setup_native/source/mac/CodesignRules.plist | 17 ------------ solenv/bin/macosx-codesign-app-bundle | 35 +++++++++++++++----------- solenv/bin/modules/installer/simplepackage.pm | 5 +-- solenv/gbuild/platform/macosx.mk | 6 +++- 4 files changed, 28 insertions(+), 35 deletions(-)
New commits: commit 89dfb8d732312b452c53c9522f75fb2eb61561c8 Author: Stephan Bergmann <sberg...@redhat.com> Date: Tue Feb 10 10:47:39 2015 +0100 Attempt at fixing Mac OS X code signing ...so that LibreOffice.app dmgs built with --enable-macosx-code-signing with an appstore-enabled identity will hopefully no longer be rejected on Mac OS X >= 10.9.5 as "'soffice' can't be opened because the identity of the developer cannot be confirmed." (Which I cannot verify for lack of an appstore-enabled certificate, though.) First of all, do not ignore errors from calls to codesign utitlity. Really. That reveals that soffice cannot be signed as soon as it is linked, as it requires all the other stuff in the app to be already signed. So just don't sign it after linking, it will be signed last step in macosx-codesign-app-bundle anyway. Second, --resource-rules exemptions are no longer allowed per <https://developer.apple.com/library/mac/technotes/tn2206/_index.html> "OS X Code Signing In Depth." Third, the handful of remaining shell scripts in MacOS/ need to be signed too. (Signing them adds extended attributes to the files.) Unfortunately, as discussed at <http://porkrind.org/missives/mac-os-x-codesigning-woes/> "Mac OS X codesigning woes," "hdiutil makehybrid" drops extended attributes from the generated dmg (so the dmg's LibreOffice.app would no longer be considered properly signed, as the shell scripts would no longer be signed). So switch from "hdiutil makehybrid" to "hdiutil create." Change-Id: I4b587f87d504666f7a1d0e3a24a8be76f22014c5 (cherry picked from commit 615fae2f67028f3c5c51c70c77dbaa9b9f3856d6) Reviewed-on: https://gerrit.libreoffice.org/14398 Tested-by: Norbert Thiebaud <nthieb...@gmail.com> Reviewed-by: Norbert Thiebaud <nthieb...@gmail.com>
diff --git a/setup_native/source/mac/CodesignRules.plist b/setup_native/source/mac/CodesignRules.plist
deleted file mode 100644
index 41b2321..0000000
--- a/setup_native/source/mac/CodesignRules.plist
+++ /dev/null
@@ -1,17 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
-<plist version="1.0">
-<dict>
- <key>rules</key>
- <dict>
- <key>^MacOS/(bootstraprc|fundamentalrc|setuprc|sofficerc|unorc|versionrc)$</key>
- <false/>
- <key>^MacOS/pythonloader.unorc$</key>
- <false/>
- <key>^MacOS/(senddoc|python|gengal|unoinfo)$</key>
- <false/>
- <key>.*\.(png|svg|py|res|rdb)$</key>
- <false/>
- </dict>
-</dict>
-</plist>
diff --git a/solenv/bin/macosx-codesign-app-bundle b/solenv/bin/macosx-codesign-app-bundle
index d1ba433..78a7e53 100755
--- a/solenv/bin/macosx-codesign-app-bundle
+++ b/solenv/bin/macosx-codesign-app-bundle
@@ -42,19 +42,30 @@ find -d "$APP_BUNDLE" \( -name '*.dylib' -or -name '*.so' -or -name '*.fodt' \
 -or -name '*.applescript' \) ! -type l | grep -v "LibreOfficePython\.framework" | \
 while read file; do
 id=`echo ${file#${APP_BUNDLE}/Contents/} | sed -e 's,/,.,g'`
- codesign --verbose --identifier=$MACOSX_BUNDLE_IDENTIFIER.$id --sign "$MACOSX_CODESIGNING_IDENTITY" "$file"
+ codesign --verbose --identifier=$MACOSX_BUNDLE_IDENTIFIER.$id --sign "$MACOSX_CODESIGNING_IDENTITY" "$file" || exit 1
 done
 
 find $APP_BUNDLE -name '*.dylib.*' ! -type l | \
 while read dylib; do \
 id=`basename "$dylib"`; \
 id=`echo $id | sed -e 's/dylib.*/dylib/'`; \
- codesign --verbose --identifier=$MACOSX_BUNDLE_IDENTIFIER.$id --sign "$MACOSX_CODESIGNING_IDENTITY" "$dylib"; \
+ codesign --verbose --identifier=$MACOSX_BUNDLE_IDENTIFIER.$id --sign "$MACOSX_CODESIGNING_IDENTITY" "$dylib" || exit 1
 done
 
 # The executables have already been signed by
 # gb_LinkTarget__command_dynamiclink in
-# solenv/gbuild/platform/macosx.mk.
+# solenv/gbuild/platform/macosx.mk, but sign the handful of scripts remaining
+# in MacOS
+# (<https://developer.apple.com/library/mac/technotes/tn2206/_index.html> "OS X
+# Code Signing In Depth" suggests we should get rid of them rather sooner than
+# later, but they appear to be OK for now):
+
+for i in gengal python senddoc unoinfo
+do
+ codesign --verbose --identifier="$MACOSX_BUNDLE_IDENTIFIER.$i" \
+ --sign "$MACOSX_CODESIGNING_IDENTITY" "$APP_BUNDLE/Contents/MacOS/$i" \
+ || exit 1
+done
 
 # Sign frameworks.
 #
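Review bot: The `|| exit 1` added inside the two `while read` loops only terminates the subshell the pipeline runs the loop in, so unless the script enables `set -e` near its top (outside this hunk) a failed codesign on a .dylib or .so is printed and the script simply continues with the frameworks and the final bundle signature. Giving the pipeline's status the same weight the new `for i in gengal python senddoc unoinfo` loop already has is a one-line change per loop: `done || exit 1` after each of the two `done` lines. While touching these loops, `while IFS= read -r file` (and the same for `dylib`) would stop backslashes in file names from being interpreted, though a bundle is unlikely to contain such names.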
@@ -67,32 +78,28 @@ for framework in `find $APP_BUNDLE -name '*.framework' -type d`; do \
 fn=${fn%.*}
 for version in $framework/Versions/*; do \
 if test ! -L $version -a -d $version; then
- codesign --force --verbose --prefix=$MACOSX_BUNDLE_IDENTIFIER. --sign "$MACOSX_CODESIGNING_IDENTITY" $version/$fn
- codesign --force --verbose --prefix=$MACOSX_BUNDLE_IDENTIFIER. --sign "$MACOSX_CODESIGNING_IDENTITY" $version
+ codesign --force --verbose --prefix=$MACOSX_BUNDLE_IDENTIFIER. --sign "$MACOSX_CODESIGNING_IDENTITY" $version/$fn || exit 1
+ codesign --force --verbose --prefix=$MACOSX_BUNDLE_IDENTIFIER. --sign "$MACOSX_CODESIGNING_IDENTITY" $version || exit 1
 fi; \
 done; \
 done
 
-# Sign the app bundle as a whole which means (re-)signing the
-# CFBundleExecutable from Info.plist, i.e. soffice, plus the contents
+# Sign the app bundle as a whole which means finally signing the
+# CFBundleExecutable from Info.plist, i.e. soffice (which is exempted from the
+# on-the-go executable signing in gb_LinkTarget__command_dynamiclink in
+# solenv/gbuild/platform/macosx.mk), plus the contents
 # of the Resources tree (which unless you used
 # --enable-canonical-installation-tree-structure is not much, far from
 # all of our non-code "resources").
 #
 # At this stage we also attach the entitlements in the sandboxing case
-#
-# Also omit some files from the Bunlde's seal via the resource-rules
-# (bootstraprc and similar that the user might adjust and image files)
-# See also https://developer.apple.com/library/mac/technotes/tn2206/
 
 id=`echo ${MACOSX_APP_NAME} | tr ' ' '-'`
 
 if test -n "$ENABLE_MACOSX_SANDBOX"; then
 entitlements="--entitlements $BUILDDIR/lo.xcent"
-else
- resource_rules="--resource-rules $SRCDIR/setup_native/source/mac/CodesignRules.plist"
 fi
 
-codesign --force --verbose --identifier="${MACOSX_BUNDLE_IDENTIFIER}.$id" $resource_rules --sign "$MACOSX_CODESIGNING_IDENTITY" $entitlements $APP_BUNDLE
+codesign --force --verbose --identifier="${MACOSX_BUNDLE_IDENTIFIER}.$id" --sign "$MACOSX_CODESIGNING_IDENTITY" $entitlements $APP_BUNDLE || exit 1
 
 exit 0
diff --git a/solenv/bin/modules/installer/simplepackage.pm b/solenv/bin/modules/installer/simplepackage.pm
index 6d77e41..ae91d0c 100644
--- a/solenv/bin/modules/installer/simplepackage.pm
+++ b/solenv/bin/modules/installer/simplepackage.pm
@@ -417,11 +417,10 @@ sub create_package
 }
 }
- $systemcall = "cd $localtempdir && hdiutil makehybrid -hfs -hfs-openfolder $folder $folder -hfs-volume-name \"$volume_name\" -ov -o $installdir/tmp && hdiutil convert -ov -format UDBZ $installdir/tmp.dmg -o $archive && ";
+ $systemcall = "cd $localtempdir && hdiutil create -srcfolder $folder $archive -ov -fs HFS+ -volname \"$volume_name\" -format UDBZ";
 if (( $ref ne "" ) && ( $$ref ne "" )) {
- $systemcall .= "hdiutil unflatten $archive && Rez -a $$ref -o $archive && hdiutil flatten $archive &&";
+ $systemcall .= " && hdiutil unflatten $archive && Rez -a $$ref -o $archive && hdiutil flatten $archive &&";
 }
- $systemcall .= "rm -f $installdir/tmp.dmg";
 }
 else {
diff --git a/solenv/gbuild/platform/macosx.mk b/solenv/gbuild/platform/macosx.mk
index 6547ed4..bc28a062 100644
--- a/solenv/gbuild/platform/macosx.mk
+++ b/solenv/gbuild/platform/macosx.mk
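Review bot: Dropping the `--resource-rules` branch quietly changes what may be touched after installation, and the final unconditional `codesign` of `$APP_BUNDLE` no longer says so: the removed comment recorded that bootstraprc and similar were kept out of the seal precisely because users adjust them. A one-line replacement comment above the last codesign call, `# No --resource-rules exemptions any more (TN2206): every file covered by the bundle seal, including the rc files users used to edit, must stay unchanged after signing.`, keeps that knowledge next to the code. Whether the rc files under Contents/MacOS are actually part of the seal is not visible here, so confirm it with `codesign --verify --deep --strict` on a bundle where one of them was edited before relying on either answer.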
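Review bot: When `$$ref` is non-empty the command string now ends in a dangling `&&`: the appended fragment still finishes with `hdiutil flatten $archive &&`, but the `rm -f $installdir/tmp.dmg` that used to follow it has been deleted, so the shell rejects the whole command with a syntax error and no dmg is produced — unless something after this hunk still appends to `$systemcall`, which is outside the visible lines of create_package. The fix is to drop the trailing operator: `$systemcall .= " && hdiutil unflatten $archive && Rez -a $$ref -o $archive && hdiutil flatten $archive";`. The rewritten `hdiutil create` line also interpolates `$folder` and `$archive` unquoted into the shell string while `$volume_name` is quoted; `-srcfolder \"$folder\" \"$archive\"` would keep a path containing a space from splitting the command.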
@@ -105,6 +105,9 @@ endef
 # as we would need to sign those separately anyway, we do it for the
 # gbuild-built ones, too, after an app bundle has been constructed, in
 # the solenv/bin/macosx-codesign-app-bundle script.
+# And the soffice executable needs to be signed last in
+# macosx-codesign-app-bundle, as codesign would fail complaining that other
+# parts of the app have not yet been signed:
 define gb_LinkTarget__command_dynamiclink
 $(call gb_Helper_abbreviate_dirs,\
@@ -133,7 +136,8 @@ $(call gb_Helper_abbreviate_dirs,\
 $(PERL) $(SRCDIR)/solenv/bin/macosx-change-install-names.pl shl $(LAYER) $(1) &&) \
 $(if $(MACOSX_CODESIGNING_IDENTITY), \
 $(if $(filter Executable,$(TARGETTYPE)), \
- (codesign --identifier=$(MACOSX_BUNDLE_IDENTIFIER).$(notdir $(1)) --sign $(MACOSX_CODESIGNING_IDENTITY) --force $(1) || true) &&)) \
+ $(if $(filter-out $(call gb_Executable_get_target,soffice_bin),$(1)), \
+ codesign --identifier=$(MACOSX_BUNDLE_IDENTIFIER).$(notdir $(1)) --sign $(MACOSX_CODESIGNING_IDENTITY) --force $(1) &&))) \
 $(if $(filter Library,$(TARGETTYPE)),\
 otool -l $(1) | grep -A 5 LC_ID_DYLIB \
 > $(WORKDIR)/LinkTarget/$(2).exports.tmp && \
_______________________________________________ Libreoffice-commits mailing list libreoffice-comm...@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/libreoffice-commits
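Review bot: The rewritten codesign line in the second hunk passes `--sign $(MACOSX_CODESIGNING_IDENTITY)` unquoted, whereas macosx-codesign-app-bundle consistently writes `--sign "$MACOSX_CODESIGNING_IDENTITY"`; if configure allows the identity to be a certificate common name containing spaces rather than a hash (not visible here), the recipe splits it into several arguments and, now that `|| true` is gone, the link step fails. `--sign "$(MACOSX_CODESIGNING_IDENTITY)"` keeps the two call sites in step. The `filter-out` exemption also relies on `$(1)` being exactly the path `gb_Executable_get_target` returns for soffice_bin; a short comment stating that assumption, e.g. `# $(1) must be the canonical target path for the soffice_bin comparison to match`, would make the exemption easier to trust when the link target layout changes.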