#!/bin/bash # Exit on errors set -e # Use of unset variable is an error set -u # If any part of a pipeline of commands fails, the whole pipeline fails set -o pipefail # Script to sign executables, dylibs and frameworks in an app bundle plus the bundle itself. Called # from installer::simplepackage::create_package() in solenv/bin/modules/installer/simplepackage.pm # and the test-install target in Makefile.in. test `uname` = Darwin || { echo This is for macOS only; exit 1; } test $# = 1 || { echo Usage: $0 app-bundle; exit 1; } for V in \ BUILDDIR \ MACOSX_BUNDLE_IDENTIFIER \ MACOSX_CODESIGNING_IDENTITY; do if test -z "$(eval echo '$'$V)"; then echo No '$'$V "environment variable! This should be run in a build only" exit 1 fi done APP_BUNDLE="$1" entitlements= if test -n "$ENABLE_MACOSX_SANDBOX"; then # In a sandboxed build executables need the entitlements entitlements="--entitlements $BUILDDIR/lo.xcent" # All data files are in Resources and included in the app bundle signature # through that. I think. other_files='' else # We then want to sign data files, too, hmm. entitlements="--entitlements $BUILDDIR/hardened_runtime.xcent" other_files="\ -or -name '*.fodt' -or -name 'schema.strings' -or -name 'schema.xml' \ -or -name '*.jar' -or -name 'LICENSE' -or -name 'LICENSE.html' \ -or -name '*.applescript' -or -name '*.odt'" fi # Sign jnilibs first as workaround for signing issue on old baseline # order matters/screws things up otherwise find -d "$APP_BUNDLE" \( -name '*.jnilib' \) ! -type l | while read file; do id=`echo ${file#${APP_BUNDLE}/Contents/} | sed -e 's,/,.,g'` codesign --verbose --force --identifier=$MACOSX_BUNDLE_IDENTIFIER.$id --sign "$MACOSX_CODESIGNING_IDENTITY" "$file" > "/tmp/codesign_$(basename "$file").log" 2>&1 if [ "$?" != "0" ] ; then exit 1 fi rm "/tmp/codesign_$(basename "$file").log" done # Sign dylibs # # The dylibs in the Python framework are called *.so. Go figure # # On Mavericks also would like to have data files signed... # add some where it makes sense. Make a depth-first search to sign the contents # of e.g. the spotlight plugin before attempting to sign the plugin itself find "$APP_BUNDLE" \( -name '*.dylib' -or -name '*.dylib.*' -or -name '*.so' \ $other_files \) ! -type l | while read file; do id=`echo ${file#${APP_BUNDLE}/Contents/} | sed -e 's,/,.,g'` codesign --verbose --force --identifier=$MACOSX_BUNDLE_IDENTIFIER.$id --sign "$MACOSX_CODESIGNING_IDENTITY" "$file" > "/tmp/codesign_$(basename "$file").log" 2>&1 if [ "$?" != "0" ] ; then exit 1 fi rm "/tmp/codesign_$(basename "$file").log" done # Sign included bundles. First .app ones (i.e. the Python.app inside # the LibreOfficePython.framework. Be generic for kicks...) find "$APP_BUNDLE"/Contents -name '*.app' -type d | while read app; do fn=`basename "$app"` fn=${fn%.*} # Assume the app has a XML (and not binary) Info.plist id=`grep -A 1 'CFBundleIdentifier' $app/Contents/Info.plist | tail -1 | sed -e 's,.*,,' -e 's,.*,,'` codesign --verbose --options=runtime --force --identifier=$id --sign "$MACOSX_CODESIGNING_IDENTITY" $entitlements "$app" > "/tmp/codesign_${fn}.log" 2>&1 if [ "$?" != "0" ] ; then exit 1 fi rm "/tmp/codesign_${fn}.log" done # Then .framework ones. Again, be generic just for kicks. find "$APP_BUNDLE" -name '*.framework' -type d | while read framework; do fn=`basename "$framework"` fn=${fn%.*} for version in "$framework"/Versions/*; do if test ! -L "$version" -a -d "$version"; then # Assume the framework has a XML (and not binary) Info.plist id=`grep -A 1 'CFBundleIdentifier' $version/Resources/Info.plist | tail -1 | sed -e 's,.*,,' -e 's,.*,,'` if test -d $version/bin; then # files in bin are not covered by signing the framework... for scriptorexecutable in $(find $version/bin/ -type f); do codesign --verbose --options=runtime --force --identifier=$id --sign "$MACOSX_CODESIGNING_IDENTITY" "$scriptorexecutable" >> "/tmp/codesign_${fn}.log" 2>&1 done fi codesign --verbose --force --identifier=$id --sign "$MACOSX_CODESIGNING_IDENTITY" "$version" >> "/tmp/codesign_${fn}.log" 2>&1 if [ "$?" != "0" ] ; then exit 1 fi rm "/tmp/codesign_${fn}.log" fi done done # Then mdimporters find "$APP_BUNDLE" -name '*.mdimporter' -type d | while read bundle; do codesign --verbose --force --prefix=$MACOSX_BUNDLE_IDENTIFIER. --sign "$MACOSX_CODESIGNING_IDENTITY" "$bundle" > "/tmp/codesign_$(basename "${bundle}").log" 2>&1 if [ "$?" != "0" ] ; then exit 1 fi rm "/tmp/codesign_$(basename "${bundle}").log" done # Sign executables find "$APP_BUNDLE/Contents/MacOS" -type f | while read file; do case "$file" in */soffice) ;; *) id=`echo ${file#${APP_BUNDLE}/Contents/} | sed -e 's,/,.,g'` codesign --force --verbose --options=runtime --identifier=$MACOSX_BUNDLE_IDENTIFIER.$id --sign "$MACOSX_CODESIGNING_IDENTITY" $entitlements "$file" > "/tmp/codesign_${MACOSX_BUNDLE_IDENTIFIER}.${id}.log" 2>&1 if [ "$?" != "0" ] ; then exit 1 fi rm "/tmp/codesign_${MACOSX_BUNDLE_IDENTIFIER}.${id}.log" ;; esac done # Sign the app bundle as a whole which means (re-)signing the # CFBundleExecutable from Info.plist, i.e. soffice, plus the contents # of the Resources tree. # # At this stage we also attach the entitlements in the sandboxing case # # Also omit some files from the Bundle's seal via the resource-rules # (bootstraprc and similar that the user might adjust and image files) # See also https://developer.apple.com/library/mac/technotes/tn2206/ id=`echo ${PRODUCTNAME} | tr ' ' '-'` codesign --force --verbose --options=runtime --identifier="${MACOSX_BUNDLE_IDENTIFIER}" --sign "$MACOSX_CODESIGNING_IDENTITY" $entitlements "$APP_BUNDLE" > "/tmp/codesign_${MACOSX_BUNDLE_IDENTIFIER}.log" 2>&1 if [ "$?" != "0" ] ; then exit 1 fi rm "/tmp/codesign_${MACOSX_BUNDLE_IDENTIFIER}.log" exit 0