solenv/bin/macosx-codesign-app-bundle

   1 #!/bin/bash
   2
   3 # Exit on errors
   4 set -e
   5 # Use of unset variable is an error
   6 set -u
   7 # If any part of a pipeline of commands fails, the whole pipeline fails
   8 set -o pipefail
   9
  10 # Script to sign executables, dylibs and frameworks in an app bundle plus the bundle itself. Called
  11 # from installer::simplepackage::create_package() in solenv/bin/modules/installer/simplepackage.pm
  12 # and the test-install target in Makefile.in.
  13
  14 test `uname` = Darwin || { echo This is for macOS only; exit 1; }
  15
  16 test $# = 1 || { echo Usage: $0 app-bundle; exit 1; }
  17
  18 for V in \
  19     BUILDDIR \
  20     MACOSX_BUNDLE_IDENTIFIER \
  21     MACOSX_CODESIGNING_IDENTITY; do
  22     if test -z "$(eval echo '$'$V)"; then
  23        echo No '$'$V "environment variable! This should be run in a build only"
  24        exit 1
  25     fi
  26 done
  27
  28 APP_BUNDLE="$1"
  29 entitlements=
  30 if test -n "$ENABLE_MACOSX_SANDBOX"; then
  31     # In a sandboxed build executables need the entitlements
  32     entitlements="--entitlements $BUILDDIR/lo.xcent"
  33     # We use --enable-canonical-installation-tree-structure so all
  34     # data files in Resources are included in the app bundle signature
  35     # through that. I think.
  36     other_files=''
  37 else
  38     # We then want to sign data files, too, hmm.
  39     entitlements="--entitlements $SRCDIR/hardened_runtime.xcent"
  40     other_files="\
  41  -or -name '*.fodt' -or -name 'schema.strings' -or -name 'schema.xml' \
  42  -or -name '*.jar' -or -name 'LICENSE' -or -name 'LICENSE.html' \
  43  -or -name '*.applescript' -or -name '*.odt'"
  44 fi
  45
  46 # Sign jnilibs first as workaround for signing issue on old baseline
  47 # order matters/screws things up otherwise
  48 find -d "$APP_BUNDLE" \( -name '*.jnilib' \) ! -type l |
  49     while read file; do
  50     id=`echo ${file#${APP_BUNDLE}/Contents/} | sed -e 's,/,.,g'`
  51     codesign --verbose --force --identifier=$MACOSX_BUNDLE_IDENTIFIER.$id --sign "$MACOSX_CODESIGNING_IDENTITY" "$file" > "/tmp/codesign_$(basename "$file").log" 2>&1
  52     if [ "$?" != "0" ] ; then
  53         exit 1
  54     fi
  55     rm "/tmp/codesign_$(basename "$file").log"
  56 done
  57
  58 # Sign dylibs
  59 #
  60 # The dylibs in the Python framework are called *.so. Go figure
  61 #
  62 # On Mavericks also would like to have data files signed...
  63 # add some where it makes sense. Make a depth-first search to sign the contents
  64 # of e.g. the spotlight plugin before attempting to sign the plugin itself
  65
  66 find "$APP_BUNDLE" \( -name '*.dylib' -or -name '*.dylib.*' -or -name '*.so' \
  67         $other_files \) ! -type l |
  68 while read file; do
  69     id=`echo ${file#${APP_BUNDLE}/Contents/} | sed -e 's,/,.,g'`
  70     codesign --verbose --force --identifier=$MACOSX_BUNDLE_IDENTIFIER.$id --sign "$MACOSX_CODESIGNING_IDENTITY" "$file" > "/tmp/codesign_$(basename "$file").log" 2>&1
  71     if [ "$?" != "0" ] ; then
  72         exit 1
  73     fi
  74     rm "/tmp/codesign_$(basename "$file").log"
  75 done
  76
  77 # Sign included bundles. First .app ones (i.e. the Python.app inside
  78 # the LibreOfficePython.framework. Be generic for kicks...)
  79
  80 find "$APP_BUNDLE"/Contents -name '*.app' -type d |
  81 while read app; do
  82     fn=`basename "$app"`
  83     fn=${fn%.*}
  84     # Assume the app has a XML (and not binary) Info.plist
  85     id=`grep -A 1 '<key>CFBundleIdentifier</key>' $app/Contents/Info.plist | tail -1 | sed -e 's,.*<string>,,' -e 's,</string>.*,,'`
  86     codesign --verbose --options=runtime --force --identifier=$id --sign "$MACOSX_CODESIGNING_IDENTITY" $entitlements "$app" > "/tmp/codesign_${fn}.log" 2>&1
  87     if [ "$?" != "0" ] ; then
  88         exit 1
  89     fi
  90     rm "/tmp/codesign_${fn}.log"
  91 done
  92
  93 # Then .framework ones. Again, be generic just for kicks.
