Makefile.in | 11 ++++++
Repository.mk | 10 ++++-
configure.ac | 2 -
registry/Module_registry.mk | 6 ++-
solenv/bin/macosx-codesign-app-bundle | 58 +++++++++++++++++++---------------
solenv/gbuild/platform/macosx.mk | 9 -----
svx/Module_svx.mk | 2 +
7 files changed, 59 insertions(+), 39 deletions(-)
New commits:
commit 09f5eed074e6dd8474447bce5ba7ca9bd8198757
Author: Tor Lillqvist <t...@collabora.com>
Date: Sat Sep 20 01:12:17 2014 +0300
This test was the wrong way surely?
Change-Id: I3470fbd2992cd96a772452d75fb2f0320bb529bf
diff --git a/configure.ac b/configure.ac
index e5b4d02..b3bb9ba 100644
--- a/configure.ac
+++ b/configure.ac
@@ -12732,7 +12732,7 @@ if test "$enable_mpl_subset" = "yes"; then
AC_MSG_ERROR([need to --disable-ext-mariadb-connector - mariadb/mysql
support.])
fi
if test -n "$ENABLE_PDFIMPORT"; then
- if test "x$SYSTEM_POPPLER" != "xNO"; then
+ if test "x$SYSTEM_POPPLER" = "xNO"; then
AC_MSG_ERROR([need to disable PDF import via poppler or use system
library])
fi
fi
commit beb30bbd867f9a28878e0d004458c3507f6c0956
Author: Tor Lillqvist <t...@collabora.com>
Date: Sat Sep 20 01:01:09 2014 +0300
Skip some executables in the OS X sandboxed (Mac App Store) case
I doubt end-users will miss gengal.bin, regview, or regmerge.
Change-Id: I353610c0d039f25fa415f35902fe2b9890cd423f
diff --git a/Repository.mk b/Repository.mk
index bebbef4..9976a3c 100644
--- a/Repository.mk
+++ b/Repository.mk
@@ -76,7 +76,9 @@ $(eval $(call
gb_Helper_register_executables_for_install,SDK,sdk, \
))
$(eval $(call gb_Helper_register_executables_for_install,OOO,ooo, \
- gengal \
+ $(if $(ENABLE_MACOSX_SANDBOX),, \
+ gengal \
+ )\
))
$(eval $(call gb_Helper_register_executables,OOO, \
@@ -123,8 +125,10 @@ $(eval $(call gb_Helper_register_executables,OOO, \
$(eval $(call gb_Helper_register_executables_for_install,UREBIN,ure,\
$(if $(and $(ENABLE_JAVA),$(filter-out MACOSX WNT,$(OS)),$(filter
DESKTOP,$(BUILD_TYPE))),javaldx) \
- regmerge \
- regview \
+ $(if $(ENABLE_MACOSX_SANDBOX),, \
+ regmerge \
+ regview \
+ ) \
$(if $(filter DESKTOP,$(BUILD_TYPE)),uno) \
))
diff --git a/registry/Module_registry.mk b/registry/Module_registry.mk
index fb962c6..5f70ed9 100644
--- a/registry/Module_registry.mk
+++ b/registry/Module_registry.mk
@@ -12,8 +12,10 @@ $(eval $(call gb_Module_Module,registry))
$(eval $(call gb_Module_add_targets,registry,\
Library_reg \
$(if $(filter-out $(OS),IOS), \
- Executable_regmerge \
- Executable_regview \
+ $(if $(ENABLE_MACOSX_SANDBOX),, \
+ Executable_regmerge \
+ Executable_regview \
+ ) \
StaticLibrary_registry_helper \
) \
))
diff --git a/svx/Module_svx.mk b/svx/Module_svx.mk
index 80f2bd7..0e63435 100644
--- a/svx/Module_svx.mk
+++ b/svx/Module_svx.mk
@@ -34,11 +34,13 @@ $(eval $(call gb_Module_add_l10n_targets,svx,\
))
ifneq (,$(filter DESKTOP,$(BUILD_TYPE)))
+ifeq (,$(ENABLE_MACOSX_SANDBOX))
$(eval $(call gb_Module_add_targets,svx,\
Executable_gengal.bin \
Package_gengal \
))
endif
+endif
ifneq ($(OOO_JUNIT_JAR),)
$(eval $(call gb_Module_add_subsequentcheck_targets,svx,\
commit 69c2fc6cfb12b939a076856bb82a18812afdfccc
Author: Tor Lillqvist <t...@collabora.com>
Date: Fri Sep 19 22:58:16 2014 +0300
OS X code signing fixes
Remove unnecessary Python executables and stuff that complicates code
signing in the test-install target.
