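#!/bin/bash

# Script to sign dylibs and frameworks in an app bundle plus the
# bundle itself. Called from
# installer::simplepackage::create_package() in
# solenv/bin/modules/installer/simplepackage.pm
#
# Required environment (exported by the build):
#   BUILDDIR                     build directory; lo.xcent (entitlements) lives here
#   MACOSX_APP_NAME              used to derive the bundle's own signing identifier
#   MACOSX_BUNDLE_IDENTIFIER     prefix for every signing identifier
#   MACOSX_CODESIGNING_IDENTITY  identity handed to "codesign --sign"
# Optional:
#   ENABLE_MACOSX_SANDBOX        when non-empty, entitlements are attached to the bundle
#
# Every codesign failure must abort the whole script: the loops below run in
# the current shell (process substitution, not a pipeline) precisely so that
# "exit 1" inside them terminates the script instead of a throw-away subshell.
# Otherwise a dylib that failed to sign would silently end up inside a bundle
# that then gets a seemingly valid outer signature.

test "$(uname)" = Darwin || { echo "This is for OS X only" >&2; exit 1; }

test $# = 1 || { echo "Usage: $0 app-bundle" >&2; exit 1; }

for V in \
    BUILDDIR \
    MACOSX_APP_NAME \
    MACOSX_BUNDLE_IDENTIFIER \
    MACOSX_CODESIGNING_IDENTITY; do
    # ${!V} is bash indirect expansion; no eval needed.
    if test -z "${!V}"; then
        echo "No \$$V environment variable! This should be run in a build only" >&2
        exit 1
    fi
done

echo "codesigning using MACOSX_CODESIGNING_IDENTITY=[${MACOSX_CODESIGNING_IDENTITY?}]"

APP_BUNDLE="$1"

# Sign dylibs
#
# Executables get signed right after linking, see
# solenv/gbuild/platform/macosx.mk. But many of our dylibs are built
# by ad-hoc or 3rd-party mechanisms, so we can't easily sign them
# right after linking. So do it here.
#
# The dylibs in the Python framework are called *.so. Go figure
#
# On Mavericks also would like to have data files signed...
# add some where it makes sense. Make a depth-first search (-depth) to sign
# the contents of e.g. the spotlight plugin before attempting to sign the
# plugin itself. The Python framework is excluded here and handled with the
# other frameworks below. Paths are NUL-delimited and read with -r/-d '' so
# that spaces or other odd characters in a path can neither split an entry
# nor make it fall out of the loop unsigned.

while IFS= read -r -d '' file; do
    # Identifier: path relative to Contents/, with every '/' turned into '.'.
    rel=${file#"${APP_BUNDLE}"/Contents/}
    id=${rel//\//.}
    codesign --verbose --identifier="$MACOSX_BUNDLE_IDENTIFIER.$id" \
        --sign "$MACOSX_CODESIGNING_IDENTITY" "$file" || exit 1
done < <(find "$APP_BUNDLE" -depth \( -name '*.dylib' -or -name '*.so' -or -name '*.fodt' \
    -or -name 'schema.strings' -or -name 'schema.xml' -or -name '*.mdimporter' \
    -or -name '*.jar' -or -name '*.jnilib' -or -name 'LICENSE' -or -name 'LICENSE.html' \
    -or -name '*.applescript' \) ! -type l ! -path '*LibreOfficePython.framework*' -print0)

# Versioned dylibs (libfoo.dylib.N) get the unversioned name as identifier.
while IFS= read -r -d '' dylib; do
    id=${dylib##*/}
    # libfoo.dylib.3 -> libfoo.dylib; the -name pattern guarantees "dylib"
    # is present, so this matches the former sed 's/dylib.*/dylib/'.
    id=${id%%dylib*}dylib
    codesign --verbose --identifier="$MACOSX_BUNDLE_IDENTIFIER.$id" \
        --sign "$MACOSX_CODESIGNING_IDENTITY" "$dylib" || exit 1
done < <(find "$APP_BUNDLE" -name '*.dylib.*' ! -type l -print0)

# The executables have already been signed by
# gb_LinkTarget__command_dynamiclink in
# solenv/gbuild/platform/macosx.mk, but sign the handful of scripts remaining
# in MacOS # ( "OS X
# Code Signing In Depth" suggests we should get rid of them rather sooner than
# later, but they appear to be OK for now):

for i in gengal python senddoc unoinfo; do
    codesign --verbose --identifier="$MACOSX_BUNDLE_IDENTIFIER.$i" \
        --sign "$MACOSX_CODESIGNING_IDENTITY" "$APP_BUNDLE/Contents/MacOS/$i" \
        || exit 1
done

# Sign frameworks.
#
# Yeah, we don't bundle any other framework than our Python one, and
# it has just one version, so this generic search is mostly for
# completeness.

while IFS= read -r -d '' framework; do
    fn=${framework##*/}
    fn=${fn%.*}
    for version in "$framework"/Versions/*; do
        # Skip the "Current" symlink (and the literal glob if nothing matched):
        # only real version directories are signed, binary first, then the dir.
        if [[ ! -L "$version" && -d "$version" ]]; then
            codesign --force --verbose --prefix="$MACOSX_BUNDLE_IDENTIFIER." \
                --sign "$MACOSX_CODESIGNING_IDENTITY" "$version/$fn" || exit 1
            codesign --force --verbose --prefix="$MACOSX_BUNDLE_IDENTIFIER." \
                --sign "$MACOSX_CODESIGNING_IDENTITY" "$version" || exit 1
        fi
    done
done < <(find "$APP_BUNDLE" -name '*.framework' -type d -print0)

# Sign the app bundle as a whole which means finally signing the
# CFBundleExecutable from Info.plist, i.e. soffice (which is exempted from the
# on-the-go executable signing in gb_LinkTarget__command_dynamiclink in
# solenv/gbuild/platform/macosx.mk), plus the contents
# of the Resources tree (which unless you used
# --enable-canonical-installation-tree-structure is not much, far from
# all of our non-code "resources").
#
# At this stage we also attach the entitlements in the sandboxing case

# Spaces in the app name are not valid in an identifier; use '-' instead.
id=${MACOSX_APP_NAME// /-}

# Kept as an array so an empty value expands to no arguments at all and a
# BUILDDIR containing spaces stays a single argument.
entitlements=()
if test -n "$ENABLE_MACOSX_SANDBOX"; then
    entitlements=(--entitlements "$BUILDDIR/lo.xcent")
fi

codesign --force --verbose --identifier="${MACOSX_BUNDLE_IDENTIFIER}.$id" \
    --sign "$MACOSX_CODESIGNING_IDENTITY" "${entitlements[@]}" "$APP_BUNDLE" || exit 1

exit 0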