Merge branch 'DRTVWR-520-apple-notarization' into DRTVWR-540-maint

15 files changed, 130 insertions, 386 deletions

diff --git a/indra/newview/CMakeLists.txt b/indra/newview/CMakeLists.txt
index fc8d8b805b..b6fb2dccba 100644
--- a/indra/newview/CMakeLists.txt
+++ b/indra/newview/CMakeLists.txt
@@ -1829,28 +1829,27 @@ if (WINDOWS)
       ${CMAKE_CURRENT_SOURCE_DIR}/licenses-win32.txt
       ${CMAKE_CURRENT_SOURCE_DIR}/featuretable.txt
       ${CMAKE_CURRENT_SOURCE_DIR}/featuretable_xp.txt
-      ${ARCH_PREBUILT_DIRS_RELEASE}/libeay32.dll
-      ${ARCH_PREBUILT_DIRS_RELEASE}/ssleay32.dll
-      ${ARCH_PREBUILT_DIRS_DEBUG}/libeay32.dll
-      ${ARCH_PREBUILT_DIRS_DEBUG}/ssleay32.dll
       ${viewer_APPSETTINGS_FILES}
       SLPlugin
       media_plugin_cef
       media_plugin_libvlc
       media_plugin_example
       winmm_shim
-      windows-crash-logger
       )
 
     if (ADDRESS_SIZE EQUAL 64)
         list(APPEND COPY_INPUT_DEPENDENCIES
             ${SHARED_LIB_STAGING_DIR}/${CMAKE_CFG_INTDIR}/vivoxsdk_x64.dll
             ${SHARED_LIB_STAGING_DIR}/${CMAKE_CFG_INTDIR}/ortp_x64.dll
+           ${ARCH_PREBUILT_DIRS_RELEASE}/libcrypto-1_1-x64.dll
+           ${ARCH_PREBUILT_DIRS_RELEASE}/libssl-1_1-x64.dll
             )
     else (ADDRESS_SIZE EQUAL 64)
         list(APPEND COPY_INPUT_DEPENDENCIES
             ${SHARED_LIB_STAGING_DIR}/${CMAKE_CFG_INTDIR}/vivoxsdk.dll
             ${SHARED_LIB_STAGING_DIR}/${CMAKE_CFG_INTDIR}/ortp.dll
+            ${ARCH_PREBUILT_DIRS_RELEASE}/libcrypto-1_1.dll
+            ${ARCH_PREBUILT_DIRS_RELEASE}/libssl-1_1.dll
             )
     endif (ADDRESS_SIZE EQUAL 64)
 
@@ -1906,7 +1905,6 @@ if (WINDOWS)
 
     add_dependencies(${VIEWER_BINARY_NAME}
       SLPlugin
-      windows-crash-logger
     )
 
     # sets the 'working directory' for debugging from visual studio.
@@ -2211,8 +2209,7 @@ if (DARWIN)
       ${CMAKE_CURRENT_SOURCE_DIR}/viewer_manifest.py
     )
 
-  add_dependencies(${VIEWER_BINARY_NAME} SLPlugin media_plugin_libvlc media_plugin_cef mac-crash-logger)
-  add_dependencies(${VIEWER_BINARY_NAME} mac-crash-logger)
+  add_dependencies(${VIEWER_BINARY_NAME} SLPlugin media_plugin_libvlc media_plugin_cef)
 
   if (ENABLE_SIGNING)
       set(SIGNING_SETTING "--signature=${SIGNING_IDENTITY}")
@@ -2255,62 +2252,7 @@ endif (INSTALL)
 
