mozilla-vpn-client

Taskcluster - Check Entitlements

Open strseb opened this issue 2 years ago • 2 comments

It seems there is a problem with the mac signed entitlements. I got those by running codesign -d --entitlements :- /Applications/Mozilla\ VPN.app/

This is release/2.9 - github-ci unsigned:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "https://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
	<dict>
		<key>keychain-access-groups</key>
		<array> 
			<string>7W87BT2W9M.*</string>
		</array>
		<key>com.apple.developer.team-identifier</key>
		<string>7W87BT2W9M</string>
		<key>com.apple.application-identifier</key>
		<string>7W87BT2W9M.baku.mozilla.macos.FirefoxVPN</string>
	</dict>
</plist>

This is the 2.7 from archive:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "https://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
	<dict>
		<key>com.apple.application-identifier</key>
		<string>43AQ936H96.org.mozilla.macos.FirefoxVPN</string>
		<key>com.apple.developer.team-identifier</key>
		<string>43AQ936H96</string>
		<key>com.apple.security.application-groups</key>
		<array>
			<string>43AQ936H96.group.org.mozilla.macos.Guardian</string>
		</array>
		<key>com.apple.security.network.client</key>
		<true/>
		<key>com.apple.security.network.server</key>
		<true/>
		<key>keychain-access-groups</key>
		<array>
			<string>43AQ936H96.mozillavpn</string>
		</array>
	</dict>
</plist>

However the release/2.9 taskcluster-signed app seems to have only

<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
	<dict>
		<key>com.apple.security.app-sandbox</key>
		<true/>
	</dict>
</plist>

I am pretty sure we need at least those 2 (see #3785, #3775) for the client to function; I am not sure about the other ones.

		<key>com.apple.security.network.client</key>
		<true/>
		<key>com.apple.security.network.server</key>
		<true/>

cc @ahal @hneiva - Totally not an expert on mac entitlements :D Maybe you know more what should be in there?

strseb avatar Jun 20 '22 15:06 strseb
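
One way to catch this kind of regression in CI, as an added example that is not part of the original issue or the project's tooling: parse the plist that `codesign -d --entitlements :-` prints, diff it against a known-good build, and fail when the two network entitlements named above are missing. The function names are hypothetical; the two plists are the 2.7 and Taskcluster-signed 2.9 values quoted in the issue, with whitespace compacted.

```python
import plistlib

# The two entitlements the issue says the client needs at minimum.
REQUIRED_TRUE = (
    "com.apple.security.network.client",
    "com.apple.security.network.server",
)

# Values quoted in the issue (whitespace compacted): 2.7 from the archive ...
ARCHIVE_2_7 = """<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>com.apple.application-identifier</key><string>43AQ936H96.org.mozilla.macos.FirefoxVPN</string>
<key>com.apple.developer.team-identifier</key><string>43AQ936H96</string>
<key>com.apple.security.application-groups</key><array><string>43AQ936H96.group.org.mozilla.macos.Guardian</string></array>
<key>com.apple.security.network.client</key><true/>
<key>com.apple.security.network.server</key><true/>
<key>keychain-access-groups</key><array><string>43AQ936H96.mozillavpn</string></array>
</dict></plist>"""

# ... and the release/2.9 Taskcluster-signed app.
SIGNED_2_9 = """<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>com.apple.security.app-sandbox</key><true/>
</dict></plist>"""


def parse_entitlements(xml_text):
    """Parse the XML plist printed by `codesign -d --entitlements :-`."""
    return plistlib.loads(xml_text.strip().encode("utf-8"))


def missing_required(entitlements, required=REQUIRED_TRUE):
    """Return required keys that are absent or not set to <true/>."""
    return [key for key in required if entitlements.get(key) is not True]


def diff_entitlements(reference, candidate):
    """Return (dropped, added, changed) key lists, reference -> candidate."""
    ref_keys, cand_keys = set(reference), set(candidate)
    changed = [k for k in ref_keys & cand_keys if reference[k] != candidate[k]]
    return sorted(ref_keys - cand_keys), sorted(cand_keys - ref_keys), sorted(changed)


if __name__ == "__main__":
    old, new = parse_entitlements(ARCHIVE_2_7), parse_entitlements(SIGNED_2_9)
    dropped, added, changed = diff_entitlements(old, new)
    print("dropped:", dropped, "added:", added, "changed:", changed)
    missing = missing_required(new)
    raise SystemExit(f"missing entitlements: {missing}" if missing else 0)
```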

Previously we were using this entitlements file: https://gist.githubusercontent.com/bhearsum/5dac6f523a828675bbc00e8165e29946/raw/6b5a395c476679bcc5ecb07eafdc8e5adefc7470/gistfile1.txt

Now we are using one checked into the repo: https://github.com/mozilla-mobile/mozilla-vpn-client/blob/main/taskcluster/scripts/signing/entitlements.xml

I'm not sure why those entitlements got removed (maybe just because it seemed to work?), but we probably just need to copy them into the new file.

ahal avatar Jun 20 '22 16:06 ahal

Oh, I see what happened. We accidentally switched the entitlements around. So the contents of loginItems-entitlements.xml accidentally got switched with the contents of entitlements.xml. So we should swap those two files around.

ahal avatar Jun 20 '22 16:06 ahal

➤ Andrea Marchesini commented:

I think we can close this. We released the first macos build via taskcluster without entitlements issues.

data-sync-user avatar Oct 31 '22 14:10 data-sync-user