author | Andrey Filipenkov <decapitator@ukr.net> | 2020-01-11 18:42:56 +0300 |
---|---|---|
committer | Andrey Filipenkov <decapitator@ukr.net> | 2020-07-14 19:53:04 +0300 |
commit | fb4551fc4725a7d0c879a7e8506d8d0829da40bb (patch) | |
tree | 066bf1596b51080d1dfcef5ee753233825941760 /tools | |
parent | 6af6f252c1f8a2fd14b25f8e68f37beeadaae334 (diff) |
[macos] add ability to codesign app and dmg
Diffstat (limited to 'tools')
-rwxr-xr-x | tools/darwin/Support/Codesign.command | 50 | ||||
-rw-r--r-- | tools/darwin/packaging/osx/Kodi.entitlements.in | 10 | ||||
-rwxr-xr-x | tools/darwin/packaging/osx/mkdmg-osx.sh.in | 20 |
3 files changed, 55 insertions, 25 deletions
diff --git a/tools/darwin/Support/Codesign.command b/tools/darwin/Support/Codesign.command index 06aa51ad2d..1231127eb2 100755 --- a/tools/darwin/Support/Codesign.command +++ b/tools/darwin/Support/Codesign.command @@ -9,14 +9,20 @@ GEN_ENTITLEMENTS="$NATIVEPREFIX/bin/gen_entitlements.py" IOS11_ENTITLEMENTS="$XBMC_DEPENDS/share/ios11_entitlements.xml" LDID="$NATIVEPREFIX/bin/ldid" -if [ ! -f ${GEN_ENTITLEMENTS} ]; then +if [ "${PLATFORM_NAME}" == "macosx" ]; then + MACOS=1 +fi + +if [[ ! "$MACOS" && ! -f ${GEN_ENTITLEMENTS} ]]; then echo "error: $GEN_ENTITLEMENTS not found. Codesign won't work." exit -1 fi -if [ "${PLATFORM_NAME}" == "iphoneos" ] || [ "${PLATFORM_NAME}" == "appletvos" ]; then - if [ -f "/Users/Shared/buildslave/keychain_unlock.sh" ]; then - /Users/Shared/buildslave/keychain_unlock.sh +if [[ "$MACOS" || "${PLATFORM_NAME}" == "iphoneos" || "${PLATFORM_NAME}" == "appletvos" ]]; then + if [ "$MACOS" ]; then + CONTENTS_PATH="${CODESIGNING_FOLDER_PATH}/Contents" + else + CONTENTS_PATH="${CODESIGNING_FOLDER_PATH}" fi # todo: is this required anymore? @@ -28,7 +34,7 @@ if [ "${PLATFORM_NAME}" == "iphoneos" ] || [ "${PLATFORM_NAME}" == "appletvos" ] ${LDID} -S${IOS11_ENTITLEMENTS} ${BUILT_PRODUCTS_DIR}/${EXECUTABLE_FOLDER_PATH}/${EXECUTABLE_NAME} #repackage python eggs - EGGS=`find ${CODESIGNING_FOLDER_PATH} -name "*.egg" -type f` + EGGS=$(find "${CONTENTS_PATH}" -name "*.egg" -type f) for i in $EGGS; do echo $i mkdir del 
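Review bot: `CONTENTS_PATH` is built from `${CODESIGNING_FOLDER_PATH}` without checking that the variable is set, and later hunks run `find` and `rm -r` beneath it. This commit also launches the script from mkdmg-osx.sh.in, and whether that caller exports the Xcode variables is not visible here, so an empty value would turn the macOS path into `/Contents`. Failing fast would be safer: `CONTENTS_PATH="${CODESIGNING_FOLDER_PATH:?}/Contents"`, with the same guard in the else branch. `MACOS` is also never reset before the `macosx` test, so a value inherited from the environment would skip the gen_entitlements check; a plain `MACOS=` line above the test avoids that. The enclosing `if` block continues past this hunk.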
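Review bot: The `find` argument is now quoted, but its result is still expanded unquoted in `for i in $EGGS`, so a bundle path containing whitespace or glob characters is split before the egg is repackaged. The same pattern remains in the later hunks of this file (`for singlefile in $FINDOUTPUT`, `for FRAMEWORK_PATH in $(find …)` and the second `EGGS` loop). Since the script already uses bash syntax, `while IFS= read -r -d '' i; do … done < <(find "${CONTENTS_PATH}" -name "*.egg" -type f -print0)` keeps each path intact. The loop body continues outside this hunk.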
@@ -42,11 +48,7 @@ if [ "${PLATFORM_NAME}" == "iphoneos" ] || [ "${PLATFORM_NAME}" == "appletvos" ] fi # pull the CFBundleIdentifier out of the built xxx.app - BUNDLEID=`mdls -raw -name kMDItemCFBundleIdentifier ${CODESIGNING_FOLDER_PATH}` - if [ "${BUNDLEID}" == "(null)" ] ; then - BUNDLEID=`/usr/libexec/PlistBuddy -c 'Print CFBundleIdentifier' ${CODESIGNING_FOLDER_PATH}/Info.plist` - fi - + BUNDLEID=$(/usr/libexec/PlistBuddy -c 'Print :CFBundleIdentifier' "${CONTENTS_PATH}/Info.plist") echo "CFBundleIdentifier is ${BUNDLEID}" # Prefer the expanded name, if available. 
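Review bot: The new `BUNDLEID=$(/usr/libexec/PlistBuddy …)` assignment is not checked for failure, so a missing or unreadable `Info.plist` leaves `BUNDLEID` empty or otherwise unusable, and the value is later passed to `codesign -i`. Stopping at this point would give a clearer error than a signature with the wrong identifier: append `|| { echo "error: cannot read CFBundleIdentifier from ${CONTENTS_PATH}/Info.plist"; exit 1; }` to the assignment. The surrounding `if` block starts and ends outside this hunk.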
@@ -57,25 +59,27 @@ if [ "${PLATFORM_NAME}" == "iphoneos" ] || [ "${PLATFORM_NAME}" == "appletvos" ] fi echo "${CODE_SIGN_IDENTITY_FOR_ITEMS}" - ${GEN_ENTITLEMENTS} "${BUNDLEID}" "${BUILT_PRODUCTS_DIR}/${EXECUTABLE_FOLDER_PATH}/${EXECUTABLE_NAME}.xcent"; + if [ ! "$MACOS" ]; then + ${GEN_ENTITLEMENTS} "${BUNDLEID}" "${BUILT_PRODUCTS_DIR}/${EXECUTABLE_FOLDER_PATH}/${EXECUTABLE_NAME}.xcent" + fi # delete existing codesigning - if [ -d "${CODESIGNING_FOLDER_PATH}/_CodeSignature" ]; then - rm -r ${CODESIGNING_FOLDER_PATH}/_CodeSignature + if [ -d "${CONTENTS_PATH}/_CodeSignature" ]; then + rm -r "${CONTENTS_PATH}/_CodeSignature" fi - if [ -f "${CODESIGNING_FOLDER_PATH}/embedded.mobileprovision" ]; then - rm -f ${CODESIGNING_FOLDER_PATH}/embedded.mobileprovision + if [[ ! "$MACOS" && -f "${CONTENTS_PATH}/embedded.mobileprovision" ]]; then + rm -f "${CONTENTS_PATH}/embedded.mobileprovision" fi #if user has set a code_sign_identity different from iPhone Developer we do a real codesign (for deployment on non-jailbroken devices) - if ! [ -z "${CODE_SIGN_IDENTITY}" ]; then - if egrep -q --max-count=1 -e '^iPhone (Developer|Distribution): ' -e '^Apple (Development|Distribution): ' -e '^[[:xdigit:]]+$' <<<"${CODE_SIGN_IDENTITY}"; then - echo "Doing a full bundle sign using genuine identity ${CODE_SIGN_IDENTITY}" + if ! 
[ -z "${CODE_SIGN_IDENTITY_FOR_ITEMS}" ]; then + if egrep -q --max-count=1 -e '^iPhone (Developer|Distribution): ' -e '^Apple (Development|Distribution): ' -e '^[[:xdigit:]]+$' -e '^Developer ID Application: ' <<<"${CODE_SIGN_IDENTITY_FOR_ITEMS}"; then + echo "Doing a full bundle sign using genuine identity ${CODE_SIGN_IDENTITY_FOR_ITEMS}" for binext in $LIST_BINARY_EXTENSIONS do echo "Signing binary: $binext" # check if at least 1 file with the extension exists to sign, otherwise do nothing - FINDOUTPUT=`find ${CODESIGNING_FOLDER_PATH} -name "*.$binext" -type f` + FINDOUTPUT=$(find "${CONTENTS_PATH}" -name "*.$binext" -type f) if [ `echo $FINDOUTPUT | wc -l` != 0 ]; then for singlefile in $FINDOUTPUT; do codesign -s "${CODE_SIGN_IDENTITY_FOR_ITEMS}" -fvvv -i "${BUNDLEID}" "${singlefile}" 
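Review bot: The per-file `codesign -s "${CODE_SIGN_IDENTITY_FOR_ITEMS}" -fvvv -i "${BUNDLEID}" "${singlefile}"` call in this loop is now reached for macOS too, but it passes neither `--options runtime` nor `--timestamp`, while the top-level signing added in mkdmg-osx.sh.in passes both. If the macOS build is meant to be notarized, nested code signed here may lack the hardened runtime flag or a secure timestamp; this depends on codesign's defaults for the chosen identity, so please confirm. One option is to set something like `CODESIGN_EXTRA_ARGS="--options runtime --timestamp"` when `$MACOS` is set and add it to the calls here and in the framework loop of the next hunk. The return status of these calls is also not checked, so a failed signature on one binary does not stop the script.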
@@ -84,17 +88,17 @@ if [ "${PLATFORM_NAME}" == "iphoneos" ] || [ "${PLATFORM_NAME}" == "appletvos" ] done echo "In case your app crashes with SIG_SIGN check the variable LIST_BINARY_EXTENSIONS in tools/darwin/Support/Codesign.command" - for FRAMEWORK_PATH in `find ${CODESIGNING_FOLDER_PATH} -name "*.framework" -type d` + for FRAMEWORK_PATH in $(find "${CONTENTS_PATH}" -name "*.framework" -type d) do DYLIB_BASENAME=$(basename "${FRAMEWORK_PATH%.framework}") echo "Signing Framework: ${DYLIB_BASENAME}.framework" FRAMEWORKBUNDLEID="${BUNDLEID}.framework.${DYLIB_BASENAME}" - codesign -s "${CODE_SIGN_IDENTITY_FOR_ITEMS}" -fvvv -i "${FRAMEWORKBUNDLEID}" ${FRAMEWORK_PATH}/${DYLIB_BASENAME} - codesign -s "${CODE_SIGN_IDENTITY_FOR_ITEMS}" -fvvv -i "${FRAMEWORKBUNDLEID}" ${FRAMEWORK_PATH} + codesign -s "${CODE_SIGN_IDENTITY_FOR_ITEMS}" -fvvv -i "${FRAMEWORKBUNDLEID}" "${FRAMEWORK_PATH}/${DYLIB_BASENAME}" + codesign -s "${CODE_SIGN_IDENTITY_FOR_ITEMS}" -fvvv -i "${FRAMEWORKBUNDLEID}" "${FRAMEWORK_PATH}" done #repackage python eggs - EGGS=`find ${CODESIGNING_FOLDER_PATH} -name "*.egg" -type f` + EGGS=$(find "${CONTENTS_PATH}" -name "*.egg" -type f) echo "Signing Eggs" for i in $EGGS; do echo $i diff --git a/tools/darwin/packaging/osx/Kodi.entitlements.in b/tools/darwin/packaging/osx/Kodi.entitlements.in new file mode 100644 index 0000000000..f65c3581d8 --- /dev/null +++ b/tools/darwin/packaging/osx/Kodi.entitlements.in @@ -0,0 +1,10 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> +<plist version="1.0"> +<dict> + <key>com.apple.security.cs.disable-library-validation</key> + <true/> + <key>com.apple.security.get-task-allow</key> + <@ALLOW_DEBUGGER@/> +</dict> +</plist> diff --git a/tools/darwin/packaging/osx/mkdmg-osx.sh.in b/tools/darwin/packaging/osx/mkdmg-osx.sh.in index ad9d44e51e..4d7a3e88f0 100755 --- a/tools/darwin/packaging/osx/mkdmg-osx.sh.in 
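Review bot: `com.apple.security.cs.disable-library-validation` is set to true unconditionally in the new Kodi.entitlements.in, which lets the hardened-runtime process load libraries that are unsigned or signed by a different team, and the file does not say why this is needed. A short XML comment above the key stating the reason (for example `<!-- library validation disabled because: REASON_PLACEHOLDER -->`) would let later reviewers judge whether it can be removed. `com.apple.security.get-task-allow` is filled from `@ALLOW_DEBUGGER@`, whose substitution is not visible here; it should resolve to `false` for release builds, because a true value lets other processes attach as a debugger.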
+++ b/tools/darwin/packaging/osx/mkdmg-osx.sh.in @@ -2,7 +2,7 @@ # usage: ./mkdmg-osx.sh release/debug (case insensitive) # Allows us to run mkdmg-osx.sh from anywhere in the three, rather than the tools/darwin/packaging/osx folder only -SWITCH=`echo $1 | tr [A-Z] [a-z]` +SWITCH="$1" DIRNAME=`dirname $0` if [ ${SWITCH:-""} = "debug" ]; then @@ -22,6 +22,16 @@ if [ ! -d $APP ]; then fi ARCHITECTURE=`file $APP/Contents/MacOS/@APP_NAME@ | awk '{print $NF}'` +# codesign .app +if [ "$EXPANDED_CODE_SIGN_IDENTITY_NAME" ]; then + # execute codesign script + "$DIRNAME/Codesign.command" + # sign helper tool + codesign --verbose=4 --sign "$EXPANDED_CODE_SIGN_IDENTITY_NAME" --options runtime --timestamp --entitlements Kodi.entitlements "$APP/Contents/Resources/Kodi/tools/darwin/runtime/XBMCHelper" + # perform top-level signing (Xcode does it automatically when signing settings are configured) + codesign --verbose=4 --sign "$EXPANDED_CODE_SIGN_IDENTITY_NAME" --options runtime --timestamp --entitlements Kodi.entitlements "$APP" +fi + PACKAGE=org.xbmc.@APP_NAME_LC@-osx VERSION=@APP_VERSION_MAJOR@.@APP_VERSION_MINOR@ @@ -34,7 +44,8 @@ fi ARCHIVE=${PACKAGE}_${VERSION}-${REVISION}_macosx-intel-${ARCHITECTURE} echo Creating $PACKAGE package version $VERSION revision $REVISION -rm -rf $DIRNAME/$ARCHIVE.dmg +dmgPath="$DIRNAME/$ARCHIVE.dmg" +rm -rf "$dmgPath" if [ -e "/Volumes/@APP_NAME_LC@" ]; then umount /Volumes/@APP_NAME_LC@ @@ -50,3 +61,8 @@ fi $DIRNAME/dmgmaker.pl $APP $ARCHIVE echo "done" + +# codesign dmg +if [ "$EXPANDED_CODE_SIGN_IDENTITY_NAME" ]; then + codesign --verbose=4 --sign "$EXPANDED_CODE_SIGN_IDENTITY_NAME" "$dmgPath" +fi |
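Review bot: `SWITCH="$1"` drops the lower-casing, but the usage comment above still says `release/debug (case insensitive)`, and the following test `[ ${SWITCH:-""} = "debug" ]` now matches only the exact lowercase word. Either keep the conversion in a quoted form, `SWITCH=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')`, or update the comment to say that the argument is case sensitive.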
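Review bot: `--entitlements Kodi.entitlements` in the new signing block is a relative path, so it resolves against the caller's working directory although the script is meant to be runnable from anywhere. If the generated file sits next to the script (not visible here), `--entitlements "$DIRNAME/Kodi.entitlements"` would be the consistent form. The exit status of `"$DIRNAME/Codesign.command"` and of both `codesign` calls is not checked, so a failed signature still produces a DMG; appending `|| exit 1` to each would stop the packaging. The same applies to the DMG signing in the last hunk, which runs after `echo "done"`; a following `codesign --verify --verbose=2 "$dmgPath" || exit 1` would confirm the result.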