Added comment block to code signing portion of viewer-manifest.py describing potential gotchas in the future and how to obviate them

author: callum_linden <none@none> 2017-08-08 15:12:26 -0700
committer: callum_linden <none@none> 2017-08-08 15:12:26 -0700
commit: e6e088d5ab3f477634c98474ad66e58e6f8dff41 (patch)
tree: 9bda2e3e8cc7234f1c285287ea9d48876619aabe /indra/newview
parent: b46697fcc155d026b5a951256d53581e7af20036 (diff)
1 files changed, 13 insertions, 0 deletions
diff --git a/indra/newview/viewer_manifest.py b/indra/newview/viewer_manifest.py
index 2d88fe7dce..d734106a9d 100755
--- a/indra/newview/viewer_manifest.py
+++ b/indra/newview/viewer_manifest.py
@@ -1192,6 +1192,18 @@ class DarwinManifest(ViewerManifest):
                     keychain_pwd_path = os.path.join(build_secrets_checkout,'code-signing-osx','password.txt')
                     keychain_pwd = open(keychain_pwd_path).read().rstrip()
 
+                    # Note: As of macOS Sierra, keychains are created with names postfixed with '-db' so for example, the
+                    #       SL Viewer keychain would by default be found in ~/Library/Keychains/viewer.keychain-db instead of
+                    #       just ~/Library/Keychains/viewer.keychain in earlier versions.
+                    #
+                    #       Because we have old OS files from previous versions of macOS on the build hosts, the configurations
+                    #       are different on each host. Some have viewer.keychain, some have viewer.keychain-db and some have both.
+                    #       As you can see in the line below, this script expects the Linden Developer cert/keys to be in viewer.keychain.
+                    #
+                    #       To correctly sign builds you need to make sure ~/Library/Keychains/viewer.keychain exists on the host
+                    #       and that it contains the correct cert/key. If a build host is set up with a clean version of macOS Sierra (or later)
+                    #       then you will need to change this line (and the one for 'codesign' command below) to point to right place or else
+                    #       pull in the cert/key into the default viewer keychain 'viewer.keychain-db' and export it to 'viewer.keychain'
                     self.run_command('security unlock-keychain -p "%s" "%s/Library/Keychains/viewer.keychain"' % ( keychain_pwd, home_path ) )
                     signed=False
                     sign_attempts=3
@@ -1200,6 +1212,7 @@ class DarwinManifest(ViewerManifest):
                         try:
                             sign_attempts-=1;
                             self.run_command(
+                                # Note: See blurb above about names of keychains
                                'codesign --verbose --deep --force --keychain "%(home_path)s/Library/Keychains/viewer.keychain" --sign %(identity)r %(bundle)r' % {
                                    'home_path' : home_path,
                                    'identity': identity,
author	callum_linden <none@none>	2017-08-08 15:12:26 -0700
committer	callum_linden <none@none>	2017-08-08 15:12:26 -0700
commit	e6e088d5ab3f477634c98474ad66e58e6f8dff41 (patch)
tree	9bda2e3e8cc7234f1c285287ea9d48876619aabe /indra/newview
parent	b46697fcc155d026b5a951256d53581e7af20036 (diff)