diff options
| author | Stephan Bergmann <sbergman@redhat.com> | 2015-02-10 10:47:39 +0100 |
|---|---|---|
| committer | Caolán McNamara <caolanm@redhat.com> | 2015-02-17 13:22:03 +0000 |
| commit | 0b4f01840cde3606681595c1b6d623d75a37ee64 (patch) | |
| tree | 0fc23a8e786d79c7f3b4f31f456380a411072d10 | |
| parent | 06975a6e3a253ed8d4817fac96f6d175800b5d09 (diff) | |
Attempt at fixing Mac OS X code signing
...so that LibreOffice.app dmgs built with --enable-macosx-code-signing with an
appstore-enabled identity will hopefully no longer be rejected on Mac OS X >=
10.9.5 as "'soffice' can't be opened because the identity of the developer
cannot be confirmed." (Which I cannot verify for lack of an appstore-enabled
certificate, though.)
First of all, do not ignore errors from calls to codesign utitlity. Really.
That reveals that soffice cannot be signed as soon as it is linked, as it
requires all the other stuff in the app to be already signed. So just don't
sign it after linking, it will be signed last step in macosx-codesign-app-bundle
anyway.
Second, --resource-rules exemptions are no longer allowed per
<https://developer.apple.com/library/mac/technotes/tn2206/_index.html> "OS X
Code Signing In Depth."
Third, the handful of remaining shell scripts in MacOS/ need to be signed too.
(Signing them adds extended attributes to the files.)
Unfortunately, as discussed at
<http://porkrind.org/missives/mac-os-x-codesigning-woes/> "Mac OS X codesigning
woes," "hdiutil makehybrid" drops extended attributes from the generated dmg (so
the dmg's LibreOffice.app would no longer be considered properly signed, as the
shell scripts would no longer be signed). So switch from "hdiutil makehybrid"
to "hdiutil create."
Change-Id: I4b587f87d504666f7a1d0e3a24a8be76f22014c5
(cherry picked from commit 615fae2f67028f3c5c51c70c77dbaa9b9f3856d6)
Reviewed-on: https://gerrit.libreoffice.org/14400
Reviewed-by: Norbert Thiebaud <nthiebaud@gmail.com>
Reviewed-by: Caolán McNamara <caolanm@redhat.com>
Tested-by: Caolán McNamara <caolanm@redhat.com>
| -rw-r--r-- | setup_native/source/mac/CodesignRules.plist | 17 | ||||
| -rwxr-xr-x | solenv/bin/macosx-codesign-app-bundle | 35 | ||||
| -rw-r--r-- | solenv/bin/modules/installer/simplepackage.pm | 5 | ||||
| -rw-r--r-- | solenv/gbuild/platform/macosx.mk | 6 |
4 files changed, 28 insertions, 35 deletions
diff --git a/setup_native/source/mac/CodesignRules.plist b/setup_native/source/mac/CodesignRules.plist deleted file mode 100644 index 41b2321ccf0f..000000000000 --- a/setup_native/source/mac/CodesignRules.plist +++ /dev/null @@ -1,17 +0,0 @@ -<?xml version="1.0" encoding="UTF-8"?> -<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> -<plist version="1.0"> -<dict> - <key>rules</key> - <dict> - <key>^MacOS/(bootstraprc|fundamentalrc|setuprc|sofficerc|unorc|versionrc)$</key> - <false/> - <key>^MacOS/pythonloader.unorc$</key> - <false/> - <key>^MacOS/(senddoc|python|gengal|unoinfo)$</key> - <false/> - <key>.*\.