Tools: Add script to codesign a macOS bundle or executable
With our current setup, we use the --deep option, which should be avoided. This tool signs bundles in the "correct" way as recommended by Apple (each Mach-O individually, from the inside-out).
This commit is contained in:
parent
f74f748ff6
commit
4883889e23
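@@ -0,0 +1,74 @@
+#!/bin/bash
+
+# This script signs a specific object with the specified identity, entitlements,
+# and optional flags. If the target is a bundle, it will also sign all frameworks
+# and dylibs within the bundle.
+
+set -eu
+
+function usage() {
+echo "Usage: $0 [-t] [-e <entitlements file or "preserve">] <identity> <target to codesign>"
+exit 1
+}
+
+USE_SECURE_TIMESTAMP=0
+ENTITLEMENTS_FILE=""
+
+while getopts ":te:" opt; do
+case $opt in
+t)
+USE_SECURE_TIMESTAMP=1
+;;
+e)
+ENTITLEMENTS_FILE=$OPTARG
+;;
+\?)
+usage
+;;
+esac
+done
+
+if [ $USE_SECURE_TIMESTAMP -eq 1 ]; then
+TIMESTAMP_FLAG="--timestamp"
+else
+TIMESTAMP_FLAG="--timestamp=none"
+fi
+
+shift $((OPTIND - 1))
+
+if [ $# -ne 2 ]; then
+usage
+fi
+
+IDENTITY=$1
+TARGET_PATH=$2
+
+# Signs the given target with the specified identity and optional flags.
+function sign() {
+/usr/bin/codesign -f -s "$IDENTITY" $TIMESTAMP_FLAG ${2:-} "$1"
+}
+
+if [ -d "$TARGET_PATH" ]; then
+# Newlines are the only valid separator character in find's output.
+IFS=$'\n'
+
+for framework in $(find "$TARGET_PATH" -not -path "*/Helpers/*" -name '*.dylib' -or -name '*.framework'); do
+sign "$framework"
+done
+
+unset IFS
+fi
+
+TARGET_EXTRA_CODESIGN_FLAGS="-o runtime"
+
+if [ -n "$ENTITLEMENTS_FILE" ]; then
+# "preserve" is a special keyword which tells us we should preserve the
+# existing entitlements in the target.
+if [ "$ENTITLEMENTS_FILE" == "preserve" ]; then
+TARGET_EXTRA_CODESIGN_FLAGS+=" --preserve-metadata=entitlements"
+else
+TARGET_EXTRA_CODESIGN_FLAGS+=" --entitlements $ENTITLEMENTS_FILE"
+fi
+fi
+
+sign "$TARGET_PATH" "$TARGET_EXTRA_CODESIGN_FLAGS"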