As discussed a few times in the past, this introduces the notion of a detached OSX signature for release binaries. This produces a final dmg with a signature spliced in. I believe this is as close to determinism as we can get while still signing with a protected key. It also removes almost all margin for error in the build process, since the only variable (the signature) is obviously verifiable.
From the updated readme: As of OSX Mavericks (10.9), signing binaries with an Apple-blessed key is required in order to satisfy the new Gatekeeper checks. Because this private key cannot be shared, we'll have to be a bit creative in order for the build process to remain somewhat deterministic. Here's how it works:
- Builders use gitian to create an unsigned release. This outputs an unsigned dmg which users may choose to bless and run. It also outputs an unsigned app structure in the form of a tarball, which also contains all of the tools that have been previously (deterministically) built in order to create a final dmg.
- The Apple keyholder creates a detached signature from this unsigned app, using the script that is also included in the tarball.
- Builders feed the unsigned app + detached signature back into gitian. It uses the pre-built tools to recombine the pieces into a deterministic dmg. @gavinandresen has tested and verified that the output dmgs have valid signatures, and run on OSX 10.0.1.
The process to create the key is easy to follow, as is the auditing of the reattachment. It relies on the tools "pagestuff" and "codesign_allocate" which are built from source as part of our standard build process. These tools pad and update the binary as necessary in preparation for the signature. Then, a dumb "dd" is invoked to patch it in.
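As an added example (not code from the Bitcoin repository or from this PR), here is a POSIX shell sketch of the "dumb dd" splice step and the audit a builder can run to confirm that the reattached binary differs from the unsigned one only inside the signature region. The offset and size of the reserved region are assumed inputs here (in the real process pagestuff and codesign_allocate determine them), and the files in the usage are constructed for illustration.

```shell
#!/bin/sh
# Added example, not the project's own script. Assumes the binary has already
# been padded (codesign_allocate) so that SIZE zero bytes at byte OFFSET are
# reserved for the signature; these values are constructed, not real Mach-O layout.

# splice_signature UNSIGNED SIGBLOB OFFSET OUTPUT
# Copies UNSIGNED to OUTPUT and overwrites the reserved region with SIGBLOB,
# leaving the file length untouched (conv=notrunc).
splice_signature() {
  unsigned=$1; sig=$2; offset=$3; out=$4
  cp "$unsigned" "$out"
  dd if="$sig" of="$out" bs=1 seek="$offset" conv=notrunc 2>/dev/null
}

# extract_signature SIGNED OFFSET SIZE
# Writes the bytes of the signature region to stdout for inspection.
extract_signature() {
  dd if="$1" bs=1 skip="$2" count="$3" 2>/dev/null
}

# audit_reattachment UNSIGNED SIGNED OFFSET SIZE
# Returns 0 only if SIGNED has the same length as UNSIGNED and every differing
# byte lies inside [OFFSET, OFFSET+SIZE). This is the determinism check: the
# signature is the sole permitted variable between the two builds.
audit_reattachment() {
  unsigned=$1; signed=$2; offset=$3; size=$4
  [ "$(wc -c < "$unsigned" | tr -d ' ')" -eq "$(wc -c < "$signed" | tr -d ' ')" ] || return 1
  lo=$((offset + 1)); hi=$((offset + size))   # cmp -l positions are 1-based
  # cmp -l prints "<position> <octal byte a> <octal byte b>" per differing byte.
  cmp -l "$unsigned" "$signed" 2>/dev/null | awk -v lo="$lo" -v hi="$hi" \
    'BEGIN { bad = 0 } $1 < lo || $1 > hi { bad = 1 } END { exit bad }'
}

# Usage with constructed files: 32 bytes of payload, a 16-byte zeroed
# signature slot at offset 32, then 16 more bytes of payload.
demo() {
  tmp=$(mktemp -d)
  { head -c 32 /dev/zero | tr '\0' 'A'; head -c 16 /dev/zero; printf 'BBBBBBBBBBBBBBBB'; } > "$tmp/unsigned"
  printf 'SIGNATURE-BLOB!!' > "$tmp/sig"   # stand-in for the detached signature
  splice_signature "$tmp/unsigned" "$tmp/sig" 32 "$tmp/signed"
  audit_reattachment "$tmp/unsigned" "$tmp/signed" 32 16 && echo "only the signature region changed"
  rm -rf "$tmp"
}
```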
I've changed the release-process to reflect a possible workflow using this detached signature. I suspect we'll probably have to run a real (beta) release to see where the kinks are and what could be improved.