solenv/bin/macosx-codesign-app-bundle


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119

#!/bin/bash

# Script to sign executables, dylibs and frameworks in an app bundle
# plus the bundle itself. Called from
# the test-install target in Makefile.in

test `uname` = Darwin || { echo This is for OS X only; exit 1; }

test $# = 1 || { echo Usage: $0 app-bundle; exit 1; }

for V in \
    BUILDDIR \
    MACOSX_BUNDLE_IDENTIFIER \
    MACOSX_CODESIGNING_IDENTITY; do
    if test -z "$(eval echo '$'$V)"; then
       echo No '$'$V "environment variable! This should be run in a build only"
       exit 1
    fi
done

APP_BUNDLE="$1"

if test -n "$ENABLE_MACOSX_SANDBOX"; then
    # In a sandboxed build executables need the entitlements
    entitlements="--entitlements $BUILDDIR/lo.xcent"
    # We use --enable-canonical-installation-tree-structure so all
    # data files in Resources are included in the app bundle signature
    # through that. I think.
    other_files=''
else
    # We then want to sign data files, too, hmm.
    other_files="\
 -or -name '*.fodt' -or -name 'schema.strings' -or -name 'schema.xml' \
 -or -name '*.jar' -or -name 'LICENSE' -or -name 'LICENSE.html' \
 -or -name '*.applescript' -or -name '*.odt'"
fi

# Sign jnilibs first as workaround for signing issue on old baseline
# order matters/screws things up otherwise
find -d "$APP_BUNDLE" \( -name '*.jnilib' \) ! -type l |
    while read file; do
    id=`echo ${file#${APP_BUNDLE}/Contents/} | sed -e 's,/,.,g'`
    codesign --verbose --identifier=$MACOSX_BUNDLE_IDENTIFIER.$id --sign "$MACOSX_CODESIGNING_IDENTITY" "$file" || exit 1
done

# Sign dylibs
#
# The dylibs in the Python framework are called *.so. Go figure
#
# On Mavericks also would like to have data files signed...
# add some where it makes sense. Make a depth-first search to sign the contents
# of e.g. the spotlight plugin before attempting to sign the plugin itself

find "$APP_BUNDLE" \( -name '*.dylib' -or -name '*.dylib.*' -or -name '*.so' \
        $other_files \) ! -type l |
while read file; do
    id=`echo ${file#${APP_BUNDLE}/Contents/} | sed -e 's,/,.,g'`
    codesign --verbose --identifier=$MACOSX_BUNDLE_IDENTIFIER.$id --sign "$MACOSX_CODESIGNING_IDENTITY" "$file" || exit 1
done

# Sign executables

find "$APP_BUNDLE/Contents/MacOS" -type f |
while read file; do
    id=`echo ${file#${APP_BUNDLE}/Contents/} | sed -e 's,/,.,g'`
    codesign --force --verbose --identifier=$MACOSX_BUNDLE_IDENTIFIER.$id --sign "$MACOSX_CODESIGNING_IDENTITY" $entitlements "$file"
done

# Sign included bundles. First .app ones (i.e. the Python.app inside
# the LibreOfficePython.framework. Be generic for kicks...)

find "$APP_BUNDLE" -name '*.app' -type d |
while read app; do
    fn=`basename "$app"`
    fn=${fn%.*}
    # Assume the app has a XML (and not binary) Info.plist
    id=`grep -A 1 '<key>CFBundleIdentifier</key>' $app/Contents/Info.plist | tail -1 | sed -e 's,.*<string>,,' -e 's,</string>.*,,'`
    codesign --verbose --identifier=$id --sign "$MACOSX_CODESIGNING_IDENTITY" $entitlements "$app"
done

# Then .framework ones. Again, be generic just for kicks.

find "$APP_BUNDLE" -name '*.framework' -type d |
while read framework; do
    fn=`basename "$framework"`
    fn=${fn%.*}
    for version in "$framework"/Versions/*; do
        if test ! -L "$version" -a -d "$version"; then
	    # Assume the framework has a XML (and not binary) Info.plist
	    id=`grep -A 1 '<key>CFBundleIdentifier</key>' $version/Resources/Info.plist | tail -1 | sed -e 's,.*<string>,,' -e 's,</string>.*,,'`
            codesign --verbose --identifier=$id --sign "$MACOSX_CODESIGNING_IDENTITY" "$version"
        fi
    done
done

# Then mdimporters

find "$APP_BUNDLE" -name '*.mdimporter' -type d |
while read bundle; do
    codesign --verbose --prefix=$MACOSX_BUNDLE_IDENTIFIER. --sign "$MACOSX_CODESIGNING_IDENTITY" "$bundle"
done

# Sign the app bundle as a whole which means (re-)signing the
# CFBundleExecutable from Info.plist, i.e. soffice, plus the contents
# of the Resources tree (which unless you used
# --enable-canonical-installation-tree-structure is not much, far from
# all of our non-code "resources").
#
# At this stage we also attach the entitlements in the sandboxing case
#
# Also omit some files from the Bundle's seal via the resource-rules
# (bootstraprc and similar that the user might adjust and image files)
# See also https://developer.apple.com/library/mac/technotes/tn2206/

id=`echo ${PRODUCTNAME} | tr ' ' '-'`

codesign --force --verbose --identifier="${MACOSX_BUNDLE_IDENTIFIER}" --sign "$MACOSX_CODESIGNING_IDENTITY" $entitlements "$APP_BUNDLE"

exit 0