Merge pull request #18335 from sy6sy2/ATV-fake-sign-topshelf

[tools/codesign][tvOS][Jailbreak] Fake sign kodi-topshelf + fix crash on start on Unc0verTV 

7 files changed, 51 insertions, 85 deletions

diff --git a/cmake/scripts/darwin_embedded/ExtraTargets.cmake b/cmake/scripts/darwin_embedded/ExtraTargets.cmake
index 1b984f36b8..01ab6328c5 100644
--- a/cmake/scripts/darwin_embedded/ExtraTargets.cmake
+++ b/cmake/scripts/darwin_embedded/ExtraTargets.cmake
@@ -23,5 +23,10 @@ if(CORE_PLATFORM_NAME_LC STREQUAL tvos)
                                                               XCODE_ATTRIBUTE_CODE_SIGN_ENTITLEMENTS ${ENTITLEMENTS_OUT_PATH})
   target_link_libraries(${TOPSHELF_EXTENSION_NAME} "-framework TVServices" "-framework Foundation")
 
+  add_custom_command(TARGET ${TOPSHELF_EXTENSION_NAME} POST_BUILD
+    COMMAND "NATIVEPREFIX=${NATIVEPREFIX}"
+            ${CMAKE_SOURCE_DIR}/tools/darwin/Support/Codesign-topshelf.command
+  )
+
   add_dependencies(${APP_NAME_LC} ${TOPSHELF_EXTENSION_NAME})
 endif()
diff --git a/tools/darwin/Support/Codesign-topshelf.command b/tools/darwin/Support/Codesign-topshelf.command
new file mode 100755
index 0000000000..8b9a3ffe83
--- /dev/null
+++ b/tools/darwin/Support/Codesign-topshelf.command
@@ -0,0 +1,17 @@
+#!/bin/bash
+
+set -x
+
+LDID="$NATIVEPREFIX/bin/ldid"
+
+# Delete existing codesign and provisioning file
+rm -f "${CODESIGNING_FOLDER_PATH}/embedded.mobileprovision"
+rm -rf "${CODESIGNING_FOLDER_PATH}/_CodeSignature"
+
+# If user has not set a code_sign_identity we do a fake sign
+if [ -z "${CODE_SIGN_IDENTITY}" ]; then
+  # Do fake sign - needed for iOS >=5.1 and tvOS >=10.2 jailbroken devices
+  # See http://www.saurik.com/id/8
+  echo "Doing a fake sign of Top Shelf binary using ldid for jailbroken devices"
+  "${LDID}" -S "${CODESIGNING_FOLDER_PATH}/${EXECUTABLE_NAME}"
+fi
diff --git a/tools/darwin/Support/Codesign.command b/tools/darwin/Support/Codesign.command
index 44486e6956..e75410d4ef 100755
--- a/tools/darwin/Support/Codesign.command
+++ b/tools/darwin/Support/Codesign.command
@@ -2,10 +2,9 @@
 
 set -x
 
-#this is the list of binaries we have to sign for being able to run un-jailbroken
+# This is the list of binaries we have to sign for being able to run un-jailbroken
 LIST_BINARY_EXTENSIONS="dylib so app"
 
-GEN_ENTITLEMENTS="$NATIVEPREFIX/bin/gen_entitlements.py"
 DARWIN_EMBEDDED_ENTITLEMENTS="$XBMC_DEPENDS/share/darwin_embedded_entitlements.xml"
 LDID="$NATIVEPREFIX/bin/ldid"
 
@@ -13,26 +12,15 @@ if [ "${PLATFORM_NAME}" == "macosx" ]; then
   MACOS=1
 fi
 
-if [[ ! "$MACOS" && ! -f ${GEN_ENTITLEMENTS} ]]; then
-  echo "error: $GEN_ENTITLEMENTS not found. Codesign won't work."
-  exit -1
-fi
-
 if [ "$MACOS" ]; then
   CONTENTS_PATH="${CODESIGNING_FOLDER_PATH}/Contents"
 else
   CONTENTS_PATH="${CODESIGNING_FOLDER_PATH}"
 fi
 
-if [ ! "$MACOS" ]; then
-  # do fake sign - needed for iOS >=5.1 and tvOS >=10.2 jailbroken devices
-  # see http://www.saurik.com/id/8
-  "${LDID}" -S"${DARWIN_EMBEDDED_ENTITLEMENTS}" "${BUILT_PRODUCTS_DIR}/${EXECUTABLE_FOLDER_PATH}/${EXECUTABLE_NAME}"
-fi
-
-# pull the CFBundleIdentifier out of the built xxx.app
+# Pull the CFBundleIdentifier out of the built xxx.app
 BUNDLEID=$(/usr/libexec/PlistBuddy -c 'Print :CFBundleIdentifier' "${CONTENTS_PATH}/Info.plist")
-echo "CFBundleIdentifier is ${BUNDLEID}"
+echo "CFBundleIdentifier is '${BUNDLEID}'"
 