 # Note that the conventional VIEWER_SYMBOL_FILE is set by ../../build.sh
 if (PACKAGE AND (RELEASE_CRASH_REPORTING OR NON_RELEASE_CRASH_REPORTING) AND VIEWER_SYMBOL_FILE)
-  if (NOT BUGSPLAT_DB)
-    # Breakpad symbol-file generation
-    set(SYMBOL_SEARCH_DIRS "")
-    if (WINDOWS)
-      list(APPEND SYMBOL_SEARCH_DIRS "${CMAKE_CURRENT_BINARY_DIR}/${CMAKE_CFG_INTDIR}")
-      # slplugin.exe failing symbols dump - need to debug, might have to do with updated version of google breakpad
-      # set(VIEWER_EXE_GLOBS "${VIEWER_BINARY_NAME}${CMAKE_EXECUTABLE_SUFFIX} slplugin.exe")
-      set(VIEWER_EXE_GLOBS "${VIEWER_BINARY_NAME}${CMAKE_EXECUTABLE_SUFFIX}")
-      set(VIEWER_LIB_GLOB "*${CMAKE_SHARED_MODULE_SUFFIX}")
-      set(VIEWER_COPY_MANIFEST copy_w_viewer_manifest)
-    endif (WINDOWS)
-    if (DARWIN)
-      list(APPEND SYMBOL_SEARCH_DIRS "${CMAKE_CURRENT_BINARY_DIR}/${CMAKE_CFG_INTDIR}")
-      # *TODO: Generate these search dirs in the cmake files related to each binary.
-      list(APPEND SYMBOL_SEARCH_DIRS "${CMAKE_BINARY_DIR}/llplugin/slplugin/${CMAKE_CFG_INTDIR}")
-      list(APPEND SYMBOL_SEARCH_DIRS "${CMAKE_BINARY_DIR}/mac_crash_logger/${CMAKE_CFG_INTDIR}")
-      list(APPEND SYMBOL_SEARCH_DIRS "${CMAKE_BINARY_DIR}/media_plugins/gstreamer010/${CMAKE_CFG_INTDIR}")
-      set(VIEWER_EXE_GLOBS "'${product}' SLPlugin mac-crash-logger")
-      set(VIEWER_EXE_GLOBS "'${product}' mac-crash-logger")
-      set(VIEWER_LIB_GLOB "*.dylib")
-    endif (DARWIN)
-    if (LINUX)
-      list(APPEND SYMBOL_SEARCH_DIRS "${CMAKE_CURRENT_BINARY_DIR}/packaged")
-      set(VIEWER_EXE_GLOBS "do-not-directly-run-secondlife-bin SLPlugin")
-      set(VIEWER_EXE_GLOBS "do-not-directly-run-secondlife-bin")
-      set(VIEWER_LIB_GLOB "*${CMAKE_SHARED_MODULE_SUFFIX}*")
-      set(VIEWER_COPY_MANIFEST copy_l_viewer_manifest)
-    endif (LINUX)
-
-    if(CMAKE_CFG_INTDIR STREQUAL ".")
-        set(LLBUILD_CONFIG ${CMAKE_BUILD_TYPE})
-    else(CMAKE_CFG_INTDIR STREQUAL ".")
-        # set LLBUILD_CONFIG to be a shell variable evaluated at build time
-        # reflecting the configuration we are currently building.
-        set(LLBUILD_CONFIG ${CMAKE_CFG_INTDIR})
-    endif(CMAKE_CFG_INTDIR STREQUAL ".")
-    add_custom_command(OUTPUT "${VIEWER_SYMBOL_FILE}"
-      COMMAND "${PYTHON_EXECUTABLE}"
-      ARGS
-        "${CMAKE_CURRENT_SOURCE_DIR}/generate_breakpad_symbols.py"
-        "${LLBUILD_CONFIG}"
-        "${SYMBOL_SEARCH_DIRS}"
-        "${VIEWER_EXE_GLOBS}"
-        "${VIEWER_LIB_GLOB}"
-        "${AUTOBUILD_INSTALL_DIR}/bin/dump_syms"
-        "${VIEWER_SYMBOL_FILE}"
-      DEPENDS generate_breakpad_symbols.py
-          VERBATIM)
-
-    add_custom_target(generate_symbols DEPENDS "${VIEWER_SYMBOL_FILE}" ${VIEWER_BINARY_NAME} "${VIEWER_COPY_MANIFEST}")
-    add_dependencies(generate_symbols ${VIEWER_BINARY_NAME})
-    if (WINDOWS OR LINUX)
-      add_dependencies(generate_symbols "${VIEWER_COPY_MANIFEST}")
-    endif (WINDOWS OR LINUX)
-
-  else (NOT BUGSPLAT_DB)
+  if (BUGSPLAT_DB)
     # BugSplat symbol-file generation
     if (WINDOWS)
       # Just pack up a tarball containing only the .pdb file for the
@@ -2394,7 +2336,7 @@ if (PACKAGE AND (RELEASE_CRASH_REPORTING OR NON_RELEASE_CRASH_REPORTING) AND VIE
     if (LINUX)
       # TBD
     endif (LINUX)
-  endif (NOT BUGSPLAT_DB)
+  endif (BUGSPLAT_DB)
 
