diff options
author | Tor Lillqvist <tml@collabora.com> | 2014-09-19 22:58:16 +0300 |
---|---|---|
committer | Tor Lillqvist <tml@collabora.com> | 2014-09-19 23:28:18 +0300 |
commit | 69c2fc6cfb12b939a076856bb82a18812afdfccc (patch) | |
tree | 2e9c1729fbe599ae06628bd78efec919c4b7f476 /solenv | |
parent | a925583c009d2829e313cea11ed6cf7b40eca097 (diff) |
OS X code signing fixes
Remove unnecessary Python executables and stuff that complicates code
signing in the test-install target.
Sign executables in codesign-macosx-app-bundle, not when building
them. It is more uniform to do all code signing in just one place.
All executables must have the com.apple.security.app-sandbox entitlement.
Change-Id: Ic6a640eb03964fe9ce75d3a8fff071971a3e1939
Diffstat (limited to 'solenv')
-rwxr-xr-x | solenv/bin/macosx-codesign-app-bundle | 58 | ||||
-rw-r--r-- | solenv/gbuild/platform/macosx.mk | 9 |
2 files changed, 34 insertions, 33 deletions
diff --git a/solenv/bin/macosx-codesign-app-bundle b/solenv/bin/macosx-codesign-app-bundle index de5ec792e033..798bf004bc77 100755 --- a/solenv/bin/macosx-codesign-app-bundle +++ b/solenv/bin/macosx-codesign-app-bundle @@ -1,9 +1,8 @@ #!/bin/bash -# Script to sign dylibs and frameworks in an app bundle plus the -# bundle itself. Called from -# installer::simplepackage::create_package() in -# solenv/bin/modules/installer/simplepackage.pm +# Script to sign executables, dylibs and frameworks in an app bundle +# plus the bundle itself. Called from +# the test-install target in Makefile.in test `uname` = Darwin || { echo This is for OS X only; exit 1; } @@ -21,13 +20,26 @@ done APP_BUNDLE="$1" +if test -n "$ENABLE_MACOSX_SANDBOX"; then + # In a sandboxed build executables need the entitlements + entitlements="--entitlements $BUILDDIR/lo.xcent" + # We use --enable-canonical-installation-tree-structure so all + # data files in Resources are included in the app bundle signature + # through that. I think. + other_files='' +else + # In a non-sandboxed build (distributed outside the App Store) + # we traditionally have use --resource-rules. Let's not touch that? + resource_rules="--resource-rules $SRCDIR/setup_native/source/mac/CodesignRules.plist" + # And there we then want to sign data files, too, hmm. + other_files="\ + -or -name '*.fodt' -or -name 'schema.strings' -or -name 'schema.xml' \ + -or -name '*.jar' -or -name '*.jnilib' -or -name 'LICENSE' -or -name 'LICENSE.html' \ + -or -name '*.applescript'" +fi + # Sign dylibs # -# Executables get signed right after linking, see -# solenv/gbuild/platform/macosx.mk. But many of our dylibs are built -# by ad-hoc or 3rd-party mechanisms, so we can't easily sign them -# right after linking. So do it here. -# # The dylibs in the Python framework are called *.so. Go figure # # On Mavericks also would like to have data files signed... @@ -35,17 +47,21 @@ APP_BUNDLE="$1" # of e.g. the spotlight plugin before attempting to sign the plugin itself find "$APP_BUNDLE" \( -name '*.dylib' -or -name '*.dylib.