-rw-r--r--setup_native/source/mac/CodesignRules.plist17
-rwxr-xr-xsolenv/bin/macosx-codesign-app-bundle35
-rw-r--r--solenv/bin/modules/installer/simplepackage.pm5
-rw-r--r--solenv/gbuild/platform/macosx.mk6
4 files changed, 28 insertions, 35 deletions
diff --git a/setup_native/source/mac/CodesignRules.plist b/setup_native/source/mac/CodesignRules.plist
deleted file mode 100644
index 41b2321ccf0f..000000000000
--- a/setup_native/source/mac/CodesignRules.plist
+++ /dev/null
@@ -1,17 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
-<plist version="1.0">
-<dict>
- <key>rules</key>
- <dict>
- <key>^MacOS/(bootstraprc|fundamentalrc|setuprc|sofficerc|unorc|versionrc)$</key>
- <false/>
- <key>^MacOS/pythonloader.unorc$</key>
- <false/>
- <key>^MacOS/(senddoc|python|gengal|unoinfo)$</key>
- <false/>
- <key>.*\.(png|svg|py|res|rdb)$</key>
- <false/>
- </dict>
-</dict>
-</plist>
diff --git a/solenv/bin/macosx-codesign-app-bundle b/solenv/bin/macosx-codesign-app-bundle
index d1ba433036c6..78a7e53a5465 100755
--- a/solenv/bin/macosx-codesign-app-bundle
+++ b/solenv/bin/macosx-codesign-app-bundle
@@ -42,19 +42,30 @@ find -d "$APP_BUNDLE" \( -name '*.dylib' -or -name '*.so' -or -name '*.fodt' \
-or -name '*.applescript' \) ! -type l | grep -v "LibreOfficePython\.framework" | \
while read file; do
id=`echo ${file#${APP_BUNDLE}/Contents/} | sed -e 's,/,.,g'`
- codesign --verbose --identifier=$MACOSX_BUNDLE_IDENTIFIER.$id --sign "$MACOSX_CODESIGNING_IDENTITY" "$file"
+ codesign --verbose --identifier=$MACOSX_BUNDLE_IDENTIFIER.$id --sign "$MACOSX_CODESIGNING_IDENTITY" "$file" || exit 1
done
find $APP_BUNDLE -name '*.dylib.*' ! -type l | \
while read dylib; do \
id=`basename "$dylib"`; \
id=`echo $id | sed -e 's/dylib.*/dylib/'`; \
- codesign --verbose --identifier=$MACOSX_BUNDLE_IDENTIFIER.$id --sign "$MACOSX_CODESIGNING_IDENTITY" "$dylib"; \
+ codesign --verbose --identifier=$MACOSX_BUNDLE_IDENTIFIER.$id --sign "$MACOSX_CODESIGNING_IDENTITY" "$dylib" || exit 1
done
# The executables have already been signed by
# gb_LinkTarget__command_dynamiclink in
-# solenv/gbuild/platform/macosx.mk.
+# solenv/gbuild/platform/macosx.mk, but sign the handful of scripts remaining
+# in MacOS
+# (<https://developer.apple.com/library/mac/technotes/tn2206/_index.html> "OS X
+# Code Signing In Depth" suggests we should get rid of them rather sooner than
+# later, but they appear to be OK for now):
+
+for i in gengal python senddoc unoinfo
+do
+ codesign --verbose --identifier="$MACOSX_BUNDLE_IDENTIFIER.$i" \
+ --sign "$MACOSX_CODESIGNING_IDENTITY" "$APP_BUNDLE/Contents/MacOS/$i" \
+ || exit 1
+done
# Sign frameworks.
#
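Review bot: The `|| exit 1` added to the two `codesign` calls inside the `find … | while read` loops only terminates the subshell running the right-hand side of the pipeline, not the script. A signing failure there can therefore still reach the final `exit 0` and hand over a bundle with unsigned libraries, unless `set -e` is enabled outside this hunk. Close each piped loop with `done || exit 1` so the pipeline's status reaches the main shell. The new `for i in gengal python senddoc unoinfo` loop is not piped and exits as intended.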
@@ -67,32 +78,28 @@ for framework in `find $APP_BUNDLE -name '*.framework' -type d`; do \
fn=${fn%.*}
for version in $framework/Versions/*; do \
if test ! -L $version -a -d $version; then
- codesign --force --verbose --prefix=$MACOSX_BUNDLE_IDENTIFIER. --sign "$MACOSX_CODESIGNING_IDENTITY" $version/$fn
- codesign --force --verbose --prefix=$MACOSX_BUNDLE_IDENTIFIER. --sign "$MACOSX_CODESIGNING_IDENTITY" $version
+ codesign --force --verbose --prefix=$MACOSX_BUNDLE_IDENTIFIER. --sign "$MACOSX_CODESIGNING_IDENTITY" $version/$fn || exit 1
+ codesign --force --verbose --prefix=$MACOSX_BUNDLE_IDENTIFIER. --sign "$MACOSX_CODESIGNING_IDENTITY" $version || exit 1
fi; \
done; \
done
-# Sign the app bundle as a whole which means (re-)signing the
-# CFBundleExecutable from Info.plist, i.e. soffice, plus the contents
+# Sign the app bundle as a whole which means finally signing the
+# CFBundleExecutable from Info.plist, i.e. soffice (which is exempted from the
+# on-the-go executable signing in gb_LinkTarget__command_dynamiclink in
+# solenv/gbuild/platform/macosx.mk), plus the contents
# of the Resources tree (which unless you used
# --enable-canonical-installation-tree-structure is not much, far from
# all of our non-code "resources").
#
# At this stage we also attach the entitlements in the sandboxing case
-#
-# Also omit some files from the Bunlde's seal via the resource-rules
-# (bootstraprc and similar that the user might adjust and image files)
-# See also https://developer.apple.com/library/mac/technotes/tn2206/
id=`echo ${MACOSX_APP_NAME} | tr ' ' '-'`
if test -n "$ENABLE_MACOSX_SANDBOX"; then
entitlements="--entitlements $BUILDDIR/lo.xcent"
-else
- resource_rules="--resource-rules $SRCDIR/setup_native/source/mac/CodesignRules.plist"
fi
-codesign --force --verbose --identifier="${MACOSX_BUNDLE_IDENTIFIER}.$id" $resource_rules --sign "$MACOSX_CODESIGNING_IDENTITY" $entitlements $APP_BUNDLE
+codesign --force --verbose --identifier="${MACOSX_BUNDLE_IDENTIFIER}.$id" --sign "$MACOSX_CODESIGNING_IDENTITY" $entitlements $APP_BUNDLE || exit 1
exit 0
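Review bot: The rewritten final `codesign` line still passes `$APP_BUNDLE` unquoted, and the framework lines pass `$version/$fn` and `$version` unquoted, while the script loop added earlier in this commit quotes `"$APP_BUNDLE/Contents/MacOS/$i"`. A bundle path containing a space would be split into several arguments, and with `|| exit 1` now in place that becomes a hard build failure; the `tr ' ' '-'` on `MACOSX_APP_NAME` suggests such names are possible. Suggest `$entitlements "$APP_BUNDLE" || exit 1` on the last call and `"$version/$fn"` / `"$version"` in the loop. `$entitlements` has to stay unquoted because it carries the option and its value in one variable. The framework `for` loop begins outside this hunk.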
diff --git a/solenv/bin/modules/installer/simplepackage.pm b/solenv/bin/modules/installer/simplepackage.pm
index 6d77e4143653..ae91d0c37bd1 100644
--- a/solenv/bin/modules/installer/simplepackage.pm
+++ b/solenv/bin/modules/installer/simplepackage.pm
@@ -417,11 +417,10 @@ sub create_package
}
}
- $systemcall = "cd $localtempdir && hdiutil makehybrid -hfs -hfs-openfolder $folder $folder -hfs-volume-name \"$volume_name\" -ov -o $installdir/tmp && hdiutil convert -ov -format UDBZ $installdir/tmp.dmg -o $archive && ";
+ $systemcall = "cd $localtempdir && hdiutil create -srcfolder $folder $archive -ov -fs HFS+ -volname \"$volume_name\" -format UDBZ";
if (( $ref ne "" ) && ( $$ref ne "" )) {
- $systemcall .= "hdiutil unflatten $archive && Rez -a $$ref -o $archive && hdiutil flatten $archive &&";
+ $systemcall .= " && hdiutil unflatten $archive && Rez -a $$ref -o $archive && hdiutil flatten $archive &&";
}
- $systemcall .= "rm -f $installdir/tmp.dmg";
}
else
{
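Review bot: When `$ref` is set, the string appended on the new line still ends in `&&`, and the `rm -f $installdir/tmp.dmg` that used to close the chain has been removed. The command handed to the shell in this branch therefore ends with a dangling `&&`, unless something is appended after the hunk. Drop the trailing operator: `$systemcall .= " && hdiutil unflatten $archive && Rez -a $$ref -o $archive && hdiutil flatten $archive";`. `$folder` and `$archive` are also interpolated into the command unquoted (only `$volume_name` is quoted), so a path with spaces or shell metacharacters would break the `hdiutil create` call. create_package continues outside the hunk.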
diff --git a/solenv/gbuild/platform/macosx.mk b/solenv/gbuild/platform/macosx.mk
index 6547ed425042..bc28a06270c0 100644
--- a/solenv/gbuild/platform/macosx.mk
+++ b/solenv/gbuild/platform/macosx.mk
@@ -105,6 +105,9 @@ endef
# as we would need to sign those separately anyway, we do it for the
# gbuild-built ones, too, after an app bundle has been constructed, in
# the solenv/bin/macosx-codesign-app-bundle script.
+# And the soffice executable needs to be signed last in
+# macosx-codesign-app-bundle, as codesign would fail complaining that other
+# parts of the app have not yet been signed:
define gb_LinkTarget__command_dynamiclink
$(call gb_Helper_abbreviate_dirs,\
@@ -133,7 +136,8 @@ $(call gb_Helper_abbreviate_dirs,\
$(PERL) $(SRCDIR)/solenv/bin/macosx-change-install-names.pl shl $(LAYER) $(1) &&) \
$(if $(MACOSX_CODESIGNING_IDENTITY), \
$(if $(filter Executable,$(TARGETTYPE)), \
- (codesign --identifier=$(MACOSX_BUNDLE_IDENTIFIER).$(notdir $(1)) --sign $(MACOSX_CODESIGNING_IDENTITY) --force $(1) || true) &&)) \
+ $(if $(filter-out $(call gb_Executable_get_target,soffice_bin),$(1)), \
+ codesign --identifier=$(MACOSX_BUNDLE_IDENTIFIER).$(notdir $(1)) --sign $(MACOSX_CODESIGNING_IDENTITY) --force $(1) &&))) \
$(if $(filter Library,$(TARGETTYPE)),\
otool -l $(1) | grep -A 5 LC_ID_DYLIB \
> $(WORKDIR)/LinkTarget/$(2).exports.tmp && \
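Review bot: With `|| true` removed, the `codesign` call on the new line is now fatal, yet `--sign $(MACOSX_CODESIGNING_IDENTITY)` is still expanded unquoted, whereas solenv/bin/macosx-codesign-app-bundle passes `"$MACOSX_CODESIGNING_IDENTITY"` quoted. If the identity is a certificate common name containing spaces, the recipe would presumably split it and each executable link would then fail; consider `--sign "$(MACOSX_CODESIGNING_IDENTITY)"`. A short comment next to the `filter-out` would also help, stating that the skip depends on `$(1)` being exactly the path `gb_Executable_get_target` returns for soffice_bin. The define starts and ends outside this hunk.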