macOS: enable hardened runtime when signing

hardened runtime is a prerequisite for notarizing apps, which in turn is
already required for new developer IDs as of 10.14.5 and will be required
for all software to run in future versions of macOS

https://developer.apple.com/documentation/security/notarizing_your_app_before_distribution

Change-Id: Ifdf73fb5901be5dd0b62e1a51dee6e57c9816e5f
Reviewed-on: https://gerrit.libreoffice.org/73246
Tested-by: Jenkins
Reviewed-by: Christian Lohmaier <lohmaier+LibreOffice@googlemail.com>
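diff --git a/hardened_runtime.xcent b/hardened_runtime.xcent
new file mode 100644
index 0000000..72abb43
--- /dev/null
+++ b/hardened_runtime.xcent
@@ -0,0 +1,15 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+    <dict>
+        <!-- AppleScript support -->
+        <key>com.apple.security.automation.apple-events</key>
+        <true/>
+        <!-- for extension manager, "exception in synchronize" -->
+        <key>com.apple.security.cs.disable-executable-page-protection</key>
+        <true/>
+        <!-- allow use of third-party plugins/frameworks (aka Java) -->
+        <key>com.apple.security.cs.disable-library-validation</key>
+        <true/>
+    </dict>
+</plist>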
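Review bot: `com.apple.security.cs.disable-executable-page-protection` is the broadest of the hardened-runtime memory entitlements (Apple documents it as disabling code-signing protections for the process at launch and during execution), and together with `disable-library-validation` it leaves little of the hardened runtime in force beyond the notarization requirement itself. The comment `for extension manager, "exception in synchronize"` records the symptom but not whether the narrower `com.apple.security.cs.allow-unsigned-executable-memory` or `com.apple.security.cs.allow-jit` were tried and found insufficient; since all embedded executables inherit this file via `$entitlements`, that justification is worth keeping next to the key. Suggested comment: `<!-- extension manager crashes ("exception in synchronize") without this; allow-unsigned-executable-memory / allow-jit were insufficient — see <BUG-REF placeholder>; re-test on future macOS before keeping -->`, adjusted to whatever was actually tried.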
diff --git a/solenv/bin/macosx-codesign-app-bundle b/solenv/bin/macosx-codesign-app-bundle
index 85d7451..db2f6ff 100755
--- a/solenv/bin/macosx-codesign-app-bundle
+++ b/solenv/bin/macosx-codesign-app-bundle
@@ -36,7 +36,7 @@ if test -n "$ENABLE_MACOSX_SANDBOX"; then
    other_files=''
else
    # We then want to sign data files, too, hmm.
    entitlements=''
    entitlements="--entitlements $SRCDIR/hardened_runtime.xcent"
    other_files="\
 -or -name '*.fodt' -or -name 'schema.strings' -or -name 'schema.xml' \
 -or -name '*.jar' -or -name 'LICENSE' -or -name 'LICENSE.html' \
@@ -83,7 +83,7 @@ while read app; do
    fn=${fn%.*}
    # Assume the app has a XML (and not binary) Info.plist
    id=`grep -A 1 '<key>CFBundleIdentifier</key>' $app/Contents/Info.plist | tail -1 | sed -e 's,.*<string>,,' -e 's,</string>.*,,'`
    codesign --verbose --force --identifier=$id --sign "$MACOSX_CODESIGNING_IDENTITY" $entitlements "$app" > "/tmp/codesign_${fn}.log" 2>&1
    codesign --verbose --options=runtime --force --identifier=$id --sign "$MACOSX_CODESIGNING_IDENTITY" $entitlements "$app" > "/tmp/codesign_${fn}.log" 2>&1
    if [ "$?" != "0" ] ; then
	exit 1
    fi
@@ -100,7 +100,11 @@ while read framework; do
        if test ! -L "$version" -a -d "$version"; then
	    # Assume the framework has a XML (and not binary) Info.plist
	    id=`grep -A 1 '<key>CFBundleIdentifier</key>' $version/Resources/Info.plist | tail -1 | sed -e 's,.*<string>,,' -e 's,</string>.*,,'`
            codesign --verbose --force --identifier=$id --sign "$MACOSX_CODESIGNING_IDENTITY" "$version" > "/tmp/codesign_${fn}.log" 2>&1
            # files in bin are not covered by signing the framework...
            for scriptorexecutable in $(find $version/bin/ -type f); do
                codesign --verbose --options=runtime --force --identifier=$id --sign "$MACOSX_CODESIGNING_IDENTITY" "$scriptorexecutable" >> "/tmp/codesign_${fn}.log" 2>&1
            done
            codesign --verbose --force --identifier=$id --sign "$MACOSX_CODESIGNING_IDENTITY" "$version" >> "/tmp/codesign_${fn}.log" 2>&1
	    if [ "$?" != "0" ] ; then
		exit 1
	    fi
@@ -129,7 +133,7 @@ while read file; do
	    ;;
	*)
	    id=`echo ${file#${APP_BUNDLE}/Contents/} | sed -e 's,/,.,g'`
	    codesign --force --verbose --identifier=$MACOSX_BUNDLE_IDENTIFIER.$id --sign "$MACOSX_CODESIGNING_IDENTITY" $entitlements "$file"  > "/tmp/codesign_${MACOSX_BUNDLE_IDENTIFIER}.${id}.log" 2>&1
	    codesign --force --verbose --options=runtime --identifier=$MACOSX_BUNDLE_IDENTIFIER.$id --sign "$MACOSX_CODESIGNING_IDENTITY" $entitlements "$file"  > "/tmp/codesign_${MACOSX_BUNDLE_IDENTIFIER}.${id}.log" 2>&1
	    if [ "$?" != "0" ] ; then
		exit 1
	    fi
@@ -152,7 +156,7 @@ done

id=`echo ${PRODUCTNAME} | tr ' ' '-'`

codesign --force --verbose --identifier="${MACOSX_BUNDLE_IDENTIFIER}" --sign "$MACOSX_CODESIGNING_IDENTITY" $entitlements "$APP_BUNDLE" > "/tmp/codesign_${MACOSX_BUNDLE_IDENTIFIER}.log" 2>&1
codesign --force --verbose --options=runtime --identifier="${MACOSX_BUNDLE_IDENTIFIER}" --sign "$MACOSX_CODESIGNING_IDENTITY" $entitlements "$APP_BUNDLE" > "/tmp/codesign_${MACOSX_BUNDLE_IDENTIFIER}.log" 2>&1
if [ "$?" != "0" ] ; then
    exit 1
fi
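Review bot: The new loop `for scriptorexecutable in $(find $version/bin/ -type f)` word-splits find's output, so a path containing whitespace is passed to codesign as several fragments, and the per-file `codesign` inside the loop is never checked — only the framework's own re-sign after the loop reaches the `$?` test, so a helper that failed to pick up `--options=runtime` would go unnoticed until notarization. Driving the loop from a pipe keeps the change small and stays POSIX (the shebang is not in view): `find "$version/bin/" -type f | while IFS= read -r scriptorexecutable; do`, the existing codesign line ending in `"$scriptorexecutable" >> "/tmp/codesign_${fn}.log" 2>&1 || exit 1`, and `done || exit 1` (the inner exit leaves the pipeline's subshell, the outer one the script). `$version` in the find argument is also the only unquoted use of it in this hunk. The enclosing `while read framework` loop starts and ends outside the hunk.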
diff --git a/solenv/gbuild/platform/macosx.mk b/solenv/gbuild/platform/macosx.mk
index b3e451b..eec2b05 100644
--- a/solenv/gbuild/platform/macosx.mk
+++ b/solenv/gbuild/platform/macosx.mk
@@ -132,7 +132,7 @@ $(call gb_Helper_abbreviate_dirs,\
	$(if $(MACOSX_CODESIGNING_IDENTITY), \
		$(if $(filter Executable,$(TARGETTYPE)), \
			$(if $(filter-out $(call gb_Executable_get_target,soffice_bin),$(1)), \
				codesign --identifier=$(MACOSX_BUNDLE_IDENTIFIER).$(notdir $(1)) --sign $(MACOSX_CODESIGNING_IDENTITY) --force $(1) &&))) \
				codesign --identifier=$(MACOSX_BUNDLE_IDENTIFIER).$(notdir $(1)) --sign $(MACOSX_CODESIGNING_IDENTITY) --options=runtime --force $(1) &&))) \
	$(if $(filter Library,$(TARGETTYPE)),\
		otool -l $(1) | grep -A 5 LC_ID_DYLIB \
			> $(WORKDIR)/LinkTarget/$(2).exports.tmp && \