   # for both BUGSPLAT_DB and Breakpad
   add_dependencies(llpackage generate_symbols)
diff --git a/indra/newview/generate_breakpad_symbols.py b/indra/newview/generate_breakpad_symbols.py
deleted file mode 100755
index d351c406bc..0000000000
--- a/indra/newview/generate_breakpad_symbols.py
+++ /dev/null
@@ -1,166 +0,0 @@
-#!/usr/bin/env python
-"""\
-@file generate_breakpad_symbols.py
-@author Brad Kittenbrink <brad@lindenlab.com>
-@brief Simple tool for generating google_breakpad symbol information
-       for the crash reporter.
-
-$LicenseInfo:firstyear=2010&license=viewerlgpl$
-Second Life Viewer Source Code
-Copyright (C) 2010-2011, Linden Research, Inc.
-
-This library is free software; you can redistribute it and/or
-modify it under the terms of the GNU Lesser General Public
-License as published by the Free Software Foundation;
-version 2.1 of the License only.
-
-This library is distributed in the hope that it will be useful,
-but WITHOUT ANY WARRANTY; without even the implied warranty of
-MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
-Lesser General Public License for more details.
-
-You should have received a copy of the GNU Lesser General Public
-License along with this library; if not, write to the Free Software
-Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA
-
-Linden Research, Inc., 945 Battery Street, San Francisco, CA  94111  USA
-$/LicenseInfo$
-"""
-
-
-import collections
-import fnmatch
-import itertools
-import os
-import re
-import sys
-import shlex
-import subprocess
-import tarfile
-import StringIO
-import pprint
-
-DEBUG=False
-
-def usage():
-    print >>sys.stderr, "usage: %s search_dirs viewer_exes libs_suffix dump_syms_tool viewer_symbol_file" % sys.argv[0]
-
-class MissingModuleError(Exception):
-    def __init__(self, modules):
-        Exception.__init__(self, "Failed to find required modules: %r" % modules)
-        self.modules = modules
-
-def main(configuration, search_dirs, viewer_exes, libs_suffix, dump_syms_tool, viewer_symbol_file):
-    print "generate_breakpad_symbols run with args: %s" % str((configuration, search_dirs, viewer_exes, libs_suffix, dump_syms_tool, viewer_symbol_file))
-
-    if not re.match("release", configuration, re.IGNORECASE):
-        print "skipping breakpad symbol generation for non-release build."
-        return 0
-
-    # split up list of viewer_exes
-    # "'Second Life' SLPlugin" becomes ['Second Life', 'SLPlugin']
-    viewer_exes = shlex.split(viewer_exes)
-
-    found_required = dict([(module, False) for module in viewer_exes])
-
-    def matches(f):
-        if f in viewer_exes:
-            found_required[f] = True
-            return True
-        return fnmatch.fnmatch(f, libs_suffix)
-
-    search_dirs = search_dirs.split(";")
-
-    def list_files():
-        for search_dir in search_dirs:
-            for (dirname, subdirs, filenames) in os.walk(search_dir):
-                if DEBUG:
-                    print "scanning '%s' for modules..." % dirname
-                for f in itertools.ifilter(matches, filenames):
-                    yield os.path.join(dirname, f)
-
-    def dump_module(m):
-        print "dumping module '%s' with '%s'..." % (m, dump_syms_tool)
-        dsym_full_path = m
-        child = subprocess.Popen([dump_syms_tool, dsym_full_path] , stdout=subprocess.PIPE)
-        out, err = child.communicate()
-        return (m,child.returncode, out, err)
-
-    
-    modules = {}
-        
-    for m in list_files():
-        if DEBUG:
-            print "examining module '%s' ... " % m,
-        filename=os.path.basename(m)
-        if -1 != m.find("DWARF"):
-            # Just use this module; it has the symbols we want.
-            modules[filename] = m
-            if DEBUG:
-                print "found dSYM entry"
-        elif filename not in modules:
-            # Only use this if we don't already have a (possibly better) entry.
-            modules[filename] = m
-            if DEBUG:
-                print "found new entry"
-        elif DEBUG:
-            print "ignoring entry"
-
-
-    print "Found these following modules:"
-    pprint.pprint( modules )
-
-    out = tarfile.open(viewer_symbol_file, 'w:bz2')
-    for (filename,status,symbols,err) in itertools.imap(dump_module, modules.values()):
-        if status == 0:
-            module_line = symbols[:symbols.index('\n')]
-            module_line = module_line.split()
-            hash_id = module_line[3]
-            module = ' '.join(module_line[4:])
-            if sys.platform in ['win32', 'cygwin']:
-                mod_name = module[:module.rindex('.pdb')]
-            else:
-                mod_name = module
-            symbolfile = StringIO.StringIO(symbols)
-            info = tarfile.TarInfo("%(module)s/%(hash_id)s/%(mod_name)s.sym" % dict(module=module, hash_id=hash_id, mod_name=mod_name))
-            info.size = symbolfile.len
-            out.addfile(info, symbolfile)
-        else:
-            print >>sys.stderr, "warning: failed to dump symbols for '%s': %s" % (filename, err)
-
-    out.close()
-
-    missing_modules = [m for (m,_) in
-        itertools.ifilter(lambda (k,v): not v, found_required.iteritems())
-    ]
-    if missing_modules:
-        print >> sys.stderr, "failed to generate %s" % viewer_symbol_file
-        os.remove(viewer_symbol_file)
-        raise MissingModuleError(missing_modules)
-
-    symbols = tarfile.open(viewer_symbol_file, 'r:bz2')
-    tarfile_members = symbols.getnames()
-    symbols.close()
-
-    for required_module in viewer_exes:
-        def match_module_basename(m):
-            return os.path.splitext(required_module)[0].lower() \
-                   == os.path.splitext(os.path.basename(m))[0].lower()
-        # there must be at least one .sym file in tarfile_members that matches
-        # each required module (ignoring file extensions)
-        if not any(itertools.imap(match_module_basename, tarfile_members)):
-            print >> sys.stderr, "failed to find required %s in generated %s" \
-                    % (required_module, viewer_symbol_file)
-            os.remove(viewer_symbol_file)
-            raise MissingModuleError([required_module])
-
-    print "successfully generated %s including required modules '%s'" % (viewer_symbol_file, viewer_exes)
-
-    return 0
-
-if __name__ == "__main__":
-    if len(sys.argv) != 7:
-        usage()
-        sys.exit(1)
-    sys.exit(main(*sys.argv[1:]))
-
diff --git a/indra/newview/installers/darwin/apple-notarize.sh b/indra/newview/installers/darwin/apple-notarize.sh
new file mode 100755
index 0000000000..b953af81af
--- /dev/null
+++ b/indra/newview/installers/darwin/apple-notarize.sh
@@ -0,0 +1,44 @@
+#!/bin/sh
+CONFIG_FILE="$build_secrets_checkout/code-signing-osx/notarize_creds.sh"
+if [ -f "$CONFIG_FILE" ]; then
+    source $CONFIG_FILE
+    app_file="$1"
+    zip_file=${app_file/app/zip}
+    ditto -c -k --keepParent "$app_file" "$zip_file"
+    if [ -f "$zip_file" ]; then
+        requestUUID=$(xcrun altool --notarize-app --primary-bundle-id "com.secondlife.viewer" \
+                                --username $USERNAME \
+                                --password $PASSWORD \
+                                --asc-provider $ASC_PROVIDER \
+                                --file "$zip_file" 2>&1 \
+                    | awk '/RequestUUID/ { print $NF; }')
+
+        echo "Apple Notarization RequestUUID: $requestUUID"
+
+        if [[ -n $requestUUID ]]; then
+            status="in progress"
+            while [[ "$status" == "in progress" ]]; do
+                sleep 30
+                status=$(xcrun altool --notarization-info "$requestUUID" \
+                                            --username $USERNAME \
+                                            --password $PASSWORD 2>&1 \
+                                | awk -F ': ' '/Status:/ { print $2; }' )
+                echo "$status"
+            done
+            # log results
+            xcrun altool --notarization-info "$requestUUID" \
+                        --username $USERNAME \
+                        --password $PASSWORD
+
+            #remove temporary file
+            rm "$zip_file"
+
+            if [["$status" == "success"]]; then
+                xcrun stapler staple "$app_file"
+            elif [["$status" == "invalid"]]; then
+                exit 1
+            fi
+        fi
+    fi
+fi
+
diff --git a/indra/newview/llappviewer.cpp b/indra/newview/llappviewer.cpp
index 053c0a5ab7..66a33ed6ae 100644
--- a/indra/newview/llappviewer.cpp
+++ b/indra/newview/llappviewer.cpp
@@ -738,7 +738,7 @@ LLAppViewer::LLAppViewer()
 	std::string logdir = gDirUtilp->getExpandedFilename(LL_PATH_DUMP, "");
 #endif // ! LL_BUGSPLAT
 	mDumpPath = logdir;
-	setMiniDumpDir(logdir);
+
 	setDebugFileNames(logdir);
 }
 
