diff options
Diffstat (limited to 'solenv/bin/macosx-codesign-app-bundle')
| -rwxr-xr-x | solenv/bin/macosx-codesign-app-bundle | 161 |
1 files changed, 161 insertions, 0 deletions
diff --git a/solenv/bin/macosx-codesign-app-bundle b/solenv/bin/macosx-codesign-app-bundle new file mode 100755 index 000000000..2353032e3 --- /dev/null +++ b/solenv/bin/macosx-codesign-app-bundle @@ -0,0 +1,161 @@ +#!/bin/bash + +# Exit on errors +set -e +# Use of unset variable is an error +set -u +# If any part of a pipeline of commands fails, the whole pipeline fails +set -o pipefail + +# Script to sign executables, dylibs and frameworks in an app bundle plus the bundle itself. Called +# from installer::simplepackage::create_package() in solenv/bin/modules/installer/simplepackage.pm +# and the test-install target in Makefile.in. + +test `uname` = Darwin || { echo This is for macOS only; exit 1; } + +test $# = 1 || { echo Usage: $0 app-bundle; exit 1; } + +for V in \ + BUILDDIR \ + MACOSX_BUNDLE_IDENTIFIER \ + MACOSX_CODESIGNING_IDENTITY; do + if test -z "$(eval echo '$'$V)"; then + echo No '$'$V "environment variable! This should be run in a build only" + exit 1 + fi +done + +APP_BUNDLE="$1" +entitlements= +if test -n "$ENABLE_MACOSX_SANDBOX"; then + # In a sandboxed build executables need the entitlements + entitlements="--entitlements $BUILDDIR/lo.xcent" + # All data files are in Resources and included in the app bundle signature + # through that. I think. + other_files='' +else + # We then want to sign data files, too, hmm. + entitlements="--entitlements $BUILDDIR/hardened_runtime.xcent" + other_files="\ + -or -name '*.fodt' -or -name 'schema.strings' -or -name 'schema.xml' \ + -or -name '*.jar' -or -name 'LICENSE' -or -name 'LICENSE.html' \ + -or -name '*.applescript' -or -name '*.odt'" +fi + +# Sign jnilibs first as workaround for signing issue on old baseline +# order matters/screws things up otherwise +find -d "$APP_BUNDLE" \( -name '*.jnilib' \) ! -type l | + while read file; do + id=`echo ${file#${APP_BUNDLE}/Contents/} | sed -e 's,/,.,g'` + codesign --verbose --force --identifier=$MACOSX_BUNDLE_IDENTIFIER.$id --sign "$MACOSX_CODESIGNING_IDENTITY" "$file" > "/tmp/codesign_$(basename "$file").log" 2>&1 + if [ "$?" != "0" ] ; then + exit 1 + fi + rm "/tmp/codesign_$(basename "$file").log" +done + +# Sign dylibs +# +# The dylibs in the Python framework are called *.so. Go figure +# +# On Mavericks also would like to have data files signed... +# add some where it makes sense. Make a depth-first search to sign the contents +# of e.g. the spotlight plugin before attempting to sign the plugin itself + +find "$APP_BUNDLE" \( -name '*.dylib' -or -name '*.dylib.*' -or -name '*.so' \ + $other_files \) ! -type l | +while read file; do + id=`echo ${file#${APP_BUNDLE}/Contents/} | sed -e 's,/,.,g'` + codesign --verbose --force --identifier=$MACOSX_BUNDLE_IDENTIFIER.$id --sign "$MACOSX_CODESIGNING_IDENTITY" "$file" > "/tmp/codesign_$(basename "$file").log" 2>&1 + if [ "$?" != "0" ] ; then + exit 1 + fi + rm "/tmp/codesign_$(basename "$file").log" +done + +# Sign included bundles. First .app ones (i.e. the Python.app inside +# the LibreOfficePython.framework. Be generic for kicks...) + +find "$APP_BUNDLE"/Contents -name '*.app' -type d | +while read app; do + fn=`basename "$app"` + fn=${fn%.