solenv/bin/macosx-codesign-app-bundle


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130

#!/usr/bin/env bash

# Use of unset variable is an error
set -u
# If any part of a pipeline of commands fails, the whole pipeline fails
set -o pipefail

# Script to sign executables, dylibs and frameworks in an app bundle plus the bundle itself. Called
# from installer::simplepackage::create_package() in solenv/bin/modules/installer/simplepackage.pm
# and the test-install target in Makefile.in.

test `uname` = Darwin || { echo This is for macOS only; exit 1; }

test $# = 1 || { echo Usage: $0 app-bundle; exit 1; }

for V in \
    BUILDDIR \
    MACOSX_BUNDLE_IDENTIFIER \
    MACOSX_CODESIGNING_IDENTITY; do
    if test -z "$(eval echo '$'$V)"; then
       echo No '$'$V "environment variable! This should be run in a build only"
       exit 1
    fi
done

APP_BUNDLE="$1"
entitlements=
if test -n "$ENABLE_MACOSX_SANDBOX"; then
    # In a sandboxed build executables need the entitlements
    entitlements="--entitlements $BUILDDIR/lo.xcent"
    # All data files are in Resources and included in the app bundle signature
    # through that. I think.
    other_files=''
else
    # We then want to sign data files, too, hmm.
    entitlements="--entitlements $BUILDDIR/hardened_runtime.xcent"
    other_files="\
 -or -name '*.fodt' -or -name 'schema.strings' -or -name 'schema.xml' \
 -or -name '*.jar' -or -name 'LICENSE' -or -name 'LICENSE.html' \
 -or -name '*.applescript' -or -name '*.odt'"
fi

# Sign jnilibs first as workaround for signing issue on old baseline
# order matters/screws things up otherwise
find -d "$APP_BUNDLE" \( -name '*.jnilib' \) ! -type l |
    while read file; do
    id=`echo ${file#${APP_BUNDLE}/Contents/} | sed -e 's,/,.,g'`
    codesign --force --identifier=$MACOSX_BUNDLE_IDENTIFIER.$id --sign "$MACOSX_CODESIGNING_IDENTITY" "$file" || exit 1
done

# Sign dylibs
#
# The dylibs in the Python framework are called *.so. Go figure
#
# On Mavericks also would like to have data files signed...
# add some where it makes sense. Make a depth-first search to sign the contents
# of e.g. the spotlight plugin before attempting to sign the plugin itself

find "$APP_BUNDLE" \( -name '*.dylib' -or -name '*.dylib.*' -or -name '*.so' \
        $other_files \) ! -type l |
while read file; do
    id=`echo ${file#${APP_BUNDLE}/Contents/} | sed -e 's,/,.,g'`
    codesign --force --identifier=$MACOSX_BUNDLE_IDENTIFIER.$id --sign "$MACOSX_CODESIGNING_IDENTITY" "$file" || exit 1
done

# Sign included bundles. First .app ones (i.e. the Python.app inside
# the LibreOfficePython.framework. Be generic for kicks...)

find "$APP_BUNDLE"/Contents -name '*.app' -type d |
while read app; do
    # Assume the app has a XML (and not binary) Info.plist
    id=`grep -A 1 '<key>CFBundleIdentifier</key>' $app/Contents/Info.plist | tail -1 | sed -e 's,.*<string>,,' -e 's,</string>.*,,'`
    codesign --options=runtime --force --identifier=$id --sign "$MACOSX_CODESIGNING_IDENTITY" $entitlements "$app" || exit 1
done

# Then .framework ones. Again, be generic just for kicks.

find "$APP_BUNDLE" -name '*.framework' -type d |
while read framework; do
    for version in "$framework"/Versions/*; do
        if test ! -L "$version" -a -d "$version"; then
	    # Assume the framework has a XML (and not binary) Info.plist
	    id=`grep -A 1 '<key>CFBundleIdentifier</key>' $version/Resources/Info.plist | tail -1 | sed -e 's,.*<string>,,' -e 's,</string>.*,,'`
	    if test -d $version/bin; then
		# files in bin are not covered by signing the framework...
		for scriptorexecutable in $(find $version/bin/ -type f); do
		    codesign --options=runtime --force --identifier=$id --sign "$MACOSX_CODESIGNING_IDENTITY" "$scriptorexecutable" || exit 1
		done
	    fi
            codesign --force --identifier=$id --sign "$MACOSX_CODESIGNING_IDENTITY" "$version" || exit 1
	fi
    done
done

# Then mdimporters

find "$APP_BUNDLE" -name '*.mdimporter' -type d |
while read bundle; do
    codesign --force --prefix=$MACOSX_BUNDLE_IDENTIFIER. --sign "$MACOSX_CODESIGNING_IDENTITY" "$bundle" || exit 1
done

# Sign executables

find "$APP_BUNDLE/Contents/MacOS" -type f |
while read file; do
    case "$file" in
	*/soffice)
	    ;;
	*)
	    id=`echo ${file#${APP_BUNDLE}/Contents/} | sed -e 's,/,.,g'`
	    codesign --force --options=runtime --identifier=$MACOSX_BUNDLE_IDENTIFIER.$id --sign "$MACOSX_CODESIGNING_IDENTITY" $entitlements "$file" || exit 1
	    ;;
    esac
done

# Sign the app bundle as a whole which means (re-)signing the
# CFBundleExecutable from Info.plist, i.e. soffice, plus the contents
# of the Resources tree.
#
# At this stage we also attach the entitlements in the sandboxing case
#
# Also omit some files from the Bundle's seal via the resource-rules
# (bootstraprc and similar that the user might adjust and image files)
# See also https://developer.apple.com/library/mac/technotes/tn2206/

id=`echo ${PRODUCTNAME} | tr ' ' '-'`

codesign --force --options=runtime --identifier="${MACOSX_BUNDLE_IDENTIFIER}" --sign "$MACOSX_CODESIGNING_IDENTITY" $entitlements "$APP_BUNDLE" || exit 1

exit 0