diff --git a/indra/newview/llappviewer.h b/indra/newview/llappviewer.h
index 5ceb540784..e9c467bd01 100644
--- a/indra/newview/llappviewer.h
+++ b/indra/newview/llappviewer.h
@@ -108,7 +108,6 @@ public:
 
 	virtual bool restoreErrorTrap() = 0; // Require platform specific override to reset error handling mechanism.
 	                                     // return false if the error trap needed restoration.
-	virtual void initCrashReporting(bool reportFreeze = false) = 0; // What to do with crash report?
 	static void handleViewerCrash(); // Hey! The viewer crashed. Do this, soon.
     void checkForCrash();
     
diff --git a/indra/newview/llappviewermacosx.cpp b/indra/newview/llappviewermacosx.cpp
index 662164af2d..862e2b45df 100644
--- a/indra/newview/llappviewermacosx.cpp
+++ b/indra/newview/llappviewermacosx.cpp
@@ -240,17 +240,7 @@ LLAppViewerMacOSX::~LLAppViewerMacOSX()
 
 bool LLAppViewerMacOSX::init()
 {
-	bool success = LLAppViewer::init();
-    
-#if LL_SEND_CRASH_REPORTS
-    if (success)
-    {
-        LLAppViewer* pApp = LLAppViewer::instance();
-        pApp->initCrashReporting();
-    }
-#endif
-    
-    return success;
+    return LLAppViewer::init();
 }
 
 // MacOSX may add and addition command line arguement for the process serial number.
@@ -367,21 +357,6 @@ bool LLAppViewerMacOSX::restoreErrorTrap()
 	return reset_count == 0;
 }
 
-void LLAppViewerMacOSX::initCrashReporting(bool reportFreeze)
-{
-	std::string command_str = "mac-crash-logger.app";
-    
-    std::stringstream pid_str;
-    pid_str <<  LLApp::getPid();
-    std::string logdir = gDirUtilp->getExpandedFilename(LL_PATH_DUMP, "");
-    std::string appname = gDirUtilp->getExecutableFilename();
-    std::string str[] = { "-pid", pid_str.str(), "-dumpdir", logdir, "-procname", appname.c_str() };
-    std::vector< std::string > args( str, str + ( sizeof ( str ) /  sizeof ( std::string ) ) );
-    LL_WARNS() << "about to launch mac-crash-logger" << pid_str.str()
-               << " " << logdir << " " << appname << LL_ENDL;
-    launchApplication(&command_str, &args);
-}
-
 std::string LLAppViewerMacOSX::generateSerialNumber()
 {
 	char serial_md5[MD5HEX_STR_SIZE];		// Flawfinder: ignore
diff --git a/indra/newview/llappviewermacosx.h b/indra/newview/llappviewermacosx.h
index d5a80864be..b0e325a955 100644
--- a/indra/newview/llappviewermacosx.h
+++ b/indra/newview/llappviewermacosx.h
@@ -44,7 +44,6 @@ public:
 
 protected:
 	virtual bool restoreErrorTrap();
-	virtual void initCrashReporting(bool reportFreeze);
 
 	std::string generateSerialNumber();
 	virtual bool initParseCommandLine(LLCommandLineParser& clp);
diff --git a/indra/newview/llappviewerwin32.cpp b/indra/newview/llappviewerwin32.cpp
index 9b1c0d1f8b..f0bede5321 100644
--- a/indra/newview/llappviewerwin32.cpp
+++ b/indra/newview/llappviewerwin32.cpp
@@ -603,9 +603,6 @@ bool LLAppViewerWin32::init()
 #if ! defined(LL_BUGSPLAT)
 #pragma message("Building without BugSplat")
 
-	LLAppViewer* pApp = LLAppViewer::instance();
-	pApp->initCrashReporting();
-
 #else // LL_BUGSPLAT
 #pragma message("Building with BugSplat")
 
@@ -817,57 +814,6 @@ bool LLAppViewerWin32::restoreErrorTrap()
 	//return LLWinDebug::checkExceptionHandler();
 }
 
-void LLAppViewerWin32::initCrashReporting(bool reportFreeze)
-{
-	if (isSecondInstance()) return; //BUG-5707 do not start another crash reporter for second instance.
-
-	const char* logger_name = "win_crash_logger.exe";
-	std::string exe_path = gDirUtilp->getExecutableDir();
-	exe_path += gDirUtilp->getDirDelimiter();
-	exe_path += logger_name;
-
-    std::string logdir = gDirUtilp->getExpandedFilename(LL_PATH_DUMP, "");
-    std::string appname = gDirUtilp->getExecutableFilename();
-
-	S32 slen = logdir.length() -1;
-	S32 end = slen;
-	while (logdir.at(end) == '/' || logdir.at(end) == '\\') end--;
-	
-	if (slen !=end)
-	{
-		logdir = logdir.substr(0,end+1);
-	}
-	//std::string arg_str = "\"" + exe_path + "\" -dumpdir \"" + logdir + "\" -procname \"" + appname + "\" -pid " + stringize(LLApp::getPid());
-	//_spawnl(_P_NOWAIT, exe_path.c_str(), arg_str.c_str(), NULL);
-	std::string arg_str =  "\"" + exe_path + "\" -dumpdir \"" + logdir + "\" -procname \"" + appname + "\" -pid " + stringize(LLApp::getPid()); 
-
-	STARTUPINFO startInfo={sizeof(startInfo)};
-	PROCESS_INFORMATION processInfo;
-
-	std::wstring exe_wstr;
-	exe_wstr = utf8str_to_utf16str(exe_path);
-
-	std::wstring arg_wstr;
-	arg_wstr = utf8str_to_utf16str(arg_str);
-
-	LL_INFOS("CrashReport") << "Creating crash reporter process " << exe_path << " with params: " << arg_str << LL_ENDL;
-    if(CreateProcess(exe_wstr.c_str(),     
-                     &arg_wstr[0],                 // Application arguments
-                     0,
-                     0,
-                     FALSE,
-                     CREATE_DEFAULT_ERROR_MODE,
-                     0,
-                     0,                              // Working directory
-                     &startInfo,
-                     &processInfo) == FALSE)
-      // Could not start application -> call 'GetLastError()'
-	{
-        LL_WARNS("CrashReport") << "CreateProcess failed " << GetLastError() << LL_ENDL;
-        return;
-    }
-}
-
 //virtual
 bool LLAppViewerWin32::sendURLToOtherInstance(const std::string& url)
 {
diff --git a/indra/newview/llappviewerwin32.h b/indra/newview/llappviewerwin32.h
index c5fae6a3a3..2699224e58 100644
--- a/indra/newview/llappviewerwin32.h
+++ b/indra/newview/llappviewerwin32.h
@@ -51,7 +51,6 @@ protected:
 
