no-bug: Sign mars after building them (gh-13213)

.github/workflows/build.yml

@@ -505,20 +505,6 @@ jobs:
         run: |
           git clone https://github.com/zen-browser/windows-binaries.git .github/workflows/object --depth 1
 
-      - name: Download signmar-linux-x86_64 from artifacts
-        uses: actions/download-artifact@v4
-        with:
-          name: signmar-linux-x86_64
-
-      - name: Sign MAR files
-        env:
-          SIGNMAR: ${{ github.workspace }}/signmar-linux-x86_64/signmar
-          ZEN_MAR_SIGNING_PASSWORD: ${{ secrets.ZEN_MAR_SIGNING_PASSWORD }}
-          ZEN_SIGNING_CERT_PEM_BASE64: ${{ secrets.ZEN_SIGNING_CERT_PEM_BASE64 }}
-          ZEN_SIGNING_PRIVATE_KEY_PEM_BASE64: ${{ secrets.ZEN_SIGNING_PRIVATE_KEY_PEM_BASE64 }}
-        run: |
-          bash scripts/mar_sign.sh -s
-
       - name: Copy update manifests
         env:
           RELEASE_BRANCH: ${{ inputs.update_branch }}

.github/workflows/linux-release-build.yml

@@ -153,6 +153,15 @@ jobs:
           mv dist/zen-*.tar.xz "zen.linux-${{ matrix.arch }}.tar.xz"
           mv dist/output.mar linux${{ matrix.arch == 'aarch64' && '-aarch64' || '' }}.mar
 
+      - name: Sign MAR
+        env:
+          SIGNMAR: engine/obj-${{ matrix.arch == 'aarch64' && 'aarch64-unknown' || 'x86_64-pc' }}-linux-gnu/dist/bin/signmar
+          ZEN_MAR_SIGNING_PASSWORD: ${{ secrets.ZEN_MAR_SIGNING_PASSWORD }}
+          ZEN_SIGNING_CERT_PEM_BASE64: ${{ secrets.ZEN_SIGNING_CERT_PEM_BASE64 }}
+          ZEN_SIGNING_PRIVATE_KEY_PEM_BASE64: ${{ secrets.ZEN_SIGNING_PRIVATE_KEY_PEM_BASE64 }}
+        run: |
+          bash scripts/mar_sign.sh -s ./linux${{ matrix.arch == 'aarch64' && '-aarch64' || '' }}.mar
+
       - name: Upload build artifact (binary)
         uses: actions/upload-artifact@v4
         with:
@@ -173,11 +182,3 @@ jobs:
           retention-days: 5
           name: linux_update_manifest_${{ matrix.arch }}
           path: ./dist/update
-
-      - name: Upload signmar
-        if: ${{ matrix.arch == 'x86_64' }}
-        uses: actions/upload-artifact@v4
-        with:
-          retention-days: 2
-          name: signmar-linux-x86_64
-          path: engine/obj-x86_64-pc-linux-gnu/dist/bin/signmar

.github/workflows/macos-universal-release-build.yml

@@ -247,6 +247,15 @@ jobs:
           npm run package -- --verbose
           mv ./dist/output.mar ./macos.mar
 
+      - name: Sign MAR
+        env:
+          SIGNMAR: engine/obj-x86_64-apple-darwin/dist/bin/signmar
+          ZEN_MAR_SIGNING_PASSWORD: ${{ secrets.ZEN_MAR_SIGNING_PASSWORD }}
+          ZEN_SIGNING_CERT_PEM_BASE64: ${{ secrets.ZEN_SIGNING_CERT_PEM_BASE64 }}
+          ZEN_SIGNING_PRIVATE_KEY_PEM_BASE64: ${{ secrets.ZEN_SIGNING_PRIVATE_KEY_PEM_BASE64 }}
+        run: |
+          bash scripts/mar_sign.sh -s ./macos.mar
+
       - name: Upload build artifact (.mar)
         uses: actions/upload-artifact@v4
         with:

.github/workflows/windows-release-build.yml

@@ -281,6 +281,16 @@ jobs:
           mv ./dist/output.mar windows${{ matrix.arch == 'aarch64' && '-arm64' || '' }}.mar
           mv ./dist/zen.installer.exe ./zen.installer${{ matrix.arch == 'aarch64' && '-arm64' || '' }}.exe
 
