macOS: update signature for Sparkle

This patch sets up app updates to use EdDSA signature as now
it is required by Sparkle

Change-Id: I68a581e21850f04a819f4fe7ea49a33766031e01

CMakeLists.txt

@@ -449,12 +449,6 @@ else() # APPLE
       HINTS ${sparkle_dir})
     add_definitions(-DENABLE_SPARKLE)
     message("Sparkle is here:" ${SPARKLE_FRAMEWORK})
-    set(PUBLIC_KEY_PATH "${sparkle_dir}/dsa_pub.pem")
-    set_source_files_properties(
-      ${PUBLIC_KEY_PATH}
-      PROPERTIES
-      MACOSX_PACKAGE_LOCATION Resources)
-    set(PUBLIC_KEY ${PUBLIC_KEY_PATH})
   endif()
   if(BETA)
     message(STATUS "Beta config enabled")
@@ -722,7 +716,7 @@ else()
     ${CMAKE_CURRENT_SOURCE_DIR}/resources/images/jami.icns)
   set(libs ${QT_LIBS} ${SYSTEM_CONFIGURATUION} qrencode ${LIBCLIENT_NAME})
   if(ENABLE_SPARKLE)
-    set(resources ${resources} ${PUBLIC_KEY} ${SPARKLE_FRAMEWORK})
+    set(resources ${resources} ${SPARKLE_FRAMEWORK})
     set(libs ${libs} ${SPARKLE_FRAMEWORK})
   endif(ENABLE_SPARKLE)
   target_sources(${PROJECT_NAME} PRIVATE ${resources})
@@ -766,6 +760,7 @@ else()
       else()
           set_target_properties(${PROJECT_NAME} PROPERTIES
                 SPARKLE_URL "${SPARKLE_URL}"
+                SPARKLE_PUBLIC_KEY "${SPARKLE_PUBLIC_KEY}"
                 XCODE_ATTRIBUTE_CODE_SIGN_ENTITLEMENTS "${CMAKE_CURRENT_SOURCE_DIR}/resources/entitlements/Jami.entitlements"
                 XCODE_ATTRIBUTE_ENABLE_HARDENED_RUNTIME TRUE)
       endif()

extras/packaging/update/sparkle/dsa_pub.pem

@@ -1,36 +0,0 @@
------BEGIN PUBLIC KEY-----
-MIIGRzCCBDoGByqGSM44BAEwggQtAoICAQCp4+JqCDyIMIMGtvpMvEPsQJ2SLJrt
-y16KsLNmcUXLMMSmHdiC2EEZMhfp4OyuXwLGewA1NXBrBS6+6GidA0hh/IhclMUs
-9kjzplVK4mOdKdSvFwuoJ9fdth+ySAXnhpcyLVFKQeoZ/jP20IhW9p+qZE4EMUlx
-Pmls+MbNcZLu/HKiGI4XMN2K4yCxLSFjlpEPcT4yBYAZb+YRdY0v2HK3e9Jnja1b
-Jfm23NaTRxkWzAu2Cm2S8G7JRo3Uuaw7RUmaAkmVWXFC0ZloGKBSeey6y1EuUtVy
-dju3DRVI3RuvmB4yFJvdfgctTR2U6N26H733aOLFsvsSr6/hNp7q0ryDEfjqyW+R
-SJwKZIRwl0WTsxwUzw+OejQH9CNcgkRaPgWBntnZ4OWSr2gFPkolt+VpLhSvKiSb
-0ef3vZBuTp3KNCDGE20OVfQSeCstUyLZpLeG7tRyJEP/aCni9YTpIhZ5B9XNFe2J
-jfzZE2VefKJWpxI1THfPgb0hto6zBuc8kpcKRPqwTRUHQuNwjAuAUKFV3GM9aoUC
-KISWXPg2p1z8LgkuM8sgGEhn0BYEfpJFP3wc1OtIlv0t8Bqm1QR1y6hD/uxCYqq+
-KR9/0eOsNH7dO/+7ydZjvVcBZ3TeGhvLQB/0Iic4Y895WMvN8bSB7NOZ8ODesO0J
-zg2UkMdxdntiKQIhAKISld6gn3g1WSPXvWqT9mZzBly0hXr4DnGI1UtCeQm3AoIC
-AQCMiu6knB8mbhcb7bOGhm3JEfi42+j3zavBYOga7LxP18Fobbf+5bHP3kMdNx8y
-Paf0q0BkGtRC0WyH0ja05vR0bS9dSUT7qshQXm+/BsA/fnWPC54NcGSfRlj1UqHc
-NN39r68EseO7w+w5x1gYFY7Jx/wJqR7gbYgS2GhgIrUo4+vBurl2bVtx6cAwsNXa
-h0GUPAGQUu6qJaM5cpZL2Fkx+ac73q9i3WAlCECrkLpvOkLBSbYNvRR1rlhGawGr
-Z96zEBEcW5FPJvPsjY2WaOvaRfGF9Y0MK8WXptdxY41jdts7n7kRKuwheUrm0bHm
-aCRkGwhtc6hsMdrSzNFLDDScaSjYMx5erqnAKMyieyoiD8gyYN5mhZUokTBdpT1m
-n7lrpQ0KfJtNKFtNUfNmU406vMEiTPKG4wxX/RxdzUqLSKNV1j0JHN6kx4Sq/vLN
-EzO85ZaA79nBd2/8+ktWRiOuCiLu913Obgw3muNKYNVmH6iJibAYP+n7uUZHCzO4
-MxccO5gy1umgTx/16Sya5ov+xt7CmS7kE4M4GzQ+AwXqzx3Mo8O72OWJP7RoRPxt
-KTNiNZcjFrPkP4MkAogKNDt3McUXmKzfWEa+EvKHtXav7yiKoZ/kmQCawYQyvKFP
-oBloHZ5N2iPnRGfABmFk/exF1Nb2dlhtD1hNYqtD3IWmVAOCAgUAAoICAFSPpbKF
-wWcMAwTP7nEWZUr/8efPftwR2Q3F00dbh3ND+Yv7VRam6br+sPnrrPElWL+pPoFy
-Vg7qJ6qmsOBgB+dDSiJ5w5L+aIj+vtmQHyCbbLTkCqzC5AO4pMaaXhg5hRQJw6JN
-VkLByDsqHmjGG5ZLILzzKLi88X5Tz/Zz5FHWisnwRSGQaoZ5xJOCLfPLTOnASB/Q
-uR5nBpYjImZslsPnDwTXVLqqOFo2TiQ3BXGV3BGpP83jaoDSVMjgc2NJNLw7X++b
-mEFkALkG9uhhO57dTShwI+S3IzJfIBhSFW59bkY/N0f8peKAiUXmi3M/QWCvfh4k
-+WRBaRiq+Ap+wV+IM+PH/INm0uEJ97mP5+7dPMZDNq1iPnJOKhqyXskq6i/Z9eg5
-ZzgBw6Pxj6cNhZeg8OQuTfCGIV0m0FtfOZZVUs6l1JlMGb9bGbx2cDJBoI1DQxpG
-X01TCtyNF4ShHbFmMG4JLuxBm99YuUJud2wPXToD9pxGWbh7naJwHzL7ywQQ/A0+
-gSPE436MLSYPVeGr1RdIxFudZcoGZ2gG6V1aqZfNNlVO++UQ0wNTecFMPhdaC4O/
-mnufQC8fSX9qBdnuWfkQQk8bE0kvqz4WSZ+B9Q7bEr7XeOcWibscCslIM2Rs68DK
-ZnO5P9x/rPIJLCXY4xQYBryQCMu6JC5ibWzP
------END PUBLIC KEY-----

