diff options
Diffstat (limited to 'solenv/bin/macosx-codesign-app-bundle')
-rwxr-xr-x | solenv/bin/macosx-codesign-app-bundle | 135 |
1 files changed, 135 insertions, 0 deletions
diff --git a/solenv/bin/macosx-codesign-app-bundle b/solenv/bin/macosx-codesign-app-bundle new file mode 100755 index 000000000..e569aef24 --- /dev/null +++ b/solenv/bin/macosx-codesign-app-bundle @@ -0,0 +1,135 @@ +#!/usr/bin/env bash + +# Use of unset variable is an error +set -u +# If any part of a pipeline of commands fails, the whole pipeline fails +set -o pipefail + +# Script to sign executables, dylibs and frameworks in an app bundle plus the bundle itself. Called +# from installer::simplepackage::create_package() in solenv/bin/modules/installer/simplepackage.pm +# and the test-install target in Makefile.in. + +test `uname` = Darwin || { echo This is for macOS only; exit 1; } + +test $# = 1 || { echo Usage: $0 app-bundle; exit 1; } + +for V in \ + BUILDDIR \ + MACOSX_BUNDLE_IDENTIFIER \ + MACOSX_CODESIGNING_IDENTITY; do + if test -z "$(eval echo '$'$V)"; then + echo No '$'$V "environment variable! This should be run in a build only" + exit 1 + fi +done + +APP_BUNDLE="$1" +entitlements= +application_identifier= +if test -n "$ENABLE_MACOSX_SANDBOX"; then + # In a sandboxed build executables need the entitlements + entitlements="--entitlements $BUILDDIR/lo.xcent" + application_identifier=`/usr/libexec/PlistBuddy -c "print com.apple.application-identifier" $BUILDDIR/lo.xcent` + # remove the key from the entitlement - only use it when signing the whole bundle in the final step + /usr/libexec/PlistBuddy -c "delete com.apple.application-identifier" $BUILDDIR/lo.xcent + # All data files are in Resources and included in the app bundle signature + other_files='' + # HACK: remove donate menu entries, need to support apple-pay and be verified + # as non profit as a bare minimum to allow asking.... + sed -I "" -e '\#<menu:menuitem menu:id=".uno:Donation"/>#d' $APP_BUNDLE/Contents/Resources/config/soffice.cfg/modules/*/menubar/menubar.xml +else + # We then want to sign data files, too, hmm. + entitlements="--entitlements $BUILDDIR/hardened_runtime.xcent" + other_files="\ + -or -name '*.fodt' -or -name 'schema.strings' -or -name 'schema.xml' \ + -or -name '*.jar' -or -name 'LICENSE' -or -name 'LICENSE.html' \ + -or -name '*.applescript' -or -name '*.odt'" +fi + +# Sign jnilibs first as workaround for signing issue on old baseline +# order matters/screws things up otherwise +find -d "$APP_BUNDLE" \( -name '*.jnilib' \) ! -type l | + while read file; do + id=`echo ${file#${APP_BUNDLE}/Contents/} | sed -e 's,/,.,g'` + codesign --force --identifier=$MACOSX_BUNDLE_IDENTIFIER.$id --sign "$MACOSX_CODESIGNING_IDENTITY" "$file" || exit 1 +done + +# Sign dylibs +# +# The dylibs in the Python framework are called *.so. Go figure +# +# On Mavericks also would like to have data files signed... +# add some where it makes sense. Make a depth-first search to sign the contents +# of e.g. the spotlight plugin before attempting to sign the plugin itself + +find "$APP_BUNDLE" \( -name '*.dylib' -or -name '*.dylib.*' -or -name '*.so' \ + $other_files \) ! -type l | +while read file; do + id=`echo ${file#${APP_BUNDLE}/Contents/} | sed -e 's,/,.,g'` + codesign --force --identifier=$MACOSX_BUNDLE_IDENTIFIER.$id --sign "$MACOSX_CODESIGNING_IDENTITY" "$file" || exit 1 +done + +# Sign included bundles. First .app ones (i.e. the Python.app inside +# the LibreOfficePython.framework. Be generic for kicks...) + +find "$APP_BUNDLE"/Contents -name '*.app' -type d | +while read app; do + # Assume the app has a XML (and not binary) Info.plist + id=`grep -A 1 '<key>CFBundleIdentifier</key>' $app/Contents/Info.plist | tail -1 | sed -e 's,.*<string>,,' -e 's,</string>.*,,'` + codesign --options=runtime --force --identifier=$id --sign "$MACOSX_CODESIGNING_IDENTITY" $entitlements "$app" || exit 1 +done + +# Then .framework ones. Again, be generic just for kicks. + +find "$APP_BUNDLE" -name '*.framework' -type d | +while read framework; do + for version in "$framework"/Versions/*; do + if test ! -L "$version" -a -d "$version"; then + # Assume the framework has a XML (and not binary) Info.plist + id=`grep -A 1 '<key>CFBundleIdentifier</key>' $version/Resources/Info.plist | tail -1 | sed -e 's,.*<string>,,' -e 's,</string>.*,,'` + if test -d $version/bin; then + # files in bin are not covered by signing the framework... + for scriptorexecutable in $(find $version/bin/ -type f); do + codesign --options=runtime --force --identifier=$id --sign "$MACOSX_CODESIGNING_IDENTITY" "$scriptorexecutable" || exit 1 + done + fi + codesign --force --identifier=$id --sign "$MACOSX_CODESIGNING_IDENTITY" "$version" || exit 1 + fi + done +done + +# Then mdimporters + +find "$APP_BUNDLE" -name '*.mdimporter' -type d | +while read bundle; do + codesign --force --prefix=$MACOSX_BUNDLE_IDENTIFIER. --sign "$MACOSX_CODESIGNING_IDENTITY" "$bundle" || exit 1 +done + +# Sign executables + +find "$APP_BUNDLE/Contents/MacOS" -type f | +while read file; do + case "$file" in + */soffice) + ;; + *) + id=`echo ${file#${APP_BUNDLE}/Contents/} | sed -e 's,/,.,g'` + codesign --force --options=runtime --identifier=$MACOSX_BUNDLE_IDENTIFIER.$id --sign "$MACOSX_CODESIGNING_IDENTITY" $entitlements "$file" || exit 1 + ;; + esac +done + +# Sign the app bundle as a whole which means (re-)signing the +# CFBundleExecutable from Info.plist, i.e. soffice, plus the contents +# of the Resources tree. +# +# See also https://developer.apple.com/library/mac/technotes/tn2206/ + +if test -n "$ENABLE_MACOSX_SANDBOX" && test -n "$application_identifier"; then + # add back the application-identifier to the entitlements + # testflight/beta-testing won't work if that key is used when signing the other executables + /usr/libexec/PlistBuddy -c "add com.apple.application-identifier string $application_identifier" $BUILDDIR/lo.xcent +fi +codesign --force --options=runtime --identifier="${MACOSX_BUNDLE_IDENTIFIER}" --sign "$MACOSX_CODESIGNING_IDENTITY" $entitlements "$APP_BUNDLE" || exit 1 + +exit 0 |