Fix signing and notarizing in GHA.

BrowserWorks · Sep 5, 2024 · 147fc89 · 147fc89
1 parent 5117fd4
commit 147fc89
Show file tree

Hide file tree

Showing 3 changed files with 6 additions and 6 deletions.
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -650,7 +650,7 @@ jobs:
           chmod +x ./sign/sign.sh
           ./sign/sign.sh -k "$PWD"/sign/1 -p ${{ secrets.ONE_PEM }} -c "$PWD"/sign/2 -i "$PWD"/obj-${{ env.ARCH-X64 }}/dist/waterfox/Waterfox.app -t macos
           rm -rf ./sign/
-          python3 ./security/mac/hardenedruntime/codesign.py -v -m ./security/mac/hardenedruntime/codesign-map.json -r ./obj-${{ env.ARCH-X64 }}/dist/waterfox/Waterfox.app -d ./security/mac/hardenedruntime -s '${{ secrets.MACOS_CERTIFICATE_NAME }}'
+          ./mach macos-sign -a /obj-${{ env.ARCH-X64 }}/dist/waterfox/Waterfox.app -s ${{ secrets.MACOS_NOTARIZATION_TEAM_ID }}
           echo "Creating temp notarization archive"
           ditto -c -k --keepParent "./obj-${{ env.ARCH-X64 }}/dist/waterfox/Waterfox.app" "notarization.zip"
           echo "Notarize app"

diff --git a/taskcluster/config.yml b/taskcluster/config.yml
@@ -1013,7 +1013,7 @@ mac-signing:
                       - "/Contents/MacOS/crashreporter.app"
                       - "/Contents/MacOS/updater.app/Contents/Frameworks/UpdateSettings.framework"
                       - "/Contents/MacOS/updater.app"
-                      - "/Contents/Library/LaunchServices/org.mozilla.updater"
+                      - "/Contents/Library/LaunchServices/net.waterfox.updater"
                       - "/Contents/MacOS/XUL"
                       - "/Contents/MacOS/pingsender"
                       - "/Contents/MacOS/minidump-analyzer"
@@ -1058,7 +1058,7 @@ mac-signing:
                       - "/Contents/MacOS/crashreporter.app"
                       - "/Contents/MacOS/updater.app/Contents/Frameworks/UpdateSettings.framework"
                       - "/Contents/MacOS/updater.app"
-                      - "/Contents/Library/LaunchServices/org.mozilla.updater"
+                      - "/Contents/Library/LaunchServices/net.waterfox.updater"
                       - "/Contents/MacOS/pingsender"
                       - "/Contents/MacOS/minidump-analyzer"
                       - "/Contents/MacOS/nmhproxy"

diff --git a/tools/signing/macos/mach_commands.py b/tools/signing/macos/mach_commands.py
@@ -37,7 +37,7 @@
     "Release channel entitlements, but the configuration used will be the "
     "Release configuration as defined in the repo working directory, not the "
     "configuration from the revision of the earlier 120 build.",
-    conditions=[conditions.is_firefox],
+#    conditions=[conditions.is_firefox],
 )
 @CommandArgument(
     "-v",
@@ -378,10 +378,10 @@ def auto_detect_channel(ctx, app):
     # The bundle IDs for different channels. We use these strings to
     # auto-detect the channel being signed. Different channels use
     # different entitlement files.
-    NIGHTLY_BUNDLEID = "org.mozilla.nightly"
+    NIGHTLY_BUNDLEID = "net.mozilla.nightly"
     DEVEDITION_BUNDLEID = "org.mozilla.firefoxdeveloperedition"
     # BETA uses the same bundle ID as Release
-    RELEASE_BUNDLEID = "org.mozilla.firefox"
+    RELEASE_BUNDLEID = "net.waterfox.waterfox"
 
     info_plist = os.path.join(app, "Contents/Info.plist")