+      - name: Sign MAR
+        if: ${{ !inputs.generate-gpo }}
+        env:
+          SIGNMAR: engine/obj-${{ matrix.arch }}-pc-windows-msvc/dist/bin/signmar
+          ZEN_MAR_SIGNING_PASSWORD: ${{ secrets.ZEN_MAR_SIGNING_PASSWORD }}
+          ZEN_SIGNING_CERT_PEM_BASE64: ${{ secrets.ZEN_SIGNING_CERT_PEM_BASE64 }}
+          ZEN_SIGNING_PRIVATE_KEY_PEM_BASE64: ${{ secrets.ZEN_SIGNING_PRIVATE_KEY_PEM_BASE64 }}
+        run: |
+          bash scripts/mar_sign.sh -s ./windows${{ matrix.arch == 'aarch64' && '-arm64' || '' }}.mar
+
       - name: Upload artifact (PGO)
         uses: actions/upload-artifact@v4
         if: ${{ inputs.generate-gpo && matrix.arch == 'x86_64' }}

prefs/zen/split-view.yaml

@@ -15,7 +15,7 @@
   value: true
 
 - name: zen.splitView.drag-over-split-delayMC
-  value: 1000
+  value: 350
 
 - name: zen.splitView.drag-over-split-threshold
-  value: 40
+  value: 25

prefs/zen/workspaces.yaml

@@ -33,7 +33,7 @@
   value: true
 
 - name: zen.workspaces.dnd-switch-padding
-  value: 5
+  value: 20
 
 - name: zen.workspaces.debug
   value: "@cond"

prefs/zen/zen.yaml

@@ -27,7 +27,7 @@
   value: 20 # Percentage of folder height to trigger dragover
 
 - name: zen.tabs.dnd-switch-space-delay
-  value: 800 # milliseconds
+  value: 500 # milliseconds
 
 - name: zen.ctrlTab.show-pending-tabs
   value: false

scripts/mar_sign.sh

@@ -84,7 +84,7 @@ create_nss_config_dir() {
   openssl pkcs12 -export \
       -inkey "$CERT_PATH_DIR/private_key.pem" \
       -in    "$CERT_PATH_DIR/cert.pem" \
-      -name  "private_key" \
+      -name  "mar_cert" \
       -passout pass:"$ZEN_MAR_SIGNING_PASSWORD" \
       -out   "$CERT_PATH_DIR/private_key.p12"
 
@@ -105,7 +105,19 @@ cleanup_certs() {
   rm -f "$CERT_PATH_DIR/cert.pem"
 }
 
-sign_mars() {
+sign_mar() {
+  local mar_file="$1"
+
+  if [ -z "$mar_file" ]; then
+    echo "Error: .mar file path is required. Usage: $0 -s <mar_file>" >&2
+    exit 1
+  fi
+
+  if [ ! -f "$mar_file" ]; then
+    echo "Error: .mar file not found at $mar_file" >&2
+    exit 1
+  fi
+
   if [ ! -f "$SIGNMAR" ]; then
     echo "Error: signmar not found at $SIGNMAR. Build the engine first." >&2
     exit 1
@@ -115,34 +127,14 @@ sign_mars() {
 
   create_nss_config_dir
 
-  folders=(
-    linux.mar
-    linux-aarch64.mar
-    windows.mar
-    windows-arm64
-    macos.mar
-  )
-  # each folder will contain the .mar files for that platform, and the signature will be written in-place
-  for folder in "${folders[@]}"; do
-    if [ -d "$folder" ]; then
-      for mar_file in "$folder"/*.mar; do
-        if [ -f "$mar_file" ]; then
-          echo ""
-          echo "Signing $mar_file..."
-          # mar [-C workingDir] -d NSSConfigDir -n certname -s archive.mar out_signed_archive.mar
-          "$SIGNMAR" -d "$NSS_CONFIG_DIR" -n "private_key" -s "$mar_file" "$mar_file".signed
-          echo "Signed $mar_file. Verifying signature..."
-          "$SIGNMAR" -d "$NSS_CONFIG_DIR" -n "private_key" -v "$mar_file".signed
-          mv "$mar_file".signed "$mar_file"
-          echo "Successfully signed $mar_file"
-        else
-          echo "No .mar files found in $folder, skipping."
-        fi
-      done
-    else
-      echo "Directory $folder not found, skipping."
-    fi
-  done
+  echo ""
+  echo "Signing $mar_file..."
+  # mar [-C workingDir] -d NSSConfigDir -n certname -s archive.mar out_signed_archive.mar
+  "$SIGNMAR" -d "$NSS_CONFIG_DIR" -n "mar_cert" -s "$mar_file" "$mar_file".signed
+  echo "Signed $mar_file. Verifying signature..."
+  "$SIGNMAR" -d "$NSS_CONFIG_DIR" -n "mar_cert" -v "$mar_file".signed
+  mv "$mar_file".signed "$mar_file"
+  echo "Successfully signed $mar_file"
 
   cleanup_certs
 }
@@ -155,13 +147,13 @@ case "$1" in
     import_cert
     ;;
   -s)
-    sign_mars
+    sign_mar "$2"
     ;;
   *)
-    echo "Usage: $0 [-g] [-i] [-s]" >&2
-    echo "  -g    Generate MAR signing certificates" >&2
-    echo "  -i    Import the certificate into the updater (release_primary.der)" >&2
-    echo "  -s    Sign *.mar files in the current directory in-place" >&2
+    echo "Usage: $0 [-g] [-i] [-s <mar_file>]" >&2
+    echo "  -g              Generate MAR signing certificates" >&2
+    echo "  -i              Import the certificate into the updater (release_primary.der)" >&2
+    echo "  -s <mar_file>   Sign the given .mar file in-place" >&2
     exit 1
     ;;
 esac