(png|svg|py|res|rdb)$</key> - <false/> - </dict> -</dict> -</plist> diff --git a/solenv/bin/macosx-codesign-app-bundle b/solenv/bin/macosx-codesign-app-bundle index d1ba433036c6..78a7e53a5465 100755 --- a/solenv/bin/macosx-codesign-app-bundle +++ b/solenv/bin/macosx-codesign-app-bundle @@ -42,19 +42,30 @@ find -d "$APP_BUNDLE" \( -name '*.dylib' -or -name '*.so' -or -name '*.fodt' \ -or -name '*.applescript' \) ! -type l | grep -v "LibreOfficePython\.framework" | \ while read file; do id=`echo ${file#${APP_BUNDLE}/Contents/} | sed -e 's,/,.,g'` - codesign --verbose --identifier=$MACOSX_BUNDLE_IDENTIFIER.$id --sign "$MACOSX_CODESIGNING_IDENTITY" "$file" + codesign --verbose --identifier=$MACOSX_BUNDLE_IDENTIFIER.$id --sign "$MACOSX_CODESIGNING_IDENTITY" "$file" || exit 1 done find $APP_BUNDLE -name '*.dylib.*' ! -type l | \ while read dylib; do \ id=`basename "$dylib"`; \ id=`echo $id | sed -e 's/dylib.*/dylib/'`; \ - codesign --verbose --identifier=$MACOSX_BUNDLE_IDENTIFIER.$id --sign "$MACOSX_CODESIGNING_IDENTITY" "$dylib"; \ + codesign --verbose --identifier=$MACOSX_BUNDLE_IDENTIFIER.$id --sign "$MACOSX_CODESIGNING_IDENTITY" "$dylib" || exit 1 done # The executables have already been signed by # gb_LinkTarget__command_dynamiclink in -# solenv/gbuild/platform/macosx.mk. +# solenv/gbuild/platform/macosx.mk, but sign the handful of scripts remaining +# in MacOS +# (<https://developer.apple.com/library/mac/technotes/tn2206/_index.html> "OS X +# Code Signing In Depth" suggests we should get rid of them rather sooner than +# later, but they appear to be OK for now): + +for i in gengal python senddoc unoinfo +do + codesign --verbose --identifier="$MACOSX_BUNDLE_IDENTIFIER.$i" \ + --sign "$MACOSX_CODESIGNING_IDENTITY" "$APP_BUNDLE/Contents/MacOS/$i" \ + || exit 1 +done # Sign frameworks. # @@ -67,32 +78,28 @@ for framework in `find $APP_BUNDLE -name '*.framework' -type d`; do \ fn=${fn%.*} for version in $framework/Versions/*; do \ if test ! -L $version -a -d $version; then - codesign --force --verbose --prefix=$MACOSX_BUNDLE_IDENTIFIER. --sign "$MACOSX_CODESIGNING_IDENTITY" $version/$fn - codesign --force --verbose --prefix=$MACOSX_BUNDLE_IDENTIFIER. --sign "$MACOSX_CODESIGNING_IDENTITY" $version + codesign --force --verbose --prefix=$MACOSX_BUNDLE_IDENTIFIER. --sign "$MACOSX_CODESIGNING_IDENTITY" $version/$fn || exit 1 + codesign --force --verbose --prefix=$MACOSX_BUNDLE_IDENTIFIER. --sign "$MACOSX_CODESIGNING_IDENTITY" $version || exit 1 fi; \ done; \ done -# Sign the app bundle as a whole which means (re-)signing the -# CFBundleExecutable from Info.plist, i.e. soffice, plus the contents +# Sign the app bundle as a whole which means finally signing the +# CFBundleExecutable from Info.plist, i.e. soffice (which is exempted from the +# on-the-go executable signing in gb_LinkTarget__command_dynamiclink in +# solenv/gbuild/platform/macosx.mk), plus the contents # of the Resources tree (which unless you used # --enable-canonical-installation-tree-structure is not much, far from # all of our non-code "resources"). # # At this stage we also attach the entitlements in the sandboxing case -# -# Also omit some