fix: update macOS build to use Waterfox identifiers

2025-08-04 19:05:55 +01:00
parent 0dcefccb1a
commit 09be2c9e91
5 changed files with 16 additions and 16 deletions
--- a/build/moz.configure/update-programs.configure
+++ b/build/moz.configure/update-programs.configure
@@ -73,7 +73,7 @@ def mac_prod_requirements_string(identifier):
        f'identifier "{identifier}" and anchor apple generic and '
        "certificate 1[field.1.2.840.113635.100.6.2.6] and "
        "certificate leaf[field.1.2.840.113635.100.6.1.13] and "
-        'certificate leaf[subject.OU] = "43AQ936H96"'
+        'certificate leaf[subject.OU] = "PZWYM7N4GF"'
    )


@@ -95,7 +95,7 @@ set_config("MOZ_SMAUTHORIZEDCLIENTS_REQUIREMENTS", smauthorizedclients_requireme

@depends("--enable-mac-elevated-updates-with-generic-certs", when=target_is_osx)
 def smprivilegedexec_requirements(enabled):
-    updater_id = "org.mozilla.updater"
+    updater_id = "net.waterfox.updater"
    if enabled:
        return mac_relaxed_requirements_string(updater_id)
    else:
--- a/security/mac/hardenedruntime/production/firefox.browser.xml
+++ b/security/mac/hardenedruntime/production/firefox.browser.xml
@@ -2,23 +2,23 @@
 <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
 <!--
     Entitlements to apply to the main browser process executable during
-     codesigning of production channel builds.
+     codesigning of production channel builds for Waterfox.
 -->
 <plist version="1.0">
  <dict>
    <!-- Allow loading third party libraries to support pkcs11 modules -->
    <key>com.apple.security.cs.disable-library-validation</key><true/>

-    <!-- Firefox needs to create executable pages with MAP_JIT on aarch64 -->
+    <!-- Waterfox needs to create executable pages with MAP_JIT on aarch64 -->
    <key>com.apple.security.cs.allow-jit</key><true/>

-    <!-- Firefox needs to access the microphone on sites the user allows -->
+    <!-- Waterfox needs to access the microphone on sites the user allows -->
    <key>com.apple.security.device.audio-input</key><true/>

-    <!-- Firefox needs to access the camera on sites the user allows -->
+    <!-- Waterfox needs to access the camera on sites the user allows -->
    <key>com.apple.security.device.camera</key><true/>

-    <!-- Firefox needs to access the location on sites the user allows -->
+    <!-- Waterfox needs to access the location on sites the user allows -->
    <key>com.apple.security.personal-information.location</key><true/>

    <!-- For SmartCardServices(7) -->
@@ -26,7 +26,7 @@

    <!-- Required for com.apple.developer.web-browser.public-key-credential -->
    <key>com.apple.application-identifier</key>
-    <string>43AQ936H96.org.mozilla.firefox</string>
+    <string>PZWYM7N4GF.net.waterfox.waterfox</string>

    <!-- For platform passkey (webauthn) support -->
    <key>com.apple.developer.web-browser.public-key-credential</key><true/>
--- a/taskcluster/config.yml
+++ b/taskcluster/config.yml
@@ -1017,7 +1017,7 @@ mac-signing:
                      - "/Contents/MacOS/crashreporter.app"
                      - "/Contents/MacOS/updater.app/Contents/Frameworks/UpdateSettings.framework"
                      - "/Contents/MacOS/updater.app"
-                      - "/Contents/Library/LaunchServices/org.mozilla.updater"
+                      - "/Contents/Library/LaunchServices/net.waterfox.updater"
                      - "/Contents/MacOS/XUL"
                      - "/Contents/MacOS/pingsender"
                      - "/Contents/MacOS/nmhproxy"
@@ -1062,7 +1062,7 @@ mac-signing:
                      - "/Contents/MacOS/crashreporter.app"
                      - "/Contents/MacOS/updater.app/Contents/Frameworks/UpdateSettings.framework"
                      - "/Contents/MacOS/updater.app"
-                      - "/Contents/Library/LaunchServices/org.mozilla.updater"
+                      - "/Contents/Library/LaunchServices/net.waterfox.updater"
                      - "/Contents/MacOS/pingsender"
                      - "/Contents/MacOS/nmhproxy"
                      - "/Contents/Frameworks/ChannelPrefs.framework"
--- a/toolkit/xre/nsCommandLineServiceMac.mm
+++ b/toolkit/xre/nsCommandLineServiceMac.mm
@@ -61,7 +61,7 @@ void SetupMacCommandLine(int& argc, char**& argv, bool forRestart) {
    // Essentially, we are using the updater as a relauncher process.
    NSString* updaterPath = [[path stringByDeletingLastPathComponent]
        stringByAppendingPathComponent:
-            @"updater.app/Contents/MacOS/org.mozilla.updater"];
+            @"updater.app/Contents/MacOS/net.waterfox.updater"];
    AddToCommandLine(updaterPath.UTF8String);
    AddToCommandLine("--openAppBundle");
  }
@@ -76,7 +76,7 @@ void SetupMacCommandLine(int& argc, char**& argv, bool forRestart) {
  // versions of macOS and we may be able to switch to the NSWorkspace API once
  // we no longer support the older versions of macOS where these errors occur.
  // See bug 1911178.
-  if (![path hasSuffix:@"org.mozilla.updater"] && ![path hasSuffix:@".app"]) {
+  if (![path hasSuffix:@"net.waterfox.updater"] && ![path hasSuffix:@".app"]) {
    // Ensure that the path in the first argument points to the .app bundle.
    // This strips three last path components, for example:
    //
@@ -85,7 +85,7 @@ void SetupMacCommandLine(int& argc, char**& argv, bool forRestart) {
    path = [[[path stringByDeletingLastPathComponent]
        stringByDeletingLastPathComponent] stringByDeletingLastPathComponent];
  }
-  if (![path hasSuffix:@"org.mozilla.updater"] && ![path hasSuffix:@".app"]) {
+  if (![path hasSuffix:@"net.waterfox.updater"] && ![path hasSuffix:@".app"]) {
    // We were unable to obtain the path to the .app bundle and are unable to
    // build a valid command line.
    return;
--- a/tools/signing/macos/mach_commands.py
+++ b/tools/signing/macos/mach_commands.py
@@ -37,7 +37,7 @@ from mozbuild.base import MachCommandConditions as conditions
    "Release channel entitlements, but the configuration used will be the "
    "Release configuration as defined in the repo working directory, not the "
    "configuration from the revision of the earlier 120 build.",
-    conditions=[conditions.is_firefox],
+#    conditions=[conditions.is_firefox],
 )
@CommandArgument(
    "-v",
@@ -378,10 +378,10 @@ def auto_detect_channel(ctx, app):
    # The bundle IDs for different channels. We use these strings to
    # auto-detect the channel being signed. Different channels use
    # different entitlement files.
-    NIGHTLY_BUNDLEID = "org.mozilla.nightly"
+    NIGHTLY_BUNDLEID = "net.mozilla.nightly"
    DEVEDITION_BUNDLEID = "org.mozilla.firefoxdeveloperedition"
    # BETA uses the same bundle ID as Release
-    RELEASE_BUNDLEID = "org.mozilla.firefox"
+    RELEASE_BUNDLEID = "net.waterfox.waterfox"

    info_plist = os.path.join(app, "Contents/Info.plist")