solenv/bin/macosx-codesign-app-bundle

   1 #!/usr/bin/env bash
   2
   3 # Use of unset variable is an error
   4 set -u
   5 # If any part of a pipeline of commands fails, the whole pipeline fails
   6 set -o pipefail
   7
   8 # Script to sign executables, dylibs and frameworks in an app bundle plus the bundle itself. Called
   9 # from installer::simplepackage::create_package() in solenv/bin/modules/installer/simplepackage.pm
  10 # and the test-install target in Makefile.in.
  11
  12 test `uname` = Darwin || { echo This is for macOS only; exit 1; }
  13
  14 test $# = 1 || { echo Usage: $0 app-bundle; exit 1; }
  15
  16 for V in \
  17     BUILDDIR \
  18     MACOSX_BUNDLE_IDENTIFIER; do
  19     if test -z "$(eval echo '$'$V)"; then
  20        echo No '$'$V "environment variable! This should be run in a build only"
  21        exit 1
  22     fi
  23 done
  24
  25 APP_BUNDLE="$1"
  26 entitlements=
  27 entitlements_helper=
  28 application_identifier=
  29 if test -n "$ENABLE_MACOSX_SANDBOX"; then
  30     # In a sandboxed build executables need the entitlements
  31     entitlements="--entitlements $BUILDDIR/lo.xcent"
  32     # helper utilities must be signed with only the sandbox and inherit entitlements
  33     entitlements_helper="--entitlements $SRCDIR/sysui/desktop/macosx/sandbox_inherit.entitlements"
  34     application_identifier=`/usr/libexec/PlistBuddy -c "print com.apple.application-identifier"  $BUILDDIR/lo.xcent`
  35     # remove the key from the entitlement - only use it when signing the whole bundle in the final step
  36     /usr/libexec/PlistBuddy -c "delete com.apple.application-identifier"  $BUILDDIR/lo.xcent
  37     # HACK: remove donate menu entries, need to support apple-pay and be verified
  38     # as non profit as a bare minimum to allow asking....
  39     sed -I "" -e '\#<menu:menuitem menu:id=".uno:Donation"/>#d' $APP_BUNDLE/Contents/Resources/config/soffice.cfg/modules/*/menubar/menubar.xml
  40 else
  41     entitlements="--entitlements $BUILDDIR/hardened_runtime.xcent"
  42     entitlements_helper=$entitlements
  43 fi
  44
  45 if test -z "$MACOSX_CODESIGNING_IDENTITY"; then
  46     if test -n "$ENABLE_RELEASE_BUILD"; then
  47         echo "This is a release build! This should be run in a non-release build only"
  48         exit 1
  49     fi
  50
  51     # Skip codesigning for non-release builds if there is no identity set but
  52     # set entitlements to allow Xcode's Instruments application to connect to
  53     # the application. Note: the following command fails on some Mac Intel
  54     # machines, and since this not a release build, ignore any failures.
  55     # Related: tdf#159529 fix increasing failures when setting entitlements
  56     # Starting in one of the Xcode versions 15.2 or earlier, setting the
  57     # entitlements without a certificate started failing on Mac Silicon.
  58     # The hacky solution is to make a copy of the application's executable,
  59     # set the entitlements on that binary only, and then move the copied
  60     # binary back.
  61     rm -f "$APP_BUNDLE/Contents/MacOS/soffice.withentitlements"
  62     cp "$APP_BUNDLE/Contents/MacOS/soffice" "$APP_BUNDLE/Contents/MacOS/soffice.withentitlements"
  63     if codesign --force --identifier="${MACOSX_BUNDLE_IDENTIFIER}" --sign - $entitlements "$APP_BUNDLE/Contents/MacOS/soffice.withentitlements"; then
  64         mv "$APP_BUNDLE/Contents/MacOS/soffice.withentitlements" "$APP_BUNDLE/Contents/MacOS/soffice"
  65     else
  66         rm "$APP_BUNDLE/Contents/MacOS/soffice.withentitlements"
  67     fi
  68     exit 0
  69 fi
  70
  71 # Sign dylibs
  72 #
  73 # The dylibs in the Python framework are called *.so. Go figure
  74 #
  75 # Make a depth-first search to sign the contents of e.g. the spotlight plugin
  76 # before attempting to sign the plugin itself
  77
  78 find "$APP_BUNDLE" \( -name '*.dylib' -or -name '*.dylib.*' -or -name '*.so' -or -name '*.jnilib' \) ! -type l |
  79 while read file; do
  80     id=`echo ${file#${APP_BUNDLE}/Contents/} | sed -e 's,/,.,g'`
  81     codesign --force --identifier=$MACOSX_BUNDLE_IDENTIFIER.$id --sign "$MACOSX_CODESIGNING_IDENTITY" "$file" || exit 1
  82 done
  83
  84 # Sign included bundles. First .app ones (i.e. the Python.app inside
  85 # the LibreOfficePython.framework. Be generic for kicks...)
