41f2ebfbaa
The documentation is a bit unclear yet, but I think it is safe to assume that Apple strongly wants sandboxed apps to have what we call ENABLE_MACOSX_MACLIKE_APP_STRUCTURE and to be signed without any special resource rules. Change-Id: I1409ccb6a3f9086d01af6ff318fe28536c1cebef
102 lines
3.9 KiB
Bash
Executable file
102 lines
3.9 KiB
Bash
Executable file
#!/bin/bash
|
|
|
|
# Script to sign dylibs and frameworks in an app bundle plus the
|
|
# bundle itself. Called from
|
|
# installer::simplepackage::create_package() in
|
|
# solenv/bin/modules/installer/simplepackage.pm
|
|
|
|
test `uname` = Darwin || { echo This is for OS X only; exit 1; }
|
|
|
|
test $# = 1 || { echo Usage: $0 app-bundle; exit 1; }
|
|
|
|
for V in \
|
|
BUILDDIR \
|
|
MACOSX_BUNDLE_IDENTIFIER \
|
|
MACOSX_CODESIGNING_IDENTITY; do
|
|
if test -z "$(eval echo '$'$V)"; then
|
|
echo No '$'$V "environment variable! This should be run in a build only"
|
|
exit 1
|
|
fi
|
|
done
|
|
|
|
echo "codesigning using MACSOX_CODESIGNING_IDENTITY=[${MACOSX_CODESIGNING_IDENTITY?}]"
|
|
|
|
APP_BUNDLE="$1"
|
|
|
|
# Sign dylibs
|
|
#
|
|
# Executables get signed right after linking, see
|
|
# solenv/gbuild/platform/macosx.mk. But many of our dylibs are built
|
|
# by ad-hoc or 3rd-party mechanisms, so we can't easily sign them
|
|
# right after linking. So do it here.
|
|
#
|
|
# The dylibs in the Python framework are called *.so. Go figure
|
|
#
|
|
# First sign all files that can use the default identifier in the hope
|
|
# that codesign will contact the timestamp server just once for all
|
|
# mentioned on the command line.
|
|
#
|
|
# On Mavericks also would like to have data files signed...
|
|
# add some where it makes sense. Make a depth-first search to sign the contents
|
|
# of e.g. the spotlight plugin before attempting to sign the plugin itself
|
|
|
|
find -d "$APP_BUNDLE" \( -name '*.dylib' -or -name '*.so' -or -name '*.fodt' \
|
|
-or -name 'schema.strings' -or -name 'schema.xml' -or -name '*.mdimporter' \
|
|
-or -name '*.jar' -or -name '*.jnilib' -or -name 'LICENSE' -or -name 'LICENSE.html' \
|
|
-or -name '*.applescript' \) ! -type l | grep -v "LibreOfficePython\.framework" | \
|
|
while read file; do
|
|
id=`echo ${file#${APP_BUNDLE}/Contents/} | sed -e 's,/,.,g'`
|
|
codesign --verbose --identifier=$MACOSX_BUNDLE_IDENTIFIER.$id --sign "$MACOSX_CODESIGNING_IDENTITY" "$file"
|
|
done
|
|
|
|
find $APP_BUNDLE -name '*.dylib.*' ! -type l | \
|
|
while read dylib; do \
|
|
id=`basename "$dylib"`; \
|
|
id=`echo $id | sed -e 's/dylib.*/dylib/'`; \
|
|
codesign --verbose --identifier=$MACOSX_BUNDLE_IDENTIFIER.$id --sign "$MACOSX_CODESIGNING_IDENTITY" "$dylib"; \
|
|
done
|
|
|
|
# The executables have already been signed by
|
|
# gb_LinkTarget__command_dynamiclink in
|
|
# solenv/gbuild/platform/macosx.mk.
|
|
|
|
# Sign frameworks.
|
|
#
|
|
# Yeah, we don't bundle any other framework than our Python one, and
|
|
# it has just one version, so this generic search is mostly for
|
|
# completeness.
|
|
|
|
for framework in `find $APP_BUNDLE -name '*.framework' -type d`; do \
|
|
fn="$(basename $framework)"
|
|
fn=${fn%.*}
|
|
for version in $framework/Versions/*; do \
|
|
if test ! -L $version -a -d $version; then
|
|
codesign --force --verbose --prefix=$MACOSX_BUNDLE_IDENTIFIER. --sign "$MACOSX_CODESIGNING_IDENTITY" $version/$fn
|
|
codesign --force --verbose --prefix=$MACOSX_BUNDLE_IDENTIFIER. --sign "$MACOSX_CODESIGNING_IDENTITY" $version
|
|
fi; \
|
|
done; \
|
|
done
|
|
|
|
# Sign the app bundle as a whole which means (re-)signing the
|
|
# CFBundleExecutable from Info.plist, i.e. soffice, plus the contents
|
|
# of the Resources tree (which unless you used
|
|
# --enable-canonical-installation-tree-structure is not much, far from
|
|
# all of our non-code "resources").
|
|
#
|
|
# At this stage we also attach the entitlements in the sandboxing case
|
|
#
|
|
# Also omit some files from the Bunlde's seal via the resource-rules
|
|
# (bootstraprc and similar that the user might adjust and image files)
|
|
# See also https://developer.apple.com/library/mac/technotes/tn2206/
|
|
|
|
id=`echo ${MACOSX_APP_NAME} | tr ' ' '-'`
|
|
|
|
if test -n "$ENABLE_MACOSX_SANDBOX"; then
|
|
entitlements="--entitlements $BUILDDIR/lo.xcent"
|
|
else
|
|
resource_rules="--resource-rules $SRCDIR/setup_native/source/mac/CodesignRules.plist"
|
|
fi
|
|
|
|
codesign --force --verbose --identifier="${MACOSX_BUNDLE_IDENTIFIER}.$id" $resource_rules --sign "$MACOSX_CODESIGNING_IDENTITY" $entitlements $APP_BUNDLE
|
|
|
|
exit 0
|