author | Tor Lillqvist <tml@iki.fi> | 2013-02-08 01:08:42 +0200 |
---|---|---|
committer | Norbert Thiebaud <nthiebaud@gmail.com> | 2013-02-10 05:25:01 +0000 |
commit | 4db4976033e55e35eb779e0f9083981f8a2b2cbc (patch) | |
tree | f262f52fc3fadf13f624434ed27fe8ac9a94d26e | |
parent | 662f0c0d4f07927534359a17055ffaa78508c8bc (diff) |
Add support for codesigning on Mac OS X
Only sign the .app. Presumably that's enough here in the 4.0 branch.
Change-Id: I7a25c6b7bfa2047b1cb6bcb913750b1b476124f6
Reviewed-on: https://gerrit.libreoffice.org/2031
Reviewed-by: Norbert Thiebaud <nthiebaud@gmail.com>
Tested-by: Norbert Thiebaud <nthiebaud@gmail.com>
-rw-r--r-- | config_host.mk.in | 1 | ||||
-rw-r--r-- | configure.ac | 35 | ||||
-rwxr-xr-x | solenv/bin/modules/installer/simplepackage.pm | 37 |
3 files changed, 73 insertions, 0 deletions
diff --git a/config_host.mk.in b/config_host.mk.in index d7ede5a445da..7b9834dc0368 100644 --- a/config_host.mk.in +++ b/config_host.mk.in @@ -312,6 +312,7 @@ export LIBXSLT_LIBS=$(gb_SPACE)@LIBXSLT_LIBS@ export LINK_X64_BINARY=@LINK_X64_BINARY@ @x_Cygwin@ export LS=@WIN_LS@ export MANDIR=@MANDIR@ +export MACOSX_CODESIGNING_IDENTITY=@MACOSX_CODESIGNING_IDENTITY@ export MACOSX_DEPLOYMENT_TARGET=@MACOSX_DEPLOYMENT_TARGET@ export MACOSX_DEPLOYMENT_TARGET_FOR_BUILD=@MACOSX_DEPLOYMENT_TARGET_FOR_BUILD@ export MACOSX_SDK_PATH=@MACOSX_SDK_PATH@ diff --git a/configure.ac b/configure.ac index 5bdbd371dad2..e7c06f2536f9 100644 --- a/configure.ac +++ b/configure.ac @@ -1081,6 +1081,15 @@ AC_ARG_ENABLE(silent-msi, [Enable MSI with LIMITUI=1 (silent install).]), ,) +AC_ARG_ENABLE(macosx-code-signing, + AS_HELP_STRING([--enable-macosx-code-signing<=identity>], + [Sign the app bundle being stored in the disk image. The + default is to do signing if there is a suitable certificate + in your keychain, so if you don't want that, use the + corresponding --disable option. Experimental work in + progress, don't use unless you are working on this.]), +,) + AC_ARG_ENABLE(postgresql-sdbc, AS_HELP_STRING([--disable-postgresql-sdbc], [Disable the build of the PostgreSQL-SDBC driver.]) 
@@ -2822,6 +2831,31 @@ if test "$_os" = "Darwin"; then fi AC_MSG_NOTICE([MAC_OS_X_VERSION_MIN_REQUIRED=$MAC_OS_X_VERSION_MIN_REQUIRED]) AC_MSG_NOTICE([MAC_OS_X_VERSION_MAX_ALLOWED=$MAC_OS_X_VERSION_MAX_ALLOWED]) + + AC_MSG_CHECKING([whether to do code signing]) + + if test -z "$enable_macosx_code_signing" -o "$enable_macosx_code_signing" = yes; then + # By default use the first suitable certificate (?). + + # http://stackoverflow.com/questions/13196291/difference-between-mac-developer-and-3rd-party-mac-developer-application + # says that the "Mac Developer" certificate is useful just for self-testing. For distribution + # outside the Mac App Store, use the "Developer ID Application" one, and for distribution in + # the App Store, the "3rd Party Mac Developer" one. I think it works best to the the + # "Developer ID Application" one. + + identity=`security find-identity -p codesigning -v 2>/dev/null | grep 'Developer ID Application:' | awk '{print $2}' |head -1` + if test -n "$identity"; then + MACOSX_CODESIGNING_IDENTITY=$identity + pretty_name=`security find-identity -p codesigning -v | grep $MACOSX_CODESIGNING_IDENTITY | sed -e 's/^[[^"]]*"//' -e 's/"//'` + AC_MSG_RESULT([yes, using the identity $MACOSX_CODESIGNING_IDENTITY for $pretty_name]) + fi + elif test -n "$enable_macosx_code_signing"; then + MACOSX_CODESIGNING_IDENTITY=$enable_macosx_code_signing + pretty_name=`security find-identity -p codesigning -v | grep $MACOSX_CODESIGNING_IDENTITY | sed -e 's/^[[^"]]*"//' -e 's/"//'` + AC_MSG_RESULT([yes, using the identity $MACOSX_CODESIGNING_IDENTITY for $pretty_name]) + else + AC_MSG_RESULT([no]) + fi fi AC_SUBST(FRAMEWORKSHOME) AC_SUBST(MACOSX_SDK_PATH) @@ -2830,6 +2864,7 @@ AC_SUBST(MACOSX_DEPLOYMENT_TARGET) AC_SUBST(MAC_OS_X_VERSION_MIN_REQUIRED) AC_SUBST(MAC_OS_X_VERSION_MAX_ALLOWED) AC_SUBST(XCRUN) +AC_SUBST(MACOSX_CODESIGNING_IDENTITY) dnl =================================================================== dnl Windows specific tests and stuff 
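Review bot: `--disable-macosx-code-signing` does not switch signing off in the code-signing check added to configure.ac. Autoconf sets `enable_macosx_code_signing=no` for that option, which fails the first test and then satisfies `elif test -n "$enable_macosx_code_signing"`, so `MACOSX_CODESIGNING_IDENTITY` becomes the literal string `no` and is exported to the packaging step. The branch should read `elif test "$enable_macosx_code_signing" != no; then`. In the default branch the inner `if test -n "$identity"` has no `else`, so when no "Developer ID Application" certificate is found the AC_MSG_CHECKING line never gets a result; add an `else` with `AC_MSG_RESULT([no])`. Both `grep $MACOSX_CODESIGNING_IDENTITY` calls are unquoted, so an identity given by name (which contains spaces) is word-split; `grep -F "$MACOSX_CODESIGNING_IDENTITY"` keeps it as one literal pattern.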
diff --git a/solenv/bin/modules/installer/simplepackage.pm b/solenv/bin/modules/installer/simplepackage.pm index 561b0fe3f25f..26911a4d414b 100755 --- a/solenv/bin/modules/installer/simplepackage.pm +++ b/solenv/bin/modules/installer/simplepackage.pm @@ -418,6 +418,43 @@ sub create_package chdir $localfrom; } + else + { + if (defined($ENV{'MACOSX_CODESIGNING_IDENTITY'})) + { + # Just sign the .app as a whole, which means signing + # the CFBundleExecutable from Info.plist, + # i.e. soffice, plus the contents of the Resources + # treee (which is not much, far from all of our + # non-code "resources"). + + # Don't bother here in the 4.0 branch to sign each + # individual .dylib, or each additional binary. See + # master for more work plus possibly eventually + # re-organising the app bundle structure to be more + # Mac-like (the "program" symlink, eek!) and actually + # putting all non-code resources (including extension + # scripts!) into Resources so that they participate + # in the signing and their validity can be guaranteed. + + $systemcall = "codesign --sign $ENV{'MACOSX_CODESIGNING_IDENTITY'} -v -v -v $tempdir/$packagename/$volume_name_classic_app.app"; + print "... $systemcall ...\n"; + my $returnvalue = system($systemcall); + $infoline = "Systemcall: $systemcall\n"; + push( @installer::globals::logfileinfo, $infoline); + + if ($returnvalue) + { + $infoline = "ERROR: Could not execute \"$systemcall\"!\n"; + push( @installer::globals::logfileinfo, $infoline); + } + else + { + $infoline = "Success: Executed \"$systemcall\" successfully!\n"; + push( @installer::globals::logfileinfo, $infoline); + } + } + } $systemcall = "cd $localtempdir && hdiutil makehybrid -hfs -hfs-openfolder $folder $folder -hfs-volume-name \"$volume_name\" -ov -o $installdir/tmp && hdiutil convert -ov -format UDBZ $installdir/tmp.dmg -o $archive && "; if (( $ref ne "" ) && ( $$ref ne "" )) { |
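Review bot: The guard `defined($ENV{'MACOSX_CODESIGNING_IDENTITY'})` is also true for an empty string, which is probably what config_host.mk exports when configure selected no identity, so `codesign --sign` can run with no identity at all. Test for a non-empty value instead: `if (defined($ENV{'MACOSX_CODESIGNING_IDENTITY'}) && $ENV{'MACOSX_CODESIGNING_IDENTITY'} ne '')`. The command is assembled as one string and handed to the shell with the identity and the bundle path interpolated unquoted. The list form `system('codesign', '--sign', $ENV{'MACOSX_CODESIGNING_IDENTITY'}, '-v', '-v', '-v', "$tempdir/$packagename/$volume_name_classic_app.app")` avoids word splitting and shell interpretation, and `$systemcall` can be kept for the log line only. A non-zero `$returnvalue` is only logged as an ERROR and packaging continues, so a disk image with an unsigned .app can be produced without the build failing; a signing failure should abort. create_package starts and ends outside this hunk.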