aboutsummaryrefslogtreecommitdiff
path: root/doc/README_osx.txt
diff options
context:
space:
mode:
Diffstat (limited to 'doc/README_osx.txt')
-rw-r--r--doc/README_osx.txt23
1 files changed, 15 insertions, 8 deletions
diff --git a/doc/README_osx.txt b/doc/README_osx.txt
index 2be56c1592..d56234f7d9 100644
--- a/doc/README_osx.txt
+++ b/doc/README_osx.txt
@@ -20,14 +20,6 @@ https://github.com/mingwandroid/toolchain4
In order to build a working toolchain, the following source packages are needed
from Apple: cctools, dyld, and ld64.
-Beware. This part is ugly. Very very very ugly. In the future, this should be
-broken out into a new repository and cleaned up. Additionally, the binaries
-only work when built as x86 and not x86_64. This is an especially nasty
-limitation because it must be linked with the toolchain's libLTO.so, meaning
-that the entire toolchain must be x86. Gitian x86_64 should not be used until
-this has been fixed, because it would mean that several native dependencies
-(openssl, libuuid, etc) would need to be built as x86 first.
-
These tools inject timestamps by default, which produce non-deterministic
binaries. The ZERO_AR_DATE environment variable is used to disable that.
@@ -73,3 +65,18 @@ Background images and other features can be added to DMG files by inserting a
.DS_Store before creation. The easiest way to create this file is to build a
DMG without one, move it to a device running OSX, customize the layout, then
grab the .DS_Store file for later use. That is the approach taken here.
+
+As of OSX Mavericks (10.9), using an Apple-blessed key to sign binaries is a
+requirement in order to satisfy the new Gatekeeper requirements. Because this
+private key cannot be shared, we'll have to be a bit creative in order for the
+build process to remain somewhat deterministic. Here's how it works:
+
+- Builders use gitian to create an unsigned release. This outputs an unsigned
+ dmg which users may choose to bless and run. It also outputs an unsigned app
+ structure in the form of a tarball, which also contains all of the tools
+ that have been previously (deterministically) built in order to create a
+ final dmg.
+- The Apple keyholder uses this unsigned app to create a detached signature,
+ using the script that is also included there.
+- Builders feed the unsigned app + detached signature back into gitian. It
+ uses the pre-built tools to recombine the pieces into a deterministic dmg.
generated by cgit v1.2.3 (git 2.26.2) at 2024-07-20 09:47:31 +0000