Makefile.in | 46 --------------- solenv/bin/macosx-codesign-app-bundle | 77 ++++++++++++++++++++++++++ solenv/bin/modules/installer/simplepackage.pm | 25 -------- solenv/gbuild/PythonTest.mk | 1 solenv/gbuild/platform/macosx.mk | 6 ++ 5 files changed, 86 insertions(+), 69 deletions(-)
New commits: commit d00e125cbe33da88b881d177cbc09a9045d32349 Author: Tor Lillqvist <t...@iki.fi> Date: Tue Aug 27 19:26:04 2013 +0300 Factor out the app bundle code signing into a script Call that script for make dev-install and when creating the .dmg. Change-Id: Ic468cafe04b2755f371d449fef0b84e2fdc7e197 diff --git a/Makefile.in b/Makefile.in index 16f18b8..eef1aec 100644 --- a/Makefile.in +++ b/Makefile.in @@ -262,10 +262,6 @@ install-strip: endif # !MACOSX -ifeq ($(ENABLE_MACOSX_SANDBOX),YES) -entitlements:=--entitlements $(BUILDDIR)/lo.xcent -endif - dev-install: build @rm -rf $(DEVINSTALLDIR) @mkdir $(DEVINSTALLDIR) 
@@ -275,47 +271,7 @@ else ifeq ($(DISABLE_LINKOO),TRUE) @ooinstall $(DEVINSTALLDIR)/opt ifneq ($(MACOSX_CODESIGNING_IDENTITY),) -# -# Sign dylibs -# -# Executables get signed right after linking, see -# solenv/gbuild/platform/macosx.mk. But many of our dylibs are built -# by ad-hoc or 3rd-party mechanisms, so we can't easily sign them -# right after linking. So do it here. -# -# The dylibs in the Python framework are called *.so. Go figure -# - find $(DEVINSTALLDIR)/opt/LibreOffice.app \( -name '*.dylib' -or -name '*.dylib.*' -or -name '*.so' \) ! -type l | \ - while read dylib; do \ - id=`basename "$$dylib"`; \ - case $$id in \ - *.dylib|*.so) \ - ;; \ - *.dylib.*) \ - id=`echo $$id | sed -e 's/dylib.*/dylib/'`; \ - ;; \ - esac; \ - codesign --verbose --identifier=$(MACOSX_BUNDLE_IDENTIFIER).$$id --sign $(MACOSX_CODESIGNING_IDENTITY) "$$dylib"; \ - done -# -# Sign frameworks. -# -# Yeah, we don't bundle any other framework than our Python one, and -# it has just one version, so this generic search is mostly for -# completeness. -# - for framework in `find $(DEVINSTALLDIR)/opt/LibreOffice.app -name '*.framework' -type d`; do \ - for version in $$framework/Versions/*; do \ - if test ! -L $$version -a -d $$version; then codesign --force --verbose --prefix=$(MACOSX_BUNDLE_IDENTIFIER). --sign $(MACOSX_CODESIGNING_IDENTITY) $$version; fi; \ - done; \ - done -# -# Sign the app bundle as a whole (will sign the soffice binary too) -# -# At this stage we also attach the entitlements in the sandboxing case -# - codesign --force --verbose --sign $(MACOSX_CODESIGNING_IDENTITY) $(entitlements) $(DEVINSTALLDIR)/opt/LibreOffice.app -# + @macosx-codesign-app-bundle $(DEVINSTALLDIR)/opt/LibreOffice.app endif ifneq ($(OS),MACOSX) @install-gdb-printers -L diff --git a/solenv/bin/macosx-codesign-app-bundle b/solenv/bin/macosx-codesign-app-bundle new file mode 100755 index 0000000..cbe9fa0 --- /dev/null +++ b/solenv/bin/macosx-codesign-app-bundle 
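Review bot: The new recipe line `@macosx-codesign-app-bundle $(DEVINSTALLDIR)/opt/LibreOffice.app` resolves the signing script through PATH, while the Perl caller changed in this same commit runs it as `$ENV{'SRCDIR'}/solenv/bin/macosx-codesign-app-bundle`. A helper that runs with the code-signing identity is better invoked by an explicit path, so that the checked-in script is the one that runs, e.g. `$(SRCDIR)/solenv/bin/macosx-codesign-app-bundle "$(DEVINSTALLDIR)/opt/LibreOffice.app"`, assuming SRCDIR is set in this makefile as it is in the environment. The leading `@` also hides the command, whereas the removed inline `find` and `codesign` lines were echoed; dropping the `@` keeps the signing step visible in build logs. The dev-install recipe starts and ends outside this hunk.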
@@ -0,0 +1,77 @@
+#!/bin/bash
+
+# Script to sign dylibs and frameworks in an app bundle plus the
+# bundle itself. Called from
+# installer::simplepackage::create_package() in
+# solenv/bin/modules/installer/simplepackage.pm
+
+test `uname` = Darwin || { echo This is for OS X only; exit 1; }
+
+test $# = 1 || { echo Usage: $0 app-bundle; exit 1; }
+
+for V in \
+ BUILDDIR \
+ MACOSX_BUNDLE_IDENTIFIER \
+ MACOSX_CODESIGNING_IDENTITY; do
+ if test -z `eval echo '$'$V`; then
+ echo No '$'$V "environment variable! This should be run in a build only"
+ exit 1
+ fi
+done
+
+APP_BUNDLE=$1
+
+# Sign dylibs
+#
+# Executables get signed right after linking, see
+# solenv/gbuild/platform/macosx.mk. But many of our dylibs are built
+# by ad-hoc or 3rd-party mechanisms, so we can't easily sign them
+# right after linking. So do it here.
+#
+# The dylibs in the Python framework are called *.so. Go figure
+#
+# First sign all files that can use the default identifier in the hope
+# that codesign will contact the timestamp server just once for all
+# mentioned on the command line.
+
+find $APP_BUNDLE \( -name '*.dylib' -or -name '*.so' \) ! -type l | \
+xargs codesign --verbose --prefix=$MACOSX_BUNDLE_IDENTIFIER. --sign $MACOSX_CODESIGNING_IDENTITY
+
+find $APP_BUNDLE -name '*.dylib.*' ! -type l | \
+while read dylib; do \
+ id=`basename "$dylib"`; \
+ id=`echo $id | sed -e 's/dylib.*/dylib/'`; \
+ codesign --verbose --identifier=$MACOSX_BUNDLE_IDENTIFIER.$id --sign $MACOSX_CODESIGNING_IDENTITY "$dylib"; \
+done
+
+# The executables have already been signed by
+# gb_LinkTarget__command_dynamiclink in
+# solenv/gbuild/platform/macosx.mk.
+
+# Sign frameworks.
+#
+# Yeah, we don't bundle any other framework than our Python one, and
+# it has just one version, so this generic search is mostly for
+# completeness.
+
+for framework in `find $APP_BUNDLE -name '*.framework' -type d`; do \
+ for version in $framework/Versions/*; do \
+ if test ! -L $version -a -d $version; then codesign --verbose --prefix=$MACOSX_BUNDLE_IDENTIFIER. --sign $MACOSX_CODESIGNING_IDENTITY $version; fi; \
+ done; \
+done
+
+# Sign the app bundle as a whole which means (re-)signing the
+# CFBundleExecutable from Info.plist, i.e. soffice, plus the contents
+# of the Resources tree (which unless you used
+# --enable-canonical-installation-tree-structure is not much, far from
+# all of our non-code "resources").
+#
+# At this stage we also attach the entitlements in the sandboxing case
+
+if test $ENABLE_MACOSX_SANDBOX = YES; then
+ entitlements="--entitlements $BUILDDIR/lo.xcent"
+fi
+
+codesign --force --verbose --sign $MACOSX_CODESIGNING_IDENTITY $entitlements $APP_BUNDLE
+
+exit 0
diff --git a/solenv/bin/modules/installer/simplepackage.pm b/solenv/bin/modules/installer/simplepackage.pm
index 8f8cddd..5f9433f 100644
--- a/solenv/bin/modules/installer/simplepackage.pm
+++ b/solenv/bin/modules/installer/simplepackage.pm
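Review bot: A failed `codesign` call does not fail the new solenv/bin/macosx-codesign-app-bundle script: no exit status is checked and the last line is an unconditional `exit 0`, so both callers see success for an unsigned or partly signed bundle. The inline recipe removed from Makefile.in would have stopped make when the final codesign failed. Put `set -e -o pipefail` after the shebang (or add `|| exit 1` to each codesign call) and drop the trailing `exit 0`. Separately, `test $ENABLE_MACOSX_SANDBOX = YES` produces a test error when the variable is unset, and `$APP_BUNDLE` is unquoted throughout, so write `test "$ENABLE_MACOSX_SANDBOX" = YES` and `"$APP_BUNDLE"`. The framework loop also lost the `--force` that the removed Makefile code passed, which looks unintentional if those versions can already carry a signature.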
@@ -404,24 +404,7 @@ sub create_package if (($volume_name_classic_app eq 'LibreOffice' || $volume_name_classic_app eq 'LibreOfficeDev') && defined($ENV{'MACOSX_CODESIGNING_IDENTITY'}) && $ENV{'MACOSX_CODESIGNING_IDENTITY'} ne "" ) { - # Sign the .app as a whole, which means (re-)signing - # the CFBundleExecutable from Info.plist, i.e. - # soffice, plus the contents of the Resources tree - # (which unless you used - # --enable-canonical-installation-tree-structure is - # not much, far from all of our non-code "resources"). - - # Don't bother yet to sign each individual .dylib. (We - # do that for "make dev-install", but not here.) - - # The executables have already been signed by - # gb_LinkTarget__command_dynamiclink in - # solenv/gbuild/platform/macosx.mk. - - $entitlements = ''; - $entitlements = "--entitlements $ENV{'BUILDDIR'}/lo.xcent" if defined($ENV{'ENABLE_MACOSX_SANDBOX'}); - - $systemcall = "codesign --sign $ENV{'MACOSX_CODESIGNING_IDENTITY'} --force $entitlements -v -v -v $localtempdir/$folder/$volume_name_classic_app.app"; + $systemcall = "$ENV{'SRCDIR'}/solenv/bin/macosx-codesign-app-bundle $localtempdir/$folder/$volume_name_classic_app.app"; print "... $systemcall ...\n"; my $returnvalue = system($systemcall); $infoline = "Systemcall: $systemcall\n"; diff --git a/solenv/gbuild/platform/macosx.mk b/solenv/gbuild/platform/macosx.mk index c03efa4..d5d7d48 100644 --- a/solenv/gbuild/platform/macosx.mk +++ b/solenv/gbuild/platform/macosx.mk 
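Review bot: `$systemcall` is still a single interpolated string handed to `system()`, so the bundle path `$localtempdir/$folder/$volume_name_classic_app.app` goes through the shell unquoted, and the script's `test $# = 1` check rejects it as soon as the temp directory contains a space. The list form avoids the shell: `system("$ENV{'SRCDIR'}/solenv/bin/macosx-codesign-app-bundle", "$localtempdir/$folder/$volume_name_classic_app.app")`. The surrounding condition only tests MACOSX_CODESIGNING_IDENTITY, so an unset SRCDIR would resolve the script from the filesystem root; adding `defined($ENV{'SRCDIR'})` to the condition closes that. How `$returnvalue` is handled is outside this hunk, so confirm that a non-zero result aborts packaging rather than only being logged.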
@@ -124,6 +124,12 @@ $(if $(filter Executable,$(1)),\ $$(call gb_Library_get_layer,$(2))) endef +# We sign executables right after linking below. But not dylibs, +# because many of them are built by ad-hoc or 3rd-party mechanisms. So +# as we would need to sign those separately anyway, we do it for the +# gbuild-built ones, too, after an app bundle has been constructed, in +# the solenv/bin/macosx-codesign-app-bundle script. + define gb_LinkTarget__command_dynamiclink $(call gb_Helper_abbreviate_dirs,\ mkdir -p $(dir $(1)) && \ commit 994d2951faedeea55c594dfe0c2516e33fe8910a Author: Tor Lillqvist <t...@iki.fi> Date: Tue Aug 27 10:33:38 2013 +0300 Update comments We now have the --enable-canonical-installation-tree-structure option which does what was suggested. Change-Id: I41215275d6d8c8f11b4a45390d44998c967fcc53 diff --git a/solenv/bin/modules/installer/simplepackage.pm b/solenv/bin/modules/installer/simplepackage.pm index 3a745ec..8f8cddd 100644 --- a/solenv/bin/modules/installer/simplepackage.pm +++ b/solenv/bin/modules/installer/simplepackage.pm @@ -407,8 +407,9 @@ sub create_package # Sign the .app as a whole, which means (re-)signing # the CFBundleExecutable from Info.plist, i.e. # soffice, plus the contents of the Resources tree - # (which at the moment is not much, far from all of - # our non-code "resources"). + # (which unless you used + # --enable-canonical-installation-tree-structure is + # not much, far from all of our non-code "resources"). # Don't bother yet to sign each individual .dylib. (We # do that for "make dev-install", but not here.) 
@@ -417,13 +418,6 @@ sub create_package # gb_LinkTarget__command_dynamiclink in # solenv/gbuild/platform/macosx.mk. - # Eventually it would be a good idea to re-organise - # the app bundle structure to be more Mac-like and - # actually put all non-code resources (including - # extension scripts!) into Resources so that they - # participate in the signing and their validity can be - # guaranteed. - $entitlements = ''; $entitlements = "--entitlements $ENV{'BUILDDIR'}/lo.xcent" if defined($ENV{'ENABLE_MACOSX_SANDBOX'}); commit 1603854be942078e7f2381fad2efbd992eeb86ee Author: Tor Lillqvist <t...@iki.fi> Date: Tue Aug 27 10:30:10 2013 +0300 Don't create any (new) Python bytecode files when running a PythonTest PythonTests are run on a dev-install tree where (when using code signing on OS X) the Python framework has already been signed, so scribbling bytecode cache files into it will invalidate the signature. Change-Id: Ic53043b59c9a59373e2383d8dcca9120457d4ba9 diff --git a/solenv/gbuild/PythonTest.mk b/solenv/gbuild/PythonTest.mk index f7678dc..f6a94a0 100644 --- a/solenv/gbuild/PythonTest.mk +++ b/solenv/gbuild/PythonTest.mk @@ -45,6 +45,7 @@ $(call gb_PythonTest_get_target,%) : PYTHONPATH="$(PYPATH)" \ UserInstallation=$(call gb_Helper_make_url,$(dir $(call gb_PythonTest_get_target,$*))user) \ TestUserDir="$(call gb_Helper_make_url,$(dir $(call gb_PythonTest_get_target,$*)))" \ + PYTHONDONTWRITEBYTECODE=1 \ $(gb_CppunitTest_GDBTRACE) $(gb_CppunitTest_VALGRINDTOOL) $(gb_PythonTest_COMMAND) \ $(MODULES) \ $(if $(gb_CppunitTest__interactive),, \ _______________________________________________ Libreoffice-commits mailing list libreoffice-comm...@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/libreoffice-commits
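Review bot: The reason for `PYTHONDONTWRITEBYTECODE=1` in solenv/gbuild/PythonTest.mk is recorded only in the commit message, so nothing near the rule says that removing it lets tests invalidate the code signature of the dev-install tree on OS X. A comment above the `gb_PythonTest_get_target` rule, which starts outside this hunk, would keep that visible: `# Do not write .pyc files into the (possibly code-signed) dev-install Python framework`.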