c2ebc77e63
Starting in one of the Xcode versions 15.2 or earlier, setting the entitlements without a certificate started failing on Mac Silicon. The hacky solution is to make a copy of the application's executable, set the entitlements on that binary only, and then move the copied binary back. Change-Id: I25c32cbe6f9aa87e2d6c2c554a8a9cf48d79e75d Reviewed-on: https://gerrit.libreoffice.org/c/core/+/163468 Tested-by: Jenkins Reviewed-by: Patrick Luby <guibomacdev@gmail.com>
164 lines
7.2 KiB
Bash
Executable file
164 lines
7.2 KiB
Bash
Executable file
#!/usr/bin/env bash
|
|
|
|
# Use of unset variable is an error
|
|
set -u
|
|
# If any part of a pipeline of commands fails, the whole pipeline fails
|
|
set -o pipefail
|
|
|
|
# Script to sign executables, dylibs and frameworks in an app bundle plus the bundle itself. Called
|
|
# from installer::simplepackage::create_package() in solenv/bin/modules/installer/simplepackage.pm
|
|
# and the test-install target in Makefile.in.
|
|
|
|
test `uname` = Darwin || { echo This is for macOS only; exit 1; }
|
|
|
|
test $# = 1 || { echo Usage: $0 app-bundle; exit 1; }
|
|
|
|
for V in \
|
|
BUILDDIR \
|
|
MACOSX_BUNDLE_IDENTIFIER; do
|
|
if test -z "$(eval echo '$'$V)"; then
|
|
echo No '$'$V "environment variable! This should be run in a build only"
|
|
exit 1
|
|
fi
|
|
done
|
|
|
|
APP_BUNDLE="$1"
|
|
entitlements=
|
|
entitlements_helper=
|
|
application_identifier=
|
|
if test -n "$ENABLE_MACOSX_SANDBOX"; then
|
|
# In a sandboxed build executables need the entitlements
|
|
entitlements="--entitlements $BUILDDIR/lo.xcent"
|
|
# helper utilities must be signed with only the sandbox and inherit entitlements
|
|
entitlements_helper="--entitlements $SRCDIR/sysui/desktop/macosx/sandbox_inherit.entitlements"
|
|
application_identifier=`/usr/libexec/PlistBuddy -c "print com.apple.application-identifier" $BUILDDIR/lo.xcent`
|
|
# remove the key from the entitlement - only use it when signing the whole bundle in the final step
|
|
/usr/libexec/PlistBuddy -c "delete com.apple.application-identifier" $BUILDDIR/lo.xcent
|
|
# All data files are in Resources and included in the app bundle signature
|
|
other_files=''
|
|
# HACK: remove donate menu entries, need to support apple-pay and be verified
|
|
# as non profit as a bare minimum to allow asking....
|
|
sed -I "" -e '\#<menu:menuitem menu:id=".uno:Donation"/>#d' $APP_BUNDLE/Contents/Resources/config/soffice.cfg/modules/*/menubar/menubar.xml
|
|
else
|
|
# We then want to sign data files, too, hmm.
|
|
entitlements="--entitlements $BUILDDIR/hardened_runtime.xcent"
|
|
entitlements_helper=$entitlements
|
|
other_files="\
|
|
-or -name '*.fodt' -or -name 'schema.strings' -or -name 'schema.xml' \
|
|
-or -name '*.jar' -or -name 'LICENSE' -or -name 'LICENSE.html' \
|
|
-or -name '*.applescript' -or -name '*.odt'"
|
|
fi
|
|
|
|
if test -z "$MACOSX_CODESIGNING_IDENTITY"; then
|
|
if test -n "$ENABLE_RELEASE_BUILD"; then
|
|
echo "This is a release build! This should be run in a non-release build only"
|
|
exit 1
|
|
fi
|
|
|
|
# Skip codesigning for non-release builds if there is no identity set but
|
|
# set entitlements to allow Xcode's Instruments application to connect to
|
|
# the application. Note: the following command fails on some Mac Intel
|
|
# machines, and since this not a release build, ignore any failures.
|
|
# Related: tdf#159529 fix increasing failures when setting entitlements
|
|
# Starting in one of the Xcode versions 15.2 or earlier, setting the
|
|
# entitlements without a certificate started failing on Mac Silicon.
|
|
# The hacky solution is to make a copy of the application's executable,
|
|
# set the entitlements on that binary only, and then move the copied
|
|
# binary back.
|
|
rm -f "$APP_BUNDLE/Contents/MacOS/soffice.withentitlements"
|
|
cp "$APP_BUNDLE/Contents/MacOS/soffice" "$APP_BUNDLE/Contents/MacOS/soffice.withentitlements"
|
|
if codesign --force --identifier="${MACOSX_BUNDLE_IDENTIFIER}" --sign - $entitlements "$APP_BUNDLE/Contents/MacOS/soffice.withentitlements"; then
|
|
mv "$APP_BUNDLE/Contents/MacOS/soffice.withentitlements" "$APP_BUNDLE/Contents/MacOS/soffice"
|
|
else
|
|
rm "$APP_BUNDLE/Contents/MacOS/soffice.withentitlements"
|
|
fi
|
|
exit 0
|
|
fi
|
|
|
|
# Sign jnilibs first as workaround for signing issue on old baseline
|
|
# order matters/screws things up otherwise
|
|
find -d "$APP_BUNDLE" \( -name '*.jnilib' \) ! -type l |
|
|
while read file; do
|
|
id=`echo ${file#${APP_BUNDLE}/Contents/} | sed -e 's,/,.,g'`
|
|
codesign --force --identifier=$MACOSX_BUNDLE_IDENTIFIER.$id --sign "$MACOSX_CODESIGNING_IDENTITY" "$file" || exit 1