*' -or -name '*.so' \ - -or -name '*.fodt' -or -name 'schema.strings' -or -name 'schema.xml' \ - -or -name '*.jar' -or -name '*.jnilib' -or -name 'LICENSE' -or -name 'LICENSE.html' \ - -or -name '*.applescript' \) ! -type l | grep -v "LibreOfficePython\.framework" | -while read dylib; do - id=`echo ${dylib#${APP_BUNDLE}/Contents/} | sed -e 's,/,.,g'` - codesign --verbose --identifier=$MACOSX_BUNDLE_IDENTIFIER.$id --sign "$MACOSX_CODESIGNING_IDENTITY" "$dylib" + $other_files \) ! -type l | +while read file; do + id=`echo ${file#${APP_BUNDLE}/Contents/} | sed -e 's,/,.,g'` + codesign --verbose --identifier=$MACOSX_BUNDLE_IDENTIFIER.$id --sign "$MACOSX_CODESIGNING_IDENTITY" "$file" done -# The executables have already been signed by -# gb_LinkTarget__command_dynamiclink in -# solenv/gbuild/platform/macosx.mk. +# Sign executables + +find "$APP_BUNDLE/Contents/MacOS" \ + "$APP_BUNDLE/Contents/Frameworks/LibreOfficePython.framework/Versions/"[1-9]*/Resources/Python.app/Contents/MacOS \ + -type f | +while read file; do + id=`echo ${file#${APP_BUNDLE}/Contents/} | sed -e 's,/,.,g'` + codesign --verbose --identifier=$MACOSX_BUNDLE_IDENTIFIER.$id --sign "$MACOSX_CODESIGNING_IDENTITY" $entitlements "$file" +done # Sign included bundles. First frameworks. @@ -86,12 +102,6 @@ done id=`echo ${MACOSX_APP_NAME} | tr ' ' '-'` -if test -n "$ENABLE_MACOSX_SANDBOX"; then - entitlements="--entitlements $BUILDDIR/lo.xcent" -else - resource_rules="--resource-rules $SRCDIR/setup_native/source/mac/CodesignRules.plist" -fi - codesign --force --verbose --identifier="${MACOSX_BUNDLE_IDENTIFIER}.$id" $resource_rules --sign "$MACOSX_CODESIGNING_IDENTITY" $entitlements "$APP_BUNDLE" exit 0 diff --git a/solenv/gbuild/platform/macosx.mk b/solenv/gbuild/platform/macosx.mk index cd5c0c309ad2..be631d24f011 100644 --- a/solenv/gbuild/platform/macosx.mk +++ b/solenv/gbuild/platform/macosx.mk @@ -122,12 +122,6 @@ $(if $(filter Executable,$(1)),\ $$(call gb_Library_get_layer,$(2))) endef -# We sign executables right after linking below. But not dylibs, -# because many of them are built by ad-hoc or 3rd-party mechanisms. So -# as we would need to sign those separately anyway, we do it for the -# gbuild-built ones, too, after an app bundle has been constructed, in -# the solenv/bin/macosx-codesign-app-bundle script. - define gb_LinkTarget__command_dynamiclink $(call gb_Helper_abbreviate_dirs,\ $(if $(CXXOBJECTS)$(OBJCXXOBJECTS)$(GENCXXOBJECTS)$(EXTRAOBJECTLISTS),$(gb_CXX),$(gb_CC)) \ @@ -154,9 +148,6 @@ $(call gb_Helper_abbreviate_dirs,\ $(PERL) $(SRCDIR)/solenv/bin/macosx-change-install-names.pl app $(LAYER) $(1) &&) \ $(if $(filter Library Bundle CppunitTest,$(TARGETTYPE)),\ $(PERL) $(SRCDIR)/solenv/bin/macosx-change-install-names.pl shl $(LAYER) $(1) &&) \ - $(if $(MACOSX_CODESIGNING_IDENTITY), \ - $(if $(filter Executable,$(TARGETTYPE)), \ - (codesign --identifier=$(MACOSX_BUNDLE_IDENTIFIER).$(notdir $(1)) --sign $(MACOSX_CODESIGNING_IDENTITY) --force $(1) || true) &&)) \ $(if $(filter Library,$(TARGETTYPE)),\ otool -l $(1) | grep -A 5 LC_ID_DYLIB \ > $(WORKDIR)/LinkTarget/$(2).exports.tmp && \ |