authorChristian Lohmaier <lohmaier+LibreOffice@googlemail.com>2014-01-17 07:06:04 +0100
committerNorbert Thiebaud <nthiebaud@gmail.com>2014-01-18 10:41:09 +0000
commitdad46670ccd3f2a79ad61812ea5a48120e82058d (patch)
tree6ef7dae88fba09f9a304abf225d39420b1794d6b
parent9c569b326c9d2d71132e722a1783e7e201c1bf3c (diff)
allow to codesign on Mac OS X Mavericks
codesign on Mavericks wants much more stuff to be signed apart from the actual Mach libraries and executables. However, the signatures for those data-style files are stored as extended file attributes, so one needs to take special care with how the dmg is packaged so as not to break the seal. Also explicitly remove some files from the signing, to allow adjusting the user-config path or similar, or for the gallery. Change-Id: Ic4c4f7718df1bca7ffa2fecd3fb1d616146d7b14 Reviewed-on: https://gerrit.libreoffice.org/7490 Reviewed-by: Norbert Thiebaud <nthiebaud@gmail.com> Tested-by: Norbert Thiebaud <nthiebaud@gmail.com>
-rw-r--r--setup_native/source/mac/CodesignRules.plist19
-rwxr-xr-xsolenv/bin/macosx-codesign-app-bundle22
-rw-r--r--solenv/bin/modules/installer/simplepackage.pm8
3 files changed, 40 insertions, 9 deletions
diff --git a/setup_native/source/mac/CodesignRules.plist b/setup_native/source/mac/CodesignRules.plist
new file mode 100644
index 000000000000..e638f9298631
--- /dev/null
+++ b/setup_native/source/mac/CodesignRules.plist
@@ -0,0 +1,19 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+ <key>rules</key>
+ <dict>
+ <key>^MacOS/(bootstraprc|fundamentalrc|setuprc|sofficerc|unorc|versionrc)$</key>
+ <false/>
+ <key>^MacOS/pythonloader.unorc$</key>
+ <false/>
+ <key>^MacOS/postgresql-sdbc.ini$</key>
+ <false/>
+ <key>^MacOS/(senddoc|python|gengal|unoinfo)$</key>
+ <false/>
+ <key>.*\.(png|svg|py|res|rdb)$</key>
+ <false/>
+ </dict>
+</dict>
+</plist>
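Review bot: The rules `.*\.(png|svg|py|res|rdb)$` and `^MacOS/(senddoc|python|gengal|unoinfo)$` take more than user-adjustable configuration out of the bundle seal: `.py` sources and the entries under `MacOS/` (which look like launchers or executables) can then be changed after signing without signature verification noticing. I would limit the exclusions to the rc/ini files the commit message names and keep `.py`, `.rdb` and the `MacOS/` entries sealed unless there is a concrete need, recorded in an XML comment next to each rule. The dots in `^MacOS/pythonloader.unorc$` and `^MacOS/postgresql-sdbc.ini$` are unescaped and match any character; `pythonloader\.unorc` and `postgresql-sdbc\.ini` would be exact. As far as I know Apple later treated custom resource rules as obsolete, so it is worth confirming that a signature made with this file is still accepted on every targeted OS version.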
diff --git a/solenv/bin/macosx-codesign-app-bundle b/solenv/bin/macosx-codesign-app-bundle
index 07a4996c7c80..e51c903a3199 100755
--- a/solenv/bin/macosx-codesign-app-bundle
+++ b/solenv/bin/macosx-codesign-app-bundle
@@ -35,8 +35,15 @@ APP_BUNDLE="$1"
# First sign all files that can use the default identifier in the hope
# that codesign will contact the timestamp server just once for all
# mentioned on the command line.
-
-find $APP_BUNDLE \( -name '*.dylib' -or -name '*.so' \) ! -type l | grep -v "LibreOfficePython\.framework" | \
+#
+# On Mavericks also would like to have data files signed...
+# add some where it makes sense. Make a depth-first search to sign the contents
+# of e.g. the spotlight plugin before attempting to sign the plugin itself
+
+find -d $APP_BUNDLE \( -name '*.dylib' -or -name '*.so' -or -name '*.fodt' \
+ -or -name 'schema.strings' -or -name 'schema.xml' -or -name '*.mdimporter' \
+ -or -name '*.jar' -or -name '*.jnilib' -or -name 'LICENSE' -or -name 'LICENSE.html' \
+ -or -name '*.applescript' \) ! -type l | grep -v "LibreOfficePython\.framework" | \
xargs codesign --verbose --prefix=$MACOSX_BUNDLE_IDENTIFIER. --sign "$MACOSX_CODESIGNING_IDENTITY"
find $APP_BUNDLE -name '*.dylib.*' ! -type l | \
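Review bot: The widened `find -d $APP_BUNDLE …` pipeline still leaves `$APP_BUNDLE` unquoted and hands newline-separated names to `xargs`, so any path containing whitespace is split and `codesign` receives paths that do not exist or are not the intended file. With `LICENSE`, `*.jar` and other data files now in the list, that is more likely than it was with libraries alone. Quoting and NUL-delimiting avoids it and makes the `grep -v` unnecessary: `find -d "$APP_BUNDLE" \( … \) ! -type l ! -path '*LibreOfficePython.framework*' -print0 | xargs -0 codesign …`. The same unquoted expansions occur in the framework loop (`$version`, `$version/$fn`) and in the final `codesign … $entitlements $APP_BUNDLE` call in the later hunks. The second `find` pipeline on the last line of this hunk continues outside it.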
@@ -60,7 +67,10 @@ for framework in `find $APP_BUNDLE -name '*.framework' -type d`; do \
fn="$(basename $framework)"
fn=${fn%.*}
for version in $framework/Versions/*; do \
- if test ! -L $version -a -d $version; then codesign --force --verbose --prefix=$MACOSX_BUNDLE_IDENTIFIER. --sign "$MACOSX_CODESIGNING_IDENTITY" $version/$fn; fi; \
+ if test ! -L $version -a -d $version; then
+ codesign --force --verbose --prefix=$MACOSX_BUNDLE_IDENTIFIER. --sign "$MACOSX_CODESIGNING_IDENTITY" $version/$fn
+ codesign --force --verbose --prefix=$MACOSX_BUNDLE_IDENTIFIER. --sign "$MACOSX_CODESIGNING_IDENTITY" $version
+ fi; \
done; \
done
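Review bot: Neither of the two `codesign` calls in the new `if` body has its exit status checked, and the script's last visible line is `exit 0`, so unless `set -e` is enabled outside the visible hunks a framework version that fails to sign does not fail the build. Appending `|| exit 1` to each call, e.g. `codesign --force … "$version/$fn" || exit 1`, stops packaging when signing fails instead of shipping a partly signed bundle. The leftover `fi; \` and `done; \` continuations are no longer needed now that the body spans real lines, and could be plain `fi` and `done`. The enclosing `for framework` loop starts outside this hunk.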
@@ -71,11 +81,15 @@ done
# all of our non-code "resources").
#
# At this stage we also attach the entitlements in the sandboxing case
+#
+# Also omit some files from the Bunlde's seal via the resource-rules
+# (bootstraprc and similar that the user might adjust and image files)
+# See also https://developer.apple.com/library/mac/technotes/tn2206/
if test "$ENABLE_MACOSX_SANDBOX" = "TRUE"; then
entitlements="--entitlements $BUILDDIR/lo.xcent"
fi
-codesign --force --verbose --identifier="${MACOSX_BUNDLE_IDENTIFIER}.$(basename ${APP_BUNDLE})" --sign "$MACOSX_CODESIGNING_IDENTITY" $entitlements $APP_BUNDLE
+codesign --force --verbose --identifier="${MACOSX_BUNDLE_IDENTIFIER}.$(basename ${APP_BUNDLE})" --resource-rules "$SRCDIR/setup_native/source/mac/CodesignRules.plist" --sign "$MACOSX_CODESIGNING_IDENTITY" $entitlements $APP_BUNDLE
exit 0
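Review bot: The new `--resource-rules "$SRCDIR/setup_native/source/mac/CodesignRules.plist"` argument makes the final signing step depend on `SRCDIR`, which none of the visible hunks sets or checks (it is presumably exported by the build). If it is empty, the path resolves to `/setup_native/…` and `codesign` fails, yet the script still ends with `exit 0`. A guard before the call, `test -r "$SRCDIR/setup_native/source/mac/CodesignRules.plist" || exit 1`, together with `|| exit 1` on the `codesign` line, would surface an unsigned bundle at build time. The added comment also has a typo: `Bunlde's` should read `Bundle's`.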
diff --git a/solenv/bin/modules/installer/simplepackage.pm b/solenv/bin/modules/installer/simplepackage.pm
index 2281a8d505e7..9c61d66d4cd3 100644
--- a/solenv/bin/modules/installer/simplepackage.pm
+++ b/solenv/bin/modules/installer/simplepackage.pm
@@ -433,11 +433,9 @@ sub create_package
}
}
- $systemcall = "cd $localtempdir && hdiutil makehybrid -hfs -hfs-openfolder $folder $folder -hfs-volume-name \"$volume_name\" -ov -o $installdir/tmp && hdiutil convert -ov -format UDBZ $installdir/tmp.dmg -o $archive && ";
- if (( $ref ne "" ) && ( $$ref ne "" )) {
- $systemcall .= "hdiutil unflatten $archive && Rez -a $$ref -o $archive && hdiutil flatten $archive &&";
- }
- $systemcall .= "rm -f $installdir/tmp.dmg";
+ # makehybrid doesn't preserve extended attributes (needed when codesigning data files like .jar)
+ # unfortunately this method is slower than makehybrid followed by convert
+ $systemcall = "cd $localtempdir && hdiutil create -srcfolder $folder -volname \"$volume_name\" -ov -format UDBZ $archive";
}
else
{
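Review bot: The replacement `$systemcall` no longer uses `$ref`, so the `hdiutil unflatten` / `Rez -a $$ref` / `hdiutil flatten` step that ran when `$ref` was set is dropped without any mention in the commit message. If that is intentional (for example because it would disturb the signed contents), the new comment should say so, e.g. `# the Rez resource from $ref is intentionally no longer attached`. Separately, `$localtempdir`, `$folder` and `$archive` are interpolated into the shell string unquoted while only `$volume_name` is quoted, so a path with spaces or shell metacharacters changes the command; quoting them the same way (`-srcfolder \"$folder\" … \"$archive\"`) would be consistent. `create_package` starts and ends outside this hunk, so how `$systemcall` is executed is not visible here.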