From 4883889e23ac784e004b4c80ab809920f11a69d3 Mon Sep 17 00:00:00 2001
From: OatmealDome
Date: Wed, 31 Jul 2024 13:31:23 -0400
Subject: [PATCH] Tools: Add script to codesign a macOS bundle or executable

With our current setup, we use the --deep option, which should be avoided. This tool signs bundles in the "correct" way as recommended by Apple (each Mach-O individually, from the inside-out).
---
 Tools/mac-codesign.sh | 74 +++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 74 insertions(+)
 create mode 100755 Tools/mac-codesign.sh

diff --git a/Tools/mac-codesign.sh b/Tools/mac-codesign.sh
new file mode 100755
index 0000000000..9fb330bc6c
--- /dev/null
+++ b/Tools/mac-codesign.sh
@@ -0,0 +1,74 @@
+#!/bin/bash
+
+# This script signs a specific object with the specified identity, entitlements,
+# and optional flags. If the target is a bundle, it will also sign all frameworks
+# and dylibs within the bundle.
+
+set -eu
+
+function usage() {
+ echo "Usage: $0 [-t] [-e ] "
+ exit 1
+}
+
+USE_SECURE_TIMESTAMP=0
+ENTITLEMENTS_FILE=""
+
+while getopts ":te:" opt; do
+ case $opt in
+ t)
+ USE_SECURE_TIMESTAMP=1
+ ;;
+ e)
+ ENTITLEMENTS_FILE=$OPTARG
+ ;;
+ \?)
+ usage
+ ;;
+ esac
+done
+
+if [ $USE_SECURE_TIMESTAMP -eq 1 ]; then
+ TIMESTAMP_FLAG="--timestamp"
+else
+ TIMESTAMP_FLAG="--timestamp=none"
+fi
+
+shift $((OPTIND - 1))
+
+if [ $# -ne 2 ]; then
+ usage
+fi
+
+IDENTITY=$1
+TARGET_PATH=$2
+
+# Signs the given target with the specified identity and optional flags.
+function sign() {
+ /usr/bin/codesign -f -s "$IDENTITY" $TIMESTAMP_FLAG ${2:-} "$1"
+}
+
+if [ -d "$TARGET_PATH" ]; then
+ # Newlines are the only valid separator character in find's output.
+ IFS=$'\n'
+
+ for framework in $(find "$TARGET_PATH" -not -path "*/Helpers/*" -name '*.dylib' -or -name '*.framework'); do
+ sign "$framework"
+ done
+
+ unset IFS
+fi
+
+TARGET_EXTRA_CODESIGN_FLAGS="-o runtime"
+
+if [ -n "$ENTITLEMENTS_FILE" ]; then
+ # "preserve" is a special keyword which tells us we should preserve the
+ # existing entitlements in the target.
+ if [ "$ENTITLEMENTS_FILE" == "preserve" ]; then
+ TARGET_EXTRA_CODESIGN_FLAGS+=" --preserve-metadata=entitlements"
+ else
+ TARGET_EXTRA_CODESIGN_FLAGS+=" --entitlements $ENTITLEMENTS_FILE"
+ fi
+fi
+
+sign "$TARGET_PATH" "$TARGET_EXTRA_CODESIGN_FLAGS"
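Review bot: The `find` invocation in the bundle branch does not deliver the inside-out signing the commit message promises: find's implicit `-and` binds tighter than `-or`, so `-not -path "*/Helpers/*"` only applies to the `*.dylib` arm and frameworks under Helpers/ are still signed, and without `-depth` find prints a `.framework` directory before the dylibs nested inside it, so the outer bundle is signed before its contents and its seal can be invalidated by the later nested signatures. Iterating over an unquoted `$(find …)` also subjects every path to pathname expansion even with IFS set to newline; a NUL-delimited `while IFS= read -r -d ''` loop avoids that, and the grouped, post-order form is below. Separately, `sign` word-splits `${2:-}` and `--entitlements $ENTITLEMENTS_FILE` is spliced into that string, so an entitlements path containing a space breaks the codesign call; passing the extra flags as a bash array (`sign "$TARGET_PATH" "${extra_flags[@]}"` with `"${@:2}"` inside `sign`) would be the robust form.
```shell
if [ -d "$TARGET_PATH" ]; then
  # Post-order (-depth) so nested dylibs/frameworks are signed before the
  # framework that contains them; parentheses make the Helpers/ exclusion
  # apply to both name patterns.
  while IFS= read -r -d '' framework; do
    sign "$framework"
  done < <(find "$TARGET_PATH" -depth -not -path "*/Helpers/*" \( -name '*.dylib' -or -name '*.framework' \) -print0)
fi
# … unchanged: TARGET_EXTRA_CODESIGN_FLAGS handling and final sign call …
```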