macOS: don't sign executables early
macOS 10.14 and later (Mojave & Catalina) will treat signed exectuables as "restricted binary" and in turn will block any use of DYLD_LIBRARY_PATH settings, causing the build to fail with e.g.: dyld: Library not loaded: @__VIA_LIBRARY_PATH__/libuno_sal.dylib.3 Referenced from: /Users/cloph/build/workdir/LinkTarget/Executable/genconv_dict Reason: unsafe use of relative rpath @__VIA_LIBRARY_PATH__/libuno_sal.dylib.3 in /Users/cloph/build/workdir/LinkTarget/Executable/genconv_dict with restricted binary Change-Id: Ia90d8fa6f28f9a2c10f6b46eb1796e2730550119 Reviewed-on: Tested-by: Jenkins Reviewed-by: Christian Lohmaier <>
@@ -90,11 +90,9 @@ $(if $(filter Executable,$(1)),\
$$(call gb_Library_get_layer,$(2)))
-# We sign executables right after linking below. But not dylibs,
-# because many of them are built by ad-hoc or 3rd-party mechanisms. So
-# as we would need to sign those separately anyway, we do it for the
-# gbuild-built ones, too, after an app bundle has been constructed, in
-# the solenv/bin/macosx-codesign-app-bundle script.
+# We cannot sign executables early since Mojave/Catalina would treat them as
+# restricted binary and ignore any DYLD_LIBRARY_PATH setting - So all
+# signing is handled by the solenv/bin/macosx-codesign-app-bundle script.
# And the soffice executable needs to be signed last in
# macosx-codesign-app-bundle, as codesign would fail complaining that other
# parts of the app have not yet been signed:
@@ -129,10 +127,6 @@ $(call gb_Helper_abbreviate_dirs,\
$(PERL) $(SRCDIR)/solenv/bin/ app $(LAYER) $(1) &&) \
$(if $(filter Library Bundle CppunitTest,$(TARGETTYPE)),\
$(PERL) $(SRCDIR)/solenv/bin/ shl $(LAYER) $(1) &&) \
- $(if $(filter Executable,$(TARGETTYPE)), \
- $(if $(filter-out $(call gb_Executable_get_target,soffice_bin),$(1)), \
- codesign --identifier=$(MACOSX_BUNDLE_IDENTIFIER).$(notdir $(1)) --sign $(MACOSX_CODESIGNING_IDENTITY) --options=runtime --force $(1) &&))) \
$(if $(filter Library,$(TARGETTYPE)),\
otool -l $(1) | grep -A 5 LC_ID_DYLIB \
> $(WORKDIR)/LinkTarget/$(2).exports.tmp && \