 # Prefer the expanded name, if available.
 CODE_SIGN_IDENTITY_FOR_ITEMS="${EXPANDED_CODE_SIGN_IDENTITY_NAME}"
@@ -40,28 +28,21 @@ if [ "${CODE_SIGN_IDENTITY_FOR_ITEMS}" = "" ] ; then
   # Fall back to old behavior.
   CODE_SIGN_IDENTITY_FOR_ITEMS="${CODE_SIGN_IDENTITY}"
 fi
-echo "${CODE_SIGN_IDENTITY_FOR_ITEMS}"
-
-if [ ! "$MACOS" ]; then
-  ${GEN_ENTITLEMENTS} "${BUNDLEID}" "${BUILT_PRODUCTS_DIR}/${EXECUTABLE_FOLDER_PATH}/${EXECUTABLE_NAME}.xcent"
-  if [ -f "${CONTENTS_PATH}/embedded.mobileprovision" ]; then
-    rm -f "${CONTENTS_PATH}/embedded.mobileprovision"
-  fi
-fi
+echo "Code sign identity is '${CODE_SIGN_IDENTITY_FOR_ITEMS}'"
 
-# delete existing codesigning
-if [ -d "${CONTENTS_PATH}/_CodeSignature" ]; then
-  rm -r "${CONTENTS_PATH}/_CodeSignature"
-fi
+# Delete existing codesign and provisioning file
+rm -f "${CONTENTS_PATH}/embedded.mobileprovision"
+rm -rf "${CONTENTS_PATH}/_CodeSignature"
 
-#if user has set a code_sign_identity different from iPhone Developer we do a real codesign (for deployment on non-jailbroken devices)
+# If user has set a code_sign_identity we do a real codesign (for deployment on non-jailbroken devices)
 if ! [ -z "${CODE_SIGN_IDENTITY_FOR_ITEMS}" ]; then
   if egrep -q --max-count=1 -e '^iPhone (Developer|Distribution): ' -e '^Apple (Development|Distribution): ' -e '^[[:xdigit:]]+$' -e '^Developer ID Application: ' <<<"${CODE_SIGN_IDENTITY_FOR_ITEMS}"; then
-    echo "Doing a full bundle sign using genuine identity ${CODE_SIGN_IDENTITY_FOR_ITEMS}"
+    echo "Doing a full bundle sign using genuine identity '${CODE_SIGN_IDENTITY_FOR_ITEMS}'"
+
     for binext in $LIST_BINARY_EXTENSIONS
     do
-      echo "Signing binary: $binext"
-      # check if at least 1 file with the extension exists to sign, otherwise do nothing
+      echo "Signing binaries with '$binext' extension"
+      # Check if at least 1 file with the extension exists to sign, otherwise do nothing
       FINDOUTPUT=$(find "${CONTENTS_PATH}" -iname "*.$binext" -type f)
       if [ `echo $FINDOUTPUT | wc -l` != 0 ]; then
         for singlefile in $FINDOUTPUT; do
@@ -80,7 +61,7 @@ if ! [ -z "${CODE_SIGN_IDENTITY_FOR_ITEMS}" ]; then
     done
 
