c98b1f1cd4
hardened runtime is prerequisite for notarizing apps, which in turn is required for new developer IDs with 10.14.5 already and will be required for all software to run in future versions of macOS https://developer.apple.com/documentation/security/notarizing_your_app_before_distribution Change-Id: Ifdf73fb5901be5dd0b62e1a51dee6e57c9816e5f Reviewed-on: https://gerrit.libreoffice.org/73246 Tested-by: Jenkins Reviewed-by: Christian Lohmaier <lohmaier+LibreOffice@googlemail.com>
164 lines
6.2 KiB
Bash
Executable file
164 lines
6.2 KiB
Bash
Executable file
#!/bin/bash
|
|
|
|
# Exit on errors
|
|
set -e
|
|
# Use of unset variable is an error
|
|
set -u
|
|
# If any part of a pipeline of commands fails, the whole pipeline fails
|
|
set -o pipefail
|
|
|
|
# Script to sign executables, dylibs and frameworks in an app bundle plus the bundle itself. Called
|
|
# from installer::simplepackage::create_package() in solenv/bin/modules/installer/simplepackage.pm
|
|
# and the test-install target in Makefile.in.
|
|
|
|
test `uname` = Darwin || { echo This is for macOS only; exit 1; }
|
|
|
|
test $# = 1 || { echo Usage: $0 app-bundle; exit 1; }
|
|
|
|
for V in \
|
|
BUILDDIR \
|
|
MACOSX_BUNDLE_IDENTIFIER \
|
|
MACOSX_CODESIGNING_IDENTITY; do
|
|
if test -z "$(eval echo '$'$V)"; then
|
|
echo No '$'$V "environment variable! This should be run in a build only"
|
|
exit 1
|
|
fi
|
|
done
|
|
|
|
APP_BUNDLE="$1"
|
|
entitlements=
|
|
if test -n "$ENABLE_MACOSX_SANDBOX"; then
|
|
# In a sandboxed build executables need the entitlements
|
|
entitlements="--entitlements $BUILDDIR/lo.xcent"
|
|
# We use --enable-canonical-installation-tree-structure so all
|
|
# data files in Resources are included in the app bundle signature
|
|
# through that. I think.
|
|
other_files=''
|
|
else
|
|
# We then want to sign data files, too, hmm.
|
|
entitlements="--entitlements $SRCDIR/hardened_runtime.xcent"
|
|
other_files="\
|
|
-or -name '*.fodt' -or -name 'schema.strings' -or -name 'schema.xml' \
|
|
-or -name '*.jar' -or -name 'LICENSE' -or -name 'LICENSE.html' \
|
|
-or -name '*.applescript' -or -name '*.odt'"
|
|
fi
|
|
|
|
# Sign jnilibs first as workaround for signing issue on old baseline
|
|
# order matters/screws things up otherwise
|
|
find -d "$APP_BUNDLE" \( -name '*.jnilib' \) ! -type l |
|
|
while read file; do
|
|
id=`echo ${file#${APP_BUNDLE}/Contents/} | sed -e 's,/,.,g'`
|
|
codesign --verbose --force --identifier=$MACOSX_BUNDLE_IDENTIFIER.$id --sign "$MACOSX_CODESIGNING_IDENTITY" "$file" > "/tmp/codesign_$(basename "$file").log" 2>&1
|
|
if [ "$?" != "0" ] ; then
|
|
exit 1
|
|
fi
|
|
rm "/tmp/codesign_$(basename "$file").log"
|
|
done
|
|
|
|
# Sign dylibs
|
|
#
|
|
# The dylibs in the Python framework are called *.so. Go figure
|
|
#
|
|
# On Mavericks also would like to have data files signed...
|
|
# add some where it makes sense. Make a depth-first search to sign the contents
|
|
# of e.g. the spotlight plugin before attempting to sign the plugin itself
|
|
|
|
find "$APP_BUNDLE" \( -name '*.dylib' -or -name '*.dylib.*' -or -name '*.so' \
|
|
$other_files \) ! -type l |
|
|
while read file; do
|
|
id=`echo ${file#${APP_BUNDLE}/Contents/} | sed -e 's,/,.,g'`
|
|
codesign --verbose --force --identifier=$MACOSX_BUNDLE_IDENTIFIER.$id --sign "$MACOSX_CODESIGNING_IDENTITY" "$file" > "/tmp/codesign_$(basename "$file").log" 2>&1
|
|
if [ "$?" != "0" ] ; then
|
|
exit 1
|
|
fi
|
|
rm "/tmp/codesign_$(basename "$file").log"
