Tools: Add script to codesign a macOS bundle or executable
With our current setup, we use the --deep option, which should be avoided. This tool signs bundles in the "correct" way as recommended by Apple (each Mach-O individually, from the inside-out).
This commit is contained in:
parent
f74f748ff6
commit
4883889e23
|
@ -0,0 +1,74 @@
|
|||
#!/bin/bash
|
||||
|
||||
# This script signs a specific object with the specified identity, entitlements,
|
||||
# and optional flags. If the target is a bundle, it will also sign all frameworks
|
||||
# and dylibs within the bundle.
|
||||
|
||||
set -eu
|
||||
|
||||
function usage() {
|
||||
echo "Usage: $0 [-t] [-e <entitlements file or "preserve">] <identity> <target to codesign>"
|
||||
exit 1
|
||||
}
|
||||
|
||||
USE_SECURE_TIMESTAMP=0
|
||||
ENTITLEMENTS_FILE=""
|
||||
|
||||
while getopts ":te:" opt; do
|
||||
case $opt in
|
||||
t)
|
||||
USE_SECURE_TIMESTAMP=1
|
||||
;;
|
||||
e)
|
||||
ENTITLEMENTS_FILE=$OPTARG
|
||||
;;
|
||||
\?)
|
||||
usage
|
||||
;;
|
||||
esac
|
||||
done
|
||||
|
||||
if [ $USE_SECURE_TIMESTAMP -eq 1 ]; then
|
||||
TIMESTAMP_FLAG="--timestamp"
|
||||
else
|
||||
TIMESTAMP_FLAG="--timestamp=none"
|
||||
fi
|
||||
|
||||
shift $((OPTIND - 1))
|
||||
|
||||
if [ $# -ne 2 ]; then
|
||||
usage
|
||||
fi
|
||||
|
||||
IDENTITY=$1
|
||||
TARGET_PATH=$2
|
||||
|
||||
# Signs the given target with the specified identity and optional flags.
|
||||
function sign() {
|
||||
/usr/bin/codesign -f -s "$IDENTITY" $TIMESTAMP_FLAG ${2:-} "$1"
|
||||
}
|
||||
|
||||
if [ -d "$TARGET_PATH" ]; then
|
||||
# Newlines are the only valid separator character in find's output.
|
||||
IFS=$'\n'
|
||||
|
||||
for framework in $(find "$TARGET_PATH" -not -path "*/Helpers/*" -name '*.dylib' -or -name '*.framework'); do
|
||||
sign "$framework"
|
||||
done
|
||||
|
||||
unset IFS
|
||||
fi
|
||||
|
||||
TARGET_EXTRA_CODESIGN_FLAGS="-o runtime"
|
||||
|
||||
if [ -n "$ENTITLEMENTS_FILE" ]; then
|
||||
# "preserve" is a special keyword which tells us we should preserve the
|
||||
# existing entitlements in the target.
|
||||
if [ "$ENTITLEMENTS_FILE" == "preserve" ]; then
|
||||
TARGET_EXTRA_CODESIGN_FLAGS+=" --preserve-metadata=entitlements"
|
||||
else
|
||||
TARGET_EXTRA_CODESIGN_FLAGS+=" --entitlements $ENTITLEMENTS_FILE"
|
||||
fi
|
||||
fi
|
||||
|
||||
sign "$TARGET_PATH" "$TARGET_EXTRA_CODESIGN_FLAGS"
|
Loading…
Reference in New Issue