     if [ "$MACOS" ]; then
-      #sign and repackage python eggs for osx
+      # Sign and repackage python eggs for osx
       EGGS=$(find "${CONTENTS_PATH}" -iname "*.egg" -type f)
       echo "Signing Eggs"
       for i in $EGGS; do
@@ -89,7 +70,7 @@ if ! [ -z "${CODE_SIGN_IDENTITY_FOR_ITEMS}" ]; then
         unzip -q $i -d del
         for binext in $LIST_BINARY_EXTENSIONS
         do
-          # check if at least 1 file with the extension exists to sign, otherwise do nothing
+          # Check if at least 1 file with the extension exists to sign, otherwise do nothing
           FINDOUTPUT=$(find ./del/ -iname "*.$binext" -type f)
           if [ `echo $FINDOUTPUT | wc -l` != 0 ]; then
             for singlefile in $FINDOUTPUT; do
@@ -103,4 +84,18 @@ if ! [ -z "${CODE_SIGN_IDENTITY_FOR_ITEMS}" ]; then
       done
     fi
   fi
+elif [ ! "$MACOS" ]; then
+  # Do fake sign - needed for iOS >=5.1 and tvOS >=10.2 jailbroken devices
+  # See http://www.saurik.com/id/8
+  echo "Doing a fake sign using ldid for jailbroken devices (main kodi binary and all Mach-O files)"
+
+  # Main 'kodi' binary
+  "${LDID}" -S"${DARWIN_EMBEDDED_ENTITLEMENTS}" "${CONTENTS_PATH}/${EXECUTABLE_NAME}"
+
+  # All Mach-O files (except TopShelf)
+  for f in $(find "${CONTENTS_PATH}/AppData" "${CONTENTS_PATH}/Frameworks" -type f); do
+    if [[ $(file ${f}) == *"Mach-O"* ]]; then
+      "${LDID}" -S "${f}"
+    fi
+  done
 fi
diff --git a/tools/darwin/packaging/darwin_embedded/mkdeb-darwin_embedded.sh.in b/tools/darwin/packaging/darwin_embedded/mkdeb-darwin_embedded.sh.in
index a1d1121199..78cb87aada 100644
--- a/tools/darwin/packaging/darwin_embedded/mkdeb-darwin_embedded.sh.in
+++ b/tools/darwin/packaging/darwin_embedded/mkdeb-darwin_embedded.sh.in
@@ -109,7 +109,6 @@ cp -r $APP $DIRNAME/$PACKAGE/Applications/
 find $DIRNAME/$PACKAGE/Applications/ -name '.svn' -exec rm -rf {} \;
 find $DIRNAME/$PACKAGE/Applications/ -name '.git*' -exec rm -rf {} \;
 find $DIRNAME/$PACKAGE/Applications/ -name '.DS_Store'  -exec rm -rf {} \;
-find $DIRNAME/$PACKAGE/Applications/ -name '*.xcent'  -exec rm -rf {} \;
 
 echo Packaging $PACKAGE
 # Tell tar, pax, etc. on Mac OS X 10.4+ not to archive
diff --git a/tools/depends/native/Makefile b/tools/depends/native/Makefile
index 7a3966a206..e5aff1f9df 100644
--- a/tools/depends/native/Makefile
+++ b/tools/depends/native/Makefile
@@ -15,7 +15,7 @@ NATIVE= m4 gettext heimdal autoconf automake \
 
 
 ifeq ($(OS),darwin_embedded)
-  NATIVE += dpkg xz tar gen_entitlements ldid
+  NATIVE += dpkg xz tar ldid
 endif
 
 ifeq ($(TARGET_PLATFORM),wayland)
diff --git a/tools/depends/native/gen_entitlements/Makefile b/tools/depends/native/gen_entitlements/Makefile
deleted file mode 100644
index a16b4549f6..0000000000
--- a/tools/depends/native/gen_entitlements/Makefile
+++ /dev/null
@@ -1,14 +0,0 @@
-include ../../Makefile.include
-
-GEBIN=$(NATIVEPREFIX)/bin/gen_entitlements.py
-
-all: $(GEBIN)
-
-$(GEBIN):
-	mkdir -p $(NATIVEPREFIX)/bin
-	cp gen_entitlements.py $(GEBIN)
-	chmod 755 $(GEBIN)
-
-clean:
-distclean::
-	rm -f $(GEBIN)
diff --git a/tools/depends/native/gen_entitlements/gen_entitlements.py b/tools/depends/native/gen_entitlements/gen_entitlements.py
deleted file mode 100755
index d8ae6af3ee..0000000000
--- a/tools/depends/native/gen_entitlements/gen_entitlements.py
+++ /dev/null
@@ -1,36 +0,0 @@
-#!/usr/bin/env python
-
-import sys
-import struct
-
-if len(sys.argv) != 3:
-	print "Usage: %s appname dest_file.xcent" % sys.argv[0]
-	sys.exit(-1)
-
-APPNAME = sys.argv[1]
-DEST = sys.argv[2]
-
-if not DEST.endswith('.xml') and not DEST.endswith('.xcent'):
-	print "Dest must be .xml (for ldid) or .xcent (for codesign)"
-	sys.exit(-1)
-
-entitlements = """
-<?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
-<plist version="1.0">
-<dict>
-    <key>application-identifier</key>
-    <string>%s</string>
-    <key>get-task-allow</key>
-    <true/>
-</dict>
-</plist>
-""" % APPNAME
-
-f = open(DEST,'w')
-if DEST.endswith('.xcent'):
-	f.write("\xfa\xde\x71\x71")
-	f.write(struct.pack('>L', len(entitlements) + 8))
-f.write(entitlements)
-f.close()
-