solenv/bin/macosx-codesign-app-bundle

   1 #!/usr/bin/env bash
   2
   3 # Use of unset variable is an error
   4 set -u
   5 # If any part of a pipeline of commands fails, the whole pipeline fails
   6 set -o pipefail
   7
   8 # Script to sign executables, dylibs and frameworks in an app bundle plus the bundle itself. Called
   9 # from installer::simplepackage::create_package() in solenv/bin/modules/installer/simplepackage.pm
  10 # and the test-install target in Makefile.in.
  11
  12 test `uname` = Darwin || { echo This is for macOS only; exit 1; }
  13
  14 test $# = 1 || { echo Usage: $0 app-bundle; exit 1; }
  15
  16 for V in \
  17     BUILDDIR \
  18     MACOSX_BUNDLE_IDENTIFIER; do
  19     if test -z "$(eval echo '$'$V)"; then
  20        echo No '$'$V "environment variable! This should be run in a build only"
  21        exit 1
  22     fi
  23 done
  24
  25 APP_BUNDLE="$1"
  26 entitlements=
  27 entitlements_helper=
  28 application_identifier=
  29 if test -n "$ENABLE_MACOSX_SANDBOX"; then
  30     # In a sandboxed build executables need the entitlements
  31     entitlements="--entitlements $BUILDDIR/lo.xcent"
  32     # helper utilities must be signed with only the sandbox and inherit entitlements
  33     entitlements_helper="--entitlements $SRCDIR/sysui/desktop/macosx/sandbox_inherit.entitlements"
  34     application_identifier=`/usr/libexec/PlistBuddy -c "print com.apple.application-identifier"  $BUILDDIR/lo.xcent`
  35     # remove the key from the entitlement - only use it when signing the whole bundle in the final step
  36     /usr/libexec/PlistBuddy -c "delete com.apple.application-identifier"  $BUILDDIR/lo.xcent
  37     # All data files are in Resources and included in the app bundle signature
  38     other_files=''
  39     # HACK: remove donate menu entries, need to support apple-pay and be verified
  40     # as non profit as a bare minimum to allow asking....
  41     sed -I "" -e '\#<menu:menuitem menu:id=".uno:Donation"/>#d' $APP_BUNDLE/Contents/Resources/config/soffice.cfg/modules/*/menubar/menubar.xml
  42 else
  43     # We then want to sign data files, too, hmm.
  44     entitlements="--entitlements $BUILDDIR/hardened_runtime.xcent"
  45     entitlements_helper=$entitlements
  46     other_files="\
  47  -or -name '*.fodt' -or -name 'schema.strings' -or -name 'schema.xml' \
  48  -or -name '*.jar' -or -name 'LICENSE' -or -name 'LICENSE.html' \
  49  -or -name '*.applescript' -or -name '*.odt'"
  50 fi
  51
  52 if test -z "$MACOSX_CODESIGNING_IDENTITY"; then
  53     if test -n "$ENABLE_RELEASE_BUILD"; then
  54         echo "This is a release build! This should be run in a non-release build only"
  55         exit 1
  56     fi
  57
  58     # Skip codesigning for non-release builds if there is no identity set but
  59     # set entitlements to allow Xcode's Instruments application to connect to
  60     # the application. Note: the following command fails on some Mac Intel
  61     # machines, and since this not a release build, ignore any failures.
  62     codesign --force --identifier="${MACOSX_BUNDLE_IDENTIFIER}" --sign - $entitlements "$APP_BUNDLE"
  63     exit 0
  64 fi
  65
  66 # Sign jnilibs first as workaround for signing issue on old baseline
  67 # order matters/screws things up otherwise
  68 find -d "$APP_BUNDLE" \( -name '*.jnilib' \) ! -type l |
  69     while read file; do
  70     id=`echo ${file#${APP_BUNDLE}/Contents/} | sed -e 's,/,.,g'`
  71     codesign --force --identifier=$MACOSX_BUNDLE_IDENTIFIER.$id --sign "$MACOSX_CODESIGNING_IDENTITY" "$file" || exit 1
  72 done
  73
  74 # Sign dylibs
  75 #
  76 # The dylibs in the Python framework are called *.so. Go figure
  77 #
  78 # On Mavericks also would like to have data files signed...
