author | Christian Lohmaier <lohmaier+LibreOffice@googlemail.com> | 2019-10-28 11:58:14 +0100 |
committer | Christian Lohmaier <lohmaier+LibreOffice@googlemail.com> | 2020-02-28 19:41:36 +0100 |
commit | 1e1e2a6d8c10ecfaafb2ea28298c467e41b20228 (patch) | |
tree | 856506dc2db919519f8f16d4b16b8d1cece9d4d1 /solenv | |
parent | 2a04b3d676a1db76cc8fb19a1126648e7548dc47 (diff) |
macOS: don't sign executables early
macOS 10.14 and later (Mojave & Catalina) will treat signed executables
as "restricted binary" and in turn will block any use of
DYLD_LIBRARY_PATH settings, causing the build to fail with e.g.:
dyld: Library not loaded: @__VIA_LIBRARY_PATH__/libuno_sal.dylib.3
Referenced from: /Users/cloph/build/workdir/LinkTarget/Executable/genconv_dict
Reason: unsafe use of relative rpath @__VIA_LIBRARY_PATH__/libuno_sal.dylib.3 in /Users/cloph/build/workdir/LinkTarget/Executable/genconv_dict with restricted binary
Change-Id: Ia90d8fa6f28f9a2c10f6b46eb1796e2730550119
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/81599
Tested-by: Jenkins
Reviewed-by: Christian Lohmaier <lohmaier+LibreOffice@googlemail.com>
(cherry picked from commit 1a73975918d5057336466733f3f0964c128bfcb7)
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/89678
Diffstat (limited to 'solenv')
-rw-r--r-- | solenv/bin/modules/installer/simplepackage.pm | 34 | ||||
-rw-r--r-- | solenv/gbuild/platform/macosx.mk | 12 |
2 files changed, 35 insertions, 11 deletions
diff --git a/solenv/bin/modules/installer/simplepackage.pm b/solenv/bin/modules/installer/simplepackage.pm
index 78a09e78e5e5..b32f77d3bef6 100644
--- a/solenv/bin/modules/installer/simplepackage.pm
+++ b/solenv/bin/modules/installer/simplepackage.pm
@@ -391,7 +391,7 @@ sub create_package
 chdir $localfrom;
- if ( defined($ENV{'MACOSX_CODESIGNING_IDENTITY'}) && $ENV{'MACOSX_CODESIGNING_IDENTITY'} ne "" ) {
+ if ( $ENV{'MACOSX_CODESIGNING_IDENTITY'} ) {
 my @lp_sign = ('codesign', '--verbose', '--sign', $ENV{'MACOSX_CODESIGNING_IDENTITY'}, '--deep', $appfolder);
 if (system(@lp_sign) == 0) {
 $infoline = "Success: \"@lp_sign\" executed successfully!\n";
@@ -405,7 +405,7 @@ sub create_package
 {
 my $subdir = "$tempdir/$packagename/$volume_name_classic_app.app/Contents/Resources";
 if ( ! -d $subdir ) { installer::systemactions::create_directory($subdir); }
- if ( defined($ENV{'MACOSX_CODESIGNING_IDENTITY'}) && $ENV{'MACOSX_CODESIGNING_IDENTITY'} ne "" )
+ if ( $ENV{'MACOSX_CODESIGNING_IDENTITY'} )
 {
 $systemcall = "$ENV{'SRCDIR'}/solenv/bin/macosx-codesign-app-bundle $localtempdir/$folder/$volume_name_classic_app.app";
 print "... $systemcall ...\n";
@@ -425,7 +425,35 @@ sub create_package
 }
 }
 }
+ elsif ($volume_name_classic_app eq 'LibreOffice SDK' || $volume_name_classic_app eq 'LibreOfficeDev SDK')
+ {
+ if ( $ENV{'MACOSX_CODESIGNING_IDENTITY'} )
+ {
+ my $sdkbindir = "$localtempdir/$folder/$allvariables->{'PRODUCTNAME'}$allvariables->{'PRODUCTVERSION'}_SDK/bin";
+ opendir(my $dh, $sdkbindir);
+ foreach my $sdkbinary (readdir $dh) {
+ next unless -f "$sdkbindir/$sdkbinary";
+ $systemcall = "codesign --force --verbose --options=runtime --identifier='$ENV{MACOSX_BUNDLE_IDENTIFIER}.$sdkbinary' --sign '$ENV{MACOSX_CODESIGNING_IDENTITY}' --entitlements $ENV{SRCDIR}/hardened_runtime.xcent $sdkbindir/$sdkbinary > /tmp/codesign_losdk_$sdkbinary.log 2>&1";
+ print "... $systemcall ...\n";
+ my $returnvalue = system($systemcall);
+ $infoline = "Systemcall: $systemcall\n";
+ push( @installer::globals::logfileinfo, $infoline);
+ if ($returnvalue)
+ {
+ $infoline = "ERROR: Could not execute \"$systemcall\"!\n";
+ push( @installer::globals::logfileinfo, $infoline);
+ }
+ else
+ {
+ $infoline = "Success: Executed \"$systemcall\" successfully!\n";
+ push( @installer::globals::logfileinfo, $infoline);
+ unlink "/tmp/codesign_losdk_$sdkbinary.log";
+ }
+ }
+ closedir($dh);
+ }
+ }
 my $megabytes = 1500;
 $megabytes = 2000 if $ENV{'ENABLE_DBGUTIL'};
 $systemcall = "cd $localtempdir && hdiutil create -megabytes $megabytes -srcfolder $folder $archive -ov -fs HFS+ -volname \"$volume_name\" -format UDBZ";
@@ -695,3 +723,5 @@ sub create_simple_package
 }
 1;
+
+# vim: set shiftwidth=4 softtabstop=4 expandtab:
diff --git a/solenv/gbuild/platform/macosx.mk b/solenv/gbuild/platform/macosx.mk
index eec2b052cb7e..e7362a503395 100644
--- a/solenv/gbuild/platform/macosx.mk
+++ b/solenv/gbuild/platform/macosx.mk
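Review bot: The `opendir(my $dh, $sdkbindir);` in the new SDK branch is unchecked, so if the directory is missing or unreadable `readdir $dh` yields nothing, no SDK binary gets signed, and nothing is written to @installer::globals::logfileinfo; it should at least be `opendir(my $dh, $sdkbindir) or die "opendir $sdkbindir: $!";`. The codesign invocation is also built as a shell string with `$sdkbinary` (from readdir), the identity and the bundle identifier interpolated and only partly single-quoted, whereas the `@lp_sign` branch earlier in this same sub already uses list-form `system(@lp_sign)`, which passes every argument verbatim without a shell; the list form is the safer and consistent choice here. The `> /tmp/codesign_losdk_$sdkbinary.log` redirection writes to a predictable path in a shared directory and its content is never surfaced in the ERROR branch; with list-form `system` the `--verbose` output goes straight to the build log, and the `unlink` in the success branch can go away. create_package's body starts and ends outside this hunk.
```perl
opendir(my $dh, $sdkbindir) or die "opendir $sdkbindir: $!";
foreach my $sdkbinary (readdir $dh) {
    next unless -f "$sdkbindir/$sdkbinary";
    # List-form system(): no shell, so file names and the identity string are passed verbatim.
    my @codesign = ('codesign', '--force', '--verbose', '--options=runtime',
        "--identifier=$ENV{MACOSX_BUNDLE_IDENTIFIER}.$sdkbinary",
        '--sign', $ENV{MACOSX_CODESIGNING_IDENTITY},
        '--entitlements', "$ENV{SRCDIR}/hardened_runtime.xcent",
        "$sdkbindir/$sdkbinary");
    $systemcall = "@codesign";
    print "... $systemcall ...\n";
    my $returnvalue = system(@codesign);
    # … unchanged: logfileinfo bookkeeping for $returnvalue, minus the unlink of the /tmp log …
```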
@@ -90,11 +90,9 @@ $(if $(filter Executable,$(1)),\
 $$(call gb_Library_get_layer,$(2)))
 endef
-# We sign executables right after linking below. But not dylibs,
-# because many of them are built by ad-hoc or 3rd-party mechanisms. So
-# as we would need to sign those separately anyway, we do it for the
-# gbuild-built ones, too, after an app bundle has been constructed, in
-# the solenv/bin/macosx-codesign-app-bundle script.
+# We cannot sign executables early since Mojave/Catalina would treat them as
+# restricted binary and ignore any DYLD_LIBRARY_PATH setting - So all
+# signing is handled by the solenv/bin/macosx-codesign-app-bundle script.
 # And the soffice executable needs to be signed last in
 # macosx-codesign-app-bundle, as codesign would fail complaining that other
 # parts of the app have not yet been signed:
@@ -129,10 +127,6 @@ $(call gb_Helper_abbreviate_dirs,\
 $(PERL) $(SRCDIR)/solenv/bin/macosx-change-install-names.pl app $(LAYER) $(1) &&) \
 $(if $(filter Library Bundle CppunitTest,$(TARGETTYPE)),\
 $(PERL) $(SRCDIR)/solenv/bin/macosx-change-install-names.pl shl $(LAYER) $(1) &&) \
- $(if $(MACOSX_CODESIGNING_IDENTITY), \
- $(if $(filter Executable,$(TARGETTYPE)), \
- $(if $(filter-out $(call gb_Executable_get_target,soffice_bin),$(1)), \
- codesign --identifier=$(MACOSX_BUNDLE_IDENTIFIER).$(notdir $(1)) --sign $(MACOSX_CODESIGNING_IDENTITY) --options=runtime --force $(1) &&))) \
 $(if $(filter Library,$(TARGETTYPE)),\
 otool -l $(1) | grep -A 5 LC_ID_DYLIB \
 > $(WORKDIR)/LinkTarget/$(2).exports.tmp && \ |