extras/packaging/update/sparkle/sign_update.sh

@@ -1,11 +0,0 @@
-#!/bin/bash
-set -e
-set -o pipefail
-if [ "$#" -ne 2 ]; then
-  echo "Usage: $0 update_archive private_key"
-  exit 1
-fi
-
-openssl=/usr/bin/openssl
-$openssl dgst -sha1 -binary < "$1" | $openssl dgst -dss1 -sign "$2" | base64 $BASE64_OPTS
-

extras/packaging/update/sparkle/sparkle-xml-updater.sh

@@ -6,13 +6,12 @@ REPO_FOLDER=$1
 SPARKLE_FILE=$2
 REPO_URL=$3
 PACKAGE=$4
-DSA_KEY=$5
-CHANNEL_NAME=$6
-VERSION=$7
-BUILD=$8
+CHANNEL_NAME=$5
+VERSION=$6
+BUILD=$7
 
-if [ ! -f ${PACKAGE} -o ! -f ${DSA_KEY} ]; then
-    echo "Can't find package or dsa key, aborting..."
+if [ ! -f ${PACKAGE} ]; then
+    echo "Can't find package, aborting..."
     exit 1
 fi
 
@@ -20,7 +19,6 @@ if [ -f ${REPO_FOLDER}/${SPARKLE_FILE} ]; then
     ITEMS=$(sed -n "/<item>/,/<\/item>/p" ${REPO_FOLDER}/${SPARKLE_FILE})
 fi
 
-PACKAGE_SIZE=`stat -f%z ${PACKAGE}`
 DATE_RFC2822=`date "+%a, %d %b %Y %T %z"`
 
 cat << EOFILE > ${REPO_FOLDER}/${SPARKLE_FILE}
@@ -37,7 +35,7 @@ cat << EOFILE > ${REPO_FOLDER}/${SPARKLE_FILE}
             <sparkle:version>${BUILD}</sparkle:version>
             <sparkle:shortVersionString>${VERSION}</sparkle:shortVersionString>
             <sparkle:minimumSystemVersion>10.15.0</sparkle:minimumSystemVersion>
-            <enclosure url="${REPO_URL}/$(basename ${PACKAGE})" length="$PACKAGE_SIZE" type="application/octet-stream" sparkle:dsaSignature="$(./sign_update.sh ${PACKAGE} ${DSA_KEY})" />
+            <enclosure url="${REPO_URL}/$(basename ${PACKAGE})" type="application/octet-stream" $(./sign_update ${PACKAGE}) />
         </item>
 $(echo -e "${ITEMS}")
     </channel>

resources/Info.plist

@@ -24,8 +24,8 @@
 	<string>public.app-category.social-networking</string>
 	<key>NSHumanReadableCopyright</key>
 	<string>${MACOSX_BUNDLE_COPYRIGHT}</string>
-	<key>SUPublicDSAKeyFile</key>
-	<string>dsa_pub.pem</string>
+	<key>SUPublicEDKey</key>
+	<string>${SPARKLE_PUBLIC_KEY}</string>
 	<key>SUFeedURL</key>
 	<string>${SPARKLE_URL}</string>
 	<key>NSPrincipalClass</key>