macOS: enable hardened runtime when signing

hardened runtime is prerequisite for notarizing apps, which in turn is required for new developer IDs with 10.14.5 already and will be required for all software to run in future versions of macOS https://developer.apple.com/documentation/security/notarizing_your_app_before_distribution Change-Id: Ifdf73fb5901be5dd0b62e1a51dee6e57c9816e5f Reviewed-on: https://gerrit.libreoffice.org/73246 Tested-by: Jenkins Reviewed-by: Christian Lohmaier <lohmaier+LibreOffice@googlemail.com>

macOS: enable hardened runtime when signing
hardened runtime is prerequisite for notarizing apps, which in turn is required for new developer IDs with 10.14.5 already and will be required for all software to run in future versions of macOS https://developer.apple.com/documentation/security/notarizing_your_app_before_distribution Change-Id: Ifdf73fb5901be5dd0b62e1a51dee6e57c9816e5f Reviewed-on: https://gerrit.libreoffice.org/73246 Tested-by: Jenkins Reviewed-by: Christian Lohmaier <lohmaier+LibreOffice@googlemail.com>
c98b1f1c · Christian Lohmaier · 1ee64eb3 · c98b1f1c · c98b1f1c · c98b1f1c
Kaydet (Commit) c98b1f1c authored May 31, 2019 tarafından Christian Lohmaier
Hide whitespace changes
Inline Side-by-side

Showing with 25 additions and 6 deletions

hardened_runtime.xcent hardened_runtime.xcent +15 -0

macosx-codesign-app-bundle solenv/bin/macosx-codesign-app-bundle +9 -5

macosx.mk solenv/gbuild/platform/macosx.mk +1 -1

No files found.
--- a/hardened_runtime.xcent
+++ b/hardened_runtime.xcent
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+    <dict>
+        <!-- AppleScript support -->
+        <key>com.apple.security.automation.apple-events</key>
+        <true/>
+        <!-- for extension manager, "exception in synchronize" -->
+        <key>com.apple.security.cs.disable-executable-page-protection</key>
+        <true/>
+        <!-- allow use of third-party plugins/frameworks (aka Java) -->
+        <key>com.apple.security.cs.disable-library-validation</key>
+        <true/>
+    </dict>
+</plist>
--- a/solenv/bin/macosx-codesign-app-bundle
+++ b/solenv/bin/macosx-codesign-app-bundle
@@ -36,7 +36,7 @@ if test -n "$ENABLE_MACOSX_SANDBOX"; then
    other_files=''
 else
    # We then want to sign data files, too, hmm.
-    entitlements=''
+    entitlements="--entitlements $SRCDIR/hardened_runtime.xcent"
    other_files="\
 -or -name '*.fodt' -or -name 'schema.strings' -or -name 'schema.xml' \
 -or -name '*.jar' -or -name 'LICENSE' -or -name 'LICENSE.html' \
@@ -83,7 +83,7 @@ while read app; do
    fn=${fn%.*}
    # Assume the app has a XML (and not binary) Info.plist
    id=`grep -A 1 '<key>CFBundleIdentifier</key>' $app/Contents/Info.plist | tail -1 | sed -e 's,.*<string>,,' -e 's,</string>.*,,'`
-    codesign --verbose --force --identifier=$id --sign "$MACOSX_CODESIGNING_IDENTITY" $entitlements "$app" > "/tmp/codesign_${fn}.log" 2>&1
+    codesign --verbose --options=runtime --force --identifier=$id --sign "$MACOSX_CODESIGNING_IDENTITY" $entitlements "$app" > "/tmp/codesign_${fn}.log" 2>&1
    if [ "$?" != "0" ] ; then
 	exit 1
    fi
@@ -100,7 +100,11 @@ while read framework; do
        if test ! -L "$version" -a -d "$version"; then
 	    # Assume the framework has a XML (and not binary) Info.plist
 	    id=`grep -A 1 '<key>CFBundleIdentifier</key>' $version/Resources/Info.plist | tail -1 | sed -e 's,.*<string>,,' -e 's,</string>.*,,'`
-            codesign --verbose --force --identifier=$id --sign "$MACOSX_CODESIGNING_IDENTITY" "$version" > "/tmp/codesign_${fn}.log" 2>&1
+            # files in bin are not covered by signing the framework...
+            for scriptorexecutable in $(find $version/bin/ -type f); do
+                codesign --verbose --options=runtime --force --identifier=$id --sign "$MACOSX_CODESIGNING_IDENTITY" "$scriptorexecutable" >> "/tmp/codesign_${fn}.log" 2>&1
+            done
+            codesign --verbose --force --identifier=$id --sign "$MACOSX_CODESIGNING_IDENTITY" "$version" >> "/tmp/codesign_${fn}.log" 2>&1
 	    if [ "$?" != "0" ] ; then
 		exit 1
 	    fi
@@ -129,7 +133,7 @@ while read file; do
 	    ;;
 	*)
 	    id=`echo ${file#${APP_BUNDLE}/Contents/} | sed -e 's,/,.,g'`
-	    codesign --force --verbose --identifier=$MACOSX_BUNDLE_IDENTIFIER.$id --sign "$MACOSX_CODESIGNING_IDENTITY" $entitlements "$file"  > "/tmp/codesign_${MACOSX_BUNDLE_IDENTIFIER}.${id}.log" 2>&1
+	    codesign --force --verbose --options=runtime --identifier=$MACOSX_BUNDLE_IDENTIFIER.$id --sign "$MACOSX_CODESIGNING_IDENTITY" $entitlements "$file"  > "/tmp/codesign_${MACOSX_BUNDLE_IDENTIFIER}.${id}.log" 2>&1
 	    if [ "$?" != "0" ] ; then
 		exit 1
 	    fi
@@ -152,7 +156,7 @@ done
 id=`echo ${PRODUCTNAME} | tr ' ' '-'`
-codesign --force --verbose --identifier="${MACOSX_BUNDLE_IDENTIFIER}" --sign "$MACOSX_CODESIGNING_IDENTITY" $entitlements "$APP_BUNDLE" > "/tmp/codesign_${MACOSX_BUNDLE_IDENTIFIER}.