 	virtual bool beingDebugged();
 	virtual bool restoreErrorTrap();
-	virtual void initCrashReporting(bool reportFreeze); 
 
 	virtual bool sendURLToOtherInstance(const std::string& url);
 
diff --git a/indra/newview/llsecapi.h b/indra/newview/llsecapi.h
index 14059f828a..1e6f2154bc 100644
--- a/indra/newview/llsecapi.h
+++ b/indra/newview/llsecapi.h
@@ -452,7 +452,7 @@ public:
 	virtual LLPointer<LLCertificate> getCertificate(X509* openssl_cert)=0;
 	
 	// instantiate a chain from an X509_STORE_CTX
-	virtual LLPointer<LLCertificateChain> getCertificateChain(const X509_STORE_CTX* chain)=0;
+	virtual LLPointer<LLCertificateChain> getCertificateChain(X509_STORE_CTX* chain)=0;
 	
 	// instantiate a cert store given it's id.  if a persisted version
 	// exists, it'll be loaded.  If not, one will be created (but not
diff --git a/indra/newview/llsechandler_basic.cpp b/indra/newview/llsechandler_basic.cpp
index 737ef30ada..94331fddfa 100644
--- a/indra/newview/llsechandler_basic.cpp
+++ b/indra/newview/llsechandler_basic.cpp
@@ -95,7 +95,7 @@ LLBasicCertificate::LLBasicCertificate(const std::string& pem_cert,
 LLBasicCertificate::LLBasicCertificate(X509* pCert,
                                        const LLSD* validation_params) 
 {
-	if (!pCert || !pCert->cert_info)
+	if (!pCert)
 	{
 		LLTHROW(LLInvalidCertificate(LLSD::emptyMap()));
 	}	
@@ -355,8 +355,8 @@ LLSD cert_name_from_X509_NAME(X509_NAME* name)
 		char buffer[32];
 		X509_NAME_ENTRY *entry = X509_NAME_get_entry(name, entry_index);
 		
-		std::string name_value = std::string((const char*)M_ASN1_STRING_data(X509_NAME_ENTRY_get_data(entry)), 
-											 M_ASN1_STRING_length(X509_NAME_ENTRY_get_data(entry)));
+		std::string name_value = std::string((const char*)ASN1_STRING_data(X509_NAME_ENTRY_get_data(entry)), 
+											 ASN1_STRING_length(X509_NAME_ENTRY_get_data(entry)));
 
 		ASN1_OBJECT* name_obj = X509_NAME_ENTRY_get_object(entry);		
 		OBJ_obj2txt(buffer, sizeof(buffer), name_obj, 0);
@@ -683,29 +683,29 @@ std::string LLBasicCertificateStore::storeId() const
 // LLBasicCertificateChain
 // This class represents a chain of certs, each cert being signed by the next cert
 // in the chain.  Certs must be properly signed by the parent
-LLBasicCertificateChain::LLBasicCertificateChain(const X509_STORE_CTX* store)
+LLBasicCertificateChain::LLBasicCertificateChain(X509_STORE_CTX* store)
 {
 
 	// we're passed in a context, which contains a cert, and a blob of untrusted
 	// certificates which compose the chain.
-	if((store == NULL) || (store->cert == NULL))
+	if((store == NULL) || X509_STORE_CTX_get0_cert(store) == NULL)
 	{
 		LL_WARNS("SECAPI") << "An invalid store context was passed in when trying to create a certificate chain" << LL_ENDL;
 		return;
 	}
 	// grab the child cert
-	LLPointer<LLCertificate> current = new LLBasicCertificate(store->cert);
+	LLPointer<LLCertificate> current = new LLBasicCertificate(X509_STORE_CTX_get0_cert(store));
 
 	add(current);
-	if(store->untrusted != NULL)
+	if(X509_STORE_CTX_get0_untrusted(store) != NULL)
 	{
 		// if there are other certs in the chain, we build up a vector
 		// of untrusted certs so we can search for the parents of each
 		// consecutive cert.
 		LLBasicCertificateVector untrusted_certs;
-		for(int i = 0; i < sk_X509_num(store->untrusted); i++)
+		for(int i = 0; i < sk_X509_num(X509_STORE_CTX_get0_untrusted(store)); i++)
 		{
-			LLPointer<LLCertificate> cert = new LLBasicCertificate(sk_X509_value(store->untrusted, i));
+			LLPointer<LLCertificate> cert = new LLBasicCertificate(sk_X509_value(X509_STORE_CTX_get0_untrusted(store), i));
 			untrusted_certs.add(cert);
 
 		}		
@@ -1340,9 +1340,10 @@ void LLSecAPIBasicHandler::_readProtectedData()
 		
