Makefile.in | 11 ++++++ Repository.mk | 10 ++++- configure.ac | 2 - registry/Module_registry.mk | 6 ++- solenv/bin/macosx-codesign-app-bundle | 58 +++++++++++++++++++--------------- solenv/gbuild/platform/macosx.mk | 9 ----- svx/Module_svx.mk | 2 + 7 files changed, 59 insertions(+), 39 deletions(-)
New commits: commit 09f5eed074e6dd8474447bce5ba7ca9bd8198757 Author: Tor Lillqvist <t...@collabora.com> Date: Sat Sep 20 01:12:17 2014 +0300 This test was the wrong way surely? Change-Id: I3470fbd2992cd96a772452d75fb2f0320bb529bf diff --git a/configure.ac b/configure.ac index e5b4d02..b3bb9ba 100644 --- a/configure.ac +++ b/configure.ac @@ -12732,7 +12732,7 @@ if test "$enable_mpl_subset" = "yes"; then AC_MSG_ERROR([need to --disable-ext-mariadb-connector - mariadb/mysql support.]) fi if test -n "$ENABLE_PDFIMPORT"; then - if test "x$SYSTEM_POPPLER" != "xNO"; then + if test "x$SYSTEM_POPPLER" = "xNO"; then AC_MSG_ERROR([need to disable PDF import via poppler or use system library]) fi fi commit beb30bbd867f9a28878e0d004458c3507f6c0956 Author: Tor Lillqvist <t...@collabora.com> Date: Sat Sep 20 01:01:09 2014 +0300 Skip some executables in the OS X sandboxed (Mac App Store) case I doubt end-users will miss gengal.bin, regview, or regmerge. Change-Id: I353610c0d039f25fa415f35902fe2b9890cd423f diff --git a/Repository.mk b/Repository.mk index bebbef4..9976a3c 100644 --- a/Repository.mk +++ b/Repository.mk @@ -76,7 +76,9 @@ $(eval $(call gb_Helper_register_executables_for_install,SDK,sdk, \ )) $(eval $(call gb_Helper_register_executables_for_install,OOO,ooo, \ - gengal \ + $(if $(ENABLE_MACOSX_SANDBOX),, \ + gengal \ + )\ )) $(eval $(call gb_Helper_register_executables,OOO, \ @@ -123,8 +125,10 @@ $(eval $(call gb_Helper_register_executables,OOO, \ $(eval $(call gb_Helper_register_executables_for_install,UREBIN,ure,\ $(if $(and $(ENABLE_JAVA),$(filter-out MACOSX WNT,$(OS)),$(filter DESKTOP,$(BUILD_TYPE))),javaldx) \ - regmerge \ - regview \ + $(if $(ENABLE_MACOSX_SANDBOX),, \ + regmerge \ + regview \ + ) \ $(if $(filter DESKTOP,$(BUILD_TYPE)),uno) \ )) diff --git a/registry/Module_registry.mk b/registry/Module_registry.mk index fb962c6..5f70ed9 100644 --- a/registry/Module_registry.mk +++ b/registry/Module_registry.mk @@ -12,8 +12,10 @@ $(eval $(call gb_Module_Module,registry)) $(eval $(call gb_Module_add_targets,registry,\ Library_reg \ $(if $(filter-out $(OS),IOS), \ - Executable_regmerge \ - Executable_regview \ + $(if $(ENABLE_MACOSX_SANDBOX),, \ + Executable_regmerge \ + Executable_regview \ + ) \ StaticLibrary_registry_helper \ ) \ )) diff --git a/svx/Module_svx.mk b/svx/Module_svx.mk index 80f2bd7..0e63435 100644 --- a/svx/Module_svx.mk +++ b/svx/Module_svx.mk @@ -34,11 +34,13 @@ $(eval $(call gb_Module_add_l10n_targets,svx,\ )) ifneq (,$(filter DESKTOP,$(BUILD_TYPE))) +ifeq (,$(ENABLE_MACOSX_SANDBOX)) $(eval $(call gb_Module_add_targets,svx,\ Executable_gengal.bin \ Package_gengal \ )) endif +endif ifneq ($(OOO_JUNIT_JAR),) $(eval $(call gb_Module_add_subsequentcheck_targets,svx,\ commit 69c2fc6cfb12b939a076856bb82a18812afdfccc Author: Tor Lillqvist <t...