No Issue - Updates to Mac packaging for notarization. Add Mac entitlements.

Switch to using "create" instead of "makehybrid" when creating the disk image.
This fixes bogus extended attributes which interfere with the code signature.
Finally add any -bin or dylibs in the Resources folder since --deep skips that folder.

1 files changed, 19 insertions, 9 deletions

diff --git a/python/mozbuild/mozpack/dmg.py b/python/mozbuild/mozpack/dmg.py
index ade25aeac3..b231f731b8 100644
--- a/python/mozbuild/mozpack/dmg.py
+++ b/python/mozbuild/mozpack/dmg.py
@@ -5,6 +5,7 @@
 import errno
 import mozfile
 import os
+import fnmatch
 import platform
 import shutil
 import subprocess
@@ -46,11 +47,11 @@ def create_dmg_from_staged(stagedir, output_dmg, tmpdir, volume_name):
     if not is_linux:
         # Running on OS X
         hybrid = os.path.join(tmpdir, 'hybrid.dmg')
-        subprocess.check_call(['hdiutil', 'makehybrid', '-hfs',
-                               '-hfs-volume-name', volume_name,
-                               '-hfs-openfolder', stagedir,
-                               '-ov', stagedir,
-                               '-o', hybrid])
+        subprocess.check_call(['hdiutil', 'create',
+                               '-fs', 'HFS+',
+                               '-volname', volume_name,
+                               '-srcfolder', stagedir,
+                               '-ov', hybrid])
         subprocess.check_call(['hdiutil', 'convert', '-format', 'UDBZ',
                                '-imagekey', 'bzip2-level=9',
                                '-ov', hybrid, '-o', output_dmg])
@@ -70,8 +71,8 @@ def create_dmg_from_staged(stagedir, output_dmg, tmpdir, volume_name):
             uncompressed,
             output_dmg
         ],
-                              # dmg is seriously chatty
-                              stdout=open(os.devnull, 'wb'))
+        # dmg is seriously chatty
+        stdout=open(os.devnull, 'wb'))
 
 def check_tools(*tools):
     '''
@@ -87,7 +88,6 @@ def check_tools(*tools):
         if not os.access(path, os.X_OK):
             raise Exception('Required tool "%s" at path "%s" is not executable' % (tool, path))
 
-
 def create_dmg(source_directory, output_dmg, volume_name, extra_files):
     '''
     Create a DMG disk image at the path output_dmg from source_directory.
@@ -122,6 +122,16 @@ def create_dmg(source_directory, output_dmg, volume_name, extra_files):
         if not is_linux:
             identity = buildconfig.substs['MOZ_MACBUNDLE_IDENTITY']
             if identity != '':
+                dylibs = []
                 appbundle = os.path.join(stagedir, buildconfig.substs['MOZ_MACBUNDLE_NAME'])
-                subprocess.check_call(['codesign', '--deep', '-s', identity, appbundle])
+                # If the -bin file is in Resources add it to the dylibs as well
+                resourcebin = os.path.join(appbundle, 'Contents/Resources/' + buildconfig.substs['MOZ_APP_NAME'] + '-bin')
+                if os.path.isfile(resourcebin):
+                    dylibs.append(resourcebin)
+                # Create a list of dylibs in Contents/Resources that won't get signed by --deep
+                for root, dirnames, filenames in os.walk('Contents/Resources/'):
+                    for filename in fnmatch.filter(filenames, '*.dylib'):
+                        dylibs.append(os.path.join(root, filename))
+                entitlement = os.path.abspath(os.path.join(os.getcwd(), '../../platform/security/mac/production.entitlements.xml'))
+                subprocess.check_call(['codesign', '--deep', '--timestamp', '--options', 'runtime', '--entitlements', entitlement, '-s', identity] + dylibs + [appbundle])
         create_dmg_from_staged(stagedir, output_dmg, tmpdir, volume_name)