authorChristian Lohmaier <lohmaier+LibreOffice@googlemail.com>2019-05-31 11:57:16 +0200
committerChristian Lohmaier <lohmaier+LibreOffice@googlemail.com>2019-05-31 21:13:31 +0200
commitc98b1f1cd43b3e109bcaf6324ef2d1f449b34099 (patch)
tree82c51b2882da3734ecf06006410acd0e6d935cce /solenv/bin
parent1ee64eb345ef116e19a63dc97f791e80ba38fe80 (diff)
macOS: enable hardened runtime when signinglibreoffice-6-3-branch-point
Hardened runtime is a prerequisite for notarizing apps, which in turn is already required for new developer IDs as of 10.14.5 and will be required for all software to run in future versions of macOS: https://developer.apple.com/documentation/security/notarizing_your_app_before_distribution Change-Id: Ifdf73fb5901be5dd0b62e1a51dee6e57c9816e5f Reviewed-on: https://gerrit.libreoffice.org/73246 Tested-by: Jenkins Reviewed-by: Christian Lohmaier <lohmaier+LibreOffice@googlemail.com>
Diffstat (limited to 'solenv/bin')
-rwxr-xr-xsolenv/bin/macosx-codesign-app-bundle14
1 files changed, 9 insertions, 5 deletions
diff --git a/solenv/bin/macosx-codesign-app-bundle b/solenv/bin/macosx-codesign-app-bundle
index 85d74514585c..db2f6ffc55d2 100755
--- a/solenv/bin/macosx-codesign-app-bundle
+++ b/solenv/bin/macosx-codesign-app-bundle
@@ -36,7 +36,7 @@ if test -n "$ENABLE_MACOSX_SANDBOX"; then
other_files=''
else
# We then want to sign data files, too, hmm.
- entitlements=''
+ entitlements="--entitlements $SRCDIR/hardened_runtime.xcent"
other_files="\
-or -name '*.fodt' -or -name 'schema.strings' -or -name 'schema.xml' \
-or -name '*.jar' -or -name 'LICENSE' -or -name 'LICENSE.html' \
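Review bot: The new `entitlements` value on the `else` branch only works because `$entitlements` is later expanded unquoted at the codesign calls, so a `$SRCDIR` containing whitespace would split the path into separate arguments and break signing. The protection hardened runtime gives is also bounded by the exceptions that `hardened_runtime.xcent` grants, and that file is not part of this diffstat (limited to solenv/bin), so its contents cannot be checked from here. I would add a comment above the assignment naming the exceptions the file grants and why each is needed. A guard before the signing loops, such as `test -r "$SRCDIR/hardened_runtime.xcent" || exit 1`, would surface a missing file directly rather than only in the per-file logs. The `if` this branch belongs to starts before the hunk, and the `other_files` string continues past it.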
@@ -83,7 +83,7 @@ while read app; do
fn=${fn%.*}
# Assume the app has a XML (and not binary) Info.plist
id=`grep -A 1 '<key>CFBundleIdentifier</key>' $app/Contents/Info.plist | tail -1 | sed -e 's,.*<string>,,' -e 's,</string>.*,,'`
- codesign --verbose --force --identifier=$id --sign "$MACOSX_CODESIGNING_IDENTITY" $entitlements "$app" > "/tmp/codesign_${fn}.log" 2>&1
+ codesign --verbose --options=runtime --force --identifier=$id --sign "$MACOSX_CODESIGNING_IDENTITY" $entitlements "$app" > "/tmp/codesign_${fn}.log" 2>&1
if [ "$?" != "0" ] ; then
exit 1
fi
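Review bot: The codesign output on the changed line still goes to `/tmp/codesign_${fn}.log`, a predictable name in a world-writable directory, so on a shared build host another local user can pre-create that path and influence where the signing step writes. Creating a private log directory once, e.g. `logdir=$(mktemp -d) || exit 1`, and redirecting to `"$logdir/codesign_${fn}.log"` would avoid that. The same applies to the log redirections in the framework, per-file and app-bundle hunks below. Separately, `$id` is scraped from Info.plist and passed unquoted, so `--identifier="$id"` would keep an unexpected value from being split into extra codesign arguments. The enclosing `while read app` loop starts and ends outside the hunk.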
@@ -100,7 +100,11 @@ while read framework; do
if test ! -L "$version" -a -d "$version"; then
# Assume the framework has a XML (and not binary) Info.plist
id=`grep -A 1 '<key>CFBundleIdentifier</key>' $version/Resources/Info.plist | tail -1 | sed -e 's,.*<string>,,' -e 's,</string>.*,,'`
- codesign --verbose --force --identifier=$id --sign "$MACOSX_CODESIGNING_IDENTITY" "$version" > "/tmp/codesign_${fn}.log" 2>&1
+ # files in bin are not covered by signing the framework...
+ for scriptorexecutable in $(find $version/bin/ -type f); do
+ codesign --verbose --options=runtime --force --identifier=$id --sign "$MACOSX_CODESIGNING_IDENTITY" "$scriptorexecutable" >> "/tmp/codesign_${fn}.log" 2>&1
+ done
+ codesign --verbose --force --identifier=$id --sign "$MACOSX_CODESIGNING_IDENTITY" "$version" >> "/tmp/codesign_${fn}.log" 2>&1
if [ "$?" != "0" ] ; then
exit 1
fi
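Review bot: The exit status of the codesign call inside the new `for scriptorexecutable` loop is never checked, because the `if [ "$?" != "0" ]` below only sees the final framework signing. A bin/ file that fails to sign is therefore recorded only in the log, and the build carries on with a binary that lacks the hardened-runtime signature. Ending the loop's codesign line with `|| exit 1` matches the error handling used elsewhere in the script. The `$(find $version/bin/ -type f)` expansion also splits on whitespace in paths and prints an error when a framework version has no bin/ directory. Guarding with `test -d "$version/bin"` and using `find "$version/bin" -type f -exec codesign … {} +` would handle both cases. It is also worth a comment on whether the framework signing on the last added line omits `--options=runtime` on purpose, since every other call in this commit adds it.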
@@ -129,7 +133,7 @@ while read file; do
;;
*)
id=`echo ${file#${APP_BUNDLE}/Contents/} | sed -e 's,/,.,g'`
- codesign --force --verbose --identifier=$MACOSX_BUNDLE_IDENTIFIER.$id --sign "$MACOSX_CODESIGNING_IDENTITY" $entitlements "$file" > "/tmp/codesign_${MACOSX_BUNDLE_IDENTIFIER}.${id}.log" 2>&1
+ codesign --force --verbose --options=runtime --identifier=$MACOSX_BUNDLE_IDENTIFIER.$id --sign "$MACOSX_CODESIGNING_IDENTITY" $entitlements "$file" > "/tmp/codesign_${MACOSX_BUNDLE_IDENTIFIER}.${id}.log" 2>&1
if [ "$?" != "0" ] ; then
exit 1
fi
@@ -152,7 +156,7 @@ done
id=`echo ${PRODUCTNAME} | tr ' ' '-'`
-codesign --force --verbose --identifier="${MACOSX_BUNDLE_IDENTIFIER}" --sign "$MACOSX_CODESIGNING_IDENTITY" $entitlements "$APP_BUNDLE" > "/tmp/codesign_${MACOSX_BUNDLE_IDENTIFIER}.log" 2>&1
+codesign --force --verbose --options=runtime --identifier="${MACOSX_BUNDLE_IDENTIFIER}" --sign "$MACOSX_CODESIGNING_IDENTITY" $entitlements "$APP_BUNDLE" > "/tmp/codesign_${MACOSX_BUNDLE_IDENTIFIER}.log" 2>&1
if [ "$?" != "0" ] ; then
exit 1
fi