[PATCH libreoffice-4-0] Add support for codesigning on Mac OS X
Tor Lillqvist (via Code Review)
gerrit at gerrit.libreoffice.org
Thu Feb 7 15:24:53 PST 2013
Hi,
I have submitted a patch for review:
https://gerrit.libreoffice.org/2031
To pull it, you can do:
git pull ssh://gerrit.libreoffice.org:29418/core refs/changes/31/2031/1
Add support for codesigning on Mac OS X
Only sign the .app. Presumably that's enough here in the 4.0 branch.
Change-Id: I7a25c6b7bfa2047b1cb6bcb913750b1b476124f6
---
M config_host.mk.in
M configure.ac
M solenv/bin/modules/installer/simplepackage.pm
3 files changed, 73 insertions(+), 0 deletions(-)
diff --git a/config_host.mk.in b/config_host.mk.in
index d7ede5a..7b9834d 100644
--- a/config_host.mk.in
+++ b/config_host.mk.in
@@ -312,6 +312,7 @@
export LINK_X64_BINARY=@LINK_X64_BINARY@
@x_Cygwin@ export LS=@WIN_LS@
export MANDIR=@MANDIR@
+export MACOSX_CODESIGNING_IDENTITY=@MACOSX_CODESIGNING_IDENTITY@
export MACOSX_DEPLOYMENT_TARGET=@MACOSX_DEPLOYMENT_TARGET@
export MACOSX_DEPLOYMENT_TARGET_FOR_BUILD=@MACOSX_DEPLOYMENT_TARGET_FOR_BUILD@
export MACOSX_SDK_PATH=@MACOSX_SDK_PATH@
diff --git a/configure.ac b/configure.ac
index 5bdbd37..e7c06f2 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1081,6 +1081,15 @@
[Enable MSI with LIMITUI=1 (silent install).]),
,)
+AC_ARG_ENABLE(macosx-code-signing,
+ AS_HELP_STRING([--enable-macosx-code-signing<=identity>],
+ [Sign the app bundle being stored in the disk image. The
+ default is to do signing if there is a suitable certificate
+ in your keychain, so if you don't want that, use the
+ corresponding --disable option. Experimental work in
+ progress, don't use unless you are working on this.]),
+,)
+
AC_ARG_ENABLE(postgresql-sdbc,
AS_HELP_STRING([--disable-postgresql-sdbc],
[Disable the build of the PostgreSQL-SDBC driver.])
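Review bot: The help text for `--enable-macosx-code-signing` calls the feature experimental ("don't use unless you are working on this") yet documents signing as the default whenever a suitable certificate is in the keychain. Any build on a machine that holds a Developer ID key would therefore use that key without the builder asking for it. Using a distribution signing key is better made opt-in: word the help as "The default is not to sign" and have the later test act only on an explicit request, `if test "$enable_macosx_code_signing" = yes; then`. The `<=identity>` form in the option string would also read more conventionally as `[=identity]`.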
@@ -2822,6 +2831,31 @@
fi
AC_MSG_NOTICE([MAC_OS_X_VERSION_MIN_REQUIRED=$MAC_OS_X_VERSION_MIN_REQUIRED])
AC_MSG_NOTICE([MAC_OS_X_VERSION_MAX_ALLOWED=$MAC_OS_X_VERSION_MAX_ALLOWED])
+
+ AC_MSG_CHECKING([whether to do code signing])
+
+ if test -z "$enable_macosx_code_signing" -o "$enable_macosx_code_signing" = yes; then
+ # By default use the first suitable certificate (?).
+
+ # http://stackoverflow.com/questions/13196291/difference-between-mac-developer-and-3rd-party-mac-developer-application
+ # says that the "Mac Developer" certificate is useful just for self-testing. For distribution
+ # outside the Mac App Store, use the "Developer ID Application" one, and for distribution in
+ # the App Store, the "3rd Party Mac Developer" one. I think it works best to the the
+ # "Developer ID Application" one.
+
+ identity=`security find-identity -p codesigning -v 2>/dev/null | grep 'Developer ID Application:' | awk '{print $2}' |head -1`
+ if test -n "$identity"; then
+ MACOSX_CODESIGNING_IDENTITY=$identity
+ pretty_name=`security find-identity -p codesigning -v | grep $MACOSX_CODESIGNING_IDENTITY | sed -e 's/^[[^"]]*"//' -e 's/"//'`
+ AC_MSG_RESULT([yes, using the identity $MACOSX_CODESIGNING_IDENTITY for $pretty_name])
+ fi
+ elif test -n "$enable_macosx_code_signing"; then
+ MACOSX_CODESIGNING_IDENTITY=$enable_macosx_code_signing
+ pretty_name=`security find-identity -p codesigning -v | grep $MACOSX_CODESIGNING_IDENTITY | sed -e 's/^[[^"]]*"//' -e 's/"//'`
+ AC_MSG_RESULT([yes, using the identity $MACOSX_CODESIGNING_IDENTITY for $pretty_name])
+ else
+ AC_MSG_RESULT([no])
+ fi
fi
AC_SUBST(FRAMEWORKSHOME)
AC_SUBST(MACOSX_SDK_PATH)
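Review bot: `--disable-macosx-code-signing` does not disable signing here: it sets `enable_macosx_code_signing` to `no`, which is non-empty, so the `elif test -n "$enable_macosx_code_signing"` branch assigns `MACOSX_CODESIGNING_IDENTITY=no` and the final `else` is never reached. The branch should read `elif test "$enable_macosx_code_signing" != no; then`. In the default branch, when no `Developer ID Application` certificate is found the `AC_MSG_CHECKING` line is left without a result, so the inner `if test -n "$identity"` needs an `else` with `AC_MSG_RESULT([no])`. The identity is also passed unquoted to `grep $MACOSX_CODESIGNING_IDENTITY`, and an explicitly given identity is accepted even when the lookup prints nothing, so a mistyped value would only be noticed at packaging time. Quoting it as `grep -F "$MACOSX_CODESIGNING_IDENTITY"` and stopping with `AC_MSG_ERROR` when `pretty_name` is empty would catch that at configure time.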
@@ -2830,6 +2864,7 @@
AC_SUBST(MAC_OS_X_VERSION_MIN_REQUIRED)
AC_SUBST(MAC_OS_X_VERSION_MAX_ALLOWED)
AC_SUBST(XCRUN)
+AC_SUBST(MACOSX_CODESIGNING_IDENTITY)
dnl ===================================================================
dnl Windows specific tests and stuff
diff --git a/solenv/bin/modules/installer/simplepackage.pm b/solenv/bin/modules/installer/simplepackage.pm
index 561b0fe..26911a4 100755
--- a/solenv/bin/modules/installer/simplepackage.pm
+++ b/solenv/bin/modules/installer/simplepackage.pm
@@ -418,6 +418,43 @@
chdir $localfrom;
}
+ else
+ {
+ if (defined($ENV{'MACOSX_CODESIGNING_IDENTITY'}))
+ {
+ # Just sign the .app as a whole, which means signing
+ # the CFBundleExecutable from Info.plist,
+ # i.e. soffice, plus the contents of the Resources
+ # treee (which is not much, far from all of our
+ # non-code "resources").
+
+ # Don't bother here in the 4.0 branch to sign each
+ # individual .dylib, or each additional binary. See
+ # master for more work plus possibly eventually
+ # re-organising the app bundle structure to be more
+ # Mac-like (the "program" symlink, eek!) and actually
+ # putting all non-code resources (including extension
+ # scripts!) into Resources so that they participate
+ # in the signing and their validity can be guaranteed.
+
+ $systemcall = "codesign --sign $ENV{'MACOSX_CODESIGNING_IDENTITY'} -v -v -v $tempdir/$packagename/$volume_name_classic_app.app";
+ print "... $systemcall ...\n";
+ my $returnvalue = system($systemcall);
+ $infoline = "Systemcall: $systemcall\n";
+ push( @installer::globals::logfileinfo, $infoline);
+
+ if ($returnvalue)
+ {
+ $infoline = "ERROR: Could not execute \"$systemcall\"!\n";
+ push( @installer::globals::logfileinfo, $infoline);
+ }
+ else
+ {
+ $infoline = "Success: Executed \"$systemcall\" successfully!\n";
+ push( @installer::globals::logfileinfo, $infoline);
+ }
+ }
+ }
$systemcall = "cd $localtempdir && hdiutil makehybrid -hfs -hfs-openfolder $folder $folder -hfs-volume-name \"$volume_name\" -ov -o $installdir/tmp && hdiutil convert -ov -format UDBZ $installdir/tmp.dmg -o $archive && ";
if (( $ref ne "" ) && ( $$ref ne "" )) {
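Review bot: The codesign command is assembled as one string and run through the shell by `system($systemcall)`, so an identity that contains spaces (a certificate common name rather than a hash) or shell metacharacters is split or interpreted before codesign sees it; the list form of `system` avoids the shell. The `defined(...)` guard is also true for an empty string, and config_host.mk.in exports the variable unconditionally, so a build configured without an identity would presumably still run `codesign --sign -v ...` with `-v` taken as the identity. A non-zero return is only written to the log, so packaging continues and the disk image ships an unsigned bundle without the build failing; for a signing step that should be fatal. The `else` added here belongs to an `if` that starts outside the hunk, and the enclosing function is not fully visible.

```perl
my $identity = $ENV{'MACOSX_CODESIGNING_IDENTITY'};
if (defined($identity) && $identity ne '')
{
    # List form: no shell, the identity and the path are passed as single arguments.
    my @codesign = ('codesign', '--sign', $identity, '-v', '-v', '-v',
                    "$tempdir/$packagename/$volume_name_classic_app.app");
    $systemcall = join(' ', @codesign);
    print "... $systemcall ...\n";
    my $returnvalue = system(@codesign);
    # … unchanged: logging of $systemcall and of the success/error lines …
}
```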
--
To view, visit https://gerrit.libreoffice.org/2031
To unsubscribe, visit https://gerrit.libreoffice.org/settings
Gerrit-MessageType: newchange
Gerrit-Change-Id: I7a25c6b7bfa2047b1cb6bcb913750b1b476124f6
Gerrit-PatchSet: 1
Gerrit-Project: core
Gerrit-Branch: libreoffice-4-0
Gerrit-Owner: Tor Lillqvist <tml at iki.fi>