

Hi,

I have submitted a patch for review:

    https://gerrit.libreoffice.org/2031

To pull it, you can do:

    git pull ssh://gerrit.libreoffice.org:29418/core refs/changes/31/2031/1

Add support for codesigning on Mac OS X

Only sign the .app. Presumably that's enough here in the 4.0 branch.

Change-Id: I7a25c6b7bfa2047b1cb6bcb913750b1b476124f6
---
M config_host.mk.in
M configure.ac
M solenv/bin/modules/installer/simplepackage.pm
3 files changed, 73 insertions(+), 0 deletions(-)



diff --git a/config_host.mk.in b/config_host.mk.in
index d7ede5a..7b9834d 100644
--- a/config_host.mk.in
+++ b/config_host.mk.in
@@ -312,6 +312,7 @@
 export LINK_X64_BINARY=@LINK_X64_BINARY@
 @x_Cygwin@ export LS=@WIN_LS@
 export MANDIR=@MANDIR@
+export MACOSX_CODESIGNING_IDENTITY=@MACOSX_CODESIGNING_IDENTITY@
 export MACOSX_DEPLOYMENT_TARGET=@MACOSX_DEPLOYMENT_TARGET@
 export MACOSX_DEPLOYMENT_TARGET_FOR_BUILD=@MACOSX_DEPLOYMENT_TARGET_FOR_BUILD@
 export MACOSX_SDK_PATH=@MACOSX_SDK_PATH@
diff --git a/configure.ac b/configure.ac
index 5bdbd37..e7c06f2 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1081,6 +1081,15 @@
         [Enable MSI with LIMITUI=1 (silent install).]),
 ,)
 
+AC_ARG_ENABLE(macosx-code-signing,
+    AS_HELP_STRING([--enable-macosx-code-signing<=identity>],
+        [Sign the app bundle being stored in the disk image. The
+         default is to do signing if there is a suitable certificate
+         in your keychain, so if you don't want that, use the
+         corresponding --disable option. Experimental work in
+         progress, don't use unless you are working on this.]),
+,)
+
 AC_ARG_ENABLE(postgresql-sdbc,
     AS_HELP_STRING([--disable-postgresql-sdbc],
         [Disable the build of the PostgreSQL-SDBC driver.])
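Review bot: The help text for `--enable-macosx-code-signing` describes a step that runs by default whenever a suitable certificate is in the keychain, yet it ends with "don't use unless you are working on this". For an experimental step that uses the builder's private signing key, opt-in would be the safer default, and the two statements would then agree. The placeholder is also written `<=identity>`; the usual form is `[--enable-macosx-code-signing=<identity>]`.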
@@ -2822,6 +2831,31 @@
     fi
     AC_MSG_NOTICE([MAC_OS_X_VERSION_MIN_REQUIRED=$MAC_OS_X_VERSION_MIN_REQUIRED])
     AC_MSG_NOTICE([MAC_OS_X_VERSION_MAX_ALLOWED=$MAC_OS_X_VERSION_MAX_ALLOWED])
+
+    AC_MSG_CHECKING([whether to do code signing])
+
+    if test -z "$enable_macosx_code_signing" -o "$enable_macosx_code_signing" = yes; then
+        # By default use the first suitable certificate (?).
+
+        # 
http://stackoverflow.com/questions/13196291/difference-between-mac-developer-and-3rd-party-mac-developer-application
+        # says that the "Mac Developer" certificate is useful just for self-testing. For 
distribution
+        # outside the Mac App Store, use the "Developer ID Application" one, and for distribution 
in
+        # the App Store, the "3rd Party Mac Developer" one. I think it works best to the the
+        # "Developer ID Application" one.
+
+        identity=`security find-identity -p codesigning -v 2>/dev/null | grep 'Developer ID 
Application:' | awk '{print $2}' |head -1`
+        if test -n "$identity"; then
+            MACOSX_CODESIGNING_IDENTITY=$identity
+            pretty_name=`security find-identity -p codesigning -v | grep 
$MACOSX_CODESIGNING_IDENTITY | sed -e 's/^[[^"]]*"//' -e 's/"//'`
+            AC_MSG_RESULT([yes, using the identity $MACOSX_CODESIGNING_IDENTITY for $pretty_name])
+        fi
+    elif test -n "$enable_macosx_code_signing"; then
+        MACOSX_CODESIGNING_IDENTITY=$enable_macosx_code_signing
+        pretty_name=`security find-identity -p codesigning -v | grep $MACOSX_CODESIGNING_IDENTITY 
| sed -e 's/^[[^"]]*"//' -e 's/"//'`
+        AC_MSG_RESULT([yes, using the identity $MACOSX_CODESIGNING_IDENTITY for $pretty_name])
+    else
+        AC_MSG_RESULT([no])
+    fi
 fi
 AC_SUBST(FRAMEWORKSHOME)
 AC_SUBST(MACOSX_SDK_PATH)
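Review bot: `--disable-macosx-code-signing` does not turn signing off: it sets `enable_macosx_code_signing=no`, which fails the first test and then matches `elif test -n`, so `MACOSX_CODESIGNING_IDENTITY` becomes the literal `no` and the final `else` with `AC_MSG_RESULT([no])` is never reached. In the default branch nothing is printed after `AC_MSG_CHECKING` when no "Developer ID Application" identity is found, and an explicit `--enable-macosx-code-signing` with no usable identity probably deserves `AC_MSG_ERROR` rather than a silently unsigned build. Both `grep $MACOSX_CODESIGNING_IDENTITY` calls should quote the variable, since a user-supplied identity may contain spaces. The surrounding `if` begins before this hunk.

```m4
    if test "$enable_macosx_code_signing" = no; then
        AC_MSG_RESULT([no])
    elif test -z "$enable_macosx_code_signing" -o "$enable_macosx_code_signing" = yes; then
        # ... unchanged: certificate-type comments and the find-identity lookup ...
        if test -n "$identity"; then
            # ... unchanged: set MACOSX_CODESIGNING_IDENTITY, pretty_name, AC_MSG_RESULT ...
        elif test "$enable_macosx_code_signing" = yes; then
            AC_MSG_ERROR([code signing requested but no Developer ID Application identity found])
        else
            AC_MSG_RESULT([no, no suitable identity found])
        fi
    else
        MACOSX_CODESIGNING_IDENTITY=$enable_macosx_code_signing
        pretty_name=`security find-identity -p codesigning -v | grep "$MACOSX_CODESIGNING_IDENTITY" | sed -e 's/^[[^"]]*"//' -e 's/"//'`
        # ... unchanged: AC_MSG_RESULT with the identity and pretty name ...
    fi
```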
@@ -2830,6 +2864,7 @@
 AC_SUBST(MAC_OS_X_VERSION_MIN_REQUIRED)
 AC_SUBST(MAC_OS_X_VERSION_MAX_ALLOWED)
 AC_SUBST(XCRUN)
+AC_SUBST(MACOSX_CODESIGNING_IDENTITY)
 
 dnl ===================================================================
 dnl Windows specific tests and stuff
diff --git a/solenv/bin/modules/installer/simplepackage.pm 
b/solenv/bin/modules/installer/simplepackage.pm
index 561b0fe..26911a4 100755
--- a/solenv/bin/modules/installer/simplepackage.pm
+++ b/solenv/bin/modules/installer/simplepackage.pm
@@ -418,6 +418,43 @@
 
             chdir $localfrom;
         }
+       else
+       {
+           if (defined($ENV{'MACOSX_CODESIGNING_IDENTITY'}))
+           {
+               # Just sign the .app as a whole, which means signing
+               # the CFBundleExecutable from Info.plist,
+               # i.e. soffice, plus the contents of the Resources
+               # treee (which is not much, far from all of our
+               # non-code "resources").
+
+               # Don't bother here in the 4.0 branch to sign each
+               # individual .dylib, or each additional binary. See
+               # master for more work plus possibly eventually
+               # re-organising the app bundle structure to be more
+               # Mac-like (the "program" symlink, eek!) and actually
+               # putting all non-code resources (including extension
+               # scripts!)  into Resources so that they participate
+               # in the signing and their validity can be guaranteed.
+
+               $systemcall = "codesign --sign $ENV{'MACOSX_CODESIGNING_IDENTITY'} -v -v -v 
$tempdir/$packagename/$volume_name_classic_app.app";
+               print "... $systemcall ...\n";
+               my $returnvalue = system($systemcall);
+               $infoline = "Systemcall: $systemcall\n";
+               push( @installer::globals::logfileinfo, $infoline);
+
+               if ($returnvalue)
+               {
+                   $infoline = "ERROR: Could not execute \"$systemcall\"!\n";
+                   push( @installer::globals::logfileinfo, $infoline);
+               }
+               else
+               {
+                   $infoline = "Success: Executed \"$systemcall\" successfully!\n";
+                   push( @installer::globals::logfileinfo, $infoline);
+               }
+           }
+       }
 
         $systemcall = "cd $localtempdir && hdiutil makehybrid -hfs -hfs-openfolder $folder $folder 
-hfs-volume-name \"$volume_name\" -ov -o $installdir/tmp && hdiutil convert -ov -format UDBZ 
$installdir/tmp.dmg -o $archive && ";
         if (( $ref ne "" ) && ( $$ref ne "" )) {
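Review bot: The `codesign` command is built as one interpolated string and passed to `system()`, so the identity and the bundle path reach the shell unquoted. An identity given by name, or a path containing a space, splits into several arguments, and shell metacharacters in the environment value are interpreted. The `defined(...)` test is also true for an empty value, which is presumably what `export MACOSX_CODESIGNING_IDENTITY=` from config_host.mk yields when configure found no identity, so the check should require a non-empty string. A failed `codesign` is only logged and packaging continues to `hdiutil`, so a release build can ship an unsigned image unnoticed; the failure should stop the build. The enclosing sub starts and ends outside this hunk, and the fence uses `die` as a stand-in for whatever fatal-error helper the installer modules provide.

```perl
if (defined($ENV{'MACOSX_CODESIGNING_IDENTITY'}) && $ENV{'MACOSX_CODESIGNING_IDENTITY'} ne "")
{
    # ... unchanged: comments on what gets signed ...

    # List form: no shell, so the identity and path are passed as single arguments.
    my @codesign = ('codesign', '--sign', $ENV{'MACOSX_CODESIGNING_IDENTITY'},
                    '-v', '-v', '-v',
                    "$tempdir/$packagename/$volume_name_classic_app.app");
    $systemcall = join(' ', @codesign);
    print "... $systemcall ...\n";
    my $returnvalue = system(@codesign);
    # ... unchanged: log the system call ...

    if ($returnvalue)
    {
        $infoline = "ERROR: Could not execute \"$systemcall\"!\n";
        push( @installer::globals::logfileinfo, $infoline);
        # Do not go on to build a disk image around an unsigned bundle.
        die "ERROR: codesign failed for $volume_name_classic_app.app\n";
    }
    # ... unchanged: success logging ...
```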

-- 
To view, visit https://gerrit.libreoffice.org/2031
To unsubscribe, visit https://gerrit.libreoffice.org/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: I7a25c6b7bfa2047b1cb6bcb913750b1b476124f6
Gerrit-PatchSet: 1
Gerrit-Project: core
Gerrit-Branch: libreoffice-4-0
Gerrit-Owner: Tor Lillqvist <tml@iki.fi>