*} + # Assume the app has a XML (and not binary) Info.plist + id=`grep -A 1 '<key>CFBundleIdentifier</key>' $app/Contents/Info.plist | tail -1 | sed -e 's,.*<string>,,' -e 's,</string>.*,,'` + codesign --verbose --options=runtime --force --identifier=$id --sign "$MACOSX_CODESIGNING_IDENTITY" $entitlements "$app" > "/tmp/codesign_${fn}.log" 2>&1 + if [ "$?" != "0" ] ; then + exit 1 + fi + rm "/tmp/codesign_${fn}.log" +done + +# Then .framework ones. Again, be generic just for kicks. + +find "$APP_BUNDLE" -name '*.framework' -type d | +while read framework; do + fn=`basename "$framework"` + fn=${fn%.*} + for version in "$framework"/Versions/*; do + if test ! -L "$version" -a -d "$version"; then + # Assume the framework has a XML (and not binary) Info.plist + id=`grep -A 1 '<key>CFBundleIdentifier</key>' $version/Resources/Info.plist | tail -1 | sed -e 's,.*<string>,,' -e 's,</string>.*,,'` + # files in bin are not covered by signing the framework... + for scriptorexecutable in $(find $version/bin/ -type f); do + codesign --verbose --options=runtime --force --identifier=$id --sign "$MACOSX_CODESIGNING_IDENTITY" "$scriptorexecutable" >> "/tmp/codesign_${fn}.log" 2>&1 + done + codesign --verbose --force --identifier=$id --sign "$MACOSX_CODESIGNING_IDENTITY" "$version" >> "/tmp/codesign_${fn}.log" 2>&1 + if [ "$?" != "0" ] ; then + exit 1 + fi + rm "/tmp/codesign_${fn}.log" + fi + done +done + +# Then mdimporters + +find "$APP_BUNDLE" -name '*.mdimporter' -type d | +while read bundle; do + codesign --verbose --force --prefix=$MACOSX_BUNDLE_IDENTIFIER. --sign "$MACOSX_CODESIGNING_IDENTITY" "$bundle" > "/tmp/codesign_$(basename "${bundle}").log" 2>&1 + if [ "$?" != "0" ] ; then + exit 1 + fi + rm "/tmp/codesign_$(basename "${bundle}").log" +done + +# Sign executables + +find "$APP_BUNDLE/Contents/MacOS" -type f | +while read file; do + case "$file" in + */soffice) + ;; + *) + id=`echo ${file#${APP_BUNDLE}/Contents/} | sed -e 's,/,.,g'` + codesign --force --verbose --options=runtime --identifier=$MACOSX_BUNDLE_IDENTIFIER.$id --sign "$MACOSX_CODESIGNING_IDENTITY" $entitlements "$file" > "/tmp/codesign_${MACOSX_BUNDLE_IDENTIFIER}.${id}.log" 2>&1 + if [ "$?" != "0" ] ; then + exit 1 + fi + rm "/tmp/codesign_${MACOSX_BUNDLE_IDENTIFIER}.${id}.log" + ;; + esac +done + +# Sign the app bundle as a whole which means (re-)signing the +# CFBundleExecutable from Info.plist, i.e. soffice, plus the contents +# of the Resources tree. +# +# At this stage we also attach the entitlements in the sandboxing case +# +# Also omit some files from the Bundle's seal via the resource-rules +# (bootstraprc and similar that the user might adjust and image files) +# See also https://developer.apple.com/library/mac/technotes/tn2206/ + +id=`echo ${PRODUCTNAME} | tr ' ' '-'` + +codesign --force --verbose --options=runtime --identifier="${MACOSX_BUNDLE_IDENTIFIER}" --sign "$MACOSX_CODESIGNING_IDENTITY" $entitlements "$APP_BUNDLE" > "/tmp/codesign_${MACOSX_BUNDLE_IDENTIFIER}.log" 2>&1 +if [ "$?" != "0" ] ; then + exit 1 +fi +rm "/tmp/codesign_${MACOSX_BUNDLE_IDENTIFIER}.log" +exit 0 |