Sign executables in codesign-macosx-app-bundle, not when building
them. It is more uniform to do all code signing in just one place.
All executables must have the com.apple.security.app-sandbox entitlement.
Change-Id: Ic6a640eb03964fe9ce75d3a8fff071971a3e1939
diff --git a/Makefile.in b/Makefile.in
index 8fc6f3d..af2096a 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -291,6 +291,7 @@ ifeq ($(OS_FOR_BUILD),WNT)
else
@ooinstall $(TESTINSTALLDIR)
ifneq ($(MACOSX_CODESIGNING_IDENTITY),)
+#
# Unzip bin/InfoPlist_*.zip files into corresponding Resources/*.lproj
directories.
set -x; for F in $(TESTINSTALLDIR)/LibreOffice$(if
$(ENABLE_RELEASE_BUILD),,Dev).app/Contents/bin/InfoPlist_*.zip; do \
bn=`basename $$F .zip`; \
@@ -299,8 +300,18 @@ ifneq ($(MACOSX_CODESIGNING_IDENTITY),)
mkdir $$lproj; \
(cd $$lproj; unzip $$F); \
done
+#
# And remove the "bin" folder which should not be there
rm -rf $(TESTINSTALLDIR)/LibreOffice$(if
$(ENABLE_RELEASE_BUILD),,Dev).app/Contents/bin
+#
+# Remove unnecessary executables in the LibreOfficePython framework
+ rm -rf $(TESTINSTALLDIR)/LibreOffice$(if
$(ENABLE_RELEASE_BUILD),,Dev).app/Contents/Frameworks/LibreOfficePython.framework/Versions/[1-9]*/bin
+#
+# Remove the python.o object file which is weird and interferes with app store
uploading
+# And with it removed, presumably the other stuff in the Python
lib/python3.3/config-3.3m probably does not make sense either.
+ rm -rf $(TESTINSTALLDIR)/LibreOffice$(if
$(ENABLE_RELEASE_BUILD),,Dev).app/Contents/Frameworks/LibreOfficePython.framework/Versions/[1-9]*/lib/python[1-9]*/config-[1-9]*
+#
+# Then use the macosx-codesign-app-bundle script
@macosx-codesign-app-bundle $(TESTINSTALLDIR)/LibreOffice$(if
$(ENABLE_RELEASE_BUILD),,Dev).app
endif
endif
diff --git a/solenv/bin/macosx-codesign-app-bundle
b/solenv/bin/macosx-codesign-app-bundle
index de5ec79..798bf00 100755
--- a/solenv/bin/macosx-codesign-app-bundle
+++ b/solenv/bin/macosx-codesign-app-bundle
@@ -1,9 +1,8 @@
#!/bin/bash
-# Script to sign dylibs and frameworks in an app bundle plus the
-# bundle itself. Called from
-# installer::simplepackage::create_package() in
-# solenv/bin/modules/installer/simplepackage.pm
+# Script to sign executables, dylibs and frameworks in an app bundle
+# plus the bundle itself. Called from
+# the test-install target in Makefile.in
test `uname` = Darwin || { echo This is for OS X only; exit 1; }
@@ -21,13 +20,26 @@ done
APP_BUNDLE="$1"
+if test -n "$ENABLE_MACOSX_SANDBOX"; then
+ # In a sandboxed build executables need the entitlements
+ entitlements="--entitlements $BUILDDIR/lo.xcent"
+ # We use --enable-canonical-installation-tree-structure so all
+ # data files in Resources are included in the app bundle signature
+ # through that. I think.
+ other_files=''
+else
+ # In a non-sandboxed build (distributed outside the App Store)
+ # we traditionally have use --resource-rules. Let's not touch that?
+ resource_rules="--resource-rules
$SRCDIR/setup_native/source/mac/CodesignRules.plist"
+ # And there we then want to sign data files, too, hmm.
+ other_files="\
+ -or -name '*.fodt' -or -name 'schema.strings' -or -name 'schema.xml' \
+ -or -name '*.jar' -or -name '*.jnilib' -or -name 'LICENSE' -or -name
'LICENSE.html' \
+ -or -name '*.applescript'"
+fi
+
# Sign dylibs
#
-# Executables get signed right after linking, see
-# solenv/gbuild/platform/macosx.mk. But many of our dylibs are built
-# by ad-hoc or 3rd-party mechanisms, so we can't easily sign them
-# right after linking. So do it here.