files from the Bunlde's seal via the resource-rules -# (bootstraprc and similar that the user might adjust and image files) -# See also https://developer.apple.com/library/mac/technotes/tn2206/ id=`echo ${MACOSX_APP_NAME} | tr ' ' '-'` if test -n "$ENABLE_MACOSX_SANDBOX"; then entitlements="--entitlements $BUILDDIR/lo.xcent" -else - resource_rules="--resource-rules $SRCDIR/setup_native/source/mac/CodesignRules.plist" fi -codesign --force --verbose --identifier="${MACOSX_BUNDLE_IDENTIFIER}.$id" $resource_rules --sign "$MACOSX_CODESIGNING_IDENTITY" $entitlements $APP_BUNDLE +codesign --force --verbose --identifier="${MACOSX_BUNDLE_IDENTIFIER}.$id" --sign "$MACOSX_CODESIGNING_IDENTITY" $entitlements $APP_BUNDLE || exit 1 exit 0 diff --git a/solenv/bin/modules/installer/simplepackage.pm b/solenv/bin/modules/installer/simplepackage.pm index 6d77e4143653..ae91d0c37bd1 100644 --- a/solenv/bin/modules/installer/simplepackage.pm +++ b/solenv/bin/modules/installer/simplepackage.pm @@ -417,11 +417,10 @@ sub create_package } } - $systemcall = "cd $localtempdir && hdiutil makehybrid -hfs -hfs-openfolder $folder $folder -hfs-volume-name \"$volume_name\" -ov -o $installdir/tmp && hdiutil convert -ov -format UDBZ $installdir/tmp.dmg -o $archive && "; + $systemcall = "cd $localtempdir && hdiutil create -srcfolder $folder $archive -ov -fs HFS+ -volname \"$volume_name\" -format UDBZ"; if (( $ref ne "" ) && ( $$ref ne "" )) { - $systemcall .= "hdiutil unflatten $archive && Rez -a $$ref -o $archive && hdiutil flatten $archive &&"; + $systemcall .= " && hdiutil unflatten $archive && Rez -a $$ref -o $archive && hdiutil flatten $archive &&"; } - $systemcall .= "rm -f $installdir/tmp.dmg"; } else { diff --git a/solenv/gbuild/platform/macosx.mk b/solenv/gbuild/platform/macosx.mk index 6547ed425042..bc28a06270c0 100644 --- a/solenv/gbuild/platform/macosx.mk +++ b/solenv/gbuild/platform/macosx.mk @@ -105,6 +105,9 @@ endef # as we would need to sign those separately anyway, we do it for the # gbuild-built ones, too, after an app bundle has been constructed, in # the solenv/bin/macosx-codesign-app-bundle script. +# And the soffice executable needs to be signed last in +# macosx-codesign-app-bundle, as codesign would fail complaining that other +# parts of the app have not yet been signed: define gb_LinkTarget__command_dynamiclink $(call gb_Helper_abbreviate_dirs,\ @@ -133,7 +136,8 @@ $(call gb_Helper_abbreviate_dirs,\ $(PERL) $(SRCDIR)/solenv/bin/macosx-change-install-names.pl shl $(LAYER) $(1) &&) \ $(if $(MACOSX_CODESIGNING_IDENTITY), \ $(if $(filter Executable,$(TARGETTYPE)), \ - (codesign --identifier=$(MACOSX_BUNDLE_IDENTIFIER).$(notdir $(1)) --sign $(MACOSX_CODESIGNING_IDENTITY) --force $(1) || true) &&)) \ + $(if $(filter-out $(call gb_Executable_get_target,soffice_bin),$(1)), \ + codesign --identifier=$(MACOSX_BUNDLE_IDENTIFIER).$(notdir $(1)) --sign $(MACOSX_CODESIGNING_IDENTITY) --force $(1) &&))) \ $(if $(filter Library,$(TARGETTYPE)),\ otool -l $(1) | grep -A 5 LC_ID_DYLIB \ > $(WORKDIR)/LinkTarget/$(2).exports.tmp && \ |