diff options
| -rw-r--r-- | config_host.mk.in | 1 | ||||
| -rw-r--r-- | configure.ac | 9 | ||||
| -rw-r--r-- | desktop/CustomTarget_soffice.mk | 19 | ||||
| -rw-r--r-- | desktop/Module_desktop.mk | 2 | ||||
| -rw-r--r-- | lo.xcent.in | 1 | ||||
| -rwxr-xr-x | solenv/bin/macosx-codesign-app-bundle | 16 | ||||
| -rw-r--r-- | solenv/bin/modules/installer/simplepackage.pm | 5 |
7 files changed, 44 insertions, 9 deletions
diff --git a/config_host.mk.in b/config_host.mk.in index 8b809bf9141f..6a120c2098cc 100644 --- a/config_host.mk.in +++ b/config_host.mk.in @@ -760,6 +760,7 @@ export ZLIB_CFLAGS=$(gb_SPACE)@ZLIB_CFLAGS@ export ZLIB_LIBS=$(gb_SPACE)@ZLIB_LIBS@ export ZMF_CFLAGS=$(gb_SPACE)@ZMF_CFLAGS@ export ZMF_LIBS=$(gb_SPACE)@ZMF_LIBS@ +export GET_TASK_ALLOW_ENTITLEMENT=@GET_TASK_ALLOW_ENTITLEMENT@ # lang-related stuff include $(BUILDDIR)/config_$(gb_Side)_lang.mk diff --git a/configure.ac b/configure.ac index 9d70be6200b6..d281d48ba8f0 100644 --- a/configure.ac +++ b/configure.ac @@ -2852,14 +2852,13 @@ AC_MSG_CHECKING([whether build target is Release Build]) if test "$enable_release_build" = "" -o "$enable_release_build" = "no"; then AC_MSG_RESULT([no]) ENABLE_RELEASE_BUILD= - GET_TASK_ALLOW_ENTITLEMENT=' - <!-- We want to be able to debug a hardened process when not building for release --> - <key>com.apple.security.get-task-allow</key> - <true/>' + dnl Pu the value on one line as make (at least on macOS) seems to ignore + dnl the newlines and then complains about spaces. + GET_TASK_ALLOW_ENTITLEMENT='<!-- We want to be able to debug a hardened process when not building for release --><key>com.apple.security.get-task-allow</key><true/>' else AC_MSG_RESULT([yes]) ENABLE_RELEASE_BUILD=TRUE - GET_TASK_ALLOW_ENTITLEMENT='' + GET_TASK_ALLOW_ENTITLEMENT= fi AC_SUBST(ENABLE_RELEASE_BUILD) AC_SUBST(GET_TASK_ALLOW_ENTITLEMENT) diff --git a/desktop/CustomTarget_soffice.mk b/desktop/CustomTarget_soffice.mk index d56f571628fe..4df29fc3cae3 100644 --- a/desktop/CustomTarget_soffice.mk +++ b/desktop/CustomTarget_soffice.mk @@ -9,6 +9,23 @@ $(eval $(call gb_CustomTarget_CustomTarget,desktop/soffice)) +ifeq ($(OS), MACOSX) + +ifeq (,$(ENABLE_RELEASE_BUILD)) + +# Add entitlements if this is a non-release build. Just to be safe, +# this target will always be run and MACOSX_CODESIGNING_IDENTITY is +# set to empty as we don't want to sign $(INSTROOTBASE). Ignore +# failures as it appears that setting only entitlements can fail +# with certain macOS SDKs. +$(call gb_CustomTarget_get_target,desktop/soffice) : \ + $(INSTROOT)/$(LIBO_BIN_FOLDER)/soffice + -MACOSX_CODESIGNING_IDENTITY= $(SRCDIR)/solenv/bin/macosx-codesign-app-bundle $(INSTROOTBASE) + +endif + +else + $(call gb_CustomTarget_get_target,desktop/soffice) : \ $(call gb_CustomTarget_get_workdir,desktop/soffice)/soffice.sh @@ -25,4 +42,6 @@ else endif $(call gb_Trace_EndRange,$(subst $(WORKDIR)/,,$@),SED) +endif + # vim:set shiftwidth=4 tabstop=4 noexpandtab: diff --git a/desktop/Module_desktop.mk b/desktop/Module_desktop.mk index fff879c83b0c..de56f3bd139f 100644 --- a/desktop/Module_desktop.mk +++ b/desktop/Module_desktop.mk @@ -46,7 +46,7 @@ $(eval $(call gb_Module_add_targets,desktop,\ Pagein_impress \ Pagein_writer \ ) \ - $(if $(filter-out MACOSX WNT,$(OS)),CustomTarget_soffice) \ + $(if $(filter-out WNT,$(OS)),CustomTarget_soffice) \ )) ifeq ($(USING_X11),TRUE) diff --git a/lo.xcent.in b/lo.xcent.in index 4b7303876e6b..09a8df9b6fb5 100644 --- a/lo.xcent.in +++ b/lo.xcent.in @@ -23,5 +23,6 @@ <true/> @SDREMOTE_ENTITLEMENT@ @MACOSX_PROVISIONING_INFO@ +@GET_TASK_ALLOW_ENTITLEMENT@ </dict> </plist> diff --git a/solenv/bin/macosx-codesign-app-bundle b/solenv/bin/macosx-codesign-app-bundle index b1b17dbf7393..eceb5dd99996 100755 --- a/solenv/bin/macosx-codesign-app-bundle +++ b/solenv/bin/macosx-codesign-app-bundle @@ -15,8 +15,7 @@ test $# = 1 || { echo Usage: $0 app-bundle; exit 1; } for V in \ BUILDDIR \ - MACOSX_BUNDLE_IDENTIFIER \ - MACOSX_CODESIGNING_IDENTITY; do + MACOSX_BUNDLE_IDENTIFIER; do if test -z "$(eval echo '$'$V)"; then echo No '$'$V "environment variable! This should be run in a build only" exit 1 @@ -46,6 +45,19 @@ else -or -name '*.applescript' -or -name '*.odt'" fi +if test -z "$MACOSX_CODESIGNING_IDENTITY"; then + if test -n "$ENABLE_RELEASE_BUILD"; then + echo "This is a release build! This should be run in a non-release build only" + exit 1 + fi + + # Skip codesigning for non-release builds if there is no identity set but + # set entitlements to allow Xcode's Instruments application to connect to + # the application + codesign --force --identifier="${MACOSX_BUNDLE_IDENTIFIER}" --sign - $entitlements "$APP_BUNDLE" || exit 1 + exit 0 +fi + # Sign jnilibs first as workaround for signing issue on old baseline # order matters/screws things up otherwise find -d "$APP_BUNDLE" \( -name '*.jnilib' \) ! -type l | diff --git a/solenv/bin/modules/installer/simplepackage.pm b/solenv/bin/modules/installer/simplepackage.pm index dd29c4c9eb1b..86b3da71f440 100644 --- a/solenv/bin/modules/installer/simplepackage.pm +++ b/solenv/bin/modules/installer/simplepackage.pm @@ -409,7 +409,10 @@ sub create_package { my $subdir = "$tempdir/$packagename/$volume_name_classic_app.app/Contents/Resources"; if ( ! -d $subdir ) { installer::systemactions::create_directory($subdir); } - if ( $ENV{'MACOSX_CODESIGNING_IDENTITY'} ) + # For non-release builds where no identity is, set entitlements + # to allow Xcode's Instruments application to connect to the + # application + if ( $ENV{'MACOSX_CODESIGNING_IDENTITY'} || !$ENV{'ENABLE_RELEASE_BUILD'} ) { $systemcall = "$ENV{'SRCDIR'}/solenv/bin/macosx-codesign-app-bundle $localtempdir/$folder/$volume_name_classic_app.app"; print "... $systemcall ...\n"; |