[Libreoffice-commits] core.git: hardened_runtime.xcent solenv/bin solenv/gbuild

Christian Lohmaier (via logerrit) logerrit at kemper.freedesktop.org
Fri May 31 19:14:21 UTC 2019


 hardened_runtime.xcent                |   15 +++++++++++++++
 solenv/bin/macosx-codesign-app-bundle |   14 +++++++++-----
 solenv/gbuild/platform/macosx.mk      |    2 +-
 3 files changed, 25 insertions(+), 6 deletions(-)

New commits:
commit c98b1f1cd43b3e109bcaf6324ef2d1f449b34099
Author:     Christian Lohmaier <lohmaier+LibreOffice at googlemail.com>
AuthorDate: Fri May 31 11:57:16 2019 +0200
Commit:     Christian Lohmaier <lohmaier+LibreOffice at googlemail.com>
CommitDate: Fri May 31 21:13:31 2019 +0200

    macOS: enable hardened runtime when signing
    
    The hardened runtime is a prerequisite for notarizing apps. Notarization is
    already required on macOS 10.14.5 for software signed with newly created
    Developer IDs, and is expected to be required for all software in future
    versions of macOS.
    
    https://developer.apple.com/documentation/security/notarizing_your_app_before_distribution
    
    Change-Id: Ifdf73fb5901be5dd0b62e1a51dee6e57c9816e5f
    Reviewed-on: https://gerrit.libreoffice.org/73246
    Tested-by: Jenkins
    Reviewed-by: Christian Lohmaier <lohmaier+LibreOffice at googlemail.com>

diff --git a/hardened_runtime.xcent b/hardened_runtime.xcent
new file mode 100644
index 000000000000..72abb432afc6
--- /dev/null
+++ b/hardened_runtime.xcent
@@ -0,0 +1,15 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+    <dict>
+        <!-- AppleScript support -->
+        <key>com.apple.security.automation.apple-events</key>
+        <true/>
+        <!-- for extension manager, "exception in synchronize" -->
+        <key>com.apple.security.cs.disable-executable-page-protection</key>
+        <true/>
+        <!-- allow use of third-party plugins/frameworks (aka Java) -->
+        <key>com.apple.security.cs.disable-library-validation</key>
+        <true/>
+    </dict>
+</plist>
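Review bot: The two `com.apple.security.cs.disable-*` entitlements switch off the hardened runtime's main protections for the whole process, so the notarized build ends up roughly as exposed as the unhardened one. `disable-executable-page-protection` removes W^X for every thread (Apple's own documentation describes it as a last resort and offers the narrower `com.apple.security.cs.allow-jit` / `com.apple.security.cs.allow-unsigned-executable-memory`), yet the only justification recorded is "exception in synchronize" with no indication of what actually faults. `disable-library-validation` lets the process load dylibs and bundles signed by anyone, or unsigned, which turns the app into a convenient host for dylib injection; if it exists only for a system JRE, that should be stated so it can be revisited. I would at least record the diagnosis and the retry plan in the file, e.g. replace the comment before the page-protection key with `<!-- disables W^X process-wide (Apple: last resort); retry com.apple.security.cs.allow-unsigned-executable-memory once the extension manager "exception in synchronize" crash is root-caused -->` and add a similar note naming the third-party code that needs library validation off.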
diff --git a/solenv/bin/macosx-codesign-app-bundle b/solenv/bin/macosx-codesign-app-bundle
index 85d74514585c..db2f6ffc55d2 100755
--- a/solenv/bin/macosx-codesign-app-bundle
+++ b/solenv/bin/macosx-codesign-app-bundle
@@ -36,7 +36,7 @@ if test -n "$ENABLE_MACOSX_SANDBOX"; then
     other_files=''
 else
     # We then want to sign data files, too, hmm.
-    entitlements=''
+    entitlements="--entitlements $SRCDIR/hardened_runtime.xcent"
     other_files="\
  -or -name '*.fodt' -or -name 'schema.strings' -or -name 'schema.xml' \
  -or -name '*.jar' -or -name 'LICENSE' -or -name 'LICENSE.html' \
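Review bot: `$SRCDIR` is baked unquoted into the `entitlements` string, and the later hunks expand `$entitlements` unquoted on purpose so that it splits into two arguments; a source tree path containing whitespace therefore breaks every codesign call in this branch. Keeping the option and the path in separate variables, e.g. `entitlements_file="$SRCDIR/hardened_runtime.xcent"` and `--entitlements "$entitlements_file"` at the call sites, avoids that without needing arrays. Separately, the sandbox branch above this hunk keeps whatever `entitlements` it set before (outside the hunk), while `--options=runtime` is now added unconditionally; if that entitlement set lacks the hardened-runtime keys, the sandboxed build presumably gains library validation that it did not have before, which is worth confirming.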
@@ -83,7 +83,7 @@ while read app; do
     fn=${fn%.*}
     # Assume the app has a XML (and not binary) Info.plist
     id=`grep -A 1 '<key>CFBundleIdentifier</key>' $app/Contents/Info.plist | tail -1 | sed -e 's,.*<string>,,' -e 's,</string>.*,,'`
-    codesign --verbose --force --identifier=$id --sign "$MACOSX_CODESIGNING_IDENTITY" $entitlements "$app" > "/tmp/codesign_${fn}.log" 2>&1
+    codesign --verbose --options=runtime --force --identifier=$id --sign "$MACOSX_CODESIGNING_IDENTITY" $entitlements "$app" > "/tmp/codesign_${fn}.log" 2>&1
     if [ "$?" != "0" ] ; then
 	exit 1
     fi
@@ -100,7 +100,11 @@ while read framework; do
         if test ! -L "$version" -a -d "$version"; then
 	    # Assume the framework has a XML (and not binary) Info.plist
 	    id=`grep -A 1 '<key>CFBundleIdentifier</key>' $version/Resources/Info.plist | tail -1 | sed -e 's,.*<string>,,' -e 's,</string>.*,,'`
-            codesign --verbose --force --identifier=$id --sign "$MACOSX_CODESIGNING_IDENTITY" "$version" > "/tmp/codesign_${fn}.log" 2>&1
+            # files in bin are not covered by signing the framework...
+            for scriptorexecutable in $(find $version/bin/ -type f); do
+                codesign --verbose --options=runtime --force --identifier=$id --sign "$MACOSX_CODESIGNING_IDENTITY" "$scriptorexecutable" >> "/tmp/codesign_${fn}.log" 2>&1
+            done
+            codesign --verbose --force --identifier=$id --sign "$MACOSX_CODESIGNING_IDENTITY" "$version" >> "/tmp/codesign_${fn}.log" 2>&1
 	    if [ "$?" != "0" ] ; then
 		exit 1
 	    fi
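Review bot: A codesign failure inside the new `for scriptorexecutable` loop is never checked; the `if [ "$?" != "0" ]` that follows only sees the status of the framework-level codesign on the last line, so a helper in `bin/` can be left unsigned or without the hardened runtime and the script still reports success, and notarization rejects the bundle much later. Appending `|| exit 1` to the loop body, i.e. `codesign --verbose --options=runtime --force --identifier=$id --sign "$MACOSX_CODESIGNING_IDENTITY" "$scriptorexecutable" >> "/tmp/codesign_${fn}.log" 2>&1 || exit 1`, keeps the behaviour consistent with the rest of the script. The unquoted `$(find $version/bin/ -type f)` also word-splits on whitespace in paths and prints a `find` error to the script's stderr rather than the log when a framework has no `bin/` directory; quoting `"$version/bin"` and guarding with `test -d "$version/bin"` would cover both, assuming bundled frameworks can lack that directory.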
@@ -129,7 +133,7 @@ while read file; do
 	    ;;
 	*)
 	    id=`echo ${file#${APP_BUNDLE}/Contents/} | sed -e 's,/,.,g'`
-	    codesign --force --verbose --identifier=$MACOSX_BUNDLE_IDENTIFIER.$id --sign "$MACOSX_CODESIGNING_IDENTITY" $entitlements "$file"  > "/tmp/codesign_${MACOSX_BUNDLE_IDENTIFIER}.${id}.log" 2>&1
+	    codesign --force --verbose --options=runtime --identifier=$MACOSX_BUNDLE_IDENTIFIER.$id --sign "$MACOSX_CODESIGNING_IDENTITY" $entitlements "$file"  > "/tmp/codesign_${MACOSX_BUNDLE_IDENTIFIER}.${id}.log" 2>&1
 	    if [ "$?" != "0" ] ; then
 		exit 1
 	    fi
@@ -152,7 +156,7 @@ done
 
 id=`echo ${PRODUCTNAME} | tr ' ' '-'`
 
-codesign --force --verbose --identifier="${MACOSX_BUNDLE_IDENTIFIER}" --sign "$MACOSX_CODESIGNING_IDENTITY" $entitlements "$APP_BUNDLE" > "/tmp/codesign_${MACOSX_BUNDLE_IDENTIFIER}.log" 2>&1
+codesign --force --verbose --options=runtime --identifier="${MACOSX_BUNDLE_IDENTIFIER}" --sign "$MACOSX_CODESIGNING_IDENTITY" $entitlements "$APP_BUNDLE" > "/tmp/codesign_${MACOSX_BUNDLE_IDENTIFIER}.log" 2>&1
 if [ "$?" != "0" ] ; then
     exit 1
 fi
diff --git a/solenv/gbuild/platform/macosx.mk b/solenv/gbuild/platform/macosx.mk
index b3e451bfcd74..eec2b052cb7e 100644
--- a/solenv/gbuild/platform/macosx.mk
+++ b/solenv/gbuild/platform/macosx.mk
@@ -132,7 +132,7 @@ $(call gb_Helper_abbreviate_dirs,\
 	$(if $(MACOSX_CODESIGNING_IDENTITY), \
 		$(if $(filter Executable,$(TARGETTYPE)), \
 			$(if $(filter-out $(call gb_Executable_get_target,soffice_bin),$(1)), \
-				codesign --identifier=$(MACOSX_BUNDLE_IDENTIFIER).$(notdir $(1)) --sign $(MACOSX_CODESIGNING_IDENTITY) --force $(1) &&))) \
+				codesign --identifier=$(MACOSX_BUNDLE_IDENTIFIER).$(notdir $(1)) --sign $(MACOSX_CODESIGNING_IDENTITY) --options=runtime --force $(1) &&))) \
 	$(if $(filter Library,$(TARGETTYPE)),\
 		otool -l $(1) | grep -A 5 LC_ID_DYLIB \
 			> $(WORKDIR)/LinkTarget/$(2).exports.tmp && \
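Review bot: Executables signed in this recipe now get the hardened runtime but no `--entitlements`, unlike the app bundle signed by `solenv/bin/macosx-codesign-app-bundle`, so they run with library validation and executable-page protection fully on. If any of these helpers loads code that is not signed by the same Team ID or Apple (the commit cites Java as the reason the main app needs `disable-library-validation`), it will fail to load under the hardened runtime unless it is re-signed with the same entitlements later in the pipeline; I cannot tell from this hunk whether that happens. A comment next to the new flag, e.g. `# hardened runtime without entitlements: helpers must not dlopen non-team-signed code`, would make the constraint visible to whoever adds the next executable. `$(MACOSX_CODESIGNING_IDENTITY)` is also passed unquoted here while the shell script quotes it; identities normally contain spaces ("Developer ID Application: ..."), so the recipe presumably only works because the value is pre-escaped in the build configuration.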

