OS X codesign

Change-Id: I71d49b20a7ce96bbbbe3d130a8e8230c7afc0351

OS X codesign
Change-Id: I71d49b20a7ce96bbbbe3d130a8e8230c7afc0351
58fca586 · Andras Timar · 8ae0c053 · 58fca586
Kaydet (Commit) 58fca586 authored Eki 27, 2015 tarafından Andras Timar
Hide whitespace changes
Inline Side-by-side

Showing with 65 additions and 59 deletions

macosx-codesign-app-bundle solenv/bin/macosx-codesign-app-bundle +65 -59

No files found.
--- a/solenv/bin/macosx-codesign-app-bundle
+++ b/solenv/bin/macosx-codesign-app-bundle
 #!/bin/bash
-# Script to sign dylibs and frameworks in an app bundle plus the
+# Script to sign executables, dylibs and frameworks in an app bundle
-# bundle itself. Called from
+# plus the bundle itself. Called from
-# installer::simplepackage::create_package() in
+# the test-install target in Makefile.in
-# solenv/bin/modules/installer/simplepackage.pm
 test `uname` = Darwin || { echo This is for OS X only; exit 1; }
@@ -19,90 +18,97 @@ for V in \
    fi
 done
-echo "codesigning using MACSOX_CODESIGNING_IDENTITY=[${MACOSX_CODESIGNING_IDENTITY?}]"
 APP_BUNDLE="$1"
+if test -n "$ENABLE_MACOSX_SANDBOX"; then
+    # In a sandboxed build executables need the entitlements
+    entitlements="--entitlements $BUILDDIR/lo.xcent"
+    # We use --enable-canonical-installation-tree-structure so all
+    # data files in Resources are included in the app bundle signature
+    # through that. I think.
+    other_files=''
+else
+    # In a non-sandboxed build (distributed outside the App Store)
+    # we traditionally have use --resource-rules. Let's not touch that?
+    resource_rules="--resource-rules $SRCDIR/setup_native/source/mac/CodesignRules.plist"
+    # And there we then want to sign data files, too, hmm.
+    other_files="\
+ -or -name '*.fodt' -or -name 'schema.strings' -or -name 'schema.xml' \
+ -or -name '*.jar' -or -name '*.jnilib' -or -name 'LICENSE' -or -name 'LICENSE.html' \
+ -or -name '*.applescript' -or -name '*.odt'"
+fi
 # Sign dylibs
 #
-# Executables get signed right after linking, see
-# solenv/gbuild/platform/macosx.mk. But many of our dylibs are built
-# by ad-hoc or 3rd-party mechanisms, so we can't easily sign them
-# right after linking. So do it here.
-#
 # The dylibs in the Python framework are called *.so. Go figure
 #
 # On Mavericks also would like to have data files signed...
 # add some where it makes sense. Make a depth-first search to sign the contents
 # of e.g. the spotlight plugin before attempting to sign the plugin itself
-find -d "$APP_BUNDLE" \( -name '*.dylib' -or -name '*.so' -or -name '*.fodt' \
+find "$APP_BUNDLE" \( -name '*.dylib' -or -name '*.dylib.*' -or -name '*.so' \
-        -or -name 'schema.strings' -or -name 'schema.xml' -or -name '*.mdimporter' \
+        $other_files \) ! -type l |
-        -or -name '*.jar' -or -name '*.jnilib' -or -name 'LICENSE' -or -name 'LICENSE.html' \
-        -or -name '*.applescript' \) ! -type l | grep -v "LibreOfficePython\.framework" | \
 while read file; do
    id=`echo ${file#${APP_BUNDLE}/Contents/} | sed -e 's,/,.,g'`
-    codesign --verbose --identifier=$MACOSX_BUNDLE_IDENTIFIER.$id --sign "$MACOSX_CODESIGNING_IDENTITY" "$file" || exit 1
+    codesign --verbose --identifier=$MACOSX_BUNDLE_IDENTIFIER.$id --sign "$MACOSX_CODESIGNING_IDENTITY" "$file"
 done
-find $APP_BUNDLE -name '*.dylib.*' ! -type l | \
+# Sign executables
-while read dylib; do \
-    id=`basename "$dylib"`; \
+find "$APP_BUNDLE/Contents/MacOS" -type f |
-    id=`echo $id | sed -e 's/dylib.*/dylib/'`; \
+while read file; do
-    codesign --verbose --identifier=$MACOSX_BUNDLE_IDENTIFIER.$id --sign "$MACOSX_CODESIGNING_IDENTITY" "$dylib" || exit 1
+    id=`echo ${file#${APP_BUNDLE}/Contents/} | sed -e 's,/,.,g'`
+    codesign --force --verbose --identifier=$MACOSX_BUNDLE_IDENTIFIER.$id --sign "$MACOSX_CODESIGNING_IDENTITY" $entitlements "$file"
 done
-# The executables have already been signed by
