solenv/bin/macosx-codesign-app-bundle

   1 #!/bin/bash
   2
   3 # Script to sign dylibs and frameworks in an app bundle plus the
   4 # bundle itself. Called from
   5 # installer::simplepackage::create_package() in
   6 # solenv/bin/modules/installer/simplepackage.pm
   7
   8 test `uname` = Darwin || { echo This is for OS X only; exit 1; }
   9
  10 test $# = 1 || { echo Usage: $0 app-bundle; exit 1; }
  11
  12 for V in \
  13     BUILDDIR \
  14     MACOSX_BUNDLE_IDENTIFIER \
  15     MACOSX_CODESIGNING_IDENTITY; do
  16     if test -z "$(eval echo '$'$V)"; then
  17        echo No '$'$V "environment variable! This should be run in a build only"
  18        exit 1
  19     fi
  20 done
  21
  22 echo "codesigning using MACSOX_CODESIGNING_IDENTITY=[${MACOSX_CODESIGNING_IDENTITY?}]"
  23
  24 APP_BUNDLE="$1"
  25
  26 # Sign dylibs
  27 #
  28 # Executables get signed right after linking, see
  29 # solenv/gbuild/platform/macosx.mk. But many of our dylibs are built
  30 # by ad-hoc or 3rd-party mechanisms, so we can't easily sign them
  31 # right after linking. So do it here.
  32 #
  33 # The dylibs in the Python framework are called *.so. Go figure
  34 #
  35 # On Mavericks also would like to have data files signed...
  36 # add some where it makes sense. Make a depth-first search to sign the contents
  37 # of e.g. the spotlight plugin before attempting to sign the plugin itself
  38
  39 find -d "$APP_BUNDLE" \( -name '*.dylib' -or -name '*.so' -or -name '*.fodt' -or -name '*.odt' \
  40         -or -name 'schema.strings' -or -name 'schema.xml' -or -name '*.mdimporter' \
  41         -or -name '*.jar' -or -name '*.jnilib' -or -name 'LICENSE' -or -name 'LICENSE.html' \
  42         -or -name '*.applescript' \) ! -type l | grep -v "LibreOfficePython\.framework" | \
  43 while read file; do
  44     id=`echo ${file#${APP_BUNDLE}/Contents/} | sed -e 's,/,.,g'`
  45     codesign --verbose --identifier=$MACOSX_BUNDLE_IDENTIFIER.$id --sign "$MACOSX_CODESIGNING_IDENTITY" "$file" || exit 1
  46 done
  47
  48 find "$APP_BUNDLE" -name '*.dylib.*' ! -type l | \
  49 while read dylib; do \
  50     id=`basename "$dylib"`; \
  51     id=`echo $id | sed -e 's/dylib.*/dylib/'`; \
  52     codesign --verbose --identifier=$MACOSX_BUNDLE_IDENTIFIER.$id --sign "$MACOSX_CODESIGNING_IDENTITY" "$dylib" || exit 1
  53 done
  54
  55 # The executables have already been signed by
  56 # gb_LinkTarget__command_dynamiclink in
  57 # solenv/gbuild/platform/macosx.mk, but sign the handful of scripts remaining
  58 # in MacOS
  59 # (<https://developer.apple.com/library/mac/technotes/tn2206/_index.html> "OS X
  60 # Code Signing In Depth" suggests we should get rid of them rather sooner than
  61 # later, but they appear to be OK for now):
  62
  63 for i in python senddoc unoinfo
  64 do
  65     if [ -f "$APP_BUNDLE/Contents/MacOS/$i" ]
  66     then
  67         codesign --verbose --identifier="$MACOSX_BUNDLE_IDENTIFIER.$i" \
  68             --sign "$MACOSX_CODESIGNING_IDENTITY" "$APP_BUNDLE/Contents/MacOS/$i" \
  69         || exit 1
  70     fi
  71 done
  72
  73 # Sign frameworks.
  74 #
  75 # Yeah, we don't bundle any other framework than our Python one, and
  76 # it has just one version, so this generic search is mostly for
  77 # completeness.
  78
  79 find "$APP_BUNDLE" -name '*.framework' -type d -print0 | \
  80 while IFS= read -r -d '' framework; do \
  81     fn=$(basename "$framework")
  82     fn=${fn%.*}
  83     for version in "$framework"/Versions/*; do \
  84         if test ! -L "$version" -a -d "$version"; then
  85             codesign --force --verbose --prefix=$MACOSX_BUNDLE_IDENTIFIER. --sign "$MACOSX_CODESIGNING_IDENTITY" "$version/$fn" || exit 1
  86             codesign --force --verbose --prefix=$MACOSX_BUNDLE_IDENTIFIER. --sign "$MACOSX_CODESIGNING_IDENTITY" "$version" || exit 1
  87         fi; \
  88     done; \
  89 done
  90
  91 # Sign the app bundle as a whole which means finally signing the
  92 # CFBundleExecutable from Info.plist, i.e. soffice (which is exempted from the
  93 # on-the-go executable signing in gb_LinkTarget__command_dynamiclink in
  94 # solenv/gbuild/platform/macosx.mk), plus the contents
  95 # of the Resources tree (which unless you used
  96 # --enable-canonical-installation-tree-structure is not much, far from
  97 # all of our non-code "resources").
  98 #
  99 # At this stage we also attach the entitlements in the sandboxing case
 100
 101 id=`echo ${MACOSX_APP_NAME} | tr ' ' '-'`
 102
 103 if test -n "$ENABLE_MACOSX_SANDBOX"; then
 104     entitlements="--entitlements $BUILDDIR/lo.xcent"
 105 fi
 106
 107 codesign --force --verbose --identifier="${MACOSX_BUNDLE_IDENTIFIER}.$id" --sign "$MACOSX_CODESIGNING_IDENTITY" $entitlements "$APP_BUNDLE" || exit 1
 108
 109 exit 0