config_host.mk.in                             |    1 +
 configure.ac                                  |    9 ++++-----
 desktop/CustomTarget_soffice.mk               |   19 +++++++++++++++++++
 desktop/Module_desktop.mk                     |    2 +-
 lo.xcent.in                                   |    1 +
 solenv/bin/macosx-codesign-app-bundle         |   16 ++++++++++++++--
 solenv/bin/modules/installer/simplepackage.pm |    5 ++++-
 7 files changed, 44 insertions(+), 9 deletions(-)

New commits:
commit 67b808eea02219ef51324f560e673e3aaaa3e736
Author:     Patrick Luby <plub...@neooffice.org>
AuthorDate: Sat May 20 08:50:12 2023 -0400
Commit:     Patrick Luby <plub...@neooffice.org>
CommitDate: Wed Jun 7 22:08:50 2023 +0200

    Set entitlements in non-release in $(INSTROOTBASE) and .dmg package
    
    Also, when building a .dmg for macOS, skip codesigning for non-release
    builds, both with and without the macOS sandbox, if there is no identity
    set but set entitlements to allow Xcode's Instruments application to
    connect to the application.
    
    Lastly, add entitlements when building soffice in $(INSTROOTBASE) if
    this is a non-release build.
    
    Change-Id: I764bf5bd5d44e878669c4287906e6efd6aac593f
    Reviewed-on: https://gerrit.libreoffice.org/c/core/+/152655
    Tested-by: Jenkins
    Reviewed-by: Patrick Luby <plub...@neooffice.org>

diff --git a/config_host.mk.in b/config_host.mk.in
index 8b809bf9141f..6a120c2098cc 100644
--- a/config_host.mk.in
+++ b/config_host.mk.in
@@ -760,6 +760,7 @@ export ZLIB_CFLAGS=$(gb_SPACE)@ZLIB_CFLAGS@
 export ZLIB_LIBS=$(gb_SPACE)@ZLIB_LIBS@
 export ZMF_CFLAGS=$(gb_SPACE)@ZMF_CFLAGS@
 export ZMF_LIBS=$(gb_SPACE)@ZMF_LIBS@
+export GET_TASK_ALLOW_ENTITLEMENT=@GET_TASK_ALLOW_ENTITLEMENT@
 
 # lang-related stuff
 include $(BUILDDIR)/config_$(gb_Side)_lang.mk
diff --git a/configure.ac b/configure.ac
index 9d70be6200b6..d281d48ba8f0 100644
--- a/configure.ac
+++ b/configure.ac
@@ -2852,14 +2852,13 @@ AC_MSG_CHECKING([whether build target is Release Build])
 if test "$enable_release_build" = "" -o "$enable_release_build" = "no"; then
     AC_MSG_RESULT([no])
     ENABLE_RELEASE_BUILD=
-    GET_TASK_ALLOW_ENTITLEMENT='
-        <!-- We want to be able to debug a hardened process when not building 
for release -->
-        <key>com.apple.security.get-task-allow</key>
-        <true/>'
+    dnl Pu the value on one line as make (at least on macOS) seems to ignore
+    dnl the newlines and then complains about spaces.
+    GET_TASK_ALLOW_ENTITLEMENT='<!-- We want to be able to debug a hardened 
process when not building for release 
--><key>com.apple.security.get-task-allow</key><true/>'
 else
     AC_MSG_RESULT([yes])
     ENABLE_RELEASE_BUILD=TRUE
-    GET_TASK_ALLOW_ENTITLEMENT=''
+    GET_TASK_ALLOW_ENTITLEMENT=
 fi
 AC_SUBST(ENABLE_RELEASE_BUILD)
 AC_SUBST(GET_TASK_ALLOW_ENTITLEMENT)
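Review bot: The new `dnl` comment above `GET_TASK_ALLOW_ENTITLEMENT=` has a typo ("Pu") and does not say why make sees this value at all. The same commit substitutes the value into an `export` line in config_host.mk.in, so besides newlines, any `#` or `$` added to the XML later would also be interpreted by make. I would reword it to `dnl Put the value on one line: it is also substituted into config_host.mk, where make does not accept newlines and would interpret '#' or '$'.`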
diff --git a/desktop/CustomTarget_soffice.mk b/desktop/CustomTarget_soffice.mk
index d56f571628fe..4df29fc3cae3 100644
--- a/desktop/CustomTarget_soffice.mk
+++ b/desktop/CustomTarget_soffice.mk
@@ -9,6 +9,23 @@
 
 $(eval $(call gb_CustomTarget_CustomTarget,desktop/soffice))
 
+ifeq ($(OS), MACOSX)
+
+ifeq (,$(ENABLE_RELEASE_BUILD))
+
+# Add entitlements if this is a non-release build. Just to be safe,
+# this target will always be run and MACOSX_CODESIGNING_IDENTITY is
+# set to empty as we don't want to sign $(INSTROOTBASE). Ignore
+# failures as it appears that setting only entitlements can fail
+# with certain macOS SDKs.
+$(call gb_CustomTarget_get_target,desktop/soffice) : \
+       $(INSTROOT)/$(LIBO_BIN_FOLDER)/soffice
+       -MACOSX_CODESIGNING_IDENTITY= 
$(SRCDIR)/solenv/bin/macosx-codesign-app-bundle $(INSTROOTBASE)
+
+endif
+
+else
+
 $(call gb_CustomTarget_get_target,desktop/soffice) : \
        $(call gb_CustomTarget_get_workdir,desktop/soffice)/soffice.sh
 
@@ -25,4 +42,6 @@ else
 endif
        $(call gb_Trace_EndRange,$(subst $(WORKDIR)/,,$@),SED)
 
+endif
+
 # vim:set shiftwidth=4 tabstop=4 noexpandtab:
diff --git a/desktop/Module_desktop.mk b/desktop/Module_desktop.mk
index fff879c83b0c..de56f3bd139f 100644
--- a/desktop/Module_desktop.mk
+++ b/desktop/Module_desktop.mk
@@ -46,7 +46,7 @@ $(eval $(call gb_Module_add_targets,desktop,\
         Pagein_impress \
         Pagein_writer \
     ) \
-    $(if $(filter-out MACOSX WNT,$(OS)),CustomTarget_soffice) \
+    $(if $(filter-out WNT,$(OS)),CustomTarget_soffice) \
 ))
 
 ifeq ($(USING_X11),TRUE)
diff --git a/lo.xcent.in b/lo.xcent.in
index 4b7303876e6b..09a8df9b6fb5 100644
--- a/lo.xcent.in
+++ b/lo.xcent.in
@@ -23,5 +23,6 @@
         <true/>
 @SDREMOTE_ENTITLEMENT@
 @MACOSX_PROVISIONING_INFO@
+@GET_TASK_ALLOW_ENTITLEMENT@
 </dict>
 </plist>
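Review bot: `@GET_TASK_ALLOW_ENTITLEMENT@` now expands to the com.apple.security.get-task-allow key in this entitlements template for every build configured without --enable-release-build, including one that is signed with a real identity. That entitlement permits a debugger or other process to obtain the application's task port, and Apple's notarization is documented to reject it, so a bundle carrying it is suitable for local debugging only. The template gives no hint of this; I would add a line before the placeholder, `<!-- expands to get-task-allow in non-release builds only; do not distribute bundles signed with it -->`. The gating itself lives in configure.ac, not in this file.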
diff --git a/solenv/bin/macosx-codesign-app-bundle 
b/solenv/bin/macosx-codesign-app-bundle
index b1b17dbf7393..eceb5dd99996 100755
--- a/solenv/bin/macosx-codesign-app-bundle
+++ b/solenv/bin/macosx-codesign-app-bundle
@@ -15,8 +15,7 @@ test $# = 1 || { echo Usage: $0 app-bundle; exit 1; }
 
 for V in \
     BUILDDIR \
-    MACOSX_BUNDLE_IDENTIFIER \
-    MACOSX_CODESIGNING_IDENTITY; do
+    MACOSX_BUNDLE_IDENTIFIER; do
     if test -z "$(eval echo '$'$V)"; then
        echo No '$'$V "environment variable! This should be run in a build only"
        exit 1
@@ -46,6 +45,19 @@ else
  -or -name '*.applescript' -or -name '*.odt'"
 fi
 
+if test -z "$MACOSX_CODESIGNING_IDENTITY"; then
+    if test -n "$ENABLE_RELEASE_BUILD"; then
+        echo "This is a release build! This should be run in a non-release 
build only"
+        exit 1
+    fi
+
+    # Skip codesigning for non-release builds if there is no identity set but
+    # set entitlements to allow Xcode's Instruments application to connect to
+    # the application
+    codesign --force --identifier="${MACOSX_BUNDLE_IDENTIFIER}" --sign - 
$entitlements "$APP_BUNDLE" || exit 1
+    exit 0
+fi
+
 # Sign jnilibs first as workaround for signing issue on old baseline
 # order matters/screws things up otherwise
 find -d "$APP_BUNDLE" \( -name '*.jnilib' \) ! -type l |
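Review bot: The guard `test -n "$ENABLE_RELEASE_BUILD"` is now the only thing that keeps an empty MACOSX_CODESIGNING_IDENTITY from producing an ad-hoc signed bundle, since the earlier hunk drops the identity from the required-variable loop; if the script runs where ENABLE_RELEASE_BUILD is not in the environment, it signs ad hoc and exits 0. The error text also reads as if the script were for non-release builds only; something like `echo "MACOSX_CODESIGNING_IDENTITY is empty: release builds must be signed with an identity" >&2` states the actual condition. `$entitlements` is set outside this hunk, so whether it always carries the entitlements file on this path cannot be checked from here.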
diff --git a/solenv/bin/modules/installer/simplepackage.pm 
b/solenv/bin/modules/installer/simplepackage.pm
index dd29c4c9eb1b..86b3da71f440 100644
--- a/solenv/bin/modules/installer/simplepackage.pm
+++ b/solenv/bin/modules/installer/simplepackage.pm
@@ -409,7 +409,10 @@ sub create_package
         {
             my $subdir = 
"$tempdir/$packagename/$volume_name_classic_app.app/Contents/Resources";
             if ( ! -d $subdir ) { 
installer::systemactions::create_directory($subdir); }
-            if ( $ENV{'MACOSX_CODESIGNING_IDENTITY'} )
+            # For non-release builds where no identity is, set entitlements
+            # to allow Xcode's Instruments application to connect to the
+            # application
+            if ( $ENV{'MACOSX_CODESIGNING_IDENTITY'} || 
!$ENV{'ENABLE_RELEASE_BUILD'} )
             {
                 $systemcall = 
"$ENV{'SRCDIR'}/solenv/bin/macosx-codesign-app-bundle 
$localtempdir/$folder/$volume_name_classic_app.app";
                 print "... $systemcall ...\n";
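Review bot: The added comment is missing a word ("where no identity is, set entitlements") and does not mention that the call below now runs with an empty identity. I would write `# For non-release builds where no identity is set, still run the script so that it signs ad hoc and sets entitlements`. With this condition the choice between real and ad-hoc signing moves entirely into macosx-codesign-app-bundle, while a release build with no identity is skipped here without any message. create_package continues outside this hunk.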
