From f4a5d86f8802fb9dfc1adf4b2f76504a986a0b8e Mon Sep 17 00:00:00 2001
From: Vicki Pfau
Date: Mon, 11 Dec 2023 00:14:04 -0800
Subject: [PATCH] Qt: Do codesigning on macOS
---
 res/{entitlements.xml => entitlements.plist} | 0
 src/platform/qt/CMakeLists.txt | 7 +++++++
 tools/deploy-mac.py | 8 ++++++++
 3 files changed, 15 insertions(+)
 rename res/{entitlements.xml => entitlements.plist} (100%)
diff --git a/res/entitlements.xml b/res/entitlements.plist
similarity index 100%
rename from res/entitlements.xml
rename to res/entitlements.plist
diff --git a/src/platform/qt/CMakeLists.txt b/src/platform/qt/CMakeLists.txt
index ece61ec6d..2e334ab9d 100644
--- a/src/platform/qt/CMakeLists.txt
+++ b/src/platform/qt/CMakeLists.txt
@@ -450,6 +450,10 @@ if(APPLE)
 file(GLOB_RECURSE PLUGINS \"${BUNDLE_PATH}/Contents/PlugIns/*${CMAKE_SHARED_LIBRARY_SUFFIX}\")
 fixup_bundle(\"${BUNDLE_PATH}\" \"${PLUGINS}\" \"\")
 " COMPONENT ${BINARY_NAME}-qt)
+ if(CODESIGN_IDENTITY)
+ install(CODE "execute_process(COMMAND codesign -s \"${CODESIGN_IDENTITY}\" -vf -o runtime --timestamp --entitlements \"${CMAKE_SOURCE_DIR}/res/entitlements.plist\" \"${BUNDLE_PATH}\")"
+ COMPONENT ${BINARY_NAME}-qt)
+ endif()
 else()
 set(DEPLOY_OPTIONS -p platforms/libqcocoa.dylib,audio/libqtaudio_coreaudio.dylib,mediaservice/libqavfcamera.dylib)
 if(NOT CMAKE_INSTALL_NAME_TOOL EQUAL "install_name_tool")
@@ -461,6 +465,9 @@ if(APPLE)
 if(DEFINED CROSS_ROOT)
 set(DEPLOY_OPTIONS ${DEPLOY_OPTIONS} -R "${CROSS_ROOT}")
 endif()
+ if($ENV{CODESIGN_IDENTITY})
+ set(DEPLOY_OPTIONS ${DEPLOY_OPTIONS} -s "$ENV{CODESIGN_IDENTITY}" -E "${CMAKE_SOURCE_DIR}/res/entitlements.xml")
+ endif()
 install(CODE "execute_process(COMMAND \"${CMAKE_SOURCE_DIR}/tools/deploy-mac.py\" -v ${DEPLOY_OPTIONS} \"\$ENV{DESTDIR}\${CMAKE_INSTALL_PREFIX}/${APPDIR}/${PROJECT_NAME}.app\")")
 endif()
 elseif(WIN32)
diff --git a/tools/deploy-mac.py b/tools/deploy-mac.py
index 82b8df4f2..89369d163 100755
--- a/tools/deploy-mac.py
+++ b/tools/deploy-mac.py
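Review bot: The `codesign` exit status is discarded in the `execute_process` call added by the first CMakeLists.txt hunk (`@@ -450`), so a failed signing (a missing or expired identity, an unreachable timestamp service, unsigned nested code) still lets `install` finish and leaves an unsigned bundle that looks like a release artifact. I would make the failure fatal, for example by adding `COMMAND_ERROR_IS_FATAL ANY` to the `execute_process` arguments if the project's minimum CMake is at least 3.19, or otherwise by capturing `RESULT_VARIABLE` and calling `message(FATAL_ERROR ...)` on a non-zero value. Only the bundle itself is passed to `codesign`; whether the frameworks and plugins that `fixup_bundle` copied in are signed beforehand is not visible here and is worth confirming, since the hardened runtime (`-o runtime`) expects nested code to carry valid signatures. The enclosing `if(APPLE)` block starts and ends outside the hunk.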
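Review bot: The entitlements path in the second CMakeLists.txt hunk (`@@ -461`) still names `res/entitlements.xml`, which this same commit renames to `res/entitlements.plist`, so the `-E` argument given to deploy-mac.py points at a file that no longer exists. The guard `if($ENV{CODESIGN_IDENTITY})` is also fragile: the expanded identity is evaluated as an `if()` expression, so a value such as a certificate name or hash is unlikely to test true, and signing would then be skipped without any message. I would write `if(NOT "$ENV{CODESIGN_IDENTITY}" STREQUAL "")` and `-E "${CMAKE_SOURCE_DIR}/res/entitlements.plist"`, or read the same `CODESIGN_IDENTITY` CMake variable the first hunk uses so both paths are configured one way. Because `${DEPLOY_OPTIONS}` is expanded unquoted into the install script, an identity containing spaces would probably reach deploy-mac.py as several arguments; that deserves a check as well.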
@@ -130,6 +130,8 @@ if __name__ == '__main__':
 parser.add_argument('-I', '--install-name-tool', metavar='INSTALL_NAME_TOOL', default='install_name_tool', help='path to install_name_tool')
 parser.add_argument('-O', '--otool', metavar='OTOOL', default='otool', help='path to otool')
 parser.add_argument('-p', '--qt-plugins', metavar='PLUGINS', default='', help='Qt plugins to include (comma-separated)')
+ parser.add_argument('-s', '--sign', metavar='IDENTITY', help='sign with a given identity')
+ parser.add_argument('-E', '--entitlements', metavar='ENTITLEMENTS', help='use a given file for entitlements when signing')
 parser.add_argument('-v', '--verbose', action='store_true', default=False, help='output more information')
 parser.add_argument('bundle', help='application bundle to deploy')
 args = parser.parse_args()
@@ -168,3 +170,9 @@ if __name__ == '__main__':
 newPath = os.path.join(newDir, plug)
 shutil.copy2(os.path.join(qtPath, 'plugins', plugin), newPath)
 updateMachO(newPath, splitPath(os.path.join(args.bundle, 'Contents/MacOS')), splitPath(args.root))
+ if args.sign:
+ args = ['codesign', '-s', args.sign, '-vf', '-o', 'runtime']
+ if args.entitlements:
+ args.extend(['--entitlements', args.entitlements])
+ args.append(args.bundle)
+ subprocess.check_call(args)
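Review bot: Rebinding `args` to the command list in the last deploy-mac.py hunk (`@@ -168`) discards the argparse namespace, so the following `args.entitlements` and `args.bundle` lookups are made on a list and raise `AttributeError`; as written, passing `-s` can never produce a signed bundle. The command should be built under its own name, as in the excerpt below. The CMake signing path in this commit also passes `--timestamp`, which this one omits; if both paths are meant to yield the same kind of signature, the flag belongs here too. The `if __name__ == '__main__':` block begins outside the hunk.

```python
	# … unchanged: plugin copy and updateMachO calls …
	if args.sign:
		cmd = ['codesign', '-s', args.sign, '-vf', '-o', 'runtime', '--timestamp']
		if args.entitlements:
			cmd.extend(['--entitlements', args.entitlements])
		cmd.append(args.bundle)
		subprocess.check_call(cmd)
```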