+# Sign included bundles. First .app ones (i.e. the Python.app inside
-# gb_LinkTarget__command_dynamiclink in
+# the LibreOfficePython.framework. Be generic for kicks...)
-# solenv/gbuild/platform/macosx.mk, but sign the handful of scripts remaining
-# in MacOS
+find "$APP_BUNDLE" -name '*.app' -type d |
-# (<https://developer.apple.com/library/mac/technotes/tn2206/_index.html> "OS X
+while read app; do
-# Code Signing In Depth" suggests we should get rid of them rather sooner than
+    fn=`basename "$app"`
-# later, but they appear to be OK for now):
+    fn=${fn%.*}
+    # Assume the app has a XML (and not binary) Info.plist
-for i in gengal python senddoc unoinfo
+    id=`grep -A 1 '<key>CFBundleIdentifier</key>' $app/Contents/Info.plist | tail -1 | sed -e 's,.*<string>,,' -e 's,</string>.*,,'`
-do
+    codesign --verbose --identifier=$id --sign "$MACOSX_CODESIGNING_IDENTITY" $entitlements "$app"
-    if [ -f "$APP_BUNDLE/Contents/MacOS/$i" ]
-    then
-        codesign --verbose --identifier="$MACOSX_BUNDLE_IDENTIFIER.$i" \
-            --sign "$MACOSX_CODESIGNING_IDENTITY" "$APP_BUNDLE/Contents/MacOS/$i" \
-        || exit 1
-    fi
 done
-# Sign frameworks.
+# Then .framework ones. Again, be generic just for kicks.
-#
-# Yeah, we don't bundle any other framework than our Python one, and
-# it has just one version, so this generic search is mostly for
-# completeness.
-for framework in `find $APP_BUNDLE -name '*.framework' -type d`; do \
+find "$APP_BUNDLE" -name '*.framework' -type d |
-    fn="$(basename $framework)"
+while read framework; do
+    fn=`basename "$framework"`
    fn=${fn%.*}
-    for version in $framework/Versions/*; do \
+    for version in "$framework"/Versions/*; do
-        if test ! -L $version -a -d $version; then
+        if test ! -L "$version" -a -d "$version"; then
-            codesign --force --verbose --prefix=$MACOSX_BUNDLE_IDENTIFIER. --sign "$MACOSX_CODESIGNING_IDENTITY" $version/$fn || exit 1
+	    # Assume the framework has a XML (and not binary) Info.plist
-            codesign --force --verbose --prefix=$MACOSX_BUNDLE_IDENTIFIER. --sign "$MACOSX_CODESIGNING_IDENTITY" $version || exit 1
+	    id=`grep -A 1 '<key>CFBundleIdentifier</key>' $version/Resources/Info.plist | tail -1 | sed -e 's,.*<string>,,' -e 's,</string>.*,,'`
-        fi; \
+            codesign --verbose --identifier=$id --sign "$MACOSX_CODESIGNING_IDENTITY" "$version"
-    done; \
+        fi
+    done
+done
+# Then mdimporters
+find "$APP_BUNDLE" -name '*.mdimporter' -type d |
+while read bundle; do
+    codesign --verbose --prefix=$MACOSX_BUNDLE_IDENTIFIER. --sign "$MACOSX_CODESIGNING_IDENTITY" "$bundle"
 done
-# Sign the app bundle as a whole which means finally signing the
+# Sign the app bundle as a whole which means (re-)signing the
-# CFBundleExecutable from Info.plist, i.e. soffice (which is exempted from the
+# CFBundleExecutable from Info.plist, i.e. soffice, plus the contents
-# on-the-go executable signing in gb_LinkTarget__command_dynamiclink in
-# solenv/gbuild/platform/macosx.mk), plus the contents
 # of the Resources tree (which unless you used
 # --enable-canonical-installation-tree-structure is not much, far from
 # all of our non-code "resources").
 #
 # At this stage we also attach the entitlements in the sandboxing case
+#
+# Also omit some files from the Bundle's seal via the resource-rules
+# (bootstraprc and similar that the user might adjust and image files)
+# See also https://developer.apple.com/library/mac/technotes/tn2206/
 id=`echo ${MACOSX_APP_NAME} | tr ' ' '-'`
-if test -n "$ENABLE_MACOSX_SANDBOX"; then
+codesign --force --verbose --identifier="${MACOSX_BUNDLE_IDENTIFIER}" $resource_rules --sign "$MACOSX_CODESIGNING_IDENTITY" $entitlements "$APP_BUNDLE"
-    entitlements="--entitlements $BUILDDIR/lo.xcent"
-fi
-codesign --force --verbose --identifier="${MACOSX_BUNDLE_IDENTIFIER}.$id" --sign "$MACOSX_CODESIGNING_IDENTITY" $entitlements $APP_BUNDLE || exit 1
 exit 0