@collabora.com> Date: Fri Sep 19 22:58:16 2014 +0300 OS X code signing fixes Remove unnecessary Python executables and stuff that complicates code signing in the test-install target. Sign executables in codesign-macosx-app-bundle, not when building them. It is more uniform to do all code signing in just one place. All executables must have the com.apple.security.app-sandbox entitlement. Change-Id: Ic6a640eb03964fe9ce75d3a8fff071971a3e1939 diff --git a/Makefile.in b/Makefile.in index 8fc6f3d..af2096a 100644 --- a/Makefile.in +++ b/Makefile.in @@ -291,6 +291,7 @@ ifeq ($(OS_FOR_BUILD),WNT) else @ooinstall $(TESTINSTALLDIR) ifneq ($(MACOSX_CODESIGNING_IDENTITY),) +# # Unzip bin/InfoPlist_*.zip files into corresponding Resources/*.lproj directories. set -x; for F in $(TESTINSTALLDIR)/LibreOffice$(if $(ENABLE_RELEASE_BUILD),,Dev).app/Contents/bin/InfoPlist_*.zip; do \ bn=`basename $$F .zip`; \ @@ -299,8 +300,18 @@ ifneq ($(MACOSX_CODESIGNING_IDENTITY),) mkdir $$lproj; \ (cd $$lproj; unzip $$F); \ done +# # And remove the "bin" folder which should not be there rm -rf $(TESTINSTALLDIR)/LibreOffice$(if $(ENABLE_RELEASE_BUILD),,Dev).app/Contents/bin +# +# Remove unnecessary executables in the LibreOfficePython framework + rm -rf $(TESTINSTALLDIR)/LibreOffice$(if $(ENABLE_RELEASE_BUILD),,Dev).app/Contents/Frameworks/LibreOfficePython.framework/Versions/[1-9]*/bin +# +# Remove the python.o object file which is weird and interferes with app store uploading +# And with it removed, presumably the other stuff in the Python lib/python3.3/config-3.3m probably does not make sense either. + rm -rf $(TESTINSTALLDIR)/LibreOffice$(if $(ENABLE_RELEASE_BUILD),,Dev).app/Contents/Frameworks/LibreOfficePython.framework/Versions/[1-9]*/lib/python[1-9]*/config-[1-9]* +# +# Then use the macosx-codesign-app-bundle script @macosx-codesign-app-bundle $(TESTINSTALLDIR)/LibreOffice$(if $(ENABLE_RELEASE_BUILD),,Dev).app endif endif diff --git a/solenv/bin/macosx-codesign-app-bundle b/solenv/bin/macosx-codesign-app-bundle index de5ec79..798bf00 100755 --- a/solenv/bin/macosx-codesign-app-bundle +++ b/solenv/bin/macosx-codesign-app-bundle @@ -1,9 +1,8 @@ #!/bin/bash -# Script to sign dylibs and frameworks in an app bundle plus the -# bundle itself. Called from -# installer::simplepackage::create_package() in -# solenv/bin/modules/installer/simplepackage.pm +# Script to sign executables, dylibs and frameworks in an app bundle +# plus the bundle itself. Called from +# the test-install target in Makefile.in test `uname` = Darwin || { echo This is for OS X only; exit 1; } @@ -21,13 +20,26 @@ done APP_BUNDLE="$1" +if test -n "$ENABLE_MACOSX_SANDBOX"; then + # In a sandboxed build executables need the entitlements + entitlements="--entitlements $BUILDDIR/lo.xcent" + # We use --enable-canonical-installation-tree-structure so all + # data files in Resources are included in the app bundle signature + # through that. I think. + other_files='' +else + # In a non-sandboxed build (distributed outside the App Store) + # we traditionally have use --resource-rules. Let's not touch that? + resource_rules="--resource-rules $SRCDIR/setup_native/source/mac/CodesignRules.plist" + # And there we then want to sign data files, too, hmm. + other_files="\ + -or -name '*.fodt' -or -name 'schema.strings' -or -name 'schema.xml' \ + -or -name '*.jar' -or -name '*.jnilib' -or -name 'LICENSE' -or -name 'LICENSE.html' \ + -or -name '*.applescript'" +fi + # Sign dylibs # -# Executables get signed right after linking, see -# solenv/gbuild/platform/macosx.mk. But many of our dylibs are built -# by ad-hoc or 3rd-party mechanisms, so we can't easily sign them -# right after linking. So do it here. -# # The dylibs in the Python framework are called *.so. Go figure # # On Mavericks also would like to have data files signed... @@ -35,17 +47,21 @@ APP_BUNDLE="$1" # of e.g. the spotlight plugin before attempting to sign the plugin itself find "$APP_BUNDLE" \( -name '*.dylib' -or -name '*.dylib.