 
 		// read in the rest of the file.
-		EVP_CIPHER_CTX ctx;
-		EVP_CIPHER_CTX_init(&ctx);
-		EVP_DecryptInit(&ctx, EVP_rc4(), salt, NULL);
+		EVP_CIPHER_CTX *ctx = EVP_CIPHER_CTX_new();
+        // todo: ctx error handling
+
+		EVP_DecryptInit(ctx, EVP_rc4(), salt, NULL);
 		// allocate memory:
 		std::string decrypted_data;	
 		
@@ -1350,14 +1351,14 @@ void LLSecAPIBasicHandler::_readProtectedData()
 			// read data as a block:
 			protected_data_stream.read((char *)buffer, BUFFER_READ_SIZE);
 			
-			EVP_DecryptUpdate(&ctx, decrypted_buffer, &decrypted_length, 
+			EVP_DecryptUpdate(ctx, decrypted_buffer, &decrypted_length, 
 							  buffer, protected_data_stream.gcount());
 			decrypted_data.append((const char *)decrypted_buffer, protected_data_stream.gcount());
 		}
 		
 		// RC4 is a stream cipher, so we don't bother to EVP_DecryptFinal, as there is
 		// no block padding.
-		EVP_CIPHER_CTX_cleanup(&ctx);
+        EVP_CIPHER_CTX_free(ctx);
 		std::istringstream parse_stream(decrypted_data);
 		if (parser->parse(parse_stream, mProtectedDataMap, 
 						  LLSDSerialize::SIZE_UNLIMITED) == LLSDParser::PARSE_FAILURE)
@@ -1393,12 +1394,14 @@ void LLSecAPIBasicHandler::_writeProtectedData()
 	
 	llofstream protected_data_stream(tmp_filename.c_str(), 
                                      std::ios_base::binary);
+    EVP_CIPHER_CTX *ctx = NULL;
 	try
 	{
 		
-		EVP_CIPHER_CTX ctx;
-		EVP_CIPHER_CTX_init(&ctx);
-		EVP_EncryptInit(&ctx, EVP_rc4(), salt, NULL);
+		ctx = EVP_CIPHER_CTX_new();
+        // todo: ctx error handling
+
+		EVP_EncryptInit(ctx, EVP_rc4(), salt, NULL);
 		unsigned char unique_id[MAC_ADDRESS_BYTES];
         LLMachineID::getUniqueID(unique_id, sizeof(unique_id));
 		LLXORCipher cipher(unique_id, sizeof(unique_id));
@@ -1413,13 +1416,13 @@ void LLSecAPIBasicHandler::_writeProtectedData()
 				break;
 			}
 			int encrypted_length;
-			EVP_EncryptUpdate(&ctx, encrypted_buffer, &encrypted_length, 
+			EVP_EncryptUpdate(ctx, encrypted_buffer, &encrypted_length, 
 						  buffer, formatted_data_istream.gcount());
 			protected_data_stream.write((const char *)encrypted_buffer, encrypted_length);
 		}
 		
 		// no EVP_EncrypteFinal, as this is a stream cipher
-		EVP_CIPHER_CTX_cleanup(&ctx);
+        EVP_CIPHER_CTX_free(ctx);
 
 		protected_data_stream.close();
 	}
@@ -1431,6 +1434,11 @@ void LLSecAPIBasicHandler::_writeProtectedData()
 		// it may be, however.
 		LLFile::remove(tmp_filename);
 
+        if (ctx)
+        {
+            EVP_CIPHER_CTX_free(ctx);
+        }
+
 		// EXP-1825 crash in LLSecAPIBasicHandler::_writeProtectedData()
 		// Decided throwing an exception here was overkill until we figure out why this happens
 		//LLTHROW(LLProtectedDataException("Error writing Protected Data Store"));
@@ -1483,7 +1491,7 @@ LLPointer<LLCertificate> LLSecAPIBasicHandler::getCertificate(X509* openssl_cert
 }
 		
 // instantiate a chain from an X509_STORE_CTX
-LLPointer<LLCertificateChain> LLSecAPIBasicHandler::getCertificateChain(const X509_STORE_CTX* chain)
+LLPointer<LLCertificateChain> LLSecAPIBasicHandler::getCertificateChain(X509_STORE_CTX* chain)
 {
 	LLPointer<LLCertificateChain> result = new LLBasicCertificateChain(chain);
 	return result;
diff --git a/indra/newview/llsechandler_basic.h b/indra/newview/llsechandler_basic.h
index 0bc7f5230f..82670f9083 100644
--- a/indra/newview/llsechandler_basic.h
+++ b/indra/newview/llsechandler_basic.h
@@ -197,7 +197,7 @@ class LLBasicCertificateChain : virtual public LLBasicCertificateVector, public
 {
 	
 public:
-	LLBasicCertificateChain(const X509_STORE_CTX * store);
+	LLBasicCertificateChain(X509_STORE_CTX * store);
 	
 	virtual ~LLBasicCertificateChain() {}
 	
@@ -241,7 +241,7 @@ public:
 	virtual LLPointer<LLCertificate> getCertificate(X509* openssl_cert);
 	
 	// instantiate a chain from an X509_STORE_CTX
-	virtual LLPointer<LLCertificateChain> getCertificateChain(const X509_STORE_CTX* chain);
+	virtual LLPointer<LLCertificateChain> getCertificateChain(X509_STORE_CTX* chain);
 	
