.gitignore                                     |    1 +
 configure.ac                                   |    4 ++++
 solenv/bin/macosx-codesign-app-bundle          |   13 +++++++++----
 sysui/desktop/macosx/LaunchConstraint.plist.in |   23 +++++++++++++++++++++++
 4 files changed, 37 insertions(+), 4 deletions(-)

New commits:
commit 4213ac0cae9f06b9e83488d4bc4eafbc5035ac6c
Author:     Christian Lohmaier <lohmaier+libreoff...@googlemail.com>
AuthorDate: Mon May 26 13:16:48 2025 +0200
Commit:     Christian Lohmaier <lohmaier+libreoff...@googlemail.com>
CommitDate: Fri May 30 20:07:22 2025 +0200

    mac: add parent launch-constraint to packaged framework/helpers
    
    except for unopkg since that is meant to be used to install/manage
    extensions from the commandline
    
    Change-Id: I8bf60777bc0f4f9d814a4f7e1e12eacbc8803e6f
    Reviewed-on: https://gerrit.libreoffice.org/c/core/+/185792
    Reviewed-by: Patrick Luby <guibomac...@gmail.com>
    Reviewed-by: Christian Lohmaier <lohmaier+libreoff...@googlemail.com>
    Tested-by: Jenkins
    (cherry picked from commit 22ab2bec717b44e85e110cd67175c2f3599264c2)
    Reviewed-on: https://gerrit.libreoffice.org/c/core/+/185889
    (cherry picked from commit cffc2d63729e49d6491c28d3880677440d6b55f9)
    Reviewed-on: https://gerrit.libreoffice.org/c/core/+/186032
    Tested-by: Christian Lohmaier <lohmaier+libreoff...@googlemail.com>

diff --git a/.gitignore b/.gitignore
index 7bd30210ad5a..ed69ef94f996 100644
--- a/.gitignore
+++ b/.gitignore
@@ -63,6 +63,7 @@
 /lo.xcent
 /vs-code.code-workspace.template
 /Makefile
+/sysui/desktop/macosx/LaunchConstraint.plist
 
 # make id
 /ID
diff --git a/configure.ac b/configure.ac
index 9b16b4d0c8ad..9a365755b9a3 100644
--- a/configure.ac
+++ b/configure.ac
@@ -3819,6 +3819,7 @@ if test $_os = Darwin; then
         if test -n "$identity"; then
             MACOSX_CODESIGNING_IDENTITY=$identity
             pretty_name=`security find-identity -p codesigning -v | grep 
"$MACOSX_CODESIGNING_IDENTITY" | sed -e 's/^[[^"]]*"//' -e 's/"//'`
+            MACOSX_CODESIGNING_TEAM_IDENTIFIER=`echo $pretty_name | sed -e 
's#.*(\([[:alnum:]]*\))##'`
             AC_MSG_RESULT([yes, using the identity 
$MACOSX_CODESIGNING_IDENTITY for $pretty_name])
         else
             AC_MSG_ERROR([cannot determine identity to use])
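Review bot: The sed expression added for MACOSX_CODESIGNING_TEAM_IDENTIFIER looks unlikely to yield the team id as shown here. Its replacement part is empty, so a match deletes the parenthesised id instead of keeping it. In configure.ac m4 also strips one level of brackets (the line above writes `[[^"]]` to get `[^"]`), so `[[:alnum:]]` presumably reaches the generated script as `[:alnum:]`. Something like `sed -e 's#.*(\([[[:alnum:]]]*\))#\1#'` fed from a quoted `"$pretty_name"` would capture the id, and an `AC_MSG_ERROR` on an empty result would keep a blank team-identifier out of LaunchConstraint.plist. The enclosing `if` block starts and ends outside the hunk.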
@@ -3887,6 +3888,7 @@ AC_SUBST(MAC_OS_X_VERSION_MIN_REQUIRED)
 AC_SUBST(INSTALL_NAME_TOOL)
 AC_SUBST(LIBTOOL) # Note that the macOS libtool command is unrelated to GNU 
libtool
 AC_SUBST(MACOSX_CODESIGNING_IDENTITY)
+AC_SUBST(MACOSX_CODESIGNING_TEAM_IDENTIFIER)
 AC_SUBST(MACOSX_PACKAGE_SIGNING_IDENTITY)
 AC_SUBST(ENABLE_MACOSX_SANDBOX)
 AC_SUBST(MACOSX_BUNDLE_IDENTIFIER)
@@ -6037,6 +6039,7 @@ if test "$cross_compiling" = "yes"; then
         instsetoo_native/util/openoffice.lst.in \
         config_host/*.in \
         sysui/desktop/macosx/Info.plist.in \
+        sysui/desktop/macosx/LaunchConstraint.plist.in \
         sysui/desktop/macosx/hardened_runtime.xcent.in \
         sysui/desktop/macosx/lo.xcent.in \
         .vscode/vs-code-template.code-workspace.in \
@@ -15885,6 +15888,7 @@ AC_CONFIG_FILES([
                  bin/officeotron.sh
                  instsetoo_native/util/openoffice.lst
                  sysui/desktop/macosx/Info.plist
+                 sysui/desktop/macosx/LaunchConstraint.plist
                  
hardened_runtime.xcent:sysui/desktop/macosx/hardened_runtime.xcent.in
                  lo.xcent:sysui/desktop/macosx/lo.xcent.in
                  extensions/source/macosx/quicklookpreview/appex/Info.plist
diff --git a/solenv/bin/macosx-codesign-app-bundle 
b/solenv/bin/macosx-codesign-app-bundle
index 54f534cccb1c..c1ef0dd645ad 100755
--- a/solenv/bin/macosx-codesign-app-bundle
+++ b/solenv/bin/macosx-codesign-app-bundle
@@ -26,6 +26,7 @@ APP_BUNDLE="$1"
 entitlements=
 entitlements_helper=
 entitlements_quicklookappex="--entitlements 
$SRCDIR/sysui/desktop/macosx/quicklookappex.entitlements"
+launch_constraint="--launch-constraint-parent 
$BUILDDIR/sysui/desktop/macosx/LaunchConstraint.plist"
 application_identifier=
 if test -n "$ENABLE_MACOSX_SANDBOX"; then
     # In a sandboxed build executables need the entitlements
@@ -96,7 +97,7 @@ find "$APP_BUNDLE"/Contents -name '*.app' -type d |
 while read app; do
     # Assume the app has a XML (and not binary) Info.plist
     id=`grep -A 1 '<key>CFBundleIdentifier</key>' "$app/Contents/Info.plist" | 
tail -1 | sed -e 's,.*<string>,,' -e 's,</string>.*,,'`
-    codesign --timestamp --options=runtime --force --identifier=$id --sign 
"$MACOSX_CODESIGNING_IDENTITY" $entitlements "$app" || exit 1
+    codesign --timestamp --options=runtime --force --identifier=$id --sign 
"$MACOSX_CODESIGNING_IDENTITY" $entitlements $launch_constraint "$app" || exit 1
 done
 
 # Then .framework ones. Again, be generic just for kicks.
@@ -110,10 +111,10 @@ while read framework; do
            if test -d $version/bin; then
                # files in bin are not covered by signing the framework...
                for scriptorexecutable in $(find $version/bin/ -type f); do
-                   codesign --timestamp --options=runtime --force 
--identifier=$id --sign "$MACOSX_CODESIGNING_IDENTITY" "$scriptorexecutable" || 
exit 1
+                   codesign --timestamp --options=runtime --force 
--identifier=$id --sign "$MACOSX_CODESIGNING_IDENTITY" $launch_constraint 
"$scriptorexecutable" || exit 1
                done
            fi
-            codesign --force --identifier=$id --sign 
"$MACOSX_CODESIGNING_IDENTITY" "$version" || exit 1
+            codesign --force --identifier=$id --sign 
"$MACOSX_CODESIGNING_IDENTITY" $launch_constraint "$version" || exit 1
        fi
     done
 done
@@ -138,10 +139,14 @@ while read file; do
     case "$file" in
        */soffice)
            ;;
-       *)
+       */unopkg)
            id=`echo ${file#${APP_BUNDLE}/Contents/} | sed -e 's,/,.,g'`
            codesign --force --timestamp --options=runtime 
--identifier=$MACOSX_BUNDLE_IDENTIFIER.$id --sign 
"$MACOSX_CODESIGNING_IDENTITY" $entitlements_helper "$file" || exit 1
            ;;
+       *)
+           id=`echo ${file#${APP_BUNDLE}/Contents/} | sed -e 's,/,.,g'`
+           codesign --force --timestamp --options=runtime 
--identifier=$MACOSX_BUNDLE_IDENTIFIER.$id --sign 
"$MACOSX_CODESIGNING_IDENTITY" $entitlements_helper $launch_constraint "$file" 
|| exit 1
+           ;;
     esac
 done
 
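Review bot: The new `*/unopkg)` arm repeats the `id=` and `codesign` lines of the `*)` arm and differs only by omitting `$launch_constraint`, with nothing in the script saying why. A comment above the arm such as `# unopkg is run directly from a terminal to manage extensions, so it must not get the parent launch constraint` would record the exemption, which currently lives only in the commit message. The pattern also exempts any file named unopkg under the scanned directories, so matching the full expected path may be safer if more than one such file could exist. The enclosing while loop starts outside the hunk.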
diff --git a/sysui/desktop/macosx/LaunchConstraint.plist.in 
b/sysui/desktop/macosx/LaunchConstraint.plist.in
new file mode 100644
index 000000000000..c10bdfede58b
--- /dev/null
+++ b/sysui/desktop/macosx/LaunchConstraint.plist.in
@@ -0,0 +1,23 @@
+<?xml version="1.0" encoding="UTF-8"?><!-- -*- Mode: nXML; tab-width: 4; 
indent-tabs-mode: nil; nxml-child-indent:4 -*- -->
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" 
"http://www.apple.com/DTDs/PropertyList-1.0.dtd";>
+<!--
+ * This file is part of the LibreOffice project.
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+-->
+<plist version="1.0">
+<dict>
+<!-- require the parent process to be LibreOffice -->
+    <key>parent-constraints</key>
+    <dict>
+        <key>signing-identifier</key>
+        <string>@MACOSX_BUNDLE_IDENTIFIER@</string>
+        <key>team-identifier</key>
+        <string>@MACOSX_CODESIGNING_TEAM_IDENTIFIER@</string>
+    </dict>
+</dict>
+</plist>
+<!-- vim:set shiftwidth=4 softtabstop=4 expandtab: -->
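Review bot: The single `parent-constraints` dict is attached to nested apps, framework binaries and the other helper executables alike, and it requires the parent's `signing-identifier` to equal the main bundle identifier. If any of those helpers is ever started by another helper (signed with `$MACOSX_BUNDLE_IDENTIFIER.$id` or a framework id in macosx-codesign-app-bundle) rather than by the main executable, the launch would presumably be refused. The comment could spell that out, e.g. `<!-- parent must be the main LibreOffice executable signed by our team; helpers started by other helpers will not match -->`. It is also worth noting there that an empty `@MACOSX_CODESIGNING_TEAM_IDENTIFIER@` substitution would not express the intended team check.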
