docs: add/update docs for osx dmg signing
This commit is contained in:
parent
914868a05d
commit
7a9cf80b19
2 changed files with 42 additions and 7 deletions
@ -65,3 +65,18 @@ Background images and other features can be added to DMG files by inserting a
.DS_Store before creation. The easiest way to create this file is to build a
.DS_Store before creation. The easiest way to create this file is to build a
DMG without one, move it to a device running OSX, customize the layout, then
DMG without one, move it to a device running OSX, customize the layout, then
grab the .DS_Store file for later use. That is the approach taken here.
grab the .DS_Store file for later use. That is the approach taken here.
As of OSX Mavericks (10.9), using an Apple-blessed key to sign binaries is a
requirement in order to satisfy the new Gatekeeper requirements. Because this
private key cannot be shared, we'll have to be a bit creative in order for the
build process to remain somewhat deterministic. Here's how it works:
- Builders use gitian to create an unsigned release. This outputs an unsigned
dmg which users may choose to bless and run. It also outputs an unsigned app
structure in the form of a tarball, which also contains all of the tools
that have been previously (deterministically) built in order to create a
final dmg.
- The Apple keyholder uses this unsigned app to create a detached signature,
using the script that is also included there.
- Builders feed the unsigned app + detached signature back into gitian. It
uses the pre-built tools to recombine the pieces into a deterministic dmg.
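Review bot: the three-step list never says what a builder should check before feeding the detached signature back in, so a builder could recombine a signature that was produced over a different unsigned app than the one they built. Suggest adding a sentence to the third bullet stating that the builder verifies the signature matches their own gitian-built unsigned app (the signature is described as detached, so it is only meaningful relative to that exact app), and that the final dmg is then gitian-signed by multiple builders so the "deterministic" claim in "recombine the pieces into a deterministic dmg" is actually checked rather than assumed. The phrase "dmg which users may choose to bless and run" would also read more clearly as an explicit statement that the unsigned dmg will be blocked by Gatekeeper unless the user overrides it, since that is the consequence the preceding paragraph describes.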
@ -59,17 +59,18 @@ Release Process
./bin/gsign --signer $SIGNER --release ${VERSION}-win --destination ../gitian.sigs/ ../bitcoin/contrib/gitian-descriptors/gitian-win.yml
./bin/gsign --signer $SIGNER --release ${VERSION}-win --destination ../gitian.sigs/ ../bitcoin/contrib/gitian-descriptors/gitian-win.yml
mv build/out/bitcoin-*.zip build/out/bitcoin-*.exe ../
mv build/out/bitcoin-*.zip build/out/bitcoin-*.exe ../
./bin/gbuild --commit bitcoin=v${VERSION} ../bitcoin/contrib/gitian-descriptors/gitian-osx.yml
./bin/gbuild --commit bitcoin=v${VERSION} ../bitcoin/contrib/gitian-descriptors/gitian-osx.yml
./bin/gsign --signer $SIGNER --release ${VERSION}-osx --destination ../gitian.sigs/ ../bitcoin/contrib/gitian-descriptors/gitian-osx.yml
./bin/gsign --signer $SIGNER --release ${VERSION}-osx-unsigned --destination ../gitian.sigs/ ../bitcoin/contrib/gitian-descriptors/gitian-osx.yml
mv build/out/bitcoin-*-unsigned.tar.gz inputs
mv build/out/bitcoin-*.tar.gz build/out/bitcoin-*.dmg ../
mv build/out/bitcoin-*.tar.gz build/out/bitcoin-*.dmg ../
popd
popd
bitcoin-0.9.99-osx-unsigned.tar.gz
Build output expected:
Build output expected:
1. source tarball (bitcoin-${VERSION}.tar.gz)
1. source tarball (bitcoin-${VERSION}.tar.gz)
2. linux 32-bit and 64-bit binaries dist tarballs (bitcoin-${VERSION}-linux[32|64].tar.gz)
2. linux 32-bit and 64-bit binaries dist tarballs (bitcoin-${VERSION}-linux[32|64].tar.gz)
3. windows 32-bit and 64-bit installers and dist zips (bitcoin-${VERSION}-win[32|64]-setup.exe, bitcoin-${VERSION}-win[32|64].zip)
3. windows 32-bit and 64-bit installers and dist zips (bitcoin-${VERSION}-win[32|64]-setup.exe, bitcoin-${VERSION}-win[32|64].zip)
4. OSX installer (bitcoin-${VERSION}-osx.dmg)
4. OSX unsigned installer (bitcoin-${VERSION}-osx-unsigned.dmg)
5. Gitian signatures (in gitian.sigs/${VERSION}-<linux|win|osx>/(your gitian key)/
5. Gitian signatures (in gitian.sigs/${VERSION}-<linux|win|osx-unsigned>/(your gitian key)/
###Next steps:
###Next steps:
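Review bot: the added line `bitcoin-0.9.99-osx-unsigned.tar.gz` sits on its own between `popd` and "Build output expected:" with a hard-coded version instead of `${VERSION}`, which looks like a stray paste rather than documentation; either drop it or fold it into the numbered output list as a proper item (`bitcoin-${VERSION}-osx-unsigned.tar.gz`). That list should list the unsigned app tarball anyway, since the new `mv build/out/bitcoin-*-unsigned.tar.gz inputs` line depends on it existing and the later signer step consumes it, yet item 4 only mentions the `-osx-unsigned.dmg`. Also worth a comment on the `mv ... inputs` line explaining that it is moved into `inputs` because the signer descriptor reads it from there; otherwise a reader following the list will not know why this tarball is treated differently from the others moved to `../`.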
@ -78,7 +79,28 @@ Commit your signature to gitian.sigs:
pushd gitian.sigs
pushd gitian.sigs
git add ${VERSION}-linux/${SIGNER}
git add ${VERSION}-linux/${SIGNER}
git add ${VERSION}-win/${SIGNER}
git add ${VERSION}-win/${SIGNER}
git add ${VERSION}-osx/${SIGNER}
git add ${VERSION}-osx-unsigned/${SIGNER}
git commit -a
git push # Assuming you can push to the gitian.sigs tree
popd
Wait for OSX detached signature:
Once the OSX build has 3 matching signatures, Gavin will sign it with the apple App-Store key.
He will then upload a detached signature to be combined with the unsigned app to create a signed binary.
Create the signed OSX binary:
pushd ./gitian-builder
# Fetch the signature as instructed by Gavin
cp signature.tar.gz inputs/
./bin/gbuild -i ../bitcoin/contrib/gitian-descriptors/gitian-osx-signer.yml
./bin/gsign --signer $SIGNER --release ${VERSION}-osx-signed --destination ../gitian.sigs/ ../bitcoin/contrib/gitian-descriptors/gitian-osx-signer.yml
mv build/out/bitcoin-${VERSION}-osx.dmg ../
popd
Commit your signature for the signed OSX binary:
pushd gitian.sigs
git add ${VERSION}-osx-signed/${SIGNER}
git commit -a
git commit -a
git push # Assuming you can push to the gitian.sigs tree
git push # Assuming you can push to the gitian.sigs tree
popd
popd
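Review bot: the "Fetch the signature as instructed by Gavin" comment followed directly by `cp signature.tar.gz inputs/` gives the builder no way to check that the tarball they fetched is the one the keyholder produced, and that file becomes an input to a build whose output is the release dmg. Suggest the doc state how the signature tarball is authenticated before the `cp` (for example, comparing its hash against a value the keyholder publishes out-of-band, or a GPG signature over it), and that builders compare their `${VERSION}-osx-signed` gitian signatures the same way the earlier step waits for "3 matching signatures" on the unsigned build. Two smaller points: the new `./bin/gbuild -i ... gitian-osx-signer.yml` call omits the `--commit bitcoin=v${VERSION}` that every other `gbuild` invocation on this page passes, which should be either explained (the signer only consumes `inputs/`) or made consistent; and the "Wait for OSX detached signature:" / "Create the signed OSX binary:" / "Commit your signature for the signed OSX binary:" headings are plain text while the surrounding document uses `###` headings (`###Next steps:`), so they should use the same heading style.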
@ -91,8 +113,6 @@ Commit your signature to gitian.sigs:
- Code-sign Windows -setup.exe (in a Windows virtual machine using signtool)
- Code-sign Windows -setup.exe (in a Windows virtual machine using signtool)
- Code-sign MacOSX .dmg
Note: only Gavin has the code-signing keys currently.
Note: only Gavin has the code-signing keys currently.
- Create `SHA256SUMS.asc` for the builds, and GPG-sign it:
- Create `SHA256SUMS.asc` for the builds, and GPG-sign it:
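Review bot: with "- Code-sign MacOSX .dmg" removed from this list, the unchanged "Note: only Gavin has the code-signing keys currently." now reads as if it applies only to the Windows `signtool` step, while the dmg is still signed with a key only he holds (the earlier hunk says "Gavin will sign it with the apple App-Store key"). Suggest rewording the note so it covers both keys, or pointing the reader back to the new detached-signature section. The `SHA256SUMS.asc` item should also say explicitly that the OSX entry it covers is the signed `bitcoin-${VERSION}-osx.dmg` produced by the `gitian-osx-signer.yml` step, not the `-osx-unsigned.dmg` listed under "Build output expected:", so downstream verifiers hash the artifact that is actually published.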