[Libreoffice-commits] core.git: Branch 'distro/collabora/cp-4.4' - 2 commits - distro-configs/CPOSX.conf solenv/bin
Andras Timar
andras.timar at collabora.com
Tue Apr 28 05:49:25 PDT 2015
distro-configs/CPOSX.conf | 4 -
solenv/bin/macosx-codesign-app-bundle | 121 ++++++++++++++++++----------------
2 files changed, 67 insertions(+), 58 deletions(-)
New commits:
commit 41e09edc262ecb74379a3eb817d4a6369bf8a815
Author: Andras Timar <andras.timar at collabora.com>
Date: Tue Apr 28 13:13:18 2015 +0200
codesigning tweaks
Change-Id: I6a931285a585e28a47cdfde1c2f75528ed641534
diff --git a/solenv/bin/macosx-codesign-app-bundle b/solenv/bin/macosx-codesign-app-bundle
index 78a7e53..04d52aa 100755
--- a/solenv/bin/macosx-codesign-app-bundle
+++ b/solenv/bin/macosx-codesign-app-bundle
@@ -1,9 +1,8 @@
#!/bin/bash
-# Script to sign dylibs and frameworks in an app bundle plus the
-# bundle itself. Called from
-# installer::simplepackage::create_package() in
-# solenv/bin/modules/installer/simplepackage.pm
+# Script to sign executables, dylibs and frameworks in an app bundle
+# plus the bundle itself. Called from
+# the test-install target in Makefile.in
test `uname` = Darwin || { echo This is for OS X only; exit 1; }
@@ -19,87 +18,97 @@ for V in \
fi
done
-echo "codesigning using MACSOX_CODESIGNING_IDENTITY=[${MACOSX_CODESIGNING_IDENTITY?}]"
-
APP_BUNDLE="$1"
+if test -n "$ENABLE_MACOSX_SANDBOX"; then
+ # In a sandboxed build executables need the entitlements
+ entitlements="--entitlements $BUILDDIR/lo.xcent"
+ # We use --enable-canonical-installation-tree-structure so all
+ # data files in Resources are included in the app bundle signature
+ # through that. I think.
+ other_files=''
+else
+ # In a non-sandboxed build (distributed outside the App Store)
+ # we traditionally have use --resource-rules. Let's not touch that?
+ resource_rules="--resource-rules $SRCDIR/setup_native/source/mac/CodesignRules.plist"
+ # And there we then want to sign data files, too, hmm.
+ other_files="\
+ -or -name '*.fodt' -or -name 'schema.strings' -or -name 'schema.xml' \
+ -or -name '*.jar' -or -name '*.jnilib' -or -name 'LICENSE' -or -name 'LICENSE.html' \
+ -or -name '*.applescript' -or -name '*.odt'"
+fi
+
# Sign dylibs
#
-# Executables get signed right after linking, see
-# solenv/gbuild/platform/macosx.mk. But many of our dylibs are built
-# by ad-hoc or 3rd-party mechanisms, so we can't easily sign them
-# right after linking. So do it here.
-#
# The dylibs in the Python framework are called *.so. Go figure
#
# On Mavericks also would like to have data files signed...
# add some where it makes sense. Make a depth-first search to sign the contents
# of e.g. the spotlight plugin before attempting to sign the plugin itself
-find -d "$APP_BUNDLE" \( -name '*.dylib' -or -name '*.so' -or -name '*.fodt' \
- -or -name 'schema.strings' -or -name 'schema.xml' -or -name '*.mdimporter' \
- -or -name '*.jar' -or -name '*.jnilib' -or -name 'LICENSE' -or -name 'LICENSE.html' \
- -or -name '*.applescript' \) ! -type l | grep -v "LibreOfficePython\.framework" | \
+find "$APP_BUNDLE" \( -name '*.dylib' -or -name '*.dylib.*' -or -name '*.so' \
+ $other_files \) ! -type l |
while read file; do
id=`echo ${file#${APP_BUNDLE}/Contents/} | sed -e 's,/,.,g'`
- codesign --verbose --identifier=$MACOSX_BUNDLE_IDENTIFIER.$id --sign "$MACOSX_CODESIGNING_IDENTITY" "$file" || exit 1
+ codesign --verbose --identifier=$MACOSX_BUNDLE_IDENTIFIER.$id --sign "$MACOSX_CODESIGNING_IDENTITY" "$file"
done
-find $APP_BUNDLE -name '*.dylib.*' ! -type l | \
-while read dylib; do \
- id=`basename "$dylib"`; \
- id=`echo $id | sed -e 's/dylib.*/dylib/'`; \
- codesign --verbose --identifier=$MACOSX_BUNDLE_IDENTIFIER.$id --sign "$MACOSX_CODESIGNING_IDENTITY" "$dylib" || exit 1
+# Sign executables
+
+find "$APP_BUNDLE/Contents/MacOS" -type f |
+while read file; do
+ id=`echo ${file#${APP_BUNDLE}/Contents/} | sed -e 's,/,.,g'`
+ codesign --verbose --identifier=$MACOSX_BUNDLE_IDENTIFIER.$id --sign "$MACOSX_CODESIGNING_IDENTITY" $entitlements "$file"
done
-# The executables have already been signed by
-# gb_LinkTarget__command_dynamiclink in
-# solenv/gbuild/platform/macosx.mk, but sign the handful of scripts remaining
-# in MacOS
-# (<https://developer.apple.com/library/mac/technotes/tn2206/_index.html> "OS X
-# Code Signing In Depth" suggests we should get rid of them rather sooner than
-# later, but they appear to be OK for now):
-
-for i in gengal python senddoc unoinfo
-do
- codesign --verbose --identifier="$MACOSX_BUNDLE_IDENTIFIER.$i" \
- --sign "$MACOSX_CODESIGNING_IDENTITY" "$APP_BUNDLE/Contents/MacOS/$i" \
- || exit 1
+# Sign included bundles. First .app ones (i.e. the Python.app inside
+# the LibreOfficePython.framework. Be generic for kicks...)
