office-gobmx/solenv/bin/macosx-codesign-app-bundle
Tor Lillqvist e2fcbac505 Simplify error handling
There were a couple of weird things in this script. Firstly, the
script redirected stdout and stderr from each invocation of codesign
separately into a log file. (Several differently named log files.) But
those log files were never displayed.

Secondly, the script did "set -e" at the start. Thus, if a codesign
invocation returned non-zero (error) exit status, any code to check
the exit status and possibly display the log file would not be
executed anyway.

Simplify thusly:

Don't pass --verbose to codesign. Then if nothing goes wrong, it is
silent. That is The Unix Philosophy, right?

Don't redirect codesign stdout and stderr to a log file (that would be
removed if codesign didn't fail). Just let any error message of
warning from codesign go to the script's stderr or stdout.

If codesign fails, just exit. Error messages will have been written to
stderr already. No log files to display or remove.

Don't use set -e. Instead if a codesign invocation fails, just exit.

The intent is that in the normal case, this script will be totally
silent.

Change-Id: Ic6081c418e4c564be768e30bf52b8196ee59f061
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/109696
Tested-by: Tor Lillqvist <tml@collabora.com>
Reviewed-by: Tor Lillqvist <tml@collabora.com>
2021-01-20 17:28:32 +01:00

130 lines
4.9 KiB
Bash
Executable file

#!/bin/bash
# Use of unset variable is an error
set -u
# If any part of a pipeline of commands fails, the whole pipeline fails
set -o pipefail
# Script to sign executables, dylibs and frameworks in an app bundle plus the bundle itself. Called
# from installer::simplepackage::create_package() in solenv/bin/modules/installer/simplepackage.pm
# and the test-install target in Makefile.in.
test `uname` = Darwin || { echo This is for macOS only; exit 1; }
test $# = 1 || { echo Usage: $0 app-bundle; exit 1; }
for V in \
BUILDDIR \
MACOSX_BUNDLE_IDENTIFIER \
MACOSX_CODESIGNING_IDENTITY; do
if test -z "$(eval echo '$'$V)"; then
echo No '$'$V "environment variable! This should be run in a build only"
exit 1
fi
done
APP_BUNDLE="$1"
entitlements=
if test -n "$ENABLE_MACOSX_SANDBOX"; then
# In a sandboxed build executables need the entitlements
entitlements="--entitlements $BUILDDIR/lo.xcent"
# All data files are in Resources and included in the app bundle signature
# through that. I think.
other_files=''
else
# We then want to sign data files, too, hmm.
entitlements="--entitlements $BUILDDIR/hardened_runtime.xcent"
other_files="\
-or -name '*.fodt' -or -name 'schema.strings' -or -name 'schema.xml' \
-or -name '*.jar' -or -name 'LICENSE' -or -name 'LICENSE.html' \
-or -name '*.applescript' -or -name '*.odt'"
fi
# Sign jnilibs first as workaround for signing issue on old baseline
# order matters/screws things up otherwise
find -d "$APP_BUNDLE" \( -name '*.jnilib' \) ! -type l |
while read file; do
id=`echo ${file#${APP_BUNDLE}/Contents/} | sed -e 's,/,.,g'`
codesign --force --identifier=$MACOSX_BUNDLE_IDENTIFIER.$id --sign "$MACOSX_CODESIGNING_IDENTITY" "$file" || exit 1
done
# Sign dylibs
#
# The dylibs in the Python framework are called *.so. Go figure
#
# On Mavericks also would like to have data files signed...
# add some where it makes sense. Make a depth-first search to sign the contents
# of e.g. the spotlight plugin before attempting to sign the plugin itself
find "$APP_BUNDLE" \( -name '*.dylib' -or -name '*.dylib.*' -or -name '*.so' \
$other_files \) ! -type l |
while read file; do
id=`echo ${file#${APP_BUNDLE}/Contents/} | sed -e 's,/,.,g'`
codesign --force --identifier=$MACOSX_BUNDLE_IDENTIFIER.$id --sign "$MACOSX_CODESIGNING_IDENTITY" "$file" || exit 1
done
# Sign included bundles. First .app ones (i.e. the Python.app inside
# the LibreOfficePython.framework. Be generic for kicks...)
find "$APP_BUNDLE"/Contents -name '*.app' -type d |
while read app; do
# Assume the app has a XML (and not binary) Info.plist
id=`grep -A 1 '<key>CFBundleIdentifier</key>' $app/Contents/Info.plist | tail -1 | sed -e 's,.*<string>,,' -e 's,</string>.*,,'`
codesign --options=runtime --force --identifier=$id --sign "$MACOSX_CODESIGNING_IDENTITY" $entitlements "$app" || exit 1
done
# Then .framework ones. Again, be generic just for kicks.
find "$APP_BUNDLE" -name '*.framework' -type d |
while read framework; do
for version in "$framework"/Versions/*; do
if test ! -L "$version" -a -d "$version"; then
# Assume the framework has a XML (and not binary) Info.plist
id=`grep -A 1 '<key>CFBundleIdentifier</key>' $version/Resources/Info.plist | tail -1 | sed -e 's,.*<string>,,' -e 's,</string>.*,,'`
if test -d $version/bin; then
# files in bin are not covered by signing the framework...
for scriptorexecutable in $(find $version/bin/ -type f); do
codesign --options=runtime --force --identifier=$id --sign "$MACOSX_CODESIGNING_IDENTITY" "$scriptorexecutable" || exit 1
done
fi
codesign --force --identifier=$id --sign "$MACOSX_CODESIGNING_IDENTITY" "$version" || exit 1
fi
done
done
# Then mdimporters
find "$APP_BUNDLE" -name '*.mdimporter' -type d |
while read bundle; do
codesign --force --prefix=$MACOSX_BUNDLE_IDENTIFIER. --sign "$MACOSX_CODESIGNING_IDENTITY" "$bundle" || exit 1
done
# Sign executables
find "$APP_BUNDLE/Contents/MacOS" -type f |
while read file; do
case "$file" in
*/soffice)
;;
*)
id=`echo ${file#${APP_BUNDLE}/Contents/} | sed -e 's,/,.,g'`
codesign --force --options=runtime --identifier=$MACOSX_BUNDLE_IDENTIFIER.$id --sign "$MACOSX_CODESIGNING_IDENTITY" $entitlements "$file" || exit 1
;;
esac
done
# Sign the app bundle as a whole which means (re-)signing the
# CFBundleExecutable from Info.plist, i.e. soffice, plus the contents
# of the Resources tree.
#
# At this stage we also attach the entitlements in the sandboxing case
#
# Also omit some files from the Bundle's seal via the resource-rules
# (bootstraprc and similar that the user might adjust and image files)
# See also https://developer.apple.com/library/mac/technotes/tn2206/
id=`echo ${PRODUCTNAME} | tr ' ' '-'`
codesign --force --options=runtime --identifier="${MACOSX_BUNDLE_IDENTIFIER}" --sign "$MACOSX_CODESIGNING_IDENTITY" $entitlements "$APP_BUNDLE" || exit 1
exit 0