diff options
| -rw-r--r-- | hardened_runtime.xcent | 15 | ||||
| -rwxr-xr-x | solenv/bin/macosx-codesign-app-bundle | 14 | ||||
| -rw-r--r-- | solenv/gbuild/platform/macosx.mk | 2 |
3 files changed, 25 insertions, 6 deletions
diff --git a/hardened_runtime.xcent b/hardened_runtime.xcent new file mode 100644 index 000000000000..72abb432afc6 --- /dev/null +++ b/hardened_runtime.xcent @@ -0,0 +1,15 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> +<plist version="1.0"> + <dict> + <!-- AppleScript support --> + <key>com.apple.security.automation.apple-events</key> + <true/> + <!-- for extension manager, "exception in synchronize" --> + <key>com.apple.security.cs.disable-executable-page-protection</key> + <true/> + <!-- allow use of third-party plugins/frameworks (aka Java) --> + <key>com.apple.security.cs.disable-library-validation</key> + <true/> + </dict> +</plist> diff --git a/solenv/bin/macosx-codesign-app-bundle b/solenv/bin/macosx-codesign-app-bundle index 85d74514585c..db2f6ffc55d2 100755 --- a/solenv/bin/macosx-codesign-app-bundle +++ b/solenv/bin/macosx-codesign-app-bundle @@ -36,7 +36,7 @@ if test -n "$ENABLE_MACOSX_SANDBOX"; then other_files='' else # We then want to sign data files, too, hmm. - entitlements='' + entitlements="--entitlements $SRCDIR/hardened_runtime.xcent" other_files="\ -or -name '*.fodt' -or -name 'schema.strings' -or -name 'schema.xml' \ -or -name '*.jar' -or -name 'LICENSE' -or -name 'LICENSE.html' \ @@ -83,7 +83,7 @@ while read app; do fn=${fn%.*} # Assume the app has a XML (and not binary) Info.plist id=`grep -A 1 '<key>CFBundleIdentifier</key>' $app/Contents/Info.plist | tail -1 | sed -e 's,.*<string>,,' -e 's,</string>.*,,'` - codesign --verbose --force --identifier=$id --sign "$MACOSX_CODESIGNING_IDENTITY" $entitlements "$app" > "/tmp/codesign_${fn}.log" 2>&1 + codesign --verbose --options=runtime --force --identifier=$id --sign "$MACOSX_CODESIGNING_IDENTITY" $entitlements "$app" > "/tmp/codesign_${fn}.log" 2>&1 if [ "$?" != "0" ] ; then exit 1 fi @@ -100,7 +100,11 @@ while read framework; do if test ! -L "$version" -a -d "$version"; then # Assume the framework has a XML (and not binary) Info.plist id=`grep -A 1 '<key>CFBundleIdentifier</key>' $version/Resources/Info.plist | tail -1 | sed -e 's,.*<string>,,' -e 's,</string>.*,,'` - codesign --verbose --force --identifier=$id --sign "$MACOSX_CODESIGNING_IDENTITY" "$version" > "/tmp/codesign_${fn}.log" 2>&1 + # files in bin are not covered by signing the framework... + for scriptorexecutable in $(find $version/bin/ -type f); do + codesign --verbose --options=runtime --force --identifier=$id --sign "$MACOSX_CODESIGNING_IDENTITY" "$scriptorexecutable" >> "/tmp/codesign_${fn}.log" 2>&1 + done + codesign --verbose --force --identifier=$id --sign "$MACOSX_CODESIGNING_IDENTITY" "$version" >> "/tmp/codesign_${fn}.log" 2>&1 if [ "$?" != "0" ] ; then exit 1 fi @@ -129,7 +133,7 @@ while read file; do ;; *) id=`echo ${file#${APP_BUNDLE}/Contents/} | sed -e 's,/,.,g'` - codesign --force --verbose --identifier=$MACOSX_BUNDLE_IDENTIFIER.$id --sign "$MACOSX_CODESIGNING_IDENTITY" $entitlements "$file" > "/tmp/codesign_${MACOSX_BUNDLE_IDENTIFIER}.${id}.log" 2>&1 + codesign --force --verbose --options=runtime --identifier=$MACOSX_BUNDLE_IDENTIFIER.$id --sign "$MACOSX_CODESIGNING_IDENTITY" $entitlements "$file" > "/tmp/codesign_${MACOSX_BUNDLE_IDENTIFIER}.${id}.log" 2>&1 if [ "$?" != "0" ] ; then exit 1 fi @@ -152,7 +156,7 @@ done id=`echo ${PRODUCTNAME} | tr ' ' '-'` -codesign --force --verbose --identifier="${MACOSX_BUNDLE_IDENTIFIER}" --sign "$MACOSX_CODESIGNING_IDENTITY" $entitlements "$APP_BUNDLE" > "/tmp/codesign_${MACOSX_BUNDLE_IDENTIFIER}.log" 2>&1 +codesign --force --verbose --options=runtime --identifier="${MACOSX_BUNDLE_IDENTIFIER}" --sign "$MACOSX_CODESIGNING_IDENTITY" $entitlements "$APP_BUNDLE" > "/tmp/codesign_${MACOSX_BUNDLE_IDENTIFIER}.log" 2>&1 if [ "$?" != "0" ] ; then exit 1 fi diff --git a/solenv/gbuild/platform/macosx.mk b/solenv/gbuild/platform/macosx.mk index b3e451bfcd74..eec2b052cb7e 100644 --- a/solenv/gbuild/platform/macosx.mk +++ b/solenv/gbuild/platform/macosx.mk @@ -132,7 +132,7 @@ $(call gb_Helper_abbreviate_dirs,\ $(if $(MACOSX_CODESIGNING_IDENTITY), \ $(if $(filter Executable,$(TARGETTYPE)), \ $(if $(filter-out $(call gb_Executable_get_target,soffice_bin),$(1)), \ - codesign --identifier=$(MACOSX_BUNDLE_IDENTIFIER).$(notdir $(1)) --sign $(MACOSX_CODESIGNING_IDENTITY) --force $(1) &&))) \ + codesign --identifier=$(MACOSX_BUNDLE_IDENTIFIER).$(notdir $(1)) --sign $(MACOSX_CODESIGNING_IDENTITY) --options=runtime --force $(1) &&))) \ $(if $(filter Library,$(TARGETTYPE)),\ otool -l $(1) | grep -A 5 LC_ID_DYLIB \ > $(WORKDIR)/LinkTarget/$(2).exports.tmp && \ |