  79 # add some where it makes sense. Make a depth-first search to sign the contents
  80 # of e.g. the spotlight plugin before attempting to sign the plugin itself
  81
  82 find "$APP_BUNDLE" \( -name '*.dylib' -or -name '*.dylib.*' -or -name '*.so' \
  83         $other_files \) ! -type l |
  84 while read file; do
  85     id=`echo ${file#${APP_BUNDLE}/Contents/} | sed -e 's,/,.,g'`
  86     codesign --force --identifier=$MACOSX_BUNDLE_IDENTIFIER.$id --sign "$MACOSX_CODESIGNING_IDENTITY" "$file" || exit 1
  87 done
  88
  89 # Sign included bundles. First .app ones (i.e. the Python.app inside
  90 # the LibreOfficePython.framework. Be generic for kicks...)
  91
  92 find "$APP_BUNDLE"/Contents -name '*.app' -type d |
  93 while read app; do
  94     # Assume the app has a XML (and not binary) Info.plist
  95     id=`grep -A 1 '<key>CFBundleIdentifier</key>' "$app/Contents/Info.plist" | tail -1 | sed -e 's,.*<string>,,' -e 's,</string>.*,,'`
  96     codesign --timestamp --options=runtime --force --identifier=$id --sign "$MACOSX_CODESIGNING_IDENTITY" $entitlements "$app" || exit 1
  97 done
  98
  99 # Then .framework ones. Again, be generic just for kicks.
 100
 101 find "$APP_BUNDLE" -name '*.framework' -type d |
 102 while read framework; do
 103     for version in "$framework"/Versions/*; do
 104         if test ! -L "$version" -a -d "$version"; then
 105             # Assume the framework has a XML (and not binary) Info.plist
 106             id=`grep -A 1 '<key>CFBundleIdentifier</key>' $version/Resources/Info.plist | tail -1 | sed -e 's,.*<string>,,' -e 's,</string>.*,,'`
 107             if test -d $version/bin; then
 108                 # files in bin are not covered by signing the framework...
 109                 for scriptorexecutable in $(find $version/bin/ -type f); do
 110                     codesign --timestamp --options=runtime --force --identifier=$id --sign "$MACOSX_CODESIGNING_IDENTITY" "$scriptorexecutable" || exit 1
 111                 done
 112             fi
 113             codesign --force --identifier=$id --sign "$MACOSX_CODESIGNING_IDENTITY" "$version" || exit 1
 114         fi
 115     done
 116 done
 117
 118 # Then mdimporters
 119
 120 find "$APP_BUNDLE" -name '*.mdimporter' -type d |
 121 while read bundle; do
 122     codesign --force --prefix=$MACOSX_BUNDLE_IDENTIFIER. --sign "$MACOSX_CODESIGNING_IDENTITY" "$bundle" || exit 1
 123 done
 124
 125 # Sign executables
 126
 127 find "$APP_BUNDLE/Contents/MacOS" -type f |
 128 while read file; do
 129     case "$file" in
 130         */soffice)
 131             ;;
 132         *)
 133             id=`echo ${file#${APP_BUNDLE}/Contents/} | sed -e 's,/,.,g'`
 134             codesign --force --timestamp --options=runtime --identifier=$MACOSX_BUNDLE_IDENTIFIER.$id --sign "$MACOSX_CODESIGNING_IDENTITY" $entitlements_helper "$file" || exit 1
 135             ;;
 136     esac
 137 done
 138
 139 # Sign the app bundle as a whole which means (re-)signing the
 140 # CFBundleExecutable from Info.plist, i.e. soffice, plus the contents
 141 # of the Resources tree.
 142 #
 143 # See also https://developer.apple.com/library/mac/technotes/tn2206/
 144
 145 if test -n "$ENABLE_MACOSX_SANDBOX" && test -n "$application_identifier"; then
 146     # add back the application-identifier to the entitlements
 147     # testflight/beta-testing won't work if that key is used when signing the other executables
 148     /usr/libexec/PlistBuddy -c "add com.apple.application-identifier string $application_identifier"  $BUILDDIR/lo.xcent
 149 fi
 150 codesign --force --timestamp --options=runtime --identifier="${MACOSX_BUNDLE_IDENTIFIER}" --sign "$MACOSX_CODESIGNING_IDENTITY" $entitlements "$APP_BUNDLE" || exit 1
 151
 152 exit 0