authorTor Lillqvist <tml@collabora.com>2014-09-19 22:58:16 +0300
committerTor Lillqvist <tml@collabora.com>2014-09-19 23:28:18 +0300
commit69c2fc6cfb12b939a076856bb82a18812afdfccc (patch)
tree2e9c1729fbe599ae06628bd78efec919c4b7f476 /solenv
parenta925583c009d2829e313cea11ed6cf7b40eca097 (diff)
OS X code signing fixes
Remove unnecessary Python executables and stuff that complicates code signing in the test-install target. Sign executables in codesign-macosx-app-bundle, not when building them. It is more uniform to do all code signing in just one place. All executables must have the com.apple.security.app-sandbox entitlement. Change-Id: Ic6a640eb03964fe9ce75d3a8fff071971a3e1939
Diffstat (limited to 'solenv')
-rwxr-xr-xsolenv/bin/macosx-codesign-app-bundle58
-rw-r--r--solenv/gbuild/platform/macosx.mk9
2 files changed, 34 insertions, 33 deletions
diff --git a/solenv/bin/macosx-codesign-app-bundle b/solenv/bin/macosx-codesign-app-bundle
index de5ec792e033..798bf004bc77 100755
--- a/solenv/bin/macosx-codesign-app-bundle
+++ b/solenv/bin/macosx-codesign-app-bundle
@@ -1,9 +1,8 @@
#!/bin/bash
-# Script to sign dylibs and frameworks in an app bundle plus the
-# bundle itself. Called from
-# installer::simplepackage::create_package() in
-# solenv/bin/modules/installer/simplepackage.pm
+# Script to sign executables, dylibs and frameworks in an app bundle
+# plus the bundle itself. Called from
+# the test-install target in Makefile.in
test `uname` = Darwin || { echo This is for OS X only; exit 1; }
@@ -21,13 +20,26 @@ done
APP_BUNDLE="$1"
+if test -n "$ENABLE_MACOSX_SANDBOX"; then
+ # In a sandboxed build executables need the entitlements
+ entitlements="--entitlements $BUILDDIR/lo.xcent"
+ # We use --enable-canonical-installation-tree-structure so all
+ # data files in Resources are included in the app bundle signature
+ # through that. I think.
+ other_files=''
+else
+ # In a non-sandboxed build (distributed outside the App Store)
+ # we traditionally have use --resource-rules. Let's not touch that?
+ resource_rules="--resource-rules $SRCDIR/setup_native/source/mac/CodesignRules.plist"
+ # And there we then want to sign data files, too, hmm.
+ other_files="\
+ -or -name '*.fodt' -or -name 'schema.strings' -or -name 'schema.xml' \
+ -or -name '*.jar' -or -name '*.jnilib' -or -name 'LICENSE' -or -name 'LICENSE.html' \
+ -or -name '*.applescript'"
+fi
+
# Sign dylibs
#
-# Executables get signed right after linking, see
-# solenv/gbuild/platform/macosx.mk. But many of our dylibs are built
-# by ad-hoc or 3rd-party mechanisms, so we can't easily sign them
-# right after linking. So do it here.
-#
# The dylibs in the Python framework are called *.so. Go figure
#
# On Mavericks also would like to have data files signed...
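Review bot: The single quotes embedded in the `other_files` string are not removed when `$other_files` is expanded unquoted in the `find` call of the next hunk, so in the non-sandboxed branch find receives patterns such as `'*.fodt'` with the quote characters included. No file name matches those, so the data files that the old inline predicates covered are silently left unsigned. Since the script runs under `#!/bin/bash`, build the extra predicates as an array and expand it in the find as `"${other_files[@]}" \) ! -type l |`, which keeps each pattern a single literal word. The same word splitting applies to `entitlements` and `resource_rules`, which break if `$BUILDDIR` or `$SRCDIR` contains a space.

```shell
if test -n "$ENABLE_MACOSX_SANDBOX"; then
    # … unchanged: entitlements assignment and its comments …
    other_files=()
else
    # … unchanged: resource_rules assignment and its comments …
    other_files=(
        -or -name '*.fodt' -or -name 'schema.strings' -or -name 'schema.xml'
        -or -name '*.jar' -or -name '*.jnilib' -or -name 'LICENSE' -or -name 'LICENSE.html'
        -or -name '*.applescript'
    )
fi
```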
@@ -35,17 +47,21 @@ APP_BUNDLE="$1"
# of e.g. the spotlight plugin before attempting to sign the plugin itself
find "$APP_BUNDLE" \( -name '*.dylib' -or -name '*.dylib.*' -or -name '*.so' \
- -or -name '*.fodt' -or -name 'schema.strings' -or -name 'schema.xml' \
- -or -name '*.jar' -or -name '*.jnilib' -or -name 'LICENSE' -or -name 'LICENSE.html' \
- -or -name '*.applescript' \) ! -type l | grep -v "LibreOfficePython\.framework" |
-while read dylib; do
- id=`echo ${dylib#${APP_BUNDLE}/Contents/} | sed -e 's,/,.,g'`
- codesign --verbose --identifier=$MACOSX_BUNDLE_IDENTIFIER.$id --sign "$MACOSX_CODESIGNING_IDENTITY" "$dylib"
+ $other_files \) ! -type l |
+while read file; do
+ id=`echo ${file#${APP_BUNDLE}/Contents/} | sed -e 's,/,.,g'`
+ codesign --verbose --identifier=$MACOSX_BUNDLE_IDENTIFIER.$id --sign "$MACOSX_CODESIGNING_IDENTITY" "$file"
done
-# The executables have already been signed by
-# gb_LinkTarget__command_dynamiclink in
-# solenv/gbuild/platform/macosx.mk.
+# Sign executables
+
+find "$APP_BUNDLE/Contents/MacOS" \
+ "$APP_BUNDLE/Contents/Frameworks/LibreOfficePython.framework/Versions/"[1-9]*/Resources/Python.app/Contents/MacOS \
+ -type f |
+while read file; do
+ id=`echo ${file#${APP_BUNDLE}/Contents/} | sed -e 's,/,.,g'`
+ codesign --verbose --identifier=$MACOSX_BUNDLE_IDENTIFIER.$id --sign "$MACOSX_CODESIGNING_IDENTITY" $entitlements "$file"
+done
# Sign included bundles. First frameworks.
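Review bot: A failed `codesign` inside either `while read` loop is not checked by anything visible here, so the script can carry on to sign the outer bundle with an executable left unsigned or missing the sandbox entitlement. This script is now the only place executables are signed, so it should stop on the first failure: end the command with `"$file" || exit 1` and close each loop with `done || exit 1`, so the pipeline subshell's status reaches the script. Separately, plain `read` interprets backslashes and the unquoted `${file#...}` in the `echo` is subject to word splitting and globbing; `while IFS= read -r file` and `echo "${file#${APP_BUNDLE}/Contents/}"` keep the derived identifier faithful to the path.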
@@ -86,12 +102,6 @@ done
id=`echo ${MACOSX_APP_NAME} | tr ' ' '-'`
-if test -n "$ENABLE_MACOSX_SANDBOX"; then
- entitlements="--entitlements $BUILDDIR/lo.xcent"
-else
- resource_rules="--resource-rules $SRCDIR/setup_native/source/mac/CodesignRules.plist"
-fi
-
codesign --force --verbose --identifier="${MACOSX_BUNDLE_IDENTIFIER}.$id" $resource_rules --sign "$MACOSX_CODESIGNING_IDENTITY" $entitlements "$APP_BUNDLE"
exit 0
diff --git a/solenv/gbuild/platform/macosx.mk b/solenv/gbuild/platform/macosx.mk
index cd5c0c309ad2..be631d24f011 100644
--- a/solenv/gbuild/platform/macosx.mk
+++ b/solenv/gbuild/platform/macosx.mk
@@ -122,12 +122,6 @@ $(if $(filter Executable,$(1)),\
$$(call gb_Library_get_layer,$(2)))
endef
-# We sign executables right after linking below. But not dylibs,
-# because many of them are built by ad-hoc or 3rd-party mechanisms. So
-# as we would need to sign those separately anyway, we do it for the
-# gbuild-built ones, too, after an app bundle has been constructed, in
-# the solenv/bin/macosx-codesign-app-bundle script.
-
define gb_LinkTarget__command_dynamiclink
$(call gb_Helper_abbreviate_dirs,\
$(if $(CXXOBJECTS)$(OBJCXXOBJECTS)$(GENCXXOBJECTS)$(EXTRAOBJECTLISTS),$(gb_CXX),$(gb_CC)) \
@@ -154,9 +148,6 @@ $(call gb_Helper_abbreviate_dirs,\
$(PERL) $(SRCDIR)/solenv/bin/macosx-change-install-names.pl app $(LAYER) $(1) &&) \
$(if $(filter Library Bundle CppunitTest,$(TARGETTYPE)),\
$(PERL) $(SRCDIR)/solenv/bin/macosx-change-install-names.pl shl $(LAYER) $(1) &&) \
- $(if $(MACOSX_CODESIGNING_IDENTITY), \
- $(if $(filter Executable,$(TARGETTYPE)), \
- (codesign --identifier=$(MACOSX_BUNDLE_IDENTIFIER).$(notdir $(1)) --sign $(MACOSX_CODESIGNING_IDENTITY) --force $(1) || true) &&)) \
$(if $(filter Library,$(TARGETTYPE)),\
otool -l $(1) | grep -A 5 LC_ID_DYLIB \
> $(WORKDIR)/LinkTarget/$(2).exports.tmp && \