  94
  95 find "$APP_BUNDLE" -name '*.framework' -type d |
  96 while read framework; do
  97     fn=`basename "$framework"`
  98     fn=${fn%.*}
  99     for version in "$framework"/Versions/*; do
 100         if test ! -L "$version" -a -d "$version"; then
 101             # Assume the framework has a XML (and not binary) Info.plist
 102             id=`grep -A 1 '<key>CFBundleIdentifier</key>' $version/Resources/Info.plist | tail -1 | sed -e 's,.*<string>,,' -e 's,</string>.*,,'`
 103             # files in bin are not covered by signing the framework...
 104             for scriptorexecutable in $(find $version/bin/ -type f); do
 105                 codesign --verbose --options=runtime --force --identifier=$id --sign "$MACOSX_CODESIGNING_IDENTITY" "$scriptorexecutable" >> "/tmp/codesign_${fn}.log" 2>&1
 106             done
 107             codesign --verbose --force --identifier=$id --sign "$MACOSX_CODESIGNING_IDENTITY" "$version" >> "/tmp/codesign_${fn}.log" 2>&1
 108             if [ "$?" != "0" ] ; then
 109                 exit 1
 110             fi
 111             rm "/tmp/codesign_${fn}.log"
 112         fi
 113     done
 114 done
 115
 116 # Then mdimporters
 117
 118 find "$APP_BUNDLE" -name '*.mdimporter' -type d |
 119 while read bundle; do
 120     codesign --verbose --force --prefix=$MACOSX_BUNDLE_IDENTIFIER. --sign "$MACOSX_CODESIGNING_IDENTITY" "$bundle" > "/tmp/codesign_$(basename "${bundle}").log" 2>&1
 121     if [ "$?" != "0" ] ; then
 122         exit 1
 123     fi
 124     rm "/tmp/codesign_$(basename "${bundle}").log"
 125 done
 126
 127 # Sign executables
 128
 129 find "$APP_BUNDLE/Contents/MacOS" -type f |
 130 while read file; do
 131     case "$file" in
 132         */soffice)
 133             ;;
 134         *)
 135             id=`echo ${file#${APP_BUNDLE}/Contents/} | sed -e 's,/,.,g'`
 136             codesign --force --verbose --options=runtime --identifier=$MACOSX_BUNDLE_IDENTIFIER.$id --sign "$MACOSX_CODESIGNING_IDENTITY" $entitlements "$file"  > "/tmp/codesign_${MACOSX_BUNDLE_IDENTIFIER}.${id}.log" 2>&1
 137             if [ "$?" != "0" ] ; then
 138                 exit 1
 139             fi
 140             rm "/tmp/codesign_${MACOSX_BUNDLE_IDENTIFIER}.${id}.log"
 141             ;;
 142     esac
 143 done
 144
 145 # Sign the app bundle as a whole which means (re-)signing the
 146 # CFBundleExecutable from Info.plist, i.e. soffice, plus the contents
 147 # of the Resources tree (which unless you used
 148 # --enable-canonical-installation-tree-structure is not much, far from
 149 # all of our non-code "resources").
 150 #
 151 # At this stage we also attach the entitlements in the sandboxing case
 152 #
 153 # Also omit some files from the Bundle's seal via the resource-rules
 154 # (bootstraprc and similar that the user might adjust and image files)
 155 # See also https://developer.apple.com/library/mac/technotes/tn2206/
 156
 157 id=`echo ${PRODUCTNAME} | tr ' ' '-'`
 158
 159 codesign --force --verbose --options=runtime --identifier="${MACOSX_BUNDLE_IDENTIFIER}" --sign "$MACOSX_CODESIGNING_IDENTITY" $entitlements "$APP_BUNDLE" > "/tmp/codesign_${MACOSX_BUNDLE_IDENTIFIER}.log" 2>&1
 160 if [ "$?" != "0" ] ; then
 161     exit 1
 162 fi
 163 rm "/tmp/codesign_${MACOSX_BUNDLE_IDENTIFIER}.log"
 164 exit 0