cert_id"):
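Review bot: Chaining `.replace(".app", ".pkg").replace("pkgex", "pkg")` rewrites every occurrence in the whole path, so a parent directory containing `.app` or `pkgex` is altered too and `pkg_path` can point somewhere unintended. Swap only the final extension: `app.pkg_path = os.path.splitext(app.app_path)[0] + ".pkg"`, which handles `.app` and `.appex` alike. The loop body continues outside this hunk.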