-#
# The dylibs in the Python framework are called *.so. Go figure
#
# On Mavericks also would like to have data files signed...
@@ -35,17 +47,21 @@ APP_BUNDLE="$1"
# of e.g. the spotlight plugin before attempting to sign the plugin itself
find "$APP_BUNDLE" \( -name '*.dylib' -or -name '*.dylib.*' -or -name '*.so' \
- -or -name '*.fodt' -or -name 'schema.strings' -or -name 'schema.xml' \
- -or -name '*.jar' -or -name '*.jnilib' -or -name 'LICENSE' -or -name
'LICENSE.html' \
- -or -name '*.applescript' \) ! -type l | grep -v
"LibreOfficePython\.framework" |
-while read dylib; do
- id=`echo ${dylib#${APP_BUNDLE}/Contents/} | sed -e 's,/,.,g'`
- codesign --verbose --identifier=$MACOSX_BUNDLE_IDENTIFIER.$id --sign
"$MACOSX_CODESIGNING_IDENTITY" "$dylib"
+ $other_files \) ! -type l |
+while read file; do
+ id=`echo ${file#${APP_BUNDLE}/Contents/} | sed -e 's,/,.,g'`
+ codesign --verbose --identifier=$MACOSX_BUNDLE_IDENTIFIER.$id --sign
"$MACOSX_CODESIGNING_IDENTITY" "$file"
done
-# The executables have already been signed by
-# gb_LinkTarget__command_dynamiclink in
-# solenv/gbuild/platform/macosx.mk.
+# Sign executables
+
+find "$APP_BUNDLE/Contents/MacOS" \
+
"$APP_BUNDLE/Contents/Frameworks/LibreOfficePython.framework/Versions/"[1-9]*/Resources/Python.app/Contents/MacOS
\
+ -type f |
+while read file; do
+ id=`echo ${file#${APP_BUNDLE}/Contents/} | sed -e 's,/,.,g'`
+ codesign --verbose --identifier=$MACOSX_BUNDLE_IDENTIFIER.$id --sign
"$MACOSX_CODESIGNING_IDENTITY" $entitlements "$file"
+done
# Sign included bundles. First frameworks.
@@ -86,12 +102,6 @@ done
id=`echo ${MACOSX_APP_NAME} | tr ' ' '-'`
-if test -n "$ENABLE_MACOSX_SANDBOX"; then
- entitlements="--entitlements $BUILDDIR/lo.xcent"
-else
- resource_rules="--resource-rules
$SRCDIR/setup_native/source/mac/CodesignRules.plist"
-fi
-
codesign --force --verbose --identifier="${MACOSX_BUNDLE_IDENTIFIER}.$id"
$resource_rules --sign "$MACOSX_CODESIGNING_IDENTITY" $entitlements
"$APP_BUNDLE"
exit 0
diff --git a/solenv/gbuild/platform/macosx.mk b/solenv/gbuild/platform/macosx.mk
index cd5c0c3..be631d2 100644
--- a/solenv/gbuild/platform/macosx.mk
+++ b/solenv/gbuild/platform/macosx.mk
@@ -122,12 +122,6 @@ $(if $(filter Executable,$(1)),\
$$(call gb_Library_get_layer,$(2)))
endef
-# We sign executables right after linking below. But not dylibs,
-# because many of them are built by ad-hoc or 3rd-party mechanisms. So
-# as we would need to sign those separately anyway, we do it for the
-# gbuild-built ones, too, after an app bundle has been constructed, in
-# the solenv/bin/macosx-codesign-app-bundle script.
-
define gb_LinkTarget__command_dynamiclink
$(call gb_Helper_abbreviate_dirs,\
$(if
$(CXXOBJECTS)$(OBJCXXOBJECTS)$(GENCXXOBJECTS)$(EXTRAOBJECTLISTS),$(gb_CXX),$(gb_CC))
\
@@ -154,9 +148,6 @@ $(call gb_Helper_abbreviate_dirs,\
$(PERL) $(SRCDIR)/solenv/bin/macosx-change-install-names.pl app
$(LAYER) $(1) &&) \
$(if $(filter Library Bundle CppunitTest,$(TARGETTYPE)),\
$(PERL) $(SRCDIR)/solenv/bin/macosx-change-install-names.pl shl
$(LAYER) $(1) &&) \
- $(if $(MACOSX_CODESIGNING_IDENTITY), \
- $(if $(filter Executable,$(TARGETTYPE)), \
- (codesign
--identifier=$(MACOSX_BUNDLE_IDENTIFIER).$(notdir $(1)) --sign
$(MACOSX_CODESIGNING_IDENTITY) --force $(1) || true) &&)) \
$(if $(filter Library,$(TARGETTYPE)),\
otool -l $(1) | grep -A 5 LC_ID_DYLIB \
> $(WORKDIR)/LinkTarget/$(2).exports.tmp && \
_______________________________________________
Libreoffice-commits mailing list
libreoffice-comm...@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/libreoffice-commits