|
|
done
|
|
|
|
# Sign included bundles. First .app ones (i.e. the Python.app inside
|
|
# the LibreOfficePython.framework. Be generic for kicks...)
|
|
|
|
find "$APP_BUNDLE"/Contents -name '*.app' -type d |
|
|
while read app; do
|
|
fn=`basename "$app"`
|
|
fn=${fn%.*}
|
|
# Assume the app has a XML (and not binary) Info.plist
|
|
id=`grep -A 1 '<key>CFBundleIdentifier</key>' $app/Contents/Info.plist | tail -1 | sed -e 's,.*<string>,,' -e 's,</string>.*,,'`
|
|
codesign --verbose --options=runtime --force --identifier=$id --sign "$MACOSX_CODESIGNING_IDENTITY" $entitlements "$app" > "/tmp/codesign_${fn}.log" 2>&1
|
|
if [ "$?" != "0" ] ; then
|
|
exit 1
|
|
fi
|
|
rm "/tmp/codesign_${fn}.log"
|
|
done
|
|
|
|
# Then .framework ones. Again, be generic just for kicks.
|
|
|
|
find "$APP_BUNDLE" -name '*.framework' -type d |
|
|
while read framework; do
|
|
fn=`basename "$framework"`
|
|
fn=${fn%.*}
|
|
for version in "$framework"/Versions/*; do
|
|
if test ! -L "$version" -a -d "$version"; then
|
|
# Assume the framework has a XML (and not binary) Info.plist
|
|
id=`grep -A 1 '<key>CFBundleIdentifier</key>' $version/Resources/Info.plist | tail -1 | sed -e 's,.*<string>,,' -e 's,</string>.*,,'`
|
|
# files in bin are not covered by signing the framework...
|
|
for scriptorexecutable in $(find $version/bin/ -type f); do
|
|
codesign --verbose --options=runtime --force --identifier=$id --sign "$MACOSX_CODESIGNING_IDENTITY" "$scriptorexecutable" >> "/tmp/codesign_${fn}.log" 2>&1
|
|
done
|
|
codesign --verbose --force --identifier=$id --sign "$MACOSX_CODESIGNING_IDENTITY" "$version" >> "/tmp/codesign_${fn}.log" 2>&1
|
|
if [ "$?" != "0" ] ; then
|
|
exit 1
|
|
fi
|
|
rm "/tmp/codesign_${fn}.log"
|
|
fi
|
|
done
|
|
done
|
|
|
|
# Then mdimporters
|
|
|
|
find "$APP_BUNDLE" -name '*.mdimporter' -type d |
|
|
while read bundle; do
|
|
codesign --verbose --force --prefix=$MACOSX_BUNDLE_IDENTIFIER. --sign "$MACOSX_CODESIGNING_IDENTITY" "$bundle" > "/tmp/codesign_$(basename "${bundle}").log" 2>&1
|
|
if [ "$?" != "0" ] ; then
|
|
exit 1
|
|
fi
|
|
rm "/tmp/codesign_$(basename "${bundle}").log"
|
|
done
|
|
|
|
# Sign executables
|
|
|
|
find "$APP_BUNDLE/Contents/MacOS" -type f |
|
|
while read file; do
|
|
case "$file" in
|
|
*/soffice)
|
|
;;
|
|
*)
|
|
id=`echo ${file#${APP_BUNDLE}/Contents/} | sed -e 's,/,.,g'`
|
|
codesign --force --verbose --options=runtime --identifier=$MACOSX_BUNDLE_IDENTIFIER.$id --sign "$MACOSX_CODESIGNING_IDENTITY" $entitlements "$file" > "/tmp/codesign_${MACOSX_BUNDLE_IDENTIFIER}.${id}.log" 2>&1
|
|
if [ "$?" != "0" ] ; then
|
|
exit 1
|
|
fi
|
|
rm "/tmp/codesign_${MACOSX_BUNDLE_IDENTIFIER}.${id}.log"
|
|
;;
|
|
esac
|
|
done
|
|
|
|
# Sign the app bundle as a whole which means (re-)signing the
|
|
# CFBundleExecutable from Info.plist, i.e. soffice, plus the contents
|
|
# of the Resources tree (which unless you used
|
|
# --enable-canonical-installation-tree-structure is not much, far from
|
|
# all of our non-code "resources").
|
|
#
|
|
# At this stage we also attach the entitlements in the sandboxing case
|
|
#
|
|
# Also omit some files from the Bundle's seal via the resource-rules
|
|
# (bootstraprc and similar that the user might adjust and image files)
|
|
# See also https://developer.apple.com/library/mac/technotes/tn2206/
|
|
|
|
id=`echo ${PRODUCTNAME} | tr ' ' '-'`
|
|
|
|
codesign --force --verbose --options=runtime --identifier="${MACOSX_BUNDLE_IDENTIFIER}" --sign "$MACOSX_CODESIGNING_IDENTITY" $entitlements "$APP_BUNDLE" > "/tmp/codesign_${MACOSX_BUNDLE_IDENTIFIER}.log" 2>&1
|
|
if [ "$?" != "0" ] ; then
|
|
exit 1
|
|
fi
|
|
rm "/tmp/codesign_${MACOSX_BUNDLE_IDENTIFIER}.log"
|
|
exit 0
|