diff options
| -rw-r--r-- | Makefile.in | 46 | ||||
| -rwxr-xr-x | solenv/bin/macosx-codesign-app-bundle | 77 | ||||
| -rw-r--r-- | solenv/bin/modules/installer/simplepackage.pm | 19 | ||||
| -rw-r--r-- | solenv/gbuild/platform/macosx.mk | 6 |
4 files changed, 85 insertions, 63 deletions
diff --git a/Makefile.in b/Makefile.in index 16f18b80ff02..eef1aecf3d62 100644 --- a/Makefile.in +++ b/Makefile.in @@ -262,10 +262,6 @@ install-strip: endif # !MACOSX -ifeq ($(ENABLE_MACOSX_SANDBOX),YES) -entitlements:=--entitlements $(BUILDDIR)/lo.xcent -endif - dev-install: build @rm -rf $(DEVINSTALLDIR) @mkdir $(DEVINSTALLDIR) @@ -275,47 +271,7 @@ else ifeq ($(DISABLE_LINKOO),TRUE) @ooinstall $(DEVINSTALLDIR)/opt ifneq ($(MACOSX_CODESIGNING_IDENTITY),) -# -# Sign dylibs -# -# Executables get signed right after linking, see -# solenv/gbuild/platform/macosx.mk. But many of our dylibs are built -# by ad-hoc or 3rd-party mechanisms, so we can't easily sign them -# right after linking. So do it here. -# -# The dylibs in the Python framework are called *.so. Go figure -# - find $(DEVINSTALLDIR)/opt/LibreOffice.app \( -name '*.dylib' -or -name '*.dylib.*' -or -name '*.so' \) ! -type l | \ - while read dylib; do \ - id=`basename "$$dylib"`; \ - case $$id in \ - *.dylib|*.so) \ - ;; \ - *.dylib.*) \ - id=`echo $$id | sed -e 's/dylib.*/dylib/'`; \ - ;; \ - esac; \ - codesign --verbose --identifier=$(MACOSX_BUNDLE_IDENTIFIER).$$id --sign $(MACOSX_CODESIGNING_IDENTITY) "$$dylib"; \ - done -# -# Sign frameworks. -# -# Yeah, we don't bundle any other framework than our Python one, and -# it has just one version, so this generic search is mostly for -# completeness. -# - for framework in `find $(DEVINSTALLDIR)/opt/LibreOffice.app -name '*.framework' -type d`; do \ - for version in $$framework/Versions/*; do \ - if test ! -L $$version -a -d $$version; then codesign --force --verbose --prefix=$(MACOSX_BUNDLE_IDENTIFIER). --sign $(MACOSX_CODESIGNING_IDENTITY) $$version; fi; \ - done; \ - done -# -# Sign the app bundle as a whole (will sign the soffice binary too) -# -# At this stage we also attach the entitlements in the sandboxing case -# - codesign --force --verbose --sign $(MACOSX_CODESIGNING_IDENTITY) $(entitlements) $(DEVINSTALLDIR)/opt/LibreOffice.app -# + @macosx-codesign-app-bundle $(DEVINSTALLDIR)/opt/LibreOffice.app endif ifneq ($(OS),MACOSX) @install-gdb-printers -L diff --git a/solenv/bin/macosx-codesign-app-bundle b/solenv/bin/macosx-codesign-app-bundle new file mode 100755 index 000000000000..cbe9fa00f356 --- /dev/null +++ b/solenv/bin/macosx-codesign-app-bundle @@ -0,0 +1,77 @@ +#!/bin/bash + +# Script to sign dylibs and frameworks in an app bundle plus the +# bundle itself. Called from +# installer::simplepackage::create_package() in +# solenv/bin/modules/installer/simplepackage.pm + +test `uname` = Darwin || { echo This is for OS X only; exit 1; } + +test $# = 1 || { echo Usage: $0 app-bundle; exit 1; } + +for V in \ + BUILDDIR \ + MACOSX_BUNDLE_IDENTIFIER \ + MACOSX_CODESIGNING_IDENTITY; do + if test -z `eval echo '$'$V`; then + echo No '$'$V "environment variable! This should be run in a build only" + exit 1 + fi +done + +APP_BUNDLE=$1 + +# Sign dylibs +# +# Executables get signed right after linking, see +# solenv/gbuild/platform/macosx.mk. But many of our dylibs are built +# by ad-hoc or 3rd-party mechanisms, so we can't easily sign them +# right after linking. So do it here. +# +# The dylibs in the Python framework are called *.so. Go figure +# +# First sign all files that can use the default identifier in the hope +# that codesign will contact the timestamp server just once for all +# mentioned on the command line. + +find $APP_BUNDLE \( -name '*.dylib' -or -name '*.so' \) ! -type l | \ +xargs codesign --verbose --prefix=$MACOSX_BUNDLE_IDENTIFIER. --sign $MACOSX_CODESIGNING_IDENTITY + +find $APP_BUNDLE -name '*.dylib.