1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
|
#!/usr/bin/env bash
# Use of unset variable is an error
set -u
# If any part of a pipeline of commands fails, the whole pipeline fails
set -o pipefail
# Script to sign executables, dylibs and frameworks in an app bundle plus the bundle itself. Called
# from installer::simplepackage::create_package() in solenv/bin/modules/installer/simplepackage.pm
# and the test-install target in Makefile.in.
test `uname` = Darwin || { echo This is for macOS only; exit 1; }
test $# = 1 || { echo Usage: $0 app-bundle; exit 1; }
for V in \
BUILDDIR \
MACOSX_BUNDLE_IDENTIFIER; do
if test -z "$(eval echo '$'$V)"; then
echo No '$'$V "environment variable! This should be run in a build only"
exit 1
fi
done
APP_BUNDLE="$1"
entitlements=
entitlements_helper=
application_identifier=
if test -n "$ENABLE_MACOSX_SANDBOX"; then
# In a sandboxed build executables need the entitlements
entitlements="--entitlements $BUILDDIR/lo.xcent"
# helper utilities must be signed with only the sandbox and inherit entitlements
entitlements_helper="--entitlements $SRCDIR/sysui/desktop/macosx/sandbox_inherit.entitlements"
application_identifier=`/usr/libexec/PlistBuddy -c "print com.apple.application-identifier" $BUILDDIR/lo.xcent`
# remove the key from the entitlement - only use it when signing the whole bundle in the final step
/usr/libexec/PlistBuddy -c "delete com.apple.application-identifier" $BUILDDIR/lo.xcent
# HACK: remove donate menu entries, need to support apple-pay and be verified
# as non profit as a bare minimum to allow asking....
sed -I "" -e '\#<menu:menuitem menu:id=".uno:Donation"/>#d' $APP_BUNDLE/Contents/Resources/config/soffice.cfg/modules/*/menubar/menubar.xml
else
entitlements="--entitlements $BUILDDIR/hardened_runtime.xcent"
entitlements_helper=$entitlements
fi
if test -z "$MACOSX_CODESIGNING_IDENTITY"; then
if test -n "$ENABLE_RELEASE_BUILD"; then
echo "This is a release build! This should be run in a non-release build only"
exit 1
fi
# Skip codesigning for non-release builds if there is no identity set but
# set entitlements to allow Xcode's Instruments application to connect to
# the application. Note: the following command fails on some Mac Intel
# machines, and since this not a release build, ignore any failures.
# Related: tdf#159529 fix increasing failures when setting entitlements
# Starting in one of the Xcode versions 15.2 or earlier, setting the
# entitlements without a certificate started failing on Mac Silicon.
# The hacky solution is to make a copy of the application's executable,
# set the entitlements on that binary only, and then move the copied
# binary back.
rm -f "$APP_BUNDLE/Contents/MacOS/soffice.withentitlements"
cp "$APP_BUNDLE/Contents/MacOS/soffice" "$APP_BUNDLE/Contents/MacOS/soffice.withentitlements"
if codesign --force --identifier="${MACOSX_BUNDLE_IDENTIFIER}" --sign - $entitlements "$APP_BUNDLE/Contents/MacOS/soffice.withentitlements"; then
mv "$APP_BUNDLE/Contents/MacOS/soffice.withentitlements" "$APP_BUNDLE/Contents/MacOS/soffice"
else
rm "$APP_BUNDLE/Contents/MacOS/soffice.withentitlements"
fi
exit 0
fi
# Sign dylibs
#
# The dylibs in the Python framework are called *.so. Go figure
#
# Make a depth-first search to sign the contents of e.g. the spotlight plugin
# before attempting to sign the plugin itself
find "$APP_BUNDLE" \( -name '*.dylib' -or -name '*.dylib.*' -or -name '*.so' -or -name '*.jnilib' \) ! -type l |
while read file; do
id=`echo ${file#${APP_BUNDLE}/Contents/} | sed -e 's,/,.,g'`
codesign --force --identifier=$MACOSX_BUNDLE_IDENTIFIER.$id --sign "$MACOSX_CODESIGNING_IDENTITY" "$file" || exit 1
done
# Sign included bundles. First .app ones (i.e. the Python.app inside
# the LibreOfficePython.framework. Be generic for kicks...)
find "$APP_BUNDLE"/Contents -name '*.app' -type d |
while read app; do
# Assume the app has a XML (and not binary) Info.plist
id=`grep -A 1 '<key>CFBundleIdentifier</key>' "$app/Contents/Info.plist" | tail -1 | sed -e 's,.*<string>,,' -e 's,</string>.*,,'`
codesign --timestamp --options=runtime --force --identifier=$id --sign "$MACOSX_CODESIGNING_IDENTITY" $entitlements "$app" || exit 1
done
# Then .framework ones. Again, be generic just for kicks.
find "$APP_BUNDLE" -name '*.framework' -type d |
while read framework; do
for version in "$framework"/Versions/*; do
if test ! -L "$version" -a -d "$version"; then
# Assume the framework has a XML (and not binary) Info.plist
id=`grep -A 1 '<key>CFBundleIdentifier</key>' $version/Resources/Info.plist | tail -1 | sed -e 's,.*<string>,,' -e 's,</string>.*,,'`
if test -d $version/bin; then
# files in bin are not covered by signing the framework...
for scriptorexecutable in $(find $version/bin/ -type f); do
codesign --timestamp --options=runtime --force --identifier=$id --sign "$MACOSX_CODESIGNING_IDENTITY" "$scriptorexecutable" || exit 1
done
fi
codesign --force --identifier=$id --sign "$MACOSX_CODESIGNING_IDENTITY" "$version" || exit 1
fi
done
done
# Then mdimporters
find "$APP_BUNDLE" -name '*.mdimporter' -type d |
while read bundle; do
codesign --force --prefix=$MACOSX_BUNDLE_IDENTIFIER. --sign "$MACOSX_CODESIGNING_IDENTITY" "$bundle" || exit 1
done
# Sign executables
find "$APP_BUNDLE/Contents/MacOS" -type f |
while read file; do
case "$file" in
*/soffice)
;;
*)
id=`echo ${file#${APP_BUNDLE}/Contents/} | sed -e 's,/,.,g'`
codesign --force --timestamp --options=runtime --identifier=$MACOSX_BUNDLE_IDENTIFIER.$id --sign "$MACOSX_CODESIGNING_IDENTITY" $entitlements_helper "$file" || exit 1
;;
esac
done
# Sign the app bundle as a whole which means (re-)signing the
# CFBundleExecutable from Info.plist, i.e. soffice, plus the contents
# of the Resources tree.
#
# See also https://developer.apple.com/library/mac/technotes/tn2206/
if test -n "$ENABLE_MACOSX_SANDBOX" && test -n "$application_identifier"; then
# add back the application-identifier to the entitlements
# testflight/beta-testing won't work if that key is used when signing the other executables
/usr/libexec/PlistBuddy -c "add com.apple.application-identifier string $application_identifier" $BUILDDIR/lo.xcent
fi
codesign --force --timestamp --options=runtime --identifier="${MACOSX_BUNDLE_IDENTIFIER}" --sign "$MACOSX_CODESIGNING_IDENTITY" $entitlements "$APP_BUNDLE" || exit 1
exit 0
|