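#!/bin/bash

# Use of unset variable is an error
set -u
# If any part of a pipeline of commands fails, the whole pipeline fails
set -o pipefail

# Script to sign executables, dylibs and frameworks in an app bundle plus the bundle itself. Called
# from installer::simplepackage::create_package() in solenv/bin/modules/installer/simplepackage.pm
# and the test-install target in Makefile.in.
#
# Usage:       macosx-codesign-app-bundle app-bundle
# Environment: BUILDDIR, MACOSX_BUNDLE_IDENTIFIER, MACOSX_CODESIGNING_IDENTITY (required),
#              ENABLE_MACOSX_SANDBOX (optional; non-empty selects the sandbox entitlements)
# Exit status: 0 when every signing step succeeded, 1 otherwise.
#
# Every "find | while" loop below ends in "|| exit 1". The loop body runs in a
# pipeline subshell, so an "exit 1" inside it only leaves that subshell; without
# the trailing check a failed codesign would be ignored and the script could
# still report success for an incompletely signed bundle.
#
# Kept compatible with the bash 3.2 shipped on macOS (no mapfile, and empty
# arrays are expanded with the ${arr[@]+...} form because of "set -u").

test "$(uname)" = Darwin || { echo This is for macOS only; exit 1; }

test $# = 1 || { echo "Usage: $0 app-bundle"; exit 1; }

for V in \
    BUILDDIR \
    MACOSX_BUNDLE_IDENTIFIER \
    MACOSX_CODESIGNING_IDENTITY; do
    # Indirect expansion instead of eval; ":-" keeps "set -u" from aborting
    # before the message below can be printed.
    if test -z "${!V:-}"; then
        echo "No \$$V environment variable! This should be run in a build only"
        exit 1
    fi
done

APP_BUNDLE="$1"

# Both option lists are arrays so that a BUILDDIR containing spaces stays one
# argument and the -name patterns reach find without literal quote characters.
entitlements=()
other_files=()
if test -n "${ENABLE_MACOSX_SANDBOX:-}"; then
    # In a sandboxed build executables need the entitlements
    entitlements=(--entitlements "$BUILDDIR/lo.xcent")
    # All data files are in Resources and included in the app bundle signature
    # through that. I think.
else
    # We then want to sign data files, too, hmm.
    entitlements=(--entitlements "$BUILDDIR/hardened_runtime.xcent")
    # NOTE(review): these patterns used to live in a plain string with embedded
    # single quotes; the quotes were passed to find literally, so the patterns
    # did not match these data files. As an array they now take effect.
    other_files=(
        -or -name '*.fodt' -or -name 'schema.strings' -or -name 'schema.xml'
        -or -name '*.jar' -or -name 'LICENSE' -or -name 'LICENSE.html'
        -or -name '*.applescript' -or -name '*.odt'
    )
fi

# Print the path of $1 relative to $APP_BUNDLE/Contents/ with every "/" turned
# into ".", used as the suffix of the code signing identifier.
dotted_id() {
    local rel=${1#"$APP_BUNDLE"/Contents/}
    printf '%s\n' "${rel//\//.}"
}

# Print the CFBundleIdentifier found in the XML Info.plist $1 (nothing if the
# key is absent or the plist is not in XML form).
plist_bundle_id() {
    grep -A 1 '<key>CFBundleIdentifier</key>' "$1" | tail -1 |
        sed -e 's,.*<string>,,' -e 's,</string>.*,,'
}

# Sign jnilibs first as workaround for signing issue on old baseline
# order matters/screws things up otherwise
find -d "$APP_BUNDLE" \( -name '*.jnilib' \) ! -type l -print0 |
while IFS= read -r -d '' file; do
    id=$(dotted_id "$file")
    codesign --force --identifier="$MACOSX_BUNDLE_IDENTIFIER.$id" --sign "$MACOSX_CODESIGNING_IDENTITY" "$file" || exit 1
done || exit 1

# Sign dylibs
#
# The dylibs in the Python framework are called *.so. Go figure
#
# On Mavericks also would like to have data files signed...
# add some where it makes sense. Make a depth-first search to sign the contents
# of e.g. the spotlight plugin before attempting to sign the plugin itself
# NOTE(review): unlike the jnilib pass above, this find is run without -d.

find "$APP_BUNDLE" \( -name '*.dylib' -or -name '*.dylib.*' -or -name '*.so' \
    ${other_files[@]+"${other_files[@]}"} \) ! -type l -print0 |
while IFS= read -r -d '' file; do
    id=$(dotted_id "$file")
    codesign --force --identifier="$MACOSX_BUNDLE_IDENTIFIER.$id" --sign "$MACOSX_CODESIGNING_IDENTITY" "$file" || exit 1
done || exit 1

# Sign included bundles. First .app ones (i.e. the Python.app inside
# the LibreOfficePython.framework. Be generic for kicks...)

find "$APP_BUNDLE"/Contents -name '*.app' -type d -print0 |
while IFS= read -r -d '' app; do
    # Assume the app has a XML (and not binary) Info.plist
    id=$(plist_bundle_id "$app/Contents/Info.plist")
    # Refuse to sign under an empty identifier when the plist could not be parsed.
    test -n "$id" || { echo "No CFBundleIdentifier found in $app/Contents/Info.plist" >&2; exit 1; }
    codesign --options=runtime --force --identifier="$id" --sign "$MACOSX_CODESIGNING_IDENTITY" "${entitlements[@]}" "$app" || exit 1
done || exit 1

# Then .framework ones. Again, be generic just for kicks.

find "$APP_BUNDLE" -name '*.framework' -type d -print0 |
while IFS= read -r -d '' framework; do
    for version in "$framework"/Versions/*; do
        # Only real version directories; symlinked entries are skipped.
        if test ! -L "$version" && test -d "$version"; then
            # Assume the framework has a XML (and not binary) Info.plist
            id=$(plist_bundle_id "$version/Resources/Info.plist")
            test -n "$id" || { echo "No CFBundleIdentifier found in $version/Resources/Info.plist" >&2; exit 1; }
            if test -d "$version/bin"; then
                # files in bin are not covered by signing the framework...
                find "$version/bin/" -type f -print0 |
                while IFS= read -r -d '' scriptorexecutable; do
                    codesign --options=runtime --force --identifier="$id" --sign "$MACOSX_CODESIGNING_IDENTITY" "$scriptorexecutable" || exit 1
                done || exit 1
            fi
            codesign --force --identifier="$id" --sign "$MACOSX_CODESIGNING_IDENTITY" "$version" || exit 1
        fi
    done
done || exit 1

# Then mdimporters

find "$APP_BUNDLE" -name '*.mdimporter' -type d -print0 |
while IFS= read -r -d '' bundle; do
    codesign --force --prefix="$MACOSX_BUNDLE_IDENTIFIER." --sign "$MACOSX_CODESIGNING_IDENTITY" "$bundle" || exit 1
done || exit 1

# Sign executables

find "$APP_BUNDLE/Contents/MacOS" -type f -print0 |
while IFS= read -r -d '' file; do
    case "$file" in
        */soffice)
            # Not signed here: soffice is the CFBundleExecutable and gets
            # signed together with the bundle in the final step below.
            ;;
        *)
            id=$(dotted_id "$file")
            codesign --force --options=runtime --identifier="$MACOSX_BUNDLE_IDENTIFIER.$id" --sign "$MACOSX_CODESIGNING_IDENTITY" "${entitlements[@]}" "$file" || exit 1
            ;;
    esac
done || exit 1

# Sign the app bundle as a whole which means (re-)signing the
# CFBundleExecutable from Info.plist, i.e. soffice, plus the contents
# of the Resources tree.
#
# At this stage we also attach the entitlements in the sandboxing case
#
# Also omit some files from the Bundle's seal via the resource-rules
# (bootstraprc and similar that the user might adjust and image files)
# See also https://developer.apple.com/library/mac/technotes/tn2206/

# (An id derived from $PRODUCTNAME used to be computed here but was never
# passed to codesign; it has been dropped.)

codesign --force --options=runtime --identifier="${MACOSX_BUNDLE_IDENTIFIER}" --sign "$MACOSX_CODESIGNING_IDENTITY" "${entitlements[@]}" "$APP_BUNDLE" || exit 1

exit 0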