path: root/solenv/bin/macosx-codesign-app-bundle
blob: afd3e682976543a2caac4cf991e26432341cdbdb (plain)
#!/bin/bash

# Script to sign dylibs and frameworks in an app bundle plus the
# bundle itself. Called from
# installer::simplepackage::create_package() in
# solenv/bin/modules/installer/simplepackage.pm

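# Preconditions: the script is meant for OS X only and takes exactly one
# argument, the app bundle to sign. The expansions are quoted so that a
# script path containing spaces or glob characters is printed intact.
test "$(uname)" = Darwin || { echo This is for OS X only; exit 1; }

test $# = 1 || { echo "Usage: $0 app-bundle"; exit 1; }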

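# Refuse to run unless every variable used to build the codesign invocations
# below is set and non-empty.
for V in \
    BUILDDIR \
    MACOSX_BUNDLE_IDENTIFIER \
    MACOSX_CODESIGNING_IDENTITY; do
    # ${!V} reads the variable named by $V directly. Unlike "eval echo", the
    # value is never word-split, globbed, or mistaken for an echo option
    # (a value such as "-n" would otherwise look empty).
    if [[ -z "${!V}" ]]; then
       echo "No \$$V environment variable! This should be run in a build only"
       exit 1
    fi
done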

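# Record in the build log which identity the bundle is signed with.
# ${VAR?} makes the shell abort here if the variable is unset.
echo "codesigning using MACOSX_CODESIGNING_IDENTITY=[${MACOSX_CODESIGNING_IDENTITY?}]"

# The single positional argument is the path of the app bundle to sign.
APP_BUNDLE="$1"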

# Sign dylibs
#
# Executables get signed right after linking, see
# solenv/gbuild/platform/macosx.mk. But many of our dylibs are built
# by ad-hoc or 3rd-party mechanisms, so we can't easily sign them
# right after linking. So do it here.
#
# The dylibs in the Python framework are called *.so. Go figure
#
# On Mavericks we would also like to have data files signed, so
# add some where it makes sense. Search depth-first so that the contents
# of e.g. the Spotlight plugin are signed before the plugin itself.

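# List the nested files to sign. -d makes find emit a directory's contents
# before the directory itself; symlinks are skipped, and paths containing
# LibreOfficePython.framework are filtered out of this pass.
find -d "$APP_BUNDLE" \( -name '*.dylib' -or -name '*.so' -or -name '*.fodt' -or -name '*.odt' \
        -or -name 'schema.strings' -or -name 'schema.xml' -or -name '*.mdimporter' \
        -or -name '*.jar' -or -name '*.jnilib' -or -name 'LICENSE' -or -name 'LICENSE.html' \
        -or -name '*.applescript' \) ! -type l | grep -v "LibreOfficePython\.framework" | \
while IFS= read -r file; do
    # Identifier suffix: the path below Contents/ with every '/' replaced by
    # '.'. The prefix is quoted so APP_BUNDLE is matched literally rather than
    # as a glob pattern.
    id=${file#"${APP_BUNDLE}"/Contents/}
    id=${id//\//.}
    # The identifier is quoted so a path containing whitespace cannot split
    # into extra codesign arguments.
    codesign --verbose --identifier="$MACOSX_BUNDLE_IDENTIFIER.$id" --sign "$MACOSX_CODESIGNING_IDENTITY" "$file" || exit 1
# The loop is the last stage of a pipeline and runs in a subshell, so the
# inner "exit 1" only leaves that subshell. Propagate the failure here so a
# partially signed bundle is never treated as a success.
done || exit 1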

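# Versioned dylibs (name.dylib.<suffix>) are signed under the identifier of
# the unversioned name; symlinks are skipped.
find "$APP_BUNDLE" -name '*.dylib.*' ! -type l | \
while IFS= read -r dylib; do
    id=${dylib##*/}
    # Cut everything after the first "dylib" so that the version suffix does
    # not end up in the identifier.
    id=$(printf '%s\n' "$id" | sed -e 's/dylib.*/dylib/')
    codesign --verbose --identifier="$MACOSX_BUNDLE_IDENTIFIER.$id" --sign "$MACOSX_CODESIGNING_IDENTITY" "$dylib" || exit 1
# The loop runs in a pipeline subshell, so the inner "exit 1" alone would not
# stop the script. Propagate the failure to the script itself.
done || exit 1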

# The executables have already been signed by
# gb_LinkTarget__command_dynamiclink in
# solenv/gbuild/platform/macosx.mk, but sign the handful of scripts remaining
# in MacOS
# (<https://developer.apple.com/library/mac/technotes/tn2206/_index.html> "OS X
# Code Signing In Depth" suggests we should get rid of them rather sooner than
# later, but they appear to be OK for now):

for script in python senddoc unoinfo; do
    target="$APP_BUNDLE/Contents/MacOS/$script"
    # Scripts that are not present as regular files in this bundle are skipped.
    [ -f "$target" ] || continue
    # This loop runs in the main shell, so a signing failure aborts the script.
    codesign --verbose --identifier="$MACOSX_BUNDLE_IDENTIFIER.$script" \
        --sign "$MACOSX_CODESIGNING_IDENTITY" "$target" \
    || exit 1
done

# Sign frameworks.
#
# Yeah, we don't bundle any other framework than our Python one, and
# it has just one version, so this generic search is mostly for
# completeness.

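# Walk every *.framework directory (NUL-delimited, so any path is handled)
# and sign each real version directory found under Versions/.
find "$APP_BUNDLE" -name '*.framework' -type d -print0 | \
while IFS= read -r -d '' framework; do
    # Framework name without the ".framework" extension; used below as the
    # name of the file to sign inside each version directory.
    fn=$(basename "$framework")
    fn=${fn%.*}
    for version in "$framework"/Versions/*; do
        # Only real directories are signed; symlinked entries are skipped.
        if [[ ! -L "$version" && -d "$version" ]]; then
            # Sign the file named after the framework first, then the
            # version directory that contains it.
            codesign --force --verbose --prefix="$MACOSX_BUNDLE_IDENTIFIER." --sign "$MACOSX_CODESIGNING_IDENTITY" "$version/$fn" || exit 1
            codesign --force --verbose --prefix="$MACOSX_BUNDLE_IDENTIFIER." --sign "$MACOSX_CODESIGNING_IDENTITY" "$version" || exit 1
        fi
    done
# The loop runs in a pipeline subshell, so the inner "exit 1" alone would not
# stop the script. Propagate the failure so that an unsigned framework aborts
# the run.
done || exit 1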

# Sign the app bundle as a whole which means finally signing the
# CFBundleExecutable from Info.plist, i.e. soffice (which is exempted from the
# on-the-go executable signing in gb_LinkTarget__command_dynamiclink in
# solenv/gbuild/platform/macosx.mk), plus the contents
# of the Resources tree (which unless you used
# --enable-canonical-installation-tree-structure is not much, far from
# all of our non-code "resources").
#
# At this stage we also attach the entitlements in the sandboxing case

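# Identifier suffix for the bundle: the app name with spaces turned into '-'.
# NOTE(review): MACOSX_APP_NAME is not among the variables validated at the
# top of this script; if it is empty the identifier ends in a bare '.'.
id=${MACOSX_APP_NAME// /-}

# Build the optional entitlements arguments as an array. Starting from an
# explicit empty array means a stray "entitlements" variable inherited from
# the environment cannot add arguments to the final codesign call, and a
# BUILDDIR containing spaces stays a single argument.
entitlements=()
if [[ -n "$ENABLE_MACOSX_SANDBOX" ]]; then
    entitlements=(--entitlements "$BUILDDIR/lo.xcent")
fi

codesign --force --verbose --identifier="${MACOSX_BUNDLE_IDENTIFIER}.$id" --sign "$MACOSX_CODESIGNING_IDENTITY" "${entitlements[@]}" "$APP_BUNDLE" || exit 1

exit 0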