setup_native/source/mac/CodesignRules.plist | 17
solenv/bin/macosx-codesign-app-bundle | 35 +++---
solenv/bin/modules/installer/simplepackage.pm | 5 +--
solenv/gbuild/platform/macosx.mk | 6 +++-
4 files changed, 28 insertions(+), 35 deletions(-)
New commits:
commit 615fae2f67028f3c5c51c70c77dbaa9b9f3856d6
Author: Stephan Bergmann sberg...@redhat.com
Date: Tue Feb 10 10:47:39 2015 +0100
Attempt at fixing Mac OS X code signing

...so that LibreOffice.app dmgs built with --enable-macosx-code-signing with an appstore-enabled identity will hopefully no longer be rejected on Mac OS X >= 10.9.5 as "'soffice' can't be opened because the identity of the developer cannot be confirmed." (Which I cannot verify for lack of an appstore-enabled certificate, though.)

First of all, do not ignore errors from calls to codesign utility. Really. That reveals that soffice cannot be signed as soon as it is linked, as it requires all the other stuff in the app to be already signed. So just don't sign it after linking, it will be signed last step in macosx-codesign-app-bundle anyway.

Second, --resource-rules exemptions are no longer allowed per https://developer.apple.com/library/mac/technotes/tn2206/_index.html "OS X Code Signing In Depth."

Third, the handful of remaining shell scripts in MacOS/ need to be signed too. (Signing them adds extended attributes to the files.) Unfortunately, as discussed at http://porkrind.org/missives/mac-os-x-codesigning-woes/ "Mac OS X codesigning woes," hdiutil makehybrid drops extended attributes from the generated dmg (so the dmg's LibreOffice.app would no longer be considered properly signed, as the shell scripts would no longer be signed). So switch from hdiutil makehybrid to hdiutil create.

Change-Id: I4b587f87d504666f7a1d0e3a24a8be76f22014c5
diff --git a/setup_native/source/mac/CodesignRules.plist
b/setup_native/source/mac/CodesignRules.plist
deleted file mode 100644
index 41b2321..000
--- a/setup_native/source/mac/CodesignRules.plist
+++ /dev/null
@@ -1,17 +0,0 @@
-?xml version=1.0 encoding=UTF-8?
-!DOCTYPE plist PUBLIC -//Apple//DTD PLIST 1.0//EN
http://www.apple.com/DTDs/PropertyList-1.0.dtd;
-plist version=1.0
-dict
-keyrules/key
-dict
-
key^MacOS/(bootstraprc|fundamentalrc|setuprc|sofficerc|unorc|versionrc)$/key
-false/
-key^MacOS/pythonloader.unorc$/key
-false/
-key^MacOS/(senddoc|python|gengal|unoinfo)$/key
-false/
-key.*\.(png|svg|py|res|rdb)$/key
-false/
-/dict
-/dict
-/plist
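Review bot: Deleting these rules means every file the four patterns used to exempt (the MacOS/ rc files such as bootstraprc and sofficerc, pythonloader.unorc, the senddoc/python/gengal/unoinfo scripts, and anything matching .*\.(png|svg|py|res|rdb)$) now falls under codesign's default rules, so any build, packaging or first-run step that rewrites one of them after signing will invalidate the bundle's signature. Please confirm that nothing modifies these files once macosx-codesign-app-bundle has run, and that no remaining --resource-rules argument still points at this deleted path; the simplepackage.pm and macosx.mk changes listed in the diffstat are where I would expect that reference to have lived.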
diff --git a/solenv/bin/macosx-codesign-app-bundle
b/solenv/bin/macosx-codesign-app-bundle
index d1ba433..78a7e53 100755
--- a/solenv/bin/macosx-codesign-app-bundle
+++ b/solenv/bin/macosx-codesign-app-bundle
@@ -42,19 +42,30 @@ find -d $APP_BUNDLE \( -name '*.dylib' -or -name '*.so'
-or -name '*.fodt' \
-or -name '*.applescript' \) ! -type l | grep -v
LibreOfficePython\.framework | \
while read file; do
id=`echo ${file#${APP_BUNDLE}/Contents/} | sed -e 's,/,.,g'`
-codesign --verbose --identifier=$MACOSX_BUNDLE_IDENTIFIER.$id --sign
$MACOSX_CODESIGNING_IDENTITY $file
+codesign --verbose --identifier=$MACOSX_BUNDLE_IDENTIFIER.$id --sign
$MACOSX_CODESIGNING_IDENTITY $file || exit 1
done
find $APP_BUNDLE -name '*.dylib.*' ! -type l | \
while read dylib; do \
id=`basename $dylib`; \
id=`echo $id | sed -e 's/dylib.*/dylib/'`; \
-codesign --verbose --identifier=$MACOSX_BUNDLE_IDENTIFIER.$id --sign
$MACOSX_CODESIGNING_IDENTITY $dylib; \
+codesign --verbose --identifier=$MACOSX_BUNDLE_IDENTIFIER.$id --sign
$MACOSX_CODESIGNING_IDENTITY $dylib || exit 1
done
# The executables have already been signed by
# gb_LinkTarget__command_dynamiclink in
-# solenv/gbuild/platform/macosx.mk.
+# solenv/gbuild/platform/macosx.mk, but sign the handful of scripts remaining
+# in MacOS
+# (https://developer.apple.com/library/mac/technotes/tn2206/_index.html OS X
+# Code Signing In Depth suggests we should get rid of them rather sooner than
+# later, but they appear to be OK for now):
+
+for i in gengal python senddoc unoinfo
+do
+codesign --verbose --identifier=$MACOSX_BUNDLE_IDENTIFIER.$i \
+--sign $MACOSX_CODESIGNING_IDENTITY $APP_BUNDLE/Contents/MacOS/$i \
+|| exit 1
+done
# Sign frameworks.
#
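Review bot: The "|| exit 1" added inside the two "find ... | while read ..." loops only leaves the subshell that runs the right-hand side of the pipe, so a failed codesign stops that loop but the script itself carries on to the next step unless it runs under "set -e", which is not visible in this hunk. Checking the pipeline status after each loop, for example "done || exit 1", would make the failure reach the caller, which is what the commit message asks for; the new "for i in gengal python senddoc unoinfo" loop is not piped and exits the script as intended. Separately, $file, $dylib and $APP_BUNDLE are expanded unquoted and read is used without -r, so a path containing whitespace or a backslash would be passed to codesign incorrectly; quoting them would be a cheap hardening while these lines are being touched.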
@@ -67,32 +78,28 @@ for framework in `find $APP_BUNDLE -name '*.framework'
-type d`; do \
fn=${fn%.*}
for version in $framework/Versions/*; do \
if test ! -L $version -a -d $version; then
-codesign --force --verbose --prefix=$MACOSX_BUNDLE_IDENTIFIER.
--sign $MACOSX_CODESIGNING_IDENTITY $version/$fn
-codesign --force --verbose --prefix=$MACOSX_BUNDLE_IDENTIFIER.
--sign $MACOSX_CODESIGNING_IDENTITY $version
+codesign --force