diff options
| author | Christian Lohmaier <lohmaier+LibreOffice@googlemail.com> | 2023-11-02 10:30:34 +0100 |
|---|---|---|
| committer | Christian Lohmaier <lohmaier+LibreOffice@googlemail.com> | 2023-11-02 10:33:37 +0100 |
| commit | a2f298adf5b6aae54bd9c20a7fbfd007dd356617 (patch) | |
| tree | 64046ab3a041911ff874f5f4d5487fdbb4f11058 /solenv/bin | |
| parent | c96680125fc377e6a21e98ce14ce2359d89b02c8 (diff) | |
tdf#158038 fix opening pdf files in appstore ver (sandbox issue w/ helper tool)
https://developer.apple.com/documentation/xcode/embedding-a-helper-tool-in-a-sandboxed-app
"Adding other entitlements to the tool can cause problems. If the tool
immediately crashes with a code signing error when your app runs the
tool, check that the tool is signed with just these two entitlements:
com.apple.security.app-sandbox and com.apple.security.inherit."
This is indeed what happened..
Change-Id: Id03948c03b7d453aae4ca58719f582576e30a16f
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/158790
Tested-by: Christian Lohmaier <lohmaier+LibreOffice@googlemail.com>
Reviewed-by: Christian Lohmaier <lohmaier+LibreOffice@googlemail.com>
Diffstat (limited to 'solenv/bin')
| -rwxr-xr-x | solenv/bin/macosx-codesign-app-bundle | 6 |
1 files changed, 5 insertions, 1 deletions
diff --git a/solenv/bin/macosx-codesign-app-bundle b/solenv/bin/macosx-codesign-app-bundle index cdbf7ce964ae..695b3ae97922 100755 --- a/solenv/bin/macosx-codesign-app-bundle +++ b/solenv/bin/macosx-codesign-app-bundle @@ -24,10 +24,13 @@ done APP_BUNDLE="$1" entitlements= +entitlements_helper= application_identifier= if test -n "$ENABLE_MACOSX_SANDBOX"; then # In a sandboxed build executables need the entitlements entitlements="--entitlements $BUILDDIR/lo.xcent" + # helper utilities must be signed with only the sandbox and inherit entitlements + entitlements_helper="--entitlements $SRCDIR/sysui/desktop/macosx/sandbox_inherit.entitlements" application_identifier=`/usr/libexec/PlistBuddy -c "print com.apple.application-identifier" $BUILDDIR/lo.xcent` # remove the key from the entitlement - only use it when signing the whole bundle in the final step /usr/libexec/PlistBuddy -c "delete com.apple.application-identifier" $BUILDDIR/lo.xcent @@ -39,6 +42,7 @@ if test -n "$ENABLE_MACOSX_SANDBOX"; then else # We then want to sign data files, too, hmm. entitlements="--entitlements $BUILDDIR/hardened_runtime.xcent" + entitlements_helper=$entitlements other_files="\ -or -name '*.fodt' -or -name 'schema.strings' -or -name 'schema.xml' \ -or -name '*.jar' -or -name 'LICENSE' -or -name 'LICENSE.html' \ @@ -127,7 +131,7 @@ while read file; do ;; *) id=`echo ${file#${APP_BUNDLE}/Contents/} | sed -e 's,/,.,g'` - codesign --force --timestamp --options=runtime --identifier=$MACOSX_BUNDLE_IDENTIFIER.$id --sign "$MACOSX_CODESIGNING_IDENTITY" $entitlements "$file" || exit 1 + codesign --force --timestamp --options=runtime --identifier=$MACOSX_BUNDLE_IDENTIFIER.$id --sign "$MACOSX_CODESIGNING_IDENTITY" $entitlements_helper "$file" || exit 1 ;; esac done |