 	// instantiate a cert store given it's id.  if a persisted version
 	// exists, it'll be loaded.  If not, one will be created (but not
diff --git a/indra/newview/tests/llsecapi_test.cpp b/indra/newview/tests/llsecapi_test.cpp
index caa3016d2e..37fbbb449b 100644
--- a/indra/newview/tests/llsecapi_test.cpp
+++ b/indra/newview/tests/llsecapi_test.cpp
@@ -57,7 +57,7 @@ void LLSecAPIBasicHandler::init() {}
 LLSecAPIBasicHandler::~LLSecAPIBasicHandler() {}
 LLPointer<LLCertificate> LLSecAPIBasicHandler::getCertificate(const std::string& pem_cert) { return NULL; }
 LLPointer<LLCertificate> LLSecAPIBasicHandler::getCertificate(X509* openssl_cert) { return NULL; }
-LLPointer<LLCertificateChain> LLSecAPIBasicHandler::getCertificateChain(const X509_STORE_CTX* chain) { return NULL; }
+LLPointer<LLCertificateChain> LLSecAPIBasicHandler::getCertificateChain(X509_STORE_CTX* chain) { return NULL; }
 LLPointer<LLCertificateStore> LLSecAPIBasicHandler::getCertificateStore(const std::string& store_id) { return NULL; }
 void LLSecAPIBasicHandler::setProtectedData(const std::string& data_type, const std::string& data_id, const LLSD& data) {}
 void LLSecAPIBasicHandler::addToProtectedMap(const std::string& data_type, const std::string& data_id, const std::string& map_elem, const LLSD& data) {}
diff --git a/indra/newview/tests/llsechandler_basic_test.cpp b/indra/newview/tests/llsechandler_basic_test.cpp
index e5d226a2a4..4c8d6c51b0 100644
--- a/indra/newview/tests/llsechandler_basic_test.cpp
+++ b/indra/newview/tests/llsechandler_basic_test.cpp
@@ -1217,8 +1217,8 @@ namespace tut
 
 		// Single cert in the chain.
 		X509_STORE_CTX *test_store = X509_STORE_CTX_new();
-		test_store->cert = mX509ChildCert;		
-		test_store->untrusted = NULL;
+        X509_STORE_CTX_set_cert(test_store, mX509ChildCert);
+        X509_STORE_CTX_set0_untrusted(test_store, NULL);
 		test_chain = new LLBasicCertificateChain(test_store);
 		X509_STORE_CTX_free(test_store);
 		ensure_equals("two elements in store", test_chain->size(), 1);		
@@ -1229,9 +1229,9 @@ namespace tut
 		// cert + CA
 		
 		test_store = X509_STORE_CTX_new();
-		test_store->cert = mX509ChildCert;
-		test_store->untrusted = sk_X509_new_null();
-		sk_X509_push(test_store->untrusted, mX509IntermediateCert);
+        X509_STORE_CTX_set_cert(test_store, mX509ChildCert);
+        X509_STORE_CTX_set0_untrusted(test_store, sk_X509_new_null());
+		sk_X509_push(X509_STORE_CTX_get0_untrusted(test_store), mX509IntermediateCert);
 		test_chain = new LLBasicCertificateChain(test_store);
 		X509_STORE_CTX_free(test_store);
 		ensure_equals("two elements in store", test_chain->size(), 2);	
@@ -1245,9 +1245,9 @@ namespace tut
 		// cert + nonrelated
 		
 		test_store = X509_STORE_CTX_new();
-		test_store->cert = mX509ChildCert;
-		test_store->untrusted = sk_X509_new_null();
-		sk_X509_push(test_store->untrusted, mX509TestCert);
+        X509_STORE_CTX_set_cert(test_store, mX509ChildCert);
+        X509_STORE_CTX_set0_untrusted(test_store, sk_X509_new_null());
+		sk_X509_push(X509_STORE_CTX_get0_untrusted(test_store), mX509TestCert);
 		test_chain = new LLBasicCertificateChain(test_store);
 		X509_STORE_CTX_free(test_store);
 		ensure_equals("two elements in store", test_chain->size(), 1);	
@@ -1257,10 +1257,10 @@ namespace tut
 		
 		// cert + CA + nonrelated
 		test_store = X509_STORE_CTX_new();
-		test_store->cert = mX509ChildCert;
-		test_store->untrusted = sk_X509_new_null();
-		sk_X509_push(test_store->untrusted, mX509IntermediateCert);
-		sk_X509_push(test_store->untrusted, mX509TestCert);
+        X509_STORE_CTX_set_cert(test_store, mX509ChildCert);
+        X509_STORE_CTX_set0_untrusted(test_store, sk_X509_new_null());
+		sk_X509_push(X509_STORE_CTX_get0_untrusted(test_store), mX509IntermediateCert);
+		sk_X509_push(X509_STORE_CTX_get0_untrusted(test_store), mX509TestCert);
 		test_chain = new LLBasicCertificateChain(test_store);
 		X509_STORE_CTX_free(test_store);
 		ensure_equals("two elements in store", test_chain->size(), 2);	
@@ -1273,10 +1273,10 @@ namespace tut
 
 		// cert + intermediate + CA 
 		test_store = X509_STORE_CTX_new();
-		test_store->cert = mX509ChildCert;
-		test_store->untrusted = sk_X509_new_null();
-		sk_X509_push(test_store->untrusted, mX509IntermediateCert);
-		sk_X509_push(test_store->untrusted, mX509RootCert);
+        X509_STORE_CTX_set_cert(test_store, mX509ChildCert);
+        X509_STORE_CTX_set0_untrusted(test_store, sk_X509_new_null());
+		sk_X509_push(X509_STORE_CTX_get0_untrusted(test_store), mX509IntermediateCert);
+		sk_X509_push(X509_STORE_CTX_get0_untrusted(test_store), mX509RootCert);
 		test_chain = new LLBasicCertificateChain(test_store);
 		X509_STORE_CTX_free(test_store);
 		ensure_equals("three elements in store", test_chain->size(), 3);	
diff --git a/indra/newview/viewer_manifest.py b/indra/newview/viewer_manifest.py
index adac7af712..c0a0a7ec46 100755
--- a/indra/newview/viewer_manifest.py
+++ b/indra/newview/viewer_manifest.py
@@ -553,9 +553,13 @@ class WindowsManifest(ViewerManifest):
                 self.path("vivoxsdk.dll")
                 self.path("ortp.dll")
             
