[Libreoffice-commits] core.git: Branch 'libreoffice-4-2' - setup_native/source solenv/bin

Christian Lohmaier lohmaier+LibreOffice at googlemail.com
Sat Jan 18 02:41:35 PST 2014


 setup_native/source/mac/CodesignRules.plist   |   19 +++++++++++++++++++
 solenv/bin/macosx-codesign-app-bundle         |   22 ++++++++++++++++++----
 solenv/bin/modules/installer/simplepackage.pm |    8 +++-----
 3 files changed, 40 insertions(+), 9 deletions(-)

New commits:
commit dad46670ccd3f2a79ad61812ea5a48120e82058d
Author: Christian Lohmaier <lohmaier+LibreOffice at googlemail.com>
Date:   Fri Jan 17 07:06:04 2014 +0100

    allow to codesign on Mac OS X Mavericks
    
    codesign on Mavericks wants much more stuff to be signed apart from the
    actual Mach libraries and executables. However, the signatures for those
    data-style files are stored as extended file attributes, so one needs
    to take special care in how the dmg is packaged so as not to break the seal.
    
    Also explicitly remove some files from the signing, to allow adjusting
    user-config path or similar or for gallery.
    
    Change-Id: Ic4c4f7718df1bca7ffa2fecd3fb1d616146d7b14
    Reviewed-on: https://gerrit.libreoffice.org/7490
    Reviewed-by: Norbert Thiebaud <nthiebaud at gmail.com>
    Tested-by: Norbert Thiebaud <nthiebaud at gmail.com>

diff --git a/setup_native/source/mac/CodesignRules.plist b/setup_native/source/mac/CodesignRules.plist
new file mode 100644
index 0000000..e638f92
--- /dev/null
+++ b/setup_native/source/mac/CodesignRules.plist
@@ -0,0 +1,19 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+    <key>rules</key>
+    <dict>
+        <key>^MacOS/(bootstraprc|fundamentalrc|setuprc|sofficerc|unorc|versionrc)$</key>
+        <false/>
+        <key>^MacOS/pythonloader.unorc$</key>
+        <false/>
+        <key>^MacOS/postgresql-sdbc.ini$</key>
+        <false/>
+        <key>^MacOS/(senddoc|python|gengal|unoinfo)$</key>
+        <false/>
+        <key>.*\.(png|svg|py|res|rdb)$</key>
+        <false/>
+    </dict>
+</dict>
+</plist>
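Review bot: The rule `.*\.(png|svg|py|res|rdb)$` and the rule `^MacOS/(senddoc|python|gengal|unoinfo)$` take more than user-editable configuration out of the bundle seal: `.py` files, and what appear to be launchers under `MacOS/`, can then change after signing without the signature check noticing. The commit message justifies the omissions only for config paths and the gallery, so consider anchoring the extension rule to the directories that need it and leaving scripts sealed, or add an XML comment next to each key saying why it is omitted. The dots in `^MacOS/pythonloader.unorc$` and `^MacOS/postgresql-sdbc.ini$` are unescaped and match any character; `pythonloader\.unorc` and `postgresql-sdbc\.ini` would match only the intended names.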
diff --git a/solenv/bin/macosx-codesign-app-bundle b/solenv/bin/macosx-codesign-app-bundle
index 07a4996..e51c903 100755
--- a/solenv/bin/macosx-codesign-app-bundle
+++ b/solenv/bin/macosx-codesign-app-bundle
@@ -35,8 +35,15 @@ APP_BUNDLE="$1"
 # First sign all files that can use the default identifier in the hope
 # that codesign will contact the timestamp server just once for all
 # mentioned on the command line.
-
-find $APP_BUNDLE \( -name '*.dylib' -or -name '*.so' \) ! -type l | grep -v "LibreOfficePython\.framework" | \
+#
+# On Mavericks also would like to have data files signed...
+# add some where it makes sense. Make a depth-first search to sign the contents
+# of e.g. the spotlight plugin before attempting to sign the plugin itself
+
+find -d $APP_BUNDLE \( -name '*.dylib' -or -name '*.so' -or -name '*.fodt' \
+        -or -name 'schema.strings' -or -name 'schema.xml' -or -name '*.mdimporter' \
+        -or -name '*.jar' -or -name '*.jnilib' -or -name 'LICENSE' -or -name 'LICENSE.html' \
+        -or -name '*.applescript' \) ! -type l | grep -v "LibreOfficePython\.framework" | \
 xargs codesign --verbose --prefix=$MACOSX_BUNDLE_IDENTIFIER. --sign "$MACOSX_CODESIGNING_IDENTITY"
 
 find $APP_BUNDLE -name '*.dylib.*' ! -type l | \
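Review bot: `$APP_BUNDLE` is expanded unquoted in the new `find -d` line and the file list reaches `xargs` whitespace-delimited, so a bundle path or file name containing a space is split into several arguments and `codesign` is handed paths that were never selected. Quoting the variable and using NUL delimiters avoids this, with the framework exclusion moved into `find`: `find -d "$APP_BUNDLE" \( ... \) ! -type l ! -path '*LibreOfficePython.framework*' -print0 | xargs -0 codesign ...`. The same unquoted expansions occur on `$version` and `$version/$fn` in the framework-loop hunk and on `$APP_BUNDLE` in the final `codesign` call. The second `find` pipeline that begins on the last line of this hunk continues outside it.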
@@ -60,7 +67,10 @@ for framework in `find $APP_BUNDLE -name '*.framework' -type d`; do \
     fn="$(basename $framework)"
     fn=${fn%.*}
     for version in $framework/Versions/*; do \
-        if test ! -L $version -a -d $version; then codesign --force --verbose --prefix=$MACOSX_BUNDLE_IDENTIFIER. --sign "$MACOSX_CODESIGNING_IDENTITY" $version/$fn; fi; \
+        if test ! -L $version -a -d $version; then
+            codesign --force --verbose --prefix=$MACOSX_BUNDLE_IDENTIFIER. --sign "$MACOSX_CODESIGNING_IDENTITY" $version/$fn
+            codesign --force --verbose --prefix=$MACOSX_BUNDLE_IDENTIFIER. --sign "$MACOSX_CODESIGNING_IDENTITY" $version
+        fi; \
     done; \
 done
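Review bot: Neither of the two `codesign` calls inside the `if` has its exit status checked, so a failure signing `$version/$fn` still goes on to sign `$version` and the loop carries on; the final bundle `codesign` in the last hunk of this file is likewise followed by an unconditional `exit 0`. Unless the part of the script outside these hunks enables `set -e`, a run with a missing or expired signing identity would report success while leaving a partly signed bundle. Appending `|| exit 1` to each call, e.g. `codesign ... "$version/$fn" || exit 1`, and letting the script return the last command's status instead of `exit 0` would surface that. The outer `for` loop starts above this hunk.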
 
@@ -71,11 +81,15 @@ done
 # all of our non-code "resources").
 #
 # At this stage we also attach the entitlements in the sandboxing case
+#
+# Also omit some files from the Bunlde's seal via the resource-rules
+# (bootstraprc and similar that the user might adjust and image files)
+# See also https://developer.apple.com/library/mac/technotes/tn2206/
 
 if test "$ENABLE_MACOSX_SANDBOX" = "TRUE"; then
     entitlements="--entitlements $BUILDDIR/lo.xcent"
 fi
 
-codesign --force --verbose --identifier="${MACOSX_BUNDLE_IDENTIFIER}.$(basename ${APP_BUNDLE})" --sign "$MACOSX_CODESIGNING_IDENTITY" $entitlements $APP_BUNDLE
+codesign --force --verbose --identifier="${MACOSX_BUNDLE_IDENTIFIER}.$(basename ${APP_BUNDLE})" --resource-rules "$SRCDIR/setup_native/source/mac/CodesignRules.plist" --sign "$MACOSX_CODESIGNING_IDENTITY" $entitlements $APP_BUNDLE
 
 exit 0
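Review bot: The rules file is located through `$SRCDIR`, which nothing visible in this hunk checks; if it is unset the path collapses to `/setup_native/source/mac/CodesignRules.plist` and `codesign` is pointed at a file that does not exist. A guard before the call, such as `test -f "$SRCDIR/setup_native/source/mac/CodesignRules.plist" || exit 1`, makes that explicit. The added comment would also be more useful if it stated that files matched by the rules sit outside the signature and can change without invalidating it. As far as I know, Apple's later guidance discourages custom resource rules, so it is worth confirming how the targeted OS X releases treat a signature made with `--resource-rules`.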
diff --git a/solenv/bin/modules/installer/simplepackage.pm b/solenv/bin/modules/installer/simplepackage.pm
index 2281a8d..9c61d66 100644
--- a/solenv/bin/modules/installer/simplepackage.pm
+++ b/solenv/bin/modules/installer/simplepackage.pm
@@ -433,11 +433,9 @@ sub create_package
             }
         }
 
-        $systemcall = "cd $localtempdir && hdiutil makehybrid -hfs -hfs-openfolder $folder $folder -hfs-volume-name \"$volume_name\" -ov -o $installdir/tmp && hdiutil convert -ov -format UDBZ $installdir/tmp.dmg -o $archive && ";
-        if (( $ref ne "" ) && ( $$ref ne "" )) {
-            $systemcall .= "hdiutil unflatten $archive && Rez -a $$ref -o $archive && hdiutil flatten $archive &&";
-        }
-        $systemcall .= "rm -f $installdir/tmp.dmg";
+        # makehybrid doesn't preserve extended attributes (needed when codesigning data files like .jar)
+        # unfortunately this method is slower than makehybrid followed by convert
+        $systemcall = "cd $localtempdir && hdiutil create -srcfolder $folder -volname \"$volume_name\" -ov -format UDBZ $archive";
     }
     else
     {
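Review bot: `$localtempdir`, `$folder` and `$archive` are interpolated unquoted into the shell string assigned to `$systemcall`, and `$volume_name` sits inside double quotes where the shell still expands `$` and backticks, so a value containing a space or shell metacharacter changes the command that runs. Quoting each value for the shell, or running `hdiutil` through the list form of `system` after a Perl `chdir`, removes that dependence on the values being clean. The rewrite also drops the `hdiutil unflatten`/`Rez`/`hdiutil flatten` step, so `$ref` is no longer used in this branch; a comment saying that this is intentional would help. `create_package` starts and ends outside this hunk, so how `$systemcall` is executed is not visible here.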