*' -or -name '*.so' \ - -or -name '*.fodt' -or -name 'schema.strings' -or -name 'schema.xml' \ - -or -name '*.jar' -or -name '*.jnilib' -or -name 'LICENSE' -or -name 'LICENSE.html' \ - -or -name '*.applescript' \) ! -type l | grep -v "LibreOfficePython\.framework" | -while read dylib; do - id=`echo ${dylib#${APP_BUNDLE}/Contents/} | sed -e 's,/,.,g'` - codesign --verbose --identifier=$MACOSX_BUNDLE_IDENTIFIER.$id --sign "$MACOSX_CODESIGNING_IDENTITY" "$dylib" + $other_files \) ! -type l | +while read file; do + id=`echo ${file#${APP_BUNDLE}/Contents/} | sed -e 's,/,.,g'` + codesign --verbose --identifier=$MACOSX_BUNDLE_IDENTIFIER.$id --sign "$MACOSX_CODESIGNING_IDENTITY" "$file" done -# The executables have already been signed by -# gb_LinkTarget__command_dynamiclink in -# solenv/gbuild/platform/macosx.mk. +# Sign executables + +find "$APP_BUNDLE/Contents/MacOS" \ + "$APP_BUNDLE/Contents/Frameworks/LibreOfficePython.framework/Versions/"[1-9]*/Resources/Python.app/Contents/MacOS \ + -type f | +while read file; do + id=`echo ${file#${APP_BUNDLE}/Contents/} | sed -e 's,/,.,g'` + codesign --verbose --identifier=$MACOSX_BUNDLE_IDENTIFIER.$id --sign "$MACOSX_CODESIGNING_IDENTITY" $entitlements "$file" +done # Sign included bundles. First frameworks. @@ -86,12 +102,6 @@ done id=`echo ${MACOSX_APP_NAME} | tr ' ' '-'` -if test -n "$ENABLE_MACOSX_SANDBOX"; then - entitlements="--entitlements $BUILDDIR/lo.xcent" -else - resource_rules="--resource-rules $SRCDIR/setup_native/source/mac/CodesignRules.plist" -fi - codesign --force --verbose --identifier="${MACOSX_BUNDLE_IDENTIFIER}.$id" $resource_rules --sign "$MACOSX_CODESIGNING_IDENTITY" $entitlements "$APP_BUNDLE" exit 0 diff --git a/solenv/gbuild/platform/macosx.mk b/solenv/gbuild/platform/macosx.mk index cd5c0c3..be631d2 100644 --- a/solenv/gbuild/platform/macosx.mk +++ b/solenv/gbuild/platform/macosx.mk @@ -122,12 +122,6 @@ $(if $(filter Executable,$(1)),\ $$(call gb_Library_get_layer,$(2))) endef -# We sign executables right after linking below. But not dylibs, -# because many of them are built by ad-hoc or 3rd-party mechanisms. So -# as we would need to sign those separately anyway, we do it for the -# gbuild-built ones, too, after an app bundle has been constructed, in -# the solenv/bin/macosx-codesign-app-bundle script. - define gb_LinkTarget__command_dynamiclink $(call gb_Helper_abbreviate_dirs,\ $(if $(CXXOBJECTS)$(OBJCXXOBJECTS)$(GENCXXOBJECTS)$(EXTRAOBJECTLISTS),$(gb_CXX),$(gb_CC)) \ @@ -154,9 +148,6 @@ $(call gb_Helper_abbreviate_dirs,\ $(PERL) $(SRCDIR)/solenv/bin/macosx-change-install-names.pl app $(LAYER) $(1) &&) \ $(if $(filter Library Bundle CppunitTest,$(TARGETTYPE)),\ $(PERL) $(SRCDIR)/solenv/bin/macosx-change-install-names.pl shl $(LAYER) $(1) &&) \ - $(if $(MACOSX_CODESIGNING_IDENTITY), \ - $(if $(filter Executable,$(TARGETTYPE)), \ - (codesign --identifier=$(MACOSX_BUNDLE_IDENTIFIER).$(notdir $(1)) --sign $(MACOSX_CODESIGNING_IDENTITY) --force $(1) || true) &&)) \ $(if $(filter Library,$(TARGETTYPE)),\ otool -l $(1) | grep -A 5 LC_ID_DYLIB \ > $(WORKDIR)/LinkTarget/$(2).exports.tmp && \ _______________________________________________ Libreoffice-commits mailing list libreoffice-comm...@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/libreoffice-commits