-            # Security
-            self.path("ssleay32.dll")
-            self.path("libeay32.dll")
+            # OpenSSL
+            if (self.address_size == 64):
+                self.path("libcrypto-1_1-x64.dll")
+                self.path("libssl-1_1-x64.dll")
+            else:
+                self.path("libcrypto-1_1.dll")
+                self.path("libssl-1_1.dll")
 
             # HTTP/2
             self.path("nghttp2.dll")
@@ -683,11 +687,6 @@ class WindowsManifest(ViewerManifest):
                 self.path("libvlccore.dll")
                 self.path("plugins/")
 
-        # pull in the crash logger from other projects
-        # tag:"crash-logger" here as a cue to the exporter
-        self.path(src='../win_crash_logger/%s/windows-crash-logger.exe' % self.args['configuration'],
-                  dst="win_crash_logger.exe")
-
         if not self.is_packaging_viewer():
             self.package_file = "copied_deps"    
 
@@ -1032,7 +1031,6 @@ class DarwinManifest(ViewerManifest):
                                 "libapr-1.0.dylib",
                                 "libaprutil-1.0.dylib",
                                 "libexpat.1.dylib",
-                                "libexception_handler.dylib",
                                 "libGLOD.dylib",
                                 # libnghttp2.dylib is a symlink to
                                 # libnghttp2.major.dylib, which is a symlink to
@@ -1068,21 +1066,15 @@ class DarwinManifest(ViewerManifest):
 
                 # our apps
                 executable_path = {}
-                for app_bld_dir, app in (("mac_crash_logger", "mac-crash-logger.app"),
-                                         # plugin launcher
-                                         (os.path.join("llplugin", "slplugin"), "SLPlugin.app"),
-                                         ):
-                    self.path2basename(os.path.join(os.pardir,
-                                                    app_bld_dir, self.args['configuration']),
-                                       app)
-                    executable_path[app] = \
-                        self.dst_path_of(os.path.join(app, "Contents", "MacOS"))
-
-                    # our apps dependencies on shared libs
-                    # for each app, for each dylib we collected in dylibs,
-                    # create a symlink to the real copy of the dylib.
-                    with self.prefix(dst=os.path.join(app, "Contents", "Resources")):
-                        for libfile in dylibs:
+                self.path2basename(os.path.join(os.pardir, os.path.join("llplugin", "slplugin"), self.args['configuration']), "SLPlugin.app")
+                executable_path["SLPlugin.app"] = \
+                    self.dst_path_of(os.path.join("SLPlugin.app", "Contents", "MacOS"))
+
+                # our apps dependencies on shared libs
+                # for each app, for each dylib we collected in dylibs,
+                # create a symlink to the real copy of the dylib.
+                with self.prefix(dst=os.path.join("SLPlugin.app", "Contents", "Resources")):
+                    for libfile in dylibs:
                             self.relsymlinkf(os.path.join(libfile_parent, libfile))
 
                 # Dullahan helper apps go inside SLPlugin.app
@@ -1303,14 +1295,19 @@ class DarwinManifest(ViewerManifest):
                     signed=False
                     sign_attempts=3
                     sign_retry_wait=15
+                    libvlc_path = app_in_dmg + "/Contents/Resources/llplugin/media_plugin_libvlc.dylib"
+                    cef_path = app_in_dmg + "/Contents/Resources/llplugin/media_plugin_cef.dylib"
+                    slplugin_path = app_in_dmg + "/Contents/Resources/SLPlugin.app/Contents/MacOS/SLPlugin"
+                    greenlet_path = app_in_dmg + "/Contents/Resources/updater/greenlet/_greenlet.so"
                     while (not signed) and (sign_attempts > 0):
                         try:
-                            sign_attempts-=1;
-                            self.run_command(
-                                # Note: See blurb above about names of keychains
-                               ['codesign', '--verbose', '--deep', '--force',
-                                '--keychain', viewer_keychain, '--sign', identity,
-                                app_in_dmg])
+                            sign_attempts-=1
+                            # Note: See blurb above about names of keychains
+                            self.run_command(['codesign', '--force', '--timestamp','--keychain', viewer_keychain, '--sign', identity, libvlc_path])
+                            self.run_command(['codesign', '--force', '--timestamp', '--keychain', viewer_keychain, '--sign', identity, cef_path])
+                            self.run_command(['codesign', '--force', '--timestamp', '--keychain', viewer_keychain, '--sign', identity, greenlet_path])
+                            self.run_command(['codesign', '--verbose', '--deep', '--force', '--options', 'runtime', '--keychain', viewer_keychain, '--sign', identity, slplugin_path])
+                            self.run_command(['codesign', '--verbose', '--deep', '--force', '--options', 'runtime', '--keychain', viewer_keychain, '--sign', identity, app_in_dmg])
                             signed=True # if no exception was raised, the codesign worked
                         except ManifestError as err:
                             if sign_attempts:
@@ -1321,6 +1318,7 @@ class DarwinManifest(ViewerManifest):
                                 print >> sys.stderr, "Maximum codesign attempts exceeded; giving up"
                                 raise
                     self.run_command(['spctl', '-a', '-texec', '-vvvv', app_in_dmg])
+                    self.run_command([self.src_path_of("installers/darwin/apple-notarize.sh"), app_in_dmg])
 
         finally:
             # Unmount the image even if exceptions from any of the above 
@@ -1373,7 +1371,7 @@ class LinuxManifest(ViewerManifest):
         with self.prefix(dst="bin"):
             self.path("secondlife-bin","do-not-directly-run-secondlife-bin")
             self.path("../linux_crash_logger/linux-crash-logger","linux-crash-logger.bin")
-            self.path2basename("../llplugin/slplugin", "SLPlugin") 
+            self.path2basename("../llplugin/slplugin", "SLPlugin")
             #this copies over the python wrapper script, associated utilities and required libraries, see SL-321, SL-322 and SL-323
             with self.prefix(src="../viewer_components/manager", dst=""):
                 self.path("*.py")