e2fcbac505
There were a couple of weird things in this script. Firstly, the script redirected stdout and stderr from each invocation of codesign separately into a log file. (Several differently named log files.) But those log files were never displayed. Secondly, the script did "set -e" at the start. Thus, if a codesign invocation returned non-zero (error) exit status, any code to check the exit status and possibly display the log file would not be executed anyway. Simplify thusly: Don't pass --verbose to codesign. Then if nothing goes wrong, it is silent. That is The Unix Philosophy, right? Don't redirect codesign stdout and stderr to a log file (that would be removed if codesign didn't fail). Just let any error message or warning from codesign go to the script's stderr or stdout. If codesign fails, just exit. Error messages will have been written to stderr already. No log files to display or remove. Don't use set -e. Instead if a codesign invocation fails, just exit. The intent is that in the normal case, this script will be totally silent. Change-Id: Ic6081c418e4c564be768e30bf52b8196ee59f061 Reviewed-on: https://gerrit.libreoffice.org/c/core/+/109696 Tested-by: Tor Lillqvist <tml@collabora.com> Reviewed-by: Tor Lillqvist <tml@collabora.com>
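#!/bin/bash

# Use of unset variable is an error
set -u

# If any part of a pipeline of commands fails, the whole pipeline fails
set -o pipefail

# Script to sign executables, dylibs and frameworks in an app bundle plus the bundle itself. Called
# from installer::simplepackage::create_package() in solenv/bin/modules/installer/simplepackage.pm
# and the test-install target in Makefile.in.
#
# Arguments:   $1 - path to the .app bundle to sign
# Environment: BUILDDIR, MACOSX_BUNDLE_IDENTIFIER and MACOSX_CODESIGNING_IDENTITY are required;
#              a non-empty ENABLE_MACOSX_SANDBOX selects the sandbox entitlements.
# Outputs:     nothing in the normal case; diagnostics (ours and codesign's) go to stderr.
# Returns:     0 when everything was signed, 1 at the first failure.

#######################################
# Print a message to stderr and exit with status 1.
#######################################
die() {
    printf '%s\n' "$*" >&2
    exit 1
}

#######################################
# Derive the identifier suffix for a file inside the bundle: its path relative
# to Contents/ with every '/' turned into '.', e.g. Frameworks/foo.dylib ->
# Frameworks.foo.dylib. Reads APP_BUNDLE. Writes the result to stdout.
#######################################
id_for_file() {
    local rel=${1#"$APP_BUNDLE"/Contents/}
    printf '%s\n' "${rel//\//.}"
}

#######################################
# Extract CFBundleIdentifier from an XML (not binary) Info.plist given as $1.
# Writes the value to stdout; empty when the key is not found.
#######################################
plist_bundle_id() {
    grep -A 1 '<key>CFBundleIdentifier</key>' "$1" | tail -1 | sed -e 's,.*<string>,,' -e 's,</string>.*,,'
}

test "$(uname)" = Darwin || die "This is for macOS only"

test $# = 1 || die "Usage: $0 app-bundle"

for V in \
    BUILDDIR \
    MACOSX_BUNDLE_IDENTIFIER \
    MACOSX_CODESIGNING_IDENTITY; do
    # ${!V} is the value of the variable whose name is in V; no eval needed.
    # The :- keeps set -u quiet so we can print our own message.
    if test -z "${!V:-}"; then
        die "No \$$V environment variable! This should be run in a build only"
    fi
done

APP_BUNDLE="$1"

# Kept as arrays so that a BUILDDIR containing spaces, or the quotes in the
# find patterns, survive as intended. (The previous string form of other_files
# was expanded unquoted, so the -name patterns kept their literal single quotes
# and matched nothing.)
entitlements=()
other_files=()
# Unset and empty both mean "not a sandboxed build".
if test -n "${ENABLE_MACOSX_SANDBOX:-}"; then
    # In a sandboxed build executables need the entitlements
    entitlements=(--entitlements "$BUILDDIR/lo.xcent")
    # All data files are in Resources and included in the app bundle signature
    # through that. I think.
else
    # We then want to sign data files, too, hmm.
    entitlements=(--entitlements "$BUILDDIR/hardened_runtime.xcent")
    other_files=(
        -or -name '*.fodt' -or -name 'schema.strings' -or -name 'schema.xml'
        -or -name '*.jar' -or -name 'LICENSE' -or -name 'LICENSE.html'
        -or -name '*.applescript' -or -name '*.odt'
    )
fi

# Every 'find | while' loop below runs its body in a subshell, so an 'exit 1'
# inside the loop only ends that subshell. The '|| exit 1' after each 'done'
# is what turns a failed signing step (or a failed find, via pipefail) into a
# failure of the whole script; without it a partially signed bundle would
# still reach the final 'exit 0'.

# Sign jnilibs first as workaround for signing issue on old baseline
# order matters/screws things up otherwise
find -d "$APP_BUNDLE" \( -name '*.jnilib' \) ! -type l |
while IFS= read -r file; do
    id=$(id_for_file "$file")
    codesign --force --identifier="$MACOSX_BUNDLE_IDENTIFIER.$id" --sign "$MACOSX_CODESIGNING_IDENTITY" "$file" || exit 1
done || exit 1

# Sign dylibs
#
# The dylibs in the Python framework are called *.so. Go figure
#
# On Mavericks also would like to have data files signed...
# add some where it makes sense. Make a depth-first search to sign the contents
# of e.g. the spotlight plugin before attempting to sign the plugin itself
#
# ${arr[@]+"${arr[@]}"} expands to nothing for an empty array without tripping
# set -u on the bash 3.2 that ships with macOS.

find "$APP_BUNDLE" \( -name '*.dylib' -or -name '*.dylib.*' -or -name '*.so' \
    ${other_files[@]+"${other_files[@]}"} \) ! -type l |
while IFS= read -r file; do
    id=$(id_for_file "$file")
    codesign --force --identifier="$MACOSX_BUNDLE_IDENTIFIER.$id" --sign "$MACOSX_CODESIGNING_IDENTITY" "$file" || exit 1
done || exit 1

# Sign included bundles. First .app ones (i.e. the Python.app inside
# the LibreOfficePython.framework. Be generic for kicks...)

find "$APP_BUNDLE"/Contents -name '*.app' -type d |
while IFS= read -r app; do
    # Assume the app has a XML (and not binary) Info.plist
    id=$(plist_bundle_id "$app/Contents/Info.plist")
    codesign --options=runtime --force --identifier="$id" --sign "$MACOSX_CODESIGNING_IDENTITY" "${entitlements[@]}" "$app" || exit 1
done || exit 1

# Then .framework ones. Again, be generic just for kicks.

find "$APP_BUNDLE" -name '*.framework' -type d |
while IFS= read -r framework; do
    for version in "$framework"/Versions/*; do
        # Skip the 'Current' symlink (and the literal '*' left when there are no versions)
        if [[ ! -L "$version" && -d "$version" ]]; then
            # Assume the framework has a XML (and not binary) Info.plist
            id=$(plist_bundle_id "$version/Resources/Info.plist")
            if test -d "$version/bin"; then
                # files in bin are not covered by signing the framework...
                # Read the list line by line so names with spaces stay intact.
                while IFS= read -r scriptorexecutable; do
                    codesign --options=runtime --force --identifier="$id" --sign "$MACOSX_CODESIGNING_IDENTITY" "$scriptorexecutable" || exit 1
                done < <(find "$version/bin/" -type f)
            fi
            codesign --force --identifier="$id" --sign "$MACOSX_CODESIGNING_IDENTITY" "$version" || exit 1
        fi
    done
done || exit 1

# Then mdimporters

find "$APP_BUNDLE" -name '*.mdimporter' -type d |
while IFS= read -r bundle; do
    codesign --force --prefix="$MACOSX_BUNDLE_IDENTIFIER." --sign "$MACOSX_CODESIGNING_IDENTITY" "$bundle" || exit 1
done || exit 1

# Sign executables

find "$APP_BUNDLE/Contents/MacOS" -type f |
while IFS= read -r file; do
    case "$file" in
        */soffice)
            # The main executable is (re-)signed together with the bundle below
            ;;
        *)
            id=$(id_for_file "$file")
            codesign --force --options=runtime --identifier="$MACOSX_BUNDLE_IDENTIFIER.$id" --sign "$MACOSX_CODESIGNING_IDENTITY" "${entitlements[@]}" "$file" || exit 1
            ;;
    esac
done || exit 1

# Sign the app bundle as a whole which means (re-)signing the
# CFBundleExecutable from Info.plist, i.e. soffice, plus the contents
# of the Resources tree.
#
# At this stage we also attach the entitlements in the sandboxing case
#
# Also omit some files from the Bundle's seal via the resource-rules
# (bootstraprc and similar that the user might adjust and image files)
# See also https://developer.apple.com/library/mac/technotes/tn2206/
#
# The identifier is MACOSX_BUNDLE_IDENTIFIER; the PRODUCTNAME-derived value
# the script used to compute here was never used.

codesign --force --options=runtime --identifier="${MACOSX_BUNDLE_IDENTIFIER}" --sign "$MACOSX_CODESIGNING_IDENTITY" "${entitlements[@]}" "$APP_BUNDLE" || exit 1

exit 0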