-rw-r--r-- | setup_native/source/mac/CodesignRules.plist | 19 | ||||
-rwxr-xr-x | solenv/bin/macosx-codesign-app-bundle | 22 | ||||
-rw-r--r-- | solenv/bin/modules/installer/simplepackage.pm | 8 |
3 files changed, 40 insertions, 9 deletions
diff --git a/setup_native/source/mac/CodesignRules.plist b/setup_native/source/mac/CodesignRules.plist
new file mode 100644
index 000000000000..e638f9298631
--- /dev/null
+++ b/setup_native/source/mac/CodesignRules.plist
@@ -0,0 +1,19 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+ <key>rules</key>
+ <dict>
+ <key>^MacOS/(bootstraprc|fundamentalrc|setuprc|sofficerc|unorc|versionrc)$</key>
+ <false/>
+ <key>^MacOS/pythonloader.unorc$</key>
+ <false/>
+ <key>^MacOS/postgresql-sdbc.ini$</key>
+ <false/>
+ <key>^MacOS/(senddoc|python|gengal|unoinfo)$</key>
+ <false/>
+ <key>.*\.(png|svg|py|res|rdb)$</key>
+ <false/>
+ </dict>
+</dict>
+</plist>
diff --git a/solenv/bin/macosx-codesign-app-bundle b/solenv/bin/macosx-codesign-app-bundle
index 07a4996c7c80..e51c903a3199 100755
--- a/solenv/bin/macosx-codesign-app-bundle
+++ b/solenv/bin/macosx-codesign-app-bundle
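Review bot: In CodesignRules.plist the omit rules take more than user-editable settings out of the bundle seal: `^MacOS/(senddoc|python|gengal|unoinfo)$` names launchers in MacOS/, and `.*\.(png|svg|py|res|rdb)$` drops every `.py` and `.rdb` file anywhere in the bundle. Files omitted this way can be changed after signing without invalidating the signature, so Python code and (presumably) the UNO registry data would no longer be covered by it, and the rc files in the first rule look like they steer what the application loads at startup. I would narrow the list to files that really must stay editable and put an XML comment above each `<key>` giving the reason, e.g. `<!-- edited by admins after install; not sealed -->`. The dots in `pythonloader.unorc` and `postgresql-sdbc.ini` are unescaped and match any character; `pythonloader\.unorc` and `postgresql-sdbc\.ini` are what is meant.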
@@ -35,8 +35,15 @@ APP_BUNDLE="$1" # First sign all files that can use the default identifier in the hope # that codesign will contact the timestamp server just once for all # mentioned on the command line. - -find $APP_BUNDLE \( -name '*.dylib' -or -name '*.so' \) ! -type l | grep -v "LibreOfficePython\.framework" | \ +# +# On Mavericks also would like to have data files signed... +# add some where it makes sense. Make a depth-first search to sign the contents +# of e.g. the spotlight plugin before attempting to sign the plugin itself + +find -d $APP_BUNDLE \( -name '*.dylib' -or -name '*.so' -or -name '*.fodt' \ + -or -name 'schema.strings' -or -name 'schema.xml' -or -name '*.mdimporter' \ + -or -name '*.jar' -or -name '*.jnilib' -or -name 'LICENSE' -or -name 'LICENSE.html' \ + -or -name '*.applescript' \) ! -type l | grep -v "LibreOfficePython\.framework" | \ xargs codesign --verbose --prefix=$MACOSX_BUNDLE_IDENTIFIER. --sign "$MACOSX_CODESIGNING_IDENTITY" find $APP_BUNDLE -name '*.dylib.*' ! -type l | \ @@ -60,7 +67,10 @@ for framework in `find $APP_BUNDLE -name '*.framework' -type d`; do \ fn="$(basename $framework)" fn=${fn%.*} for version in $framework/Versions/*; do \ - if test ! -L $version -a -d $version; then codesign --force --verbose --prefix=$MACOSX_BUNDLE_IDENTIFIER. --sign "$MACOSX_CODESIGNING_IDENTITY" $version/$fn; fi; \ + if test ! -L $version -a -d $version; then + codesign --force --verbose --prefix=$MACOSX_BUNDLE_IDENTIFIER. --sign "$MACOSX_CODESIGNING_IDENTITY" $version/$fn + codesign --force --verbose --prefix=$MACOSX_BUNDLE_IDENTIFIER. --sign "$MACOSX_CODESIGNING_IDENTITY" $version + fi; \ done; \ done 
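Review bot: The widened `find -d $APP_BUNDLE … | grep -v … | xargs codesign` pipeline still hands paths to `xargs` as whitespace-separated words and leaves `$APP_BUNDLE` unquoted, so any matched path containing a space is split and the file is not signed under its real name. With data files, `.jar`s and `.mdimporter` bundles now in the list, that is more likely than it was for `.dylib`/`.so` alone. Quoting the bundle path and replacing the `grep -v` with a find test keeps names intact: `find -d "$APP_BUNDLE" \( … \) ! -type l ! -path '*LibreOfficePython.framework*' -print0 | xargs -0 codesign …`.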
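Review bot: Neither `codesign` call added inside the `for version` loop has its exit status checked, and the script's last visible line is `exit 0`, so unless `set -e` is in effect above these hunks a failure on `$version/$fn` or `$version` still reports success and leaves a partly signed framework. Appending `|| exit 1` to each call stops the build instead; the same applies to the `xargs codesign` pipeline in the first hunk and the bundle-level `codesign` in the last hunk of this file. `$version/$fn` and `$version` should also be double-quoted. The enclosing `for framework` loop begins outside the hunk.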
@@ -71,11 +81,15 @@ done # all of our non-code "resources"). # # At this stage we also attach the entitlements in the sandboxing case +# +# Also omit some files from the Bunlde's seal via the resource-rules +# (bootstraprc and similar that the user might adjust and image files) +# See also https://developer.apple.com/library/mac/technotes/tn2206/ if test "$ENABLE_MACOSX_SANDBOX" = "TRUE"; then entitlements="--entitlements $BUILDDIR/lo.xcent" fi -codesign --force --verbose --identifier="${MACOSX_BUNDLE_IDENTIFIER}.$(basename ${APP_BUNDLE})" --sign "$MACOSX_CODESIGNING_IDENTITY" $entitlements $APP_BUNDLE +codesign --force --verbose --identifier="${MACOSX_BUNDLE_IDENTIFIER}.$(basename ${APP_BUNDLE})" --resource-rules "$SRCDIR/setup_native/source/mac/CodesignRules.plist" --sign "$MACOSX_CODESIGNING_IDENTITY" $entitlements $APP_BUNDLE exit 0 diff --git a/solenv/bin/modules/installer/simplepackage.pm b/solenv/bin/modules/installer/simplepackage.pm index 2281a8d505e7..9c61d66d4cd3 100644 --- a/solenv/bin/modules/installer/simplepackage.pm +++ b/solenv/bin/modules/installer/simplepackage.pm @@ -433,11 +433,9 @@ sub create_package } } - $systemcall = "cd $localtempdir && hdiutil makehybrid -hfs -hfs-openfolder $folder $folder -hfs-volume-name \"$volume_name\" -ov -o $installdir/tmp && hdiutil convert -ov -format UDBZ $installdir/tmp.dmg -o $archive && "; - if (( $ref ne "" ) && ( $$ref ne "" )) { - $systemcall .= "hdiutil unflatten $archive && Rez -a $$ref -o $archive && hdiutil flatten $archive &&"; - } - $systemcall .= "rm -f $installdir/tmp.dmg"; + # makehybrid doesn't preserve extended attributes (needed when codesigning data files like .jar) + # unfortunately this method is slower than makehybrid followed by convert + $systemcall = "cd $localtempdir && hdiutil create -srcfolder $folder -volname \"$volume_name\" -ov -format UDBZ $archive"; } else { |
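Review bot: `--resource-rules` on the final `codesign` call is the option that Apple's TN2206 (the technote linked in the added comment) describes as obsolete from Mavericks on; as far as I know, later OS X releases reject signatures that carry custom omit rules at Gatekeeper assessment. It is worth confirming with `codesign --verify --deep --verbose "$APP_BUNDLE"` and `spctl --assess` on the newest target system before relying on it. The added comment also has a typo, `Bunlde's` should read `Bundle's`, and it could state which files are left unsealed and why.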
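Review bot: The new `$systemcall` string in simplepackage.pm interpolates `$localtempdir`, `$folder` and `$archive` unquoted, and `$volume_name` only inside double quotes, so if the string is later run through a shell (the call is outside this hunk) spaces or metacharacters in any of them change the command. Quoting each path in the string, or a `chdir` followed by list-form `system('hdiutil', 'create', '-srcfolder', $folder, …)`, avoids that. The hunk also drops the `hdiutil unflatten` / `Rez -a $$ref` / `hdiutil flatten` step without saying so; a line such as `# NOTE: the resource in $$ref is no longer attached to the image` would record whether that is intended. `create_package` starts and ends outside the hunk.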