vlc/vlc-2.0 | branch: master | Felix Paul Kühne <[email protected]> | Sun 
Jul  1 20:40:25 2012 +0200| [ec768b24052cda1aecd8db8c35d1f9d224288e27] | 
committer: Felix Paul Kühne

package/macosx: enhanced the codesign script to add a designated signature to 
enhance its compatibility

Note 3 things

 - the included hashes are common knowledge, non-exploitable and hence don't 
constitute a security issue

 - you need a valid Developer ID private key to create GateKeeper compatible 
signatures

 - If you don't use VideoLAN's Dev ID, that's noticeable but doesn't limit the 
app's behavior in any detail.

This commit also limits the signing process to the compiled lua scripts and no 
longer signs the entire lua folder since this would limit the usage experience 
and it isn't reasonable either.
(cherry picked from commit 41e20140b3bd4482cb02fe6eede5da471e57859d)

> http://git.videolan.org/gitweb.cgi/vlc/vlc-2.0.git/?a=commit;h=ec768b24052cda1aecd8db8c35d1f9d224288e27
---

 extras/package/macosx/codesign.sh |   38 +++++++++++++++++++++++++++----------
 1 file changed, 28 insertions(+), 10 deletions(-)

diff --git a/extras/package/macosx/codesign.sh 
b/extras/package/macosx/codesign.sh
index ecc19dd..864f3f0 100755
--- a/extras/package/macosx/codesign.sh
+++ b/extras/package/macosx/codesign.sh
@@ -33,11 +33,12 @@ OPTIONS:
    -h            Show this help
    -i            Identity to use
    -t            Entitlements file to use
+   -g            Enable additional magic
 EOF
 
 }
 
-while getopts "hi:t:" OPTION
+while getopts "hi:t:g" OPTION
 do
      case $OPTION in
          h)
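Review bot: The new help line `-g            Enable additional magic` does not tell the person running the signing script what the flag changes. Going by the rest of the commit, `-g` attaches an explicit designated requirement, including a fixed team OU, to every signature, which a release engineer needs to know before choosing it. Something like `-g            Add a designated requirement (Gatekeeper / Developer ID) to each signature` would document that. The usage function starts outside this hunk.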
@@ -50,6 +51,9 @@ do
          t)
              OPTIONS="--entitlements $OPTARG"
          ;;
+         g)
+             GK="yes"
+         ;;
      esac
 done
 shift $(($OPTIND - 1))
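Review bot: `GK` is assigned only in the new `g)` arm, yet the later `test -z "$GK"` decides which signing path runs. Unless the script clears the variable above the option loop (not visible in this hunk), a `GK` inherited from the caller's environment selects the designated-requirement path without `-g` being passed. Initialising it with `GK=""` before `while getopts` makes the flag the only switch. The case statement starts outside this hunk.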
@@ -59,18 +63,32 @@ if [ "x$1" != "x" ]; then
     exit 1
 fi
 
-info "Signing the executable"
+if test -z "$GK"
+then
+    info "Signing the executable"
+    codesign --force --sign "$IDENTITY" $OPTIONS VLC.app/Contents/MacOS/VLC
+
+    info "Signing the modules"
+    find VLC.app/Contents/MacOS/plugins/* -type f -exec codesign --force -s 
"$IDENTITY" $OPTIONS '{}' \;
 
-codesign -s "$IDENTITY" $OPTIONS VLC.app/Contents/MacOS/VLC
+    info "Signing the libraries"
+    find VLC.app/Contents/MacOS/lib/* -type f -exec codesign --force -s 
"$IDENTITY" $OPTIONS '{}' \;
 
-info "Signing the modules"
-find VLC.app/Contents/MacOS/plugins/* -type f -exec codesign -s "$IDENTITY" 
$OPTIONS '{}' \;
+    info "Signing the lua stuff"
+    find VLC.app/Contents/MacOS/share/lua/* -name *luac -type f -exec codesign 
--force -s "$IDENTITY" $OPTIONS '{}' \;
+else
+    info "Signing the executable"
+    codesign --force --sign "$IDENTITY" $OPTIONS --requirements "=designated 
=> anchor apple generic  and identifier \"org.videolan.vlc\" and ((cert 
leaf[field.1.2.840.113635.100.6.1.9] exists) or ( certificate 
1[field.1.2.840.113635.100.6.2.6] exists and certificate 
leaf[field.1.2.840.113635.100.6.1.13] exists  and certificate leaf[subject.OU] 
= \"75GAHG3SZQ\" ))" VLC.app/Contents/MacOS/VLC
 
-info "Signing the libraries"
-find VLC.app/Contents/MacOS/lib/* -type f -exec codesign -s "$IDENTITY" 
$OPTIONS '{}' \;
+    info "Signing the modules"
+    find VLC.app/Contents/MacOS/plugins/* -type f -exec codesign --force -s 
"$IDENTITY" $OPTIONS --requirements "=designated => anchor apple generic  and 
identifier \"org.videolan.vlc\" and ((cert leaf[field.1.2.840.113635.100.6.1.9] 
exists) or ( certificate 1[field.1.2.840.113635.100.6.2.6] exists and 
certificate leaf[field.1.2.840.113635.100.6.1.13] exists  and certificate 
leaf[subject.OU] = \"75GAHG3SZQ\" ))" '{}' \;
 
-info "Signing the lua stuff"
-find VLC.app/Contents/MacOS/share/lua/* -type f -exec codesign -s "$IDENTITY" 
$OPTIONS '{}' \;
+    info "Signing the libraries"
+    find VLC.app/Contents/MacOS/lib/* -type f -exec codesign --force -s 
"$IDENTITY" $OPTIONS --requirements "=designated => anchor apple generic  and 
identifier \"org.videolan.vlc\" and ((cert leaf[field.1.2.840.113635.100.6.1.9] 
exists) or ( certificate 1[field.1.2.840.113635.100.6.2.6] exists and 
certificate leaf[field.1.2.840.113635.100.6.1.13] exists  and certificate 
leaf[subject.OU] = \"75GAHG3SZQ\" ))" '{}' \;
+
+    info "Signing the lua stuff"
+    find VLC.app/Contents/MacOS/share/lua/* -name *luac -type f -exec codesign 
--force -s "$IDENTITY" $OPTIONS --requirements "=designated => anchor apple 
generic  and identifier \"org.videolan.vlc\" and ((cert 
leaf[field.1.2.840.113635.100.6.1.9] exists) or ( certificate 
1[field.1.2.840.113635.100.6.2.6] exists and certificate 
leaf[field.1.2.840.113635.100.6.1.13] exists  and certificate leaf[subject.OU] 
= \"75GAHG3SZQ\" ))" '{}' \;
+fi
 
 info "all items signed, validating..."
 
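Review bot: `-name *luac` is unquoted in both lua `find` calls in this hunk and again in the validation hunk below, so the shell expands the pattern against the working directory before find sees it. If anything there matches, find receives a different pattern or extra operands, and compiled Lua files can be skipped by signing and by validation alike without any error; write `-name '*luac'`. The designated-requirement string is also pasted four times in the `-g` branch with the team OU hard-coded; holding it once in a variable, e.g. `REQ='=designated => ...'` passed as `--requirements "$REQ"`, keeps a later edit from leaving one class of files with a different requirement. That requirement pins `identifier "org.videolan.vlc"` for plugins and libraries too, which presumably only holds if those files are signed with that identifier, so it is worth confirming that `codesign --verify` accepts them.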
@@ -84,6 +102,6 @@ info "Validating libraries"
 find VLC.app/Contents/MacOS/lib/* -type f -exec codesign --verify '{}' \;
 
 info "Validating lua stuff"
-find VLC.app/Contents/MacOS/share/lua/* -type f -exec codesign --verify '{}' \;
+find VLC.app/Contents/MacOS/share/lua/* -name *luac -type f -exec codesign 
--verify '{}' \;
 
 info "Validation complete"