*' ! -type l | \ +while read dylib; do \ + id=`basename "$dylib"`; \ + id=`echo $id | sed -e 's/dylib.*/dylib/'`; \ + codesign --verbose --identifier=$MACOSX_BUNDLE_IDENTIFIER.$id --sign $MACOSX_CODESIGNING_IDENTITY "$dylib"; \ +done + +# The executables have already been signed by +# gb_LinkTarget__command_dynamiclink in +# solenv/gbuild/platform/macosx.mk. + +# Sign frameworks. +# +# Yeah, we don't bundle any other framework than our Python one, and +# it has just one version, so this generic search is mostly for +# completeness. + +for framework in `find $APP_BUNDLE -name '*.framework' -type d`; do \ + for version in $framework/Versions/*; do \ + if test ! -L $version -a -d $version; then codesign --verbose --prefix=$MACOSX_BUNDLE_IDENTIFIER. --sign $MACOSX_CODESIGNING_IDENTITY $version; fi; \ + done; \ +done + +# Sign the app bundle as a whole which means (re-)signing the +# CFBundleExecutable from Info.plist, i.e. soffice, plus the contents +# of the Resources tree (which unless you used +# --enable-canonical-installation-tree-structure is not much, far from +# all of our non-code "resources"). +# +# At this stage we also attach the entitlements in the sandboxing case + +if test $ENABLE_MACOSX_SANDBOX = YES; then + entitlements="--entitlements $BUILDDIR/lo.xcent" +fi + +codesign --force --verbose --sign $MACOSX_CODESIGNING_IDENTITY $entitlements $APP_BUNDLE + +exit 0 diff --git a/solenv/bin/modules/installer/simplepackage.pm b/solenv/bin/modules/installer/simplepackage.pm index 8f8cddd588d3..5f9433fd0aaa 100644 --- a/solenv/bin/modules/installer/simplepackage.pm +++ b/solenv/bin/modules/installer/simplepackage.pm @@ -404,24 +404,7 @@ sub create_package if (($volume_name_classic_app eq 'LibreOffice' || $volume_name_classic_app eq 'LibreOfficeDev') && defined($ENV{'MACOSX_CODESIGNING_IDENTITY'}) && $ENV{'MACOSX_CODESIGNING_IDENTITY'} ne "" ) { - # Sign the .app as a whole, which means (re-)signing - # the CFBundleExecutable from Info.plist, i.e. - # soffice, plus the contents of the Resources tree - # (which unless you used - # --enable-canonical-installation-tree-structure is - # not much, far from all of our non-code "resources"). - - # Don't bother yet to sign each individual .dylib. (We - # do that for "make dev-install", but not here.) - - # The executables have already been signed by - # gb_LinkTarget__command_dynamiclink in - # solenv/gbuild/platform/macosx.mk. - - $entitlements = ''; - $entitlements = "--entitlements $ENV{'BUILDDIR'}/lo.xcent" if defined($ENV{'ENABLE_MACOSX_SANDBOX'}); - - $systemcall = "codesign --sign $ENV{'MACOSX_CODESIGNING_IDENTITY'} --force $entitlements -v -v -v $localtempdir/$folder/$volume_name_classic_app.app"; + $systemcall = "$ENV{'SRCDIR'}/solenv/bin/macosx-codesign-app-bundle $localtempdir/$folder/$volume_name_classic_app.app"; print "... $systemcall ...\n"; my $returnvalue = system($systemcall); $infoline = "Systemcall: $systemcall\n"; diff --git a/solenv/gbuild/platform/macosx.mk b/solenv/gbuild/platform/macosx.mk index c03efa479d88..d5d7d48ea3a2 100644 --- a/solenv/gbuild/platform/macosx.mk +++ b/solenv/gbuild/platform/macosx.mk @@ -124,6 +124,12 @@ $(if $(filter Executable,$(1)),\ $$(call gb_Library_get_layer,$(2))) endef +# We sign executables right after linking below. But not dylibs, +# because many of them are built by ad-hoc or 3rd-party mechanisms. So +# as we would need to sign those separately anyway, we do it for the +# gbuild-built ones, too, after an app bundle has been constructed, in +# the solenv/bin/macosx-codesign-app-bundle script. + define gb_LinkTarget__command_dynamiclink $(call gb_Helper_abbreviate_dirs,\ mkdir -p $(dir $(1)) && \ |