|
|
done
|
|
|
|
# Sign dylibs
|
|
#
|
|
# The dylibs in the Python framework are called *.so. Go figure
|
|
#
|
|
# On Mavericks also would like to have data files signed...
|
|
# add some where it makes sense. Make a depth-first search to sign the contents
|
|
# of e.g. the spotlight plugin before attempting to sign the plugin itself
|
|
|
|
find "$APP_BUNDLE" \( -name '*.dylib' -or -name '*.dylib.*' -or -name '*.so' \
|
|
$other_files \) ! -type l |
|
|
while read file; do
|
|
id=`echo ${file#${APP_BUNDLE}/Contents/} | sed -e 's,/,.,g'`
|
|
codesign --force --identifier=$MACOSX_BUNDLE_IDENTIFIER.$id --sign "$MACOSX_CODESIGNING_IDENTITY" "$file" || exit 1
|
|
done
|
|
|
|
# Sign included bundles. First .app ones (i.e. the Python.app inside
|
|
# the LibreOfficePython.framework. Be generic for kicks...)
|
|
|
|
find "$APP_BUNDLE"/Contents -name '*.app' -type d |
|
|
while read app; do
|
|
# Assume the app has a XML (and not binary) Info.plist
|
|
id=`grep -A 1 '<key>CFBundleIdentifier</key>' "$app/Contents/Info.plist" | tail -1 | sed -e 's,.*<string>,,' -e 's,</string>.*,,'`
|
|
codesign --timestamp --options=runtime --force --identifier=$id --sign "$MACOSX_CODESIGNING_IDENTITY" $entitlements "$app" || exit 1
|
|
done
|
|
|
|
# Then .framework ones. Again, be generic just for kicks.
|
|
|
|
find "$APP_BUNDLE" -name '*.framework' -type d |
|
|
while read framework; do
|
|
for version in "$framework"/Versions/*; do
|
|
if test ! -L "$version" -a -d "$version"; then
|
|
# Assume the framework has a XML (and not binary) Info.plist
|
|
id=`grep -A 1 '<key>CFBundleIdentifier</key>' $version/Resources/Info.plist | tail -1 | sed -e 's,.*<string>,,' -e 's,</string>.*,,'`
|
|
if test -d $version/bin; then
|
|
# files in bin are not covered by signing the framework...
|
|
for scriptorexecutable in $(find $version/bin/ -type f); do
|
|
codesign --timestamp --options=runtime --force --identifier=$id --sign "$MACOSX_CODESIGNING_IDENTITY" "$scriptorexecutable" || exit 1
|
|
done
|
|
fi
|
|
codesign --force --identifier=$id --sign "$MACOSX_CODESIGNING_IDENTITY" "$version" || exit 1
|
|
fi
|
|
done
|
|
done
|
|
|
|
# Then mdimporters
|
|
|
|
find "$APP_BUNDLE" -name '*.mdimporter' -type d |
|
|
while read bundle; do
|
|
codesign --force --prefix=$MACOSX_BUNDLE_IDENTIFIER. --sign "$MACOSX_CODESIGNING_IDENTITY" "$bundle" || exit 1
|
|
done
|
|
|
|
# Sign executables
|
|
|
|
find "$APP_BUNDLE/Contents/MacOS" -type f |
|
|
while read file; do
|
|
case "$file" in
|
|
*/soffice)
|
|
;;
|
|
*)
|
|
id=`echo ${file#${APP_BUNDLE}/Contents/} | sed -e 's,/,.,g'`
|
|
codesign --force --timestamp --options=runtime --identifier=$MACOSX_BUNDLE_IDENTIFIER.$id --sign "$MACOSX_CODESIGNING_IDENTITY" $entitlements_helper "$file" || exit 1
|
|
;;
|
|
esac
|
|
done
|
|
|
|
# Sign the app bundle as a whole which means (re-)signing the
|
|
# CFBundleExecutable from Info.plist, i.e. soffice, plus the contents
|
|
# of the Resources tree.
|
|
#
|
|
# See also https://developer.apple.com/library/mac/technotes/tn2206/
|
|
|
|
if test -n "$ENABLE_MACOSX_SANDBOX" && test -n "$application_identifier"; then
|
|
# add back the application-identifier to the entitlements
|
|
# testflight/beta-testing won't work if that key is used when signing the other executables
|
|
/usr/libexec/PlistBuddy -c "add com.apple.application-identifier string $application_identifier" $BUILDDIR/lo.xcent
|
|
fi
|
|
codesign --force --timestamp --options=runtime --identifier="${MACOSX_BUNDLE_IDENTIFIER}" --sign "$MACOSX_CODESIGNING_IDENTITY" $entitlements "$APP_BUNDLE" || exit 1
|
|
|
|
exit 0
|