solenv/bin/macosx-codesign-app-bundle

   1 #!/bin/bash
   2
   3 # Script to sign dylibs and frameworks in an app bundle plus the
   4 # bundle itself. Called from
   5 # installer::simplepackage::create_package() in
   6 # solenv/bin/modules/installer/simplepackage.pm
   7
   8 test `uname` = Darwin || { echo This is for OS X only; exit 1; }
   9
  10 test $# = 1 || { echo Usage: $0 app-bundle; exit 1; }
  11
  12 for V in \
  13     BUILDDIR \
  14     MACOSX_BUNDLE_IDENTIFIER \
  15     MACOSX_CODESIGNING_IDENTITY; do
  16     if test -z "$(eval echo '$'$V)"; then
  17        echo No '$'$V "environment variable! This should be run in a build only"
  18        exit 1
  19     fi
  20 done
  21
  22 APP_BUNDLE=$1
  23
  24 # Sign dylibs
  25 #
  26 # Executables get signed right after linking, see
  27 # solenv/gbuild/platform/macosx.mk. But many of our dylibs are built
  28 # by ad-hoc or 3rd-party mechanisms, so we can't easily sign them
  29 # right after linking. So do it here.
  30 #
  31 # The dylibs in the Python framework are called *.so. Go figure
  32 #
  33 # First sign all files that can use the default identifier in the hope
  34 # that codesign will contact the timestamp server just once for all
  35 # mentioned on the command line.
  36
  37 find $APP_BUNDLE \( -name '*.dylib' -or -name '*.so' \) ! -type l | \
  38 xargs codesign --verbose --prefix=$MACOSX_BUNDLE_IDENTIFIER. --sign "$MACOSX_CODESIGNING_IDENTITY"
  39
  40 find $APP_BUNDLE -name '*.dylib.*' ! -type l | \
  41 while read dylib; do \
  42     id=`basename "$dylib"`; \
  43     id=`echo $id | sed -e 's/dylib.*/dylib/'`; \
  44     codesign --verbose --identifier=$MACOSX_BUNDLE_IDENTIFIER.$id --sign "$MACOSX_CODESIGNING_IDENTITY" "$dylib"; \
  45 done
  46
  47 # The executables have already been signed by
  48 # gb_LinkTarget__command_dynamiclink in
  49 # solenv/gbuild/platform/macosx.mk.
  50
  51 # Sign frameworks.
  52 #
  53 # Yeah, we don't bundle any other framework than our Python one, and
  54 # it has just one version, so this generic search is mostly for
  55 # completeness.
  56
  57 for framework in `find $APP_BUNDLE -name '*.framework' -type d`; do \
  58     for version in $framework/Versions/*; do \
  59         if test ! -L $version -a -d $version; then codesign --verbose --prefix=$MACOSX_BUNDLE_IDENTIFIER. --sign "$MACOSX_CODESIGNING_IDENTITY" $version; fi; \
  60     done; \
  61 done
  62
  63 # Sign the app bundle as a whole which means (re-)signing the
  64 # CFBundleExecutable from Info.plist, i.e. soffice, plus the contents
  65 # of the Resources tree (which unless you used
  66 # --enable-canonical-installation-tree-structure is not much, far from
  67 # all of our non-code "resources").
  68 #
  69 # At this stage we also attach the entitlements in the sandboxing case
  70
  71 if test "$ENABLE_MACOSX_SANDBOX" = "TRUE"; then
  72     entitlements="--entitlements $BUILDDIR/lo.xcent"
  73 fi
  74
  75 codesign --force --verbose --sign "$MACOSX_CODESIGNING_IDENTITY" $entitlements $APP_BUNDLE
  76
  77 exit 0