From 654611f1e4e44ddf1370882c15123e36adb1a450 Mon Sep 17 00:00:00 2001 From: Micah Lee Date: Wed, 4 Nov 2020 17:34:00 -0800 Subject: Write macOS package script, to codesign child binaries --- RELEASE.md | 29 ++++++++++++++- desktop/install/macos_package.sh | 25 +++++++++++++ .../install/macos_sandbox/ChildEntitlements.plist | 10 +++++ desktop/install/macos_sandbox/Entitlements.plist | 43 ++++++++++++++++++++++ desktop/install/macos_sandbox/child.plist | 10 ----- desktop/install/macos_sandbox/parent.plist | 43 ---------------------- 6 files changed, 105 insertions(+), 55 deletions(-) create mode 100755 desktop/install/macos_package.sh create mode 100644 desktop/install/macos_sandbox/ChildEntitlements.plist create mode 100644 desktop/install/macos_sandbox/Entitlements.plist delete mode 100644 desktop/install/macos_sandbox/child.plist delete mode 100644 desktop/install/macos_sandbox/parent.plist
diff --git a/RELEASE.md b/RELEASE.md
index 9f75096b..91d4a3ab 100644
--- a/RELEASE.md
+++ b/RELEASE.md
@@ -145,6 +145,31 @@ Make sure the virtual environment is active, and then run `briefcase create`: ```sh . venv/bin/activate -briefcase create -briefcase package -i "Developer ID Application: Micah Lee" +./install/macos_package.sh ```
+
+Now, notarize the release. You must have an app-specific Apple ID password saved in the login keychain called `onionshare-notarize`.
+
+- Notarize it: `xcrun altool --notarize-app --primary-bundle-id "com.micahflee.onionshare" -u "micah@micahflee.com" -p "@keychain:onionshare-notarize" --file macOS/OnionShare-$VERSION.dmg`
+- Wait for it to get approved, check status with: `xcrun altool --notarization-history 0 -u "micah@micahflee.com" -p "@keychain:onionshare-notarize"`
+- After it's approved, staple the ticket: `xcrun stapler staple macOS/OnionShare-$VERSION.dmg`
+
+This will create `macOS/OnionShare-$VERSION.dmg`, signed and notarized.
+
+### Source package
+
+TODO: Write documentation for source package
+
+### Publishing the release
+
+To publish the release:
+
+- Create a new release on GitHub, put the changelog in the description of the release, and upload all six files (the macOS installer, the Windows installer, the source package, and their signatures)
+- Upload the six release files to https://onionshare.org/dist/$VERSION/
+- Copy the six release files into the OnionShare team Keybase filesystem
+- Update the [onionshare-website](https://github.com/micahflee/onionshare-website) repo:
+ - Edit `latest-version.txt` to match the latest version
+ - Update the version number and download links
+ - Deploy to https://onionshare.org/
+- Email the [onionshare-dev](https://lists.riseup.net/www/subscribe/onionshare-dev) mailing list announcing the release
+- Make a PR to [homebrew-cask](https://github.com/homebrew/homebrew-cask) to update the macOS version
diff --git a/desktop/install/macos_package.sh b/desktop/install/macos_package.sh
new file mode 100755
index 00000000..44c42ca8
--- /dev/null
+++ b/desktop/install/macos_package.sh
@@ -0,0 +1,25 @@
+#!/bin/bash
+
+export DEVELOPER_ID="Developer ID Application: Micah Lee (N9B95FDWH4)"
+
+# Cleanb up from the last build
+rm -rf macOS
+briefcase create
+
+# Codesign the child binaries
+codesign --sign "$DEVELOPER_ID" \
+ --entitlements install/macos_sandbox/ChildEntitlements.plist \
+ macOS/OnionShare/OnionShare.app/Contents/Resources/app/onionshare/resources/tor/tor \
+ --force --options runtime
+codesign --sign "$DEVELOPER_ID" \
+ --entitlements install/macos_sandbox/ChildEntitlements.plist \
+ macOS/OnionShare/OnionShare.app/Contents/Resources/app/onionshare/resources/tor/libevent-2.1.7.dylib \
+ --force --options runtime
+codesign --sign "$DEVELOPER_ID" \
+ --entitlements install/macos_sandbox/ChildEntitlements.plist \
+ macOS/OnionShare/OnionShare.app/Contents/Resources/app/onionshare/resources/tor/obfs4proxy \
+ --force --options runtime
+
+# Build and codesign the app bundle and dmg
+cp install/macos_sandbox/Entitlements.plist macOS/OnionShare/
+briefcase package -i "$DEVELOPER_ID"
diff --git a/desktop/install/macos_sandbox/ChildEntitlements.plist b/desktop/install/macos_sandbox/ChildEntitlements.plist
new file mode 100644
index 00000000..06d88f66
--- /dev/null
+++ b/desktop/install/macos_sandbox/ChildEntitlements.plist
@@ -0,0 +1,10 @@
+
+
+
+
+ com.apple.security.app-sandbox
+
+ com.apple.security.inherit
+
+
+
diff --git a/desktop/install/macos_sandbox/Entitlements.plist b/desktop/install/macos_sandbox/Entitlements.plist
new file mode 100644
index 00000000..8b9ac949
--- /dev/null
+++ b/desktop/install/macos_sandbox/Entitlements.plist
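Review bot: macos_package.sh never enables `set -e`, so when `briefcase create` or any of the three `codesign` calls fails the script falls through to `briefcase package` and can still emit a DMG carrying an unsigned or stale `tor`/`obfs4proxy`, which is the very outcome this script exists to prevent. Adding `set -euo pipefail` after the shebang and verifying each child signature with `codesign --verify --strict` before packaging makes a signing failure abort the build rather than surface at notarization time or not at all. The three near-identical codesign invocations can be folded into one loop over the three filenames, which also gives a place to fix the `Cleanb up` typo in the comment. Every path is relative to `desktop/` (the release docs run it as `./install/macos_package.sh` from there), so a `cd "$(dirname "$0")/.."` at the top would keep `rm -rf macOS` from deleting an unrelated directory if someone runs it from elsewhere; that the script presumes `desktop/` as cwd is inferred from the paths, not stated.
```shell
#!/bin/bash
set -euo pipefail
cd "$(dirname "$0")/.."   # all paths below are relative to desktop/

# … unchanged: DEVELOPER_ID export, clean up, briefcase create …

# Codesign the child binaries; a failed or unverifiable signature aborts the build
tor_dir="macOS/OnionShare/OnionShare.app/Contents/Resources/app/onionshare/resources/tor"
for child in tor libevent-2.1.7.dylib obfs4proxy; do
  codesign --sign "$DEVELOPER_ID" \
    --entitlements install/macos_sandbox/ChildEntitlements.plist \
    --force --options runtime "$tor_dir/$child"
  codesign --verify --strict --verbose=2 "$tor_dir/$child"
done

# … unchanged: copy Entitlements.plist, briefcase package …
```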
@@ -0,0 +1,43 @@ + + + + + + com.apple.security.app-sandbox + + + + com.apple.security.cs.allow-unsigned-executable-memory + + + + com.apple.security.network.server + + com.apple.security.network.client + + + + com.apple.security.files.user-selected.read-write + + + + com.apple.security.temporary-exception.files.absolute-path.read-only + + /private/etc/apache2/mime.types + + + + com.apple.security.temporary-exception.files.home-relative-path.read-only + + /Library/Application Support/TorBrowser-Data/Tor/control_auth_cookie + + + + com.apple.security.temporary-exception.files.home-relative-path.read-write + + /OnionShare/ + + +
diff --git a/desktop/install/macos_sandbox/child.plist b/desktop/install/macos_sandbox/child.plist
deleted file mode 100644
index 06d88f66..00000000
--- a/desktop/install/macos_sandbox/child.plist
+++ /dev/null
@@ -1,10 +0,0 @@
-
-
-
-
- com.apple.security.app-sandbox
-
- com.apple.security.inherit
-
-
-
diff --git a/desktop/install/macos_sandbox/parent.plist b/desktop/install/macos_sandbox/parent.plist
deleted file mode 100644
index 8b9ac949..00000000
--- a/desktop/install/macos_sandbox/parent.plist
+++ /dev/null
@@ -1,43 +0,0 @@ - - - - - - com.apple.security.app-sandbox - - - - com.apple.security.cs.allow-unsigned-executable-memory - - - - com.apple.security.network.server - - com.apple.security.network.client - - - - com.apple.security.files.user-selected.read-write - - - - com.apple.security.temporary-exception.files.absolute-path.read-only - - /private/etc/apache2/mime.types - - - - com.apple.security.temporary-exception.files.home-relative-path.read-only - - /Library/Application Support/TorBrowser-Data/Tor/control_auth_cookie - - - - com.apple.security.temporary-exception.files.home-relative-path.read-write - - /OnionShare/ - - - -- cgit v1.2.3-54-g00ecf
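Review bot: `com.apple.security.cs.allow-unsigned-executable-memory` in Entitlements.plist relaxes the hardened runtime's rule that executable memory be backed by signed code for the whole app, which is the broadest of the executable-memory exceptions, and the hunk records no reason for it (the XML markup is stripped in this rendering, so only keys and string values are visible). A comment beside the key naming the component that needs it, e.g. `<!-- needed by <component>, see <issue>; re-test without it, or with the narrower allow-jit, on each toolchain upgrade -->`, would let a later maintainer drop it safely instead of carrying it forever. The `home-relative-path.read-only` exception for `Library/Application Support/TorBrowser-Data/Tor/control_auth_cookie` hands the sandboxed app Tor Browser's control-port credential; that is presumably deliberate (attaching to an already-running Tor) but is worth one in-line comment as well, since it is the one entitlement here that crosses into another application's secrets.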