+
+find "$APP_BUNDLE" -name '*.app' -type d |
+while read app; do
+ fn=`basename "$app"`
+ fn=${fn%.*}
+ # Assume the app has a XML (and not binary) Info.plist
+ id=`grep -A 1 '<key>CFBundleIdentifier</key>' $app/Contents/Info.plist | tail -1 | sed -e 's,.*<string>,,' -e 's,</string>.*,,'`
+ codesign --verbose --identifier=$id --sign "$MACOSX_CODESIGNING_IDENTITY" $entitlements "$app"
done
-# Sign frameworks.
-#
-# Yeah, we don't bundle any other framework than our Python one, and
-# it has just one version, so this generic search is mostly for
-# completeness.
+# Then .framework ones. Again, be generic just for kicks.
-for framework in `find $APP_BUNDLE -name '*.framework' -type d`; do \
- fn="$(basename $framework)"
+find "$APP_BUNDLE" -name '*.framework' -type d |
+while read framework; do
+ fn=`basename "$framework"`
fn=${fn%.*}
- for version in $framework/Versions/*; do \
- if test ! -L $version -a -d $version; then
- codesign --force --verbose --prefix=$MACOSX_BUNDLE_IDENTIFIER. --sign "$MACOSX_CODESIGNING_IDENTITY" $version/$fn || exit 1
- codesign --force --verbose --prefix=$MACOSX_BUNDLE_IDENTIFIER. --sign "$MACOSX_CODESIGNING_IDENTITY" $version || exit 1
- fi; \
- done; \
+ for version in "$framework"/Versions/*; do
+ if test ! -L "$version" -a -d "$version"; then
+ # Assume the framework has a XML (and not binary) Info.plist
+ id=`grep -A 1 '<key>CFBundleIdentifier</key>' $version/Resources/Info.plist | tail -1 | sed -e 's,.*<string>,,' -e 's,</string>.*,,'`
+ codesign --verbose --identifier=$id --sign "$MACOSX_CODESIGNING_IDENTITY" "$version"
+ fi
+ done
+done
+
+# Then mdimporters
+
+find "$APP_BUNDLE" -name '*.mdimporter' -type d |
+while read bundle; do
+ codesign --verbose --prefix=$MACOSX_BUNDLE_IDENTIFIER. --sign "$MACOSX_CODESIGNING_IDENTITY" "$bundle"
done
-# Sign the app bundle as a whole which means finally signing the
-# CFBundleExecutable from Info.plist, i.e. soffice (which is exempted from the
-# on-the-go executable signing in gb_LinkTarget__command_dynamiclink in
-# solenv/gbuild/platform/macosx.mk), plus the contents
+# Sign the app bundle as a whole which means (re-)signing the
+# CFBundleExecutable from Info.plist, i.e. soffice, plus the contents
# of the Resources tree (which unless you used
# --enable-canonical-installation-tree-structure is not much, far from
# all of our non-code "resources").
#
# At this stage we also attach the entitlements in the sandboxing case
+#
+# Also omit some files from the Bundle's seal via the resource-rules
+# (bootstraprc and similar that the user might adjust and image files)
+# See also https://developer.apple.com/library/mac/technotes/tn2206/
id=`echo ${MACOSX_APP_NAME} | tr ' ' '-'`
-if test -n "$ENABLE_MACOSX_SANDBOX"; then
- entitlements="--entitlements $BUILDDIR/lo.xcent"
-fi
-
-codesign --force --verbose --identifier="${MACOSX_BUNDLE_IDENTIFIER}.$id" --sign "$MACOSX_CODESIGNING_IDENTITY" $entitlements $APP_BUNDLE || exit 1
+codesign --force --verbose --identifier="${MACOSX_BUNDLE_IDENTIFIER}" $resource_rules --sign "$MACOSX_CODESIGNING_IDENTITY" $entitlements "$APP_BUNDLE"
exit 0
commit d3e6f73ffdb03c544bda12fbefa102617054ba05
Author: Andras Timar <andras.timar at collabora.com>
Date: Tue Apr 28 09:52:38 2015 +0200
CPOSX.conf tweaks
Change-Id: I3b9ce36838f273c43d80f02d7810152812b0be6f
diff --git a/distro-configs/CPOSX.conf b/distro-configs/CPOSX.conf
index f591a92..c3031e9 100644
--- a/distro-configs/CPOSX.conf
+++ b/distro-configs/CPOSX.conf
@@ -7,8 +7,6 @@
--disable-online-update
--disable-odk
--enable-epm
---with-macosx-sdk=10.8
---with-macosx-version-min-required=10.6
--enable-ext-wiki-publisher
--enable-report-builder
--enable-ext-nlpsolver
@@ -16,5 +14,7 @@
--enable-ext-ct2n
--enable-ext-languagetool
--enable-release-build
+--without-system-postgresql
+--disable-gtk
--with-package-format=dmg
--with-lang=ar as ast bg bn-IN br ca ca-valencia cy cs da de el en-US en-GB es et eu fi fr ga gd gl gu he hi hr hu id is it ja km kn ko lt lv ml mr nb nl nn oc or pa-IN pl pt pt-BR ro ru sk sl sr sr-Latn sv ta te tr uk vi zh-CN zh-TW
More information about the Libreoffice-commits
mailing list