Merge pull request #4456 from brave/issue_7731_v2

Add Sparkle hardened runtime support
brave · Feb 1, 2020 · 01f3ecc · 01f3ecc
1 parent 589f084
commit 01f3ecc
Show file tree

Hide file tree

Showing 3 changed files with 28 additions and 4 deletions.
diff --git a/DEPS b/DEPS
@@ -10,7 +10,7 @@ deps = {
   "vendor/boto": "https://github.com/boto/boto@f7574aa6cc2c819430c1f05e9a1a1a666ef8169b",
   "vendor/python-patch": "https://github.com/brave/python-patch@d8880110be6554686bc08261766538c2926d4e82",
   "vendor/omaha":  "https://github.com/brave/omaha.git@de118d8511e4754a673d44a9f1e92d80442069e7",
-  "vendor/sparkle": "https://github.com/brave/Sparkle.git@c0759cce415d7c0feae45005c8a013b1898711f0",
+  "vendor/sparkle": "https://github.com/brave/Sparkle.git@577eee9cbf955b4dd39746b4f03a1944fcd323fd",
   "vendor/bat-native-rapidjson": "https://github.com/brave-intl/bat-native-rapidjson.git@86aafe2ef89835ae71c9ed7c2527e3bb3000930e",
   "vendor/bip39wally-core-native": "https://github.com/brave-intl/bip39wally-core-native.git@13bb40a215248cfbdd87d0a6b425c8397402e9e6",
   "vendor/bat-native-anonize": "https://github.com/brave-intl/bat-native-anonize.git@e3742ba3e8942eea9e4755d91532491871bd3116",

diff --git a/patches/chrome-installer-mac-signing-signing.py.patch b/patches/chrome-installer-mac-signing-signing.py.patch
@@ -1,5 +1,5 @@
 diff --git a/chrome/installer/mac/signing/signing.py b/chrome/installer/mac/signing/signing.py
-index 18a73509f528e67c29c7ef896eee338e0970b4fa..117f2b88a4322448a4c0bdda797dd7f5d110a35d 100644
+index cd93959385debe65d04c0a4664f638173da54b75..0324d4f534f4cec4a3b70c0577284151110d1b14 100644
 --- a/chrome/installer/mac/signing/signing.py
 +++ b/chrome/installer/mac/signing/signing.py
 @@ -11,6 +11,7 @@ import os.path
@@ -14,7 +14,7 @@ index 18a73509f528e67c29c7ef896eee338e0970b4fa..117f2b88a4322448a4c0bdda797dd7f5
              library_basename.replace('.dylib', ''),
              verify_options=VerifyOptions.DEEP)
 
-+    AddBravePartsForSigning(parts, config)
++    parts = AddBravePartsForSigning(parts, config)
      return parts
 
 
@@ -27,7 +27,7 @@ index 18a73509f528e67c29c7ef896eee338e0970b4fa..117f2b88a4322448a4c0bdda797dd7f5
      if config.notary_user:
          # Assume if the config has notary authentication information that the
          # products will be notarized, which requires a secure timestamp.
-@@ -270,6 +272,7 @@ def sign_chrome(paths, config, sign_framework=False):
+@@ -272,6 +274,7 @@ def sign_chrome(paths, config, sign_framework=False):
                  continue
              sign_part(paths, config, part)
 

diff --git a/script/signing_helper.py b/script/signing_helper.py
@@ -5,6 +5,7 @@
 # License, v. 2.0. If a copy of the MPL was not distributed with this file,
 # You can obtain one at http://mozilla.org/MPL/2.0/. */
 
+import collections
 import os
 import subprocess
 import sys
@@ -63,10 +64,15 @@ def GenerateBraveWidevineSigFile(paths, config, part):
 
 
 def AddBravePartsForSigning(parts, config):
+    parts = collections.OrderedDict(parts)
     from signing.model import CodeSignedProduct, VerifyOptions, CodeSignOptions
 
     development = True if config.provisioning_profile_basename is None else False
 
+    full_hardened_runtime_options = (
+        CodeSignOptions.HARDENED_RUNTIME + CodeSignOptions.RESTRICT +
+        CodeSignOptions.LIBRARY_VALIDATION + CodeSignOptions.KILL)
+
     # Add libs
     brave_dylibs = (
         'libchallenge_bypass_ristretto.dylib',
@@ -82,15 +88,33 @@ def AddBravePartsForSigning(parts, config):
 
     # Add Sparkle
     if not development:
+        # Add Sparkle binaries
+        parts['sparkle-framework-fileop'] = CodeSignedProduct(
+            '{.framework_dir}/Versions/{.version}/Frameworks/Sparkle.framework/Versions/A/Resources/Autoupdate.app/Contents/MacOS/fileop'  # noqa: E501
+            .format(config, config),
+            'fileop',
+            verify_options=VerifyOptions.DEEP + VerifyOptions.NO_STRICT)
+        parts['sparkle-framework-fileop'].options = full_hardened_runtime_options
+
+        parts['sparkle-framework-autoupdate'] = CodeSignedProduct(
+            '{.framework_dir}/Versions/{.version}/Frameworks/Sparkle.framework/Versions/A/Resources/Autoupdate.app/Contents/MacOS/Autoupdate'  # noqa: E501
+            .format(config, config),
+            'org.sparkle-project.Sparkle.Autoupdate',
+            verify_options=VerifyOptions.DEEP + VerifyOptions.NO_STRICT)
+        parts['sparkle-framework-autoupdate'].options = full_hardened_runtime_options
+
         parts['sparkle-framework'] = CodeSignedProduct(
             '{.framework_dir}/Frameworks/Sparkle.framework'.format(config),
             'org.sparkle-project.Sparkle',
             verify_options=VerifyOptions.DEEP + VerifyOptions.NO_STRICT)
+        parts['sparkle-framework'].options = full_hardened_runtime_options
 
     # Overwrite to avoid TeamID mismatch with widevine dylib.
     parts['helper-app'].entitlements = 'helper-entitlements.plist'
     parts['helper-app'].options = CodeSignOptions.RESTRICT + CodeSignOptions.KILL + CodeSignOptions.HARDENED_RUNTIME
 
+    return parts
+
 
 def GetBraveSigningConfig(config_class, development, mac_provisioning_profile=None):
     if development: