From b355f4e88998cc953b135933f554d773964badc2 Mon Sep 17 00:00:00 2001
From: Patrick Luby
Date: Wed, 8 Mar 2023 14:59:59 -0500
Subject: [PATCH] Improve scripts that codesign and create a .dmg from a Universal bundle
This change adds the following:
- The solenv/bin/macosx-codesign-app-bundle script now uses "--timestamp" wherever "--options runtime" is used in order to pass Apple's notarization process.
- A second, required argument has been added to the bin/create-dmg-from-merged-app-bundle script that specifies one of the following types: "release", "dev", or "collabora". Only the .DS_Store is different for each as no product set a volume icon currently.
- Upon success, the bin/create-dmg-from-merged-app-bundle script will print a warning that the .dmg is not notarized as well as the commands to use to manually notarize the .dmg.
Change-Id: I7c3f2d60dbb16b25bd6088b7e0af8c82284702d9
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/148490
Tested-by: Jenkins CollaboraOffice
Reviewed-by: Patrick Luby
Reviewed-by: Andras Timar
(cherry picked from commit 86e612db56be2d1934275de021b3213875e9301d)
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/148508
Tested-by: Jenkins
---
 bin/create-dmg-from-merged-app-bundle | 77 +++++++++++++++++++++++++--
 solenv/bin/macosx-codesign-app-bundle | 10 ++--
 2 files changed, 79 insertions(+), 8 deletions(-)
diff --git a/bin/create-dmg-from-merged-app-bundle b/bin/create-dmg-from-merged-app-bundle
index 8f32e4d24b3e..483b1298d7c9 100755
--- a/bin/create-dmg-from-merged-app-bundle
+++ b/bin/create-dmg-from-merged-app-bundle
@@ -20,8 +20,9 @@ if [ `uname` != Darwin ]; then
 exit 1
 fi
-if [ $# != 1 ]; then
- echo Usage: $0 signed-app-bundle
+if [ $# != 2 ]; then
+ echo Usage: $0 signed-app-bundle type
+ echo " where type is 'release', 'dev', or 'collabora'"
 exit 1
 fi
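Review bot: The two new usage lines print to stdout with `$0` unquoted, while the type-validation error added further down the same script is sent to stderr; `echo "Usage: $0 signed-app-bundle type" >&2` and `echo " where type is 'release', 'dev', or 'collabora'" >&2` keep diagnostics out of any output a build driver captures and survive a script path containing spaces. The enclosing script begins before this hunk, so whether `set -e` or a usage helper exists above cannot be seen from here.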
@@ -35,12 +36,29 @@ if [[ "$1" != *.app ]]; then
 exit 1
 fi
+DSSTOREFILE=
+VOLUMEICON=
+if [ "$2" = "release" ];then
+ DSSTOREFILE=DS_Store
+elif [ "$2" = "dev" ];then
+ DSSTOREFILE=DS_Store_Dev
+elif [ "$2" = "collabora" ];then
+ DSSTOREFILE=DS_Store
+ # Collabora is not currently using a volume icon
+ #VOLUMEICON=main.icns
+else
+ echo "type argument $2 is not equal to 'release', 'dev', or 'collabora'" >&2
+ exit 1
+fi
+
 IN=$(cd "$1" && /bin/pwd)
 INAPP=$(basename "$IN")
 INDIR=$(dirname "$IN")
 OUTVOLUME=$(basename "$IN" .app)
+OUTVOLUMEMOUNT=/Volumes/"$OUTVOLUME"
 OUTTMPDIR=$(dirname "$IN")/"$OUTVOLUME"
 OUTFILE="$OUTTMPDIR".dmg
+OUTFILETMP="$OUTTMPDIR".tmp.dmg
 SRCDIR=$(cd `dirname "$0"`/.. && /bin/pwd)
 # Create $OUTTMPDIR directory in the same directory as the output .dmg and
@@ -56,6 +74,16 @@ if [ -d "$OUTFILE" ]; then
 exit 1
 fi
+if [ -f "$OUTFILETMP" ]; then
+ echo The file $OUTFILETMP exists already >&2
+ exit 1
+fi
+
+if [ -d "$OUTFILETMP" ]; then
+ echo $OUTFILETMP exists and is a directory >&2
+ exit 1
+fi
+
 if [ -d "$OUTTMPDIR" ]; then
 echo The directory $OUTTMPDIR exists already >&2
 exit 1
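Review bot: `DSSTOREFILE` is assigned in every branch of the new type check but nothing reads it: the only .DS_Store copy, `cp "$SRCDIR"/setup_native/source/packinfo/DS_Store "$OUTTMPDIR"/.DS_Store` in the later hunk, is unchanged context, so the `dev` type still ships the release DS_Store even though the commit message says the .DS_Store is what differs per type. The copy should become `cp "$SRCDIR"/setup_native/source/packinfo/"$DSSTOREFILE" "$OUTTMPDIR"/.DS_Store`, assuming DS_Store_Dev lives in the same packinfo directory (not visible here). `OUTVOLUMEMOUNT=/Volumes/"$OUTVOLUME"` also hard-codes where hdiutil will mount the image rather than verifying it; see the attach call in the later hunk. The surrounding script continues outside this hunk.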
@@ -66,16 +94,59 @@ if [ -f "$OUTTMPDIR" ]; then
 exit 1
 fi
+if [ -d "$OUTVOLUMEMOUNT" ]; then
+ echo The directory $OUTVOLUMEMOUNT exists already >&2
+ exit 1
+fi
+
+if [ -f "$OUTVOLUMEMOUNT" ]; then
+ echo $OUTVOLUMEMOUNT exists and is a file >&2
+ exit 1
+fi
+
 mkdir "$OUTTMPDIR"
 mkdir "$OUTTMPDIR"/.background
 tar cf - "$INAPP" -C "$INDIR" | tar xvpf - -C "$OUTTMPDIR"
 ln -s /Applications "$OUTTMPDIR"/Applications
 cp "$SRCDIR"/setup_native/source/packinfo/DS_Store "$OUTTMPDIR"/.DS_Store
-cp "$SRCDIR"/setup_native/source/packinfo/VolumeIcon.icns "$OUTTMPDIR"/.VolumeIcon.icns
+if [ ! -z "$VOLUMEICON" ]; then
+ cp "$SRCDIR"/sysui/desktop/icons/"$VOLUMEICON" "$OUTTMPDIR"/.VolumeIcon.icns
+fi
 cp "$SRCDIR"/setup_native/source/packinfo/osxdndinstall.png "$OUTTMPDIR"/.background/background.png
 # Create and mount empty .dmg
+sync
+
+if [ -z "$VOLUMEICON" ]; then
 # Copied and adapted to bash from solenv/bin/modules/installer/simplepackage.pm
 # tdf#151341 Use lzfse compression instead of bzip2
 hdiutil create -srcfolder "$OUTTMPDIR" "$OUTFILE" -ov -fs HFS+ -volname "$OUTVOLUME" -format ULFO
+else
+# To set a volume icon, we need to create a writable .dmg, mount it, set the
+# volume icon, unmount it, and then convert it to a read-only .dmg
+hdiutil create -srcfolder "$OUTTMPDIR" "$OUTFILETMP" -ov -fs HFS+ -volname "$OUTVOLUME" -format UDRW
+sync
+hdiutil attach "$OUTFILETMP"
+if [ -f "$OUTVOLUMEMOUNT"/.VolumeIcon.icns ]; then
+ # TODO: SetFile is deprecated so we will eventually need to find another
+ # way to set the volume icon or stop trying to set the volume icon
+ SetFile -a C "$OUTVOLUMEMOUNT"
+fi
+hdiutil detach "$OUTVOLUMEMOUNT"
+sync
+hdiutil convert "$OUTFILETMP" -format ULFO -o "$OUTFILE"
+fi
+
+sync
+
+# Print warning about notarization
+echo "Successfully created '$OUTFILE'"
+echo
+echo "Warning: the .dmg is NOT notarized!"
+echo
+echo "You can manually notarize the .dmg using the following commands:"
+echo " xcrun notarytool submit '$OUTFILE' ... 
[--wait]"
+echo " xcrun stapler staple '$OUTFILE'"
+echo " xcrun stapler validate '$OUTFILE'"
+exit 0
diff --git a/solenv/bin/macosx-codesign-app-bundle b/solenv/bin/macosx-codesign-app-bundle
index e569aef24333..b1b17dbf7393 100755
--- a/solenv/bin/macosx-codesign-app-bundle
+++ b/solenv/bin/macosx-codesign-app-bundle
@@ -75,8 +75,8 @@ done
 find "$APP_BUNDLE"/Contents -name '*.app' -type d |
 while read app; do
 # Assume the app has a XML (and not binary) Info.plist
- id=`grep -A 1 'CFBundleIdentifier' $app/Contents/Info.plist | tail -1 | sed -e 's,.*,,' -e 's,.*,,'`
- codesign --options=runtime --force --identifier=$id --sign "$MACOSX_CODESIGNING_IDENTITY" $entitlements "$app" || exit 1
+ id=`grep -A 1 'CFBundleIdentifier' "$app/Contents/Info.plist" | tail -1 | sed -e 's,.*,,' -e 's,.*,,'`
+ codesign --timestamp --options=runtime --force --identifier=$id --sign "$MACOSX_CODESIGNING_IDENTITY" $entitlements "$app" || exit 1
 done
 # Then .framework ones. Again, be generic just for kicks.
@@ -90,7 +90,7 @@ while read framework; do
 if test -d $version/bin; then
 # files in bin are not covered by signing the framework...
 for scriptorexecutable in $(find $version/bin/ -type f); do
- codesign --options=runtime --force --identifier=$id --sign "$MACOSX_CODESIGNING_IDENTITY" "$scriptorexecutable" || exit 1
+ codesign --timestamp --options=runtime --force --identifier=$id --sign "$MACOSX_CODESIGNING_IDENTITY" "$scriptorexecutable" || exit 1
 done
 fi
 codesign --force --identifier=$id --sign "$MACOSX_CODESIGNING_IDENTITY" "$version" || exit 1
@@ -114,7 +114,7 @@ while read file; do
 ;;
 *)
 id=`echo ${file#${APP_BUNDLE}/Contents/} | sed -e 's,/,.,g'`
- codesign --force --options=runtime --identifier=$MACOSX_BUNDLE_IDENTIFIER.$id --sign "$MACOSX_CODESIGNING_IDENTITY" $entitlements "$file" || exit 1
+ codesign --force --timestamp --options=runtime --identifier=$MACOSX_BUNDLE_IDENTIFIER.$id --sign "$MACOSX_CODESIGNING_IDENTITY" $entitlements "$file" || exit 1
 ;;
 esac
 done
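Review bot: None of the new `hdiutil create`/`attach`/`detach`/`convert` calls check their exit status, and neither does the existing `hdiutil create` in the no-icon branch, so a failed image build still reaches `echo "Successfully created '$OUTFILE'"` and `exit 0`; unless `set -e` is enabled above the hunk, each call needs `|| exit 1` the way the codesign script guards its calls. `hdiutil attach "$OUTFILETMP"` leaves the mount location to the system and the following lines assume it is `$OUTVOLUMEMOUNT`; checking `[ -d "$OUTVOLUMEMOUNT" ]` after a successful attach (or creating the directory and passing `-mountpoint`) turns that assumption into a verified one before `SetFile` and `detach` operate on it. The writable `$OUTFILETMP` is never removed after the convert, and the pre-check added in the earlier hunk refuses to run while it exists, so the next run fails until someone deletes it by hand; `rm -f -- "$OUTFILETMP"` after a successful convert looks intended. As rendered, the printed `xcrun notarytool submit '$OUTFILE' ... [--wait]` line omits the credential options a user must supply; if the `...` is literal, naming e.g. `--keychain-profile <profile>` would make the hint actionable. The enclosing script starts before this hunk.
```sh
hdiutil create -srcfolder "$OUTTMPDIR" "$OUTFILETMP" -ov -fs HFS+ -volname "$OUTVOLUME" -format UDRW || exit 1
sync
hdiutil attach "$OUTFILETMP" || exit 1
[ -d "$OUTVOLUMEMOUNT" ] || exit 1
# … unchanged: SetFile volume-icon step …
hdiutil detach "$OUTVOLUMEMOUNT" || exit 1
sync
hdiutil convert "$OUTFILETMP" -format ULFO -o "$OUTFILE" || exit 1
rm -f -- "$OUTFILETMP"
fi
```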
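Review bot: `--timestamp` makes every codesign call contact Apple's timestamp service, so with the existing `|| exit 1` an offline or network-restricted build now fails at the first nested .app instead of producing a bundle that merely cannot be notarized; a comment above the find loop such as `# --timestamp is required for notarization and needs network access to Apple's timestamp server` would record the new requirement. The same flag is added in the hunks at old lines 90, 114 and 130 and carries the same consideration. On the rewritten `id=` line `"$app/Contents/Info.plist"` is now quoted, but `--identifier=$id` on the line below is still bare; `--identifier="$id"` would match, whereas `$entitlements` should stay unquoted only if it is deliberately allowed to be empty (its assignment is outside the hunk). Because the loop is the downstream side of a `find … |` pipeline, `exit 1` ends only that subshell and the script continues unless the pipeline's status is checked after `done` or `set -e`/`pipefail` is enabled above; that is pre-existing, but a signing failure going unnoticed is worth confirming.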
@@ -130,6 +130,6 @@ if test -n "$ENABLE_MACOSX_SANDBOX" && test -n "$application_identifier"; then
 # testflight/beta-testing won't work if that key is used when signing the other executables
 /usr/libexec/PlistBuddy -c "add com.apple.application-identifier string $application_identifier" $BUILDDIR/lo.xcent
 fi
-codesign --force --options=runtime --identifier="${MACOSX_BUNDLE_IDENTIFIER}" --sign "$MACOSX_CODESIGNING_IDENTITY" $entitlements "$APP_BUNDLE" || exit 1
+codesign --force --timestamp --options=runtime --identifier="${MACOSX_BUNDLE_IDENTIFIER}" --sign "$MACOSX_CODESIGNING_IDENTITY" $entitlements "$APP_BUNDLE" || exit 1
 exit 0