summaryrefslogtreecommitdiffstats
path: root/solenv/bin/macosx-codesign-app-bundle
diff options
context:
space:
mode:
Diffstat (limited to '')
-rwxr-xr-xsolenv/bin/macosx-codesign-app-bundle135
1 files changed, 135 insertions, 0 deletions
diff --git a/solenv/bin/macosx-codesign-app-bundle b/solenv/bin/macosx-codesign-app-bundle
new file mode 100755
index 000000000..e569aef24
--- /dev/null
+++ b/solenv/bin/macosx-codesign-app-bundle
@@ -0,0 +1,135 @@
+#!/usr/bin/env bash
+
+# Use of unset variable is an error
+set -u
+# If any part of a pipeline of commands fails, the whole pipeline fails
+set -o pipefail
+
+# Script to sign executables, dylibs and frameworks in an app bundle plus the bundle itself. Called
+# from installer::simplepackage::create_package() in solenv/bin/modules/installer/simplepackage.pm
+# and the test-install target in Makefile.in.
+
+test `uname` = Darwin || { echo This is for macOS only; exit 1; }
+
+test $# = 1 || { echo Usage: $0 app-bundle; exit 1; }
+
+for V in \
+ BUILDDIR \
+ MACOSX_BUNDLE_IDENTIFIER \
+ MACOSX_CODESIGNING_IDENTITY; do
+ if test -z "$(eval echo '$'$V)"; then
+ echo No '$'$V "environment variable! This should be run in a build only"
+ exit 1
+ fi
+done
+
+APP_BUNDLE="$1"
+entitlements=
+application_identifier=
+if test -n "$ENABLE_MACOSX_SANDBOX"; then
+ # In a sandboxed build executables need the entitlements
+ entitlements="--entitlements $BUILDDIR/lo.xcent"
+ application_identifier=`/usr/libexec/PlistBuddy -c "print com.apple.application-identifier" $BUILDDIR/lo.xcent`
+ # remove the key from the entitlement - only use it when signing the whole bundle in the final step
+ /usr/libexec/PlistBuddy -c "delete com.apple.application-identifier" $BUILDDIR/lo.xcent
+ # All data files are in Resources and included in the app bundle signature
+ other_files=''
+ # HACK: remove donate menu entries, need to support apple-pay and be verified
+ # as non profit as a bare minimum to allow asking....
+ sed -I "" -e '\#<menu:menuitem menu:id=".uno:Donation"/>#d' $APP_BUNDLE/Contents/Resources/config/soffice.cfg/modules/*/menubar/menubar.xml
+else
+ # We then want to sign data files, too, hmm.
+ entitlements="--entitlements $BUILDDIR/hardened_runtime.xcent"
+ other_files="\
+ -or -name '*.fodt' -or -name 'schema.strings' -or -name 'schema.xml' \
+ -or -name '*.jar' -or -name 'LICENSE' -or -name 'LICENSE.html' \
+ -or -name '*.applescript' -or -name '*.odt'"
+fi
+
+# Sign jnilibs first as workaround for signing issue on old baseline
+# order matters/screws things up otherwise
+find -d "$APP_BUNDLE" \( -name '*.jnilib' \) ! -type l |
+ while read file; do
+ id=`echo ${file#${APP_BUNDLE}/Contents/} | sed -e 's,/,.,g'`
+ codesign --force --identifier=$MACOSX_BUNDLE_IDENTIFIER.$id --sign "$MACOSX_CODESIGNING_IDENTITY" "$file" || exit 1
+done
+
+# Sign dylibs
+#
+# The dylibs in the Python framework are called *.so. Go figure
+#
+# On Mavericks also would like to have data files signed...
+# add some where it makes sense. Make a depth-first search to sign the contents
+# of e.g. the spotlight plugin before attempting to sign the plugin itself
+
+find "$APP_BUNDLE" \( -name '*.dylib' -or -name '*.dylib.*' -or -name '*.so' \
+ $other_files \) ! -type l |
+while read file; do
+ id=`echo ${file#${APP_BUNDLE}/Contents/} | sed -e 's,/,.,g'`
+ codesign --force --identifier=$MACOSX_BUNDLE_IDENTIFIER.$id --sign "$MACOSX_CODESIGNING_IDENTITY" "$file" || exit 1
+done
+
+# Sign included bundles. First .app ones (i.e. the Python.app inside
+# the LibreOfficePython.framework. Be generic for kicks...)
+
+find "$APP_BUNDLE"/Contents -name '*.app' -type d |
+while read app; do
+ # Assume the app has a XML (and not binary) Info.plist
+ id=`grep -A 1 '<key>CFBundleIdentifier</key>' $app/Contents/Info.plist | tail -1 | sed -e 's,.*<string>,,' -e 's,</string>.*,,'`
+ codesign --options=runtime --force --identifier=$id --sign "$MACOSX_CODESIGNING_IDENTITY" $entitlements "$app" || exit 1
+done
+
+# Then .framework ones. Again, be generic just for kicks.
+
+find "$APP_BUNDLE" -name '*.framework' -type d |
+while read framework; do
+ for version in "$framework"/Versions/*; do
+ if test ! -L "$version" -a -d "$version"; then
+ # Assume the framework has a XML (and not binary) Info.plist
+ id=`grep -A 1 '<key>CFBundleIdentifier</key>' $version/Resources/Info.plist | tail -1 | sed -e 's,.*<string>,,' -e 's,</string>.*,,'`
+ if test -d $version/bin; then
+ # files in bin are not covered by signing the framework...
+ for scriptorexecutable in $(find $version/bin/ -type f); do
+ codesign --options=runtime --force --identifier=$id --sign "$MACOSX_CODESIGNING_IDENTITY" "$scriptorexecutable" || exit 1
+ done
+ fi
+ codesign --force --identifier=$id --sign "$MACOSX_CODESIGNING_IDENTITY" "$version" || exit 1
+ fi
+ done
+done
+
+# Then mdimporters
+
+find "$APP_BUNDLE" -name '*.mdimporter' -type d |
+while read bundle; do
+ codesign --force --prefix=$MACOSX_BUNDLE_IDENTIFIER. --sign "$MACOSX_CODESIGNING_IDENTITY" "$bundle" || exit 1
+done
+
+# Sign executables
+
+find "$APP_BUNDLE/Contents/MacOS" -type f |
+while read file; do
+ case "$file" in
+ */soffice)
+ ;;
+ *)
+ id=`echo ${file#${APP_BUNDLE}/Contents/} | sed -e 's,/,.,g'`
+ codesign --force --options=runtime --identifier=$MACOSX_BUNDLE_IDENTIFIER.$id --sign "$MACOSX_CODESIGNING_IDENTITY" $entitlements "$file" || exit 1
+ ;;
+ esac
+done
+
+# Sign the app bundle as a whole which means (re-)signing the
+# CFBundleExecutable from Info.plist, i.e. soffice, plus the contents
+# of the Resources tree.
+#
+# See also https://developer.apple.com/library/mac/technotes/tn2206/
+
+if test -n "$ENABLE_MACOSX_SANDBOX" && test -n "$application_identifier"; then
+ # add back the application-identifier to the entitlements
+ # testflight/beta-testing won't work if that key is used when signing the other executables
+ /usr/libexec/PlistBuddy -c "add com.apple.application-identifier string $application_identifier" $BUILDDIR/lo.xcent
+fi
+codesign --force --options=runtime --identifier="${MACOSX_BUNDLE_IDENTIFIER}" --sign "$MACOSX_CODESIGNING_IDENTITY" $entitlements "$APP_BUNDLE" || exit 1
+
+exit 0