mac build: attempt at "reproducible" codesigned builds

- added notes about reproducibility requirements - adapted build scripts from Bitcoin Core that can - extract signatures from a signed .app - apply previously extracted signatures to an unsigned .app
2021-07-19 06:28:27 +02:00
parent 71b02df832
commit f50882d8df
4 changed files with 211 additions and 27 deletions
--- a/contrib/osx/compare_dmg
+++ b/contrib/osx/compare_dmg
@@ -1,28 +1,60 @@
 #!/usr/bin/env bash                                                                                                                                                                                               
 set -e

-src_dir=$(dirname "$0")
-cd "$src_dir/../.."
-
-rm -rf dmg1
-hdiutil attach $1
-cp -r /Volumes/Electrum/Electrum.app/ dmg1
-hdiutil detach /Volumes/Electrum
-
-rm -rf dmg2
-hdiutil attach $2
-cp -r /Volumes/Electrum/Electrum.app/ dmg2
-hdiutil detach /Volumes/Electrum
-
-# remove signatures
-for i in $(find dmg1/ ); do codesign --remove-signature $i || true; done;
-for i in $(find dmg2/ ); do codesign --remove-signature $i || true; done;
-
-diff=$(diff -qr dmg1 dmg2)
-echo $diff
-if [ "$diff" ]
-then
-    echo "failure"
-else
-    echo "success"
+if [ $(uname) != "Darwin" ]; then
+    echo "This script needs to be run on macOS."
+    exit 1
+fi
+
+UNSIGNED_DMG="$1"
+RELEASE_DMG="$2"
+CONTRIB_OSX="$(dirname "$(grealpath "$0")")"
+PROJECT_ROOT="$CONTRIB_OSX/../.."
+WORKSPACE="/tmp/electrum_compare_dmg"
+
+if [ -z "$UNSIGNED_DMG" ]; then
+    echo "usage: $0 <unsigned dmg> <release dmg>"
+    exit 1
+fi
+
+if [ -z "$RELEASE_DMG" ]; then
+    echo "usage: $0 <unsigned dmg> <release dmg>"
+    exit 1
+fi
+
+UNSIGNED_DMG=$(grealpath "$UNSIGNED_DMG")
+RELEASE_DMG=$(grealpath "$RELEASE_DMG")
+
+cd "$PROJECT_ROOT"
+rm -rf "$WORKSPACE" && mkdir -p "$WORKSPACE"
+
+DMG_UNSIGNED_UNPACKED="$WORKSPACE/dmg1"
+DMG_RELEASE_UNPACKED="$WORKSPACE/dmg2"
+
+hdiutil attach "$UNSIGNED_DMG"
+cp -r /Volumes/Electrum "$DMG_UNSIGNED_UNPACKED"
+hdiutil detach /Volumes/Electrum
+
+hdiutil attach "$RELEASE_DMG"
+cp -r /Volumes/Electrum "$DMG_RELEASE_UNPACKED"
+hdiutil detach /Volumes/Electrum
+
+# copy signatures from RELEASE_DMG to UNSIGNED_DMG
+echo "Extracting signatures from release app..."
+QUIET="1" "$CONTRIB_OSX/extract_sigs.sh" "$DMG_RELEASE_UNPACKED"/Electrum.app
+echo "Applying extracted signatures to unsigned app..."
+QUIET="1" "$CONTRIB_OSX/apply_sigs.sh" "$DMG_UNSIGNED_UNPACKED"/Electrum.app mac_extracted_sigs.tar.gz
+
+rm mac_extracted_sigs.tar.gz
+
+diff=$(diff -qr "$WORKSPACE/signed_app" "$DMG_RELEASE_UNPACKED") || true
+echo $diff
+if [ "$diff" ]; then
+    echo "DMGs do *not* match."
+    echo "failure"
+    exit 1
+else
+    echo "DMGs match."
+    echo "success"
+    exit 0
 fi