  86
  87 find "$APP_BUNDLE"/Contents -name '*.app' -type d |
  88 while read app; do
  89     # Assume the app has a XML (and not binary) Info.plist
  90     id=`grep -A 1 '<key>CFBundleIdentifier</key>' "$app/Contents/Info.plist" | tail -1 | sed -e 's,.*<string>,,' -e 's,</string>.*,,'`
  91     codesign --timestamp --options=runtime --force --identifier=$id --sign "$MACOSX_CODESIGNING_IDENTITY" $entitlements "$app" || exit 1
  92 done
  93
  94 # Then .framework ones. Again, be generic just for kicks.
  95
  96 find "$APP_BUNDLE" -name '*.framework' -type d |
  97 while read framework; do
  98     for version in "$framework"/Versions/*; do
  99         if test ! -L "$version" -a -d "$version"; then
 100             # Assume the framework has a XML (and not binary) Info.plist
 101             id=`grep -A 1 '<key>CFBundleIdentifier</key>' $version/Resources/Info.plist | tail -1 | sed -e 's,.*<string>,,' -e 's,</string>.*,,'`
 102             if test -d $version/bin; then
 103                 # files in bin are not covered by signing the framework...
 104                 for scriptorexecutable in $(find $version/bin/ -type f); do
 105                     codesign --timestamp --options=runtime --force --identifier=$id --sign "$MACOSX_CODESIGNING_IDENTITY" "$scriptorexecutable" || exit 1
 106                 done
 107             fi
 108             codesign --force --identifier=$id --sign "$MACOSX_CODESIGNING_IDENTITY" "$version" || exit 1
 109         fi
 110     done
 111 done
 112
 113 # Then mdimporters
 114
 115 find "$APP_BUNDLE" -name '*.mdimporter' -type d |
 116 while read bundle; do
 117     codesign --force --prefix=$MACOSX_BUNDLE_IDENTIFIER. --sign "$MACOSX_CODESIGNING_IDENTITY" "$bundle" || exit 1
 118 done
 119
 120 # Sign executables
 121
 122 find "$APP_BUNDLE/Contents/MacOS" -type f |
 123 while read file; do
 124     case "$file" in
 125         */soffice)
 126             ;;
 127         *)
 128             id=`echo ${file#${APP_BUNDLE}/Contents/} | sed -e 's,/,.,g'`
 129             codesign --force --timestamp --options=runtime --identifier=$MACOSX_BUNDLE_IDENTIFIER.$id --sign "$MACOSX_CODESIGNING_IDENTITY" $entitlements_helper "$file" || exit 1
 130             ;;
 131     esac
 132 done
 133
 134 # Sign the app bundle as a whole which means (re-)signing the
 135 # CFBundleExecutable from Info.plist, i.e. soffice, plus the contents
 136 # of the Resources tree.
 137 #
 138 # See also https://developer.apple.com/library/mac/technotes/tn2206/
 139
 140 if test -n "$ENABLE_MACOSX_SANDBOX" && test -n "$application_identifier"; then
 141     # add back the application-identifier to the entitlements
 142     # testflight/beta-testing won't work if that key is used when signing the other executables
 143     /usr/libexec/PlistBuddy -c "add com.apple.application-identifier string $application_identifier"  $BUILDDIR/lo.xcent
 144 fi
 145 codesign --force --timestamp --options=runtime --identifier="${MACOSX_BUNDLE_IDENTIFIER}" --sign "$MACOSX_CODESIGNING_IDENTITY" $entitlements "$APP_BUNDLE" || exit 1
 146
 147 exit 0