[Libreoffice-commits] core.git: Branch 'libreoffice-6-4' - solenv/bin solenv/gbuild

Christian Lohmaier (via logerrit) logerrit at kemper.freedesktop.org
Fri Feb 28 18:42:06 UTC 2020


 solenv/bin/modules/installer/simplepackage.pm |   34 ++++++++++++++++++++++++--
 solenv/gbuild/platform/macosx.mk              |   12 ++-------
 2 files changed, 35 insertions(+), 11 deletions(-)

New commits:
commit 1e1e2a6d8c10ecfaafb2ea28298c467e41b20228
Author:     Christian Lohmaier <lohmaier+LibreOffice at googlemail.com>
AuthorDate: Mon Oct 28 11:58:14 2019 +0100
Commit:     Christian Lohmaier <lohmaier+LibreOffice at googlemail.com>
CommitDate: Fri Feb 28 19:41:36 2020 +0100

    macOS: don't sign executables early
    
    macOS 10.14 and later (Mojave & Catalina) will treat signed executables
    as "restricted binary" and in turn will block any use of
    DYLD_LIBRARY_PATH settings, causing the build to fail with e.g.:
    
    dyld: Library not loaded: @__VIA_LIBRARY_PATH__/libuno_sal.dylib.3
      Referenced from: /Users/cloph/build/workdir/LinkTarget/Executable/genconv_dict
      Reason: unsafe use of relative rpath @__VIA_LIBRARY_PATH__/libuno_sal.dylib.3 in /Users/cloph/build/workdir/LinkTarget/Executable/genconv_dict with restricted binary
    
    Change-Id: Ia90d8fa6f28f9a2c10f6b46eb1796e2730550119
    Reviewed-on: https://gerrit.libreoffice.org/c/core/+/81599
    Tested-by: Jenkins
    Reviewed-by: Christian Lohmaier <lohmaier+LibreOffice at googlemail.com>
    (cherry picked from commit 1a73975918d5057336466733f3f0964c128bfcb7)
    Reviewed-on: https://gerrit.libreoffice.org/c/core/+/89678

diff --git a/solenv/bin/modules/installer/simplepackage.pm b/solenv/bin/modules/installer/simplepackage.pm
index 78a09e78e5e5..b32f77d3bef6 100644
--- a/solenv/bin/modules/installer/simplepackage.pm
+++ b/solenv/bin/modules/installer/simplepackage.pm
@@ -391,7 +391,7 @@ sub create_package
 
             chdir $localfrom;
 
-            if ( defined($ENV{'MACOSX_CODESIGNING_IDENTITY'}) && $ENV{'MACOSX_CODESIGNING_IDENTITY'} ne "" ) {
+            if ( $ENV{'MACOSX_CODESIGNING_IDENTITY'} ) {
                 my @lp_sign = ('codesign', '--verbose', '--sign', $ENV{'MACOSX_CODESIGNING_IDENTITY'}, '--deep', $appfolder);
                 if (system(@lp_sign) == 0) {
                     $infoline = "Success: \"@lp_sign\" executed successfully!\n";
@@ -405,7 +405,7 @@ sub create_package
         {
             my $subdir = "$tempdir/$packagename/$volume_name_classic_app.app/Contents/Resources";
             if ( ! -d $subdir ) { installer::systemactions::create_directory($subdir); }
-            if ( defined($ENV{'MACOSX_CODESIGNING_IDENTITY'}) && $ENV{'MACOSX_CODESIGNING_IDENTITY'} ne "" )
+            if ( $ENV{'MACOSX_CODESIGNING_IDENTITY'} )
             {
                 $systemcall = "$ENV{'SRCDIR'}/solenv/bin/macosx-codesign-app-bundle $localtempdir/$folder/$volume_name_classic_app.app";
                 print "... $systemcall ...\n";
@@ -425,7 +425,35 @@ sub create_package
                 }
             }
         }
+        elsif ($volume_name_classic_app eq 'LibreOffice SDK' || $volume_name_classic_app eq 'LibreOfficeDev SDK')
+        {
+            if ( $ENV{'MACOSX_CODESIGNING_IDENTITY'} )
+            {
+                my $sdkbindir = "$localtempdir/$folder/$allvariables->{'PRODUCTNAME'}$allvariables->{'PRODUCTVERSION'}_SDK/bin";
+                opendir(my $dh, $sdkbindir);
+                foreach my $sdkbinary (readdir $dh) {
+                    next unless -f "$sdkbindir/$sdkbinary";
+                    $systemcall = "codesign --force --verbose --options=runtime --identifier='$ENV{MACOSX_BUNDLE_IDENTIFIER}.$sdkbinary' --sign '$ENV{MACOSX_CODESIGNING_IDENTITY}' --entitlements $ENV{SRCDIR}/hardened_runtime.xcent $sdkbindir/$sdkbinary > /tmp/codesign_losdk_$sdkbinary.log 2>&1";
+                    print "... $systemcall ...\n";
+                    my $returnvalue = system($systemcall);
+                    $infoline = "Systemcall: $systemcall\n";
+                    push( @installer::globals::logfileinfo, $infoline);
 
+                    if ($returnvalue)
+                    {
+                        $infoline = "ERROR: Could not execute \"$systemcall\"!\n";
+                        push( @installer::globals::logfileinfo, $infoline);
+                    }
+                    else
+                    {
+                        $infoline = "Success: Executed \"$systemcall\" successfully!\n";
+                        push( @installer::globals::logfileinfo, $infoline);
+                        unlink "/tmp/codesign_losdk_$sdkbinary.log";
+                    }
+                }
+                closedir($dh);
+            }
+        }
         my $megabytes = 1500;
         $megabytes = 2000 if $ENV{'ENABLE_DBGUTIL'};
         $systemcall = "cd $localtempdir && hdiutil create -megabytes $megabytes -srcfolder $folder $archive -ov -fs HFS+ -volname \"$volume_name\" -format UDBZ";
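Review bot: The codesign call in the new SDK branch is built as a single shell string with `$sdkbindir`, `$sdkbinary` and the environment values interpolated (the entitlements and binary paths are not even quoted), and its output is redirected to a predictable `/tmp/codesign_losdk_$sdkbinary.log`. A file name containing a space or quote breaks or alters the command, and a fixed name in a world-writable directory can be pre-created or symlinked by another local user on a shared build host. The list form of `system` already used for `@lp_sign` earlier in create_package avoids the shell entirely, and letting codesign write to the build's own output removes the temp file. `opendir` is also unchecked, so a missing bin directory means nothing gets signed with no error. A failed signing is only appended to the log here; whether anything later fails the build is not visible in this hunk (create_package starts and ends outside it).

```perl
opendir(my $dh, $sdkbindir) or die "ERROR: cannot open $sdkbindir: $!\n";
foreach my $sdkbinary (readdir $dh) {
    next unless -f "$sdkbindir/$sdkbinary";
    # List form: no shell, so file names and env values are passed as single arguments.
    my @sdk_sign = ('codesign', '--force', '--verbose', '--options=runtime',
        "--identifier=$ENV{MACOSX_BUNDLE_IDENTIFIER}.$sdkbinary",
        '--sign', $ENV{MACOSX_CODESIGNING_IDENTITY},
        '--entitlements', "$ENV{SRCDIR}/hardened_runtime.xcent",
        "$sdkbindir/$sdkbinary");
    print "... @sdk_sign ...\n";
    my $returnvalue = system(@sdk_sign);
    $infoline = "Systemcall: @sdk_sign\n";
    # … unchanged: logfileinfo push and ERROR/Success branches (messages use "@sdk_sign"; the unlink of the /tmp log goes away) …
}
# … unchanged: closedir …
```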
@@ -695,3 +723,5 @@ sub create_simple_package
 }
 
 1;
+
+# vim: set shiftwidth=4 softtabstop=4 expandtab:
diff --git a/solenv/gbuild/platform/macosx.mk b/solenv/gbuild/platform/macosx.mk
index eec2b052cb7e..e7362a503395 100644
--- a/solenv/gbuild/platform/macosx.mk
+++ b/solenv/gbuild/platform/macosx.mk
@@ -90,11 +90,9 @@ $(if $(filter Executable,$(1)),\
 	$$(call gb_Library_get_layer,$(2)))
 endef
 
-# We sign executables right after linking below. But not dylibs,
-# because many of them are built by ad-hoc or 3rd-party mechanisms. So
-# as we would need to sign those separately anyway, we do it for the
-# gbuild-built ones, too, after an app bundle has been constructed, in
-# the solenv/bin/macosx-codesign-app-bundle script.
+# We cannot sign executables early since Mojave/Catalina would treat them as
+# restricted binary and ignore any DYLD_LIBRARY_PATH setting - So all
+# signing is handled by the solenv/bin/macosx-codesign-app-bundle script.
 # And the soffice executable needs to be signed last in
 # macosx-codesign-app-bundle, as codesign would fail complaining that other
 # parts of the app have not yet been signed:
@@ -129,10 +127,6 @@ $(call gb_Helper_abbreviate_dirs,\
 		$(PERL) $(SRCDIR)/solenv/bin/macosx-change-install-names.pl app $(LAYER) $(1) &&) \
 	$(if $(filter Library Bundle CppunitTest,$(TARGETTYPE)),\
 		$(PERL) $(SRCDIR)/solenv/bin/macosx-change-install-names.pl shl $(LAYER) $(1) &&) \
-	$(if $(MACOSX_CODESIGNING_IDENTITY), \
-		$(if $(filter Executable,$(TARGETTYPE)), \
-			$(if $(filter-out $(call gb_Executable_get_target,soffice_bin),$(1)), \
-				codesign --identifier=$(MACOSX_BUNDLE_IDENTIFIER).$(notdir $(1)) --sign $(MACOSX_CODESIGNING_IDENTITY) --options=runtime --force $(1) &&))) \
 	$(if $(filter Library,$(TARGETTYPE)),\
 		otool -l $(1) | grep -A 5 LC_ID_DYLIB \
 			> $(WORKDIR)/LinkTarget/$(2).exports.tmp && \

