[PATCH libreoffice-4-0] Add support for codesigning on Mac OS X

Tor Lillqvist (via Code Review) gerrit at gerrit.libreoffice.org
Thu Feb 7 15:24:53 PST 2013


Hi,

I have submitted a patch for review:

    https://gerrit.libreoffice.org/2031

To pull it, you can do:

    git pull ssh://gerrit.libreoffice.org:29418/core refs/changes/31/2031/1

Add support for codesigning on Mac OS X

Only sign the .app. Presumably that's enough here in the 4.0 branch.

Change-Id: I7a25c6b7bfa2047b1cb6bcb913750b1b476124f6
---
M config_host.mk.in
M configure.ac
M solenv/bin/modules/installer/simplepackage.pm
3 files changed, 73 insertions(+), 0 deletions(-)



diff --git a/config_host.mk.in b/config_host.mk.in
index d7ede5a..7b9834d 100644
--- a/config_host.mk.in
+++ b/config_host.mk.in
@@ -312,6 +312,7 @@
 export LINK_X64_BINARY=@LINK_X64_BINARY@
 @x_Cygwin@ export LS=@WIN_LS@
 export MANDIR=@MANDIR@
+export MACOSX_CODESIGNING_IDENTITY=@MACOSX_CODESIGNING_IDENTITY@
 export MACOSX_DEPLOYMENT_TARGET=@MACOSX_DEPLOYMENT_TARGET@
 export MACOSX_DEPLOYMENT_TARGET_FOR_BUILD=@MACOSX_DEPLOYMENT_TARGET_FOR_BUILD@
 export MACOSX_SDK_PATH=@MACOSX_SDK_PATH@
diff --git a/configure.ac b/configure.ac
index 5bdbd37..e7c06f2 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1081,6 +1081,15 @@
         [Enable MSI with LIMITUI=1 (silent install).]),
 ,)
 
+AC_ARG_ENABLE(macosx-code-signing,
+    AS_HELP_STRING([--enable-macosx-code-signing<=identity>],
+        [Sign the app bundle being stored in the disk image. The
+         default is to do signing if there is a suitable certificate
+         in your keychain, so if you don't want that, use the
+         corresponding --disable option. Experimental work in
+         progress, don't use unless you are working on this.]),
+,)
+
 AC_ARG_ENABLE(postgresql-sdbc,
     AS_HELP_STRING([--disable-postgresql-sdbc],
         [Disable the build of the PostgreSQL-SDBC driver.])
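Review bot: The help text documents a default that signs whenever a suitable certificate happens to be in the keychain, while the same text calls the feature experimental and says not to use it unless you are working on it. A build on a developer's or release engineer's machine would then use a real distribution identity without anyone having asked for it. It would be safer to make signing opt-in until the work is finished and to say so here, for example `Off unless --enable-macosx-code-signing or an explicit identity is given.`; that needs the matching change in the test added further down in this file.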
@@ -2822,6 +2831,31 @@
     fi
     AC_MSG_NOTICE([MAC_OS_X_VERSION_MIN_REQUIRED=$MAC_OS_X_VERSION_MIN_REQUIRED])
     AC_MSG_NOTICE([MAC_OS_X_VERSION_MAX_ALLOWED=$MAC_OS_X_VERSION_MAX_ALLOWED])
+
+    AC_MSG_CHECKING([whether to do code signing])
+
+    if test -z "$enable_macosx_code_signing" -o "$enable_macosx_code_signing" = yes; then
+        # By default use the first suitable certificate (?).
+
+        # http://stackoverflow.com/questions/13196291/difference-between-mac-developer-and-3rd-party-mac-developer-application
+        # says that the "Mac Developer" certificate is useful just for self-testing. For distribution
+        # outside the Mac App Store, use the "Developer ID Application" one, and for distribution in
+        # the App Store, the "3rd Party Mac Developer" one. I think it works best to the the
+        # "Developer ID Application" one.
+
+        identity=`security find-identity -p codesigning -v 2>/dev/null | grep 'Developer ID Application:' | awk '{print $2}' |head -1`
+        if test -n "$identity"; then
+            MACOSX_CODESIGNING_IDENTITY=$identity
+            pretty_name=`security find-identity -p codesigning -v | grep $MACOSX_CODESIGNING_IDENTITY | sed -e 's/^[[^"]]*"//' -e 's/"//'`
+            AC_MSG_RESULT([yes, using the identity $MACOSX_CODESIGNING_IDENTITY for $pretty_name])
+        fi
+    elif test -n "$enable_macosx_code_signing"; then
+        MACOSX_CODESIGNING_IDENTITY=$enable_macosx_code_signing
+        pretty_name=`security find-identity -p codesigning -v | grep $MACOSX_CODESIGNING_IDENTITY | sed -e 's/^[[^"]]*"//' -e 's/"//'`
+        AC_MSG_RESULT([yes, using the identity $MACOSX_CODESIGNING_IDENTITY for $pretty_name])
+    else
+        AC_MSG_RESULT([no])
+    fi
 fi
 AC_SUBST(FRAMEWORKSHOME)
 AC_SUBST(MACOSX_SDK_PATH)
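Review bot: `--disable-macosx-code-signing` does not disable anything here: it sets `enable_macosx_code_signing=no`, which fails the first test but satisfies `elif test -n "$enable_macosx_code_signing"`, so `MACOSX_CODESIGNING_IDENTITY` becomes the literal `no` and the final `else` branch can never run. The second test should exclude that value, `elif test "$enable_macosx_code_signing" != no; then`. The auto-detect branch also prints no result when `security find-identity` yields nothing, which leaves the "checking whether to do code signing" line unfinished; an `else` with `AC_MSG_RESULT([no])` inside that branch would close it. `grep $MACOSX_CODESIGNING_IDENTITY` is unquoted in both places, so an identity passed by certificate name with spaces would be split into several arguments; `grep -F "$MACOSX_CODESIGNING_IDENTITY"` avoids that. The enclosing `if` that the last `fi` closes opens before this hunk.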
@@ -2830,6 +2864,7 @@
 AC_SUBST(MAC_OS_X_VERSION_MIN_REQUIRED)
 AC_SUBST(MAC_OS_X_VERSION_MAX_ALLOWED)
 AC_SUBST(XCRUN)
+AC_SUBST(MACOSX_CODESIGNING_IDENTITY)
 
 dnl ===================================================================
 dnl Windows specific tests and stuff
diff --git a/solenv/bin/modules/installer/simplepackage.pm b/solenv/bin/modules/installer/simplepackage.pm
index 561b0fe..26911a4 100755
--- a/solenv/bin/modules/installer/simplepackage.pm
+++ b/solenv/bin/modules/installer/simplepackage.pm
@@ -418,6 +418,43 @@
 
             chdir $localfrom;
         }
+	else
+	{
+	    if (defined($ENV{'MACOSX_CODESIGNING_IDENTITY'}))
+	    {
+		# Just sign the .app as a whole, which means signing
+		# the CFBundleExecutable from Info.plist,
+		# i.e. soffice, plus the contents of the Resources
+		# treee (which is not much, far from all of our
+		# non-code "resources").
+
+		# Don't bother here in the 4.0 branch to sign each
+		# individual .dylib, or each additional binary. See
+		# master for more work plus possibly eventually
+		# re-organising the app bundle structure to be more
+		# Mac-like (the "program" symlink, eek!) and actually
+		# putting all non-code resources (including extension
+		# scripts!)  into Resources so that they participate
+		# in the signing and their validity can be guaranteed.
+
+		$systemcall = "codesign --sign $ENV{'MACOSX_CODESIGNING_IDENTITY'} -v -v -v $tempdir/$packagename/$volume_name_classic_app.app";
+		print "... $systemcall ...\n";
+		my $returnvalue = system($systemcall);
+		$infoline = "Systemcall: $systemcall\n";
+		push( @installer::globals::logfileinfo, $infoline);
+
+		if ($returnvalue)
+		{
+		    $infoline = "ERROR: Could not execute \"$systemcall\"!\n";
+		    push( @installer::globals::logfileinfo, $infoline);
+		}
+		else
+		{
+		    $infoline = "Success: Executed \"$systemcall\" successfully!\n";
+		    push( @installer::globals::logfileinfo, $infoline);
+		}
+	    }
+	}
 
         $systemcall = "cd $localtempdir && hdiutil makehybrid -hfs -hfs-openfolder $folder $folder -hfs-volume-name \"$volume_name\" -ov -o $installdir/tmp && hdiutil convert -ov -format UDBZ $installdir/tmp.dmg -o $archive && ";
         if (( $ref ne "" ) && ( $$ref ne "" )) {
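Review bot: `defined($ENV{'MACOSX_CODESIGNING_IDENTITY'})` is true for an empty string, and config_host.mk.in exports the variable unconditionally, so when configure selected no identity this branch presumably still runs `codesign --sign` with `-v` taken as the identity. The command is also built as one string for `system()`, so the identity and the bundle path are re-parsed by the shell, and an identity given by its certificate name (which contains spaces) would be split. Testing for a non-empty value and calling `system` in list form addresses both, as sketched below. A non-zero exit is only written to the log, so a build that was meant to be signed can still produce an unsigned disk image; whether that should stop packaging depends on code outside this hunk. The `if` that this `else` belongs to, and the function itself, start before the hunk.

```perl
if ($ENV{'MACOSX_CODESIGNING_IDENTITY'})
{
    # … unchanged: comments on what is and is not signed …
    my @codesign = ('codesign', '--sign', $ENV{'MACOSX_CODESIGNING_IDENTITY'},
                    '-v', '-v', '-v',
                    "$tempdir/$packagename/$volume_name_classic_app.app");
    $systemcall = join(' ', @codesign);   # kept only for the log lines
    print "... $systemcall ...\n";
    my $returnvalue = system(@codesign);  # list form: no shell parsing
    # … unchanged: logging of the call and of its result …
}
```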

-- 
To view, visit https://gerrit.libreoffice.org/2031
To unsubscribe, visit https://gerrit.libreoffice.org/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: I7a25c6b7bfa2047b1cb6bcb913750b1b476124f6
Gerrit-PatchSet: 1
Gerrit-Project: core
Gerrit-Branch: libreoffice-4-0
Gerrit-Owner: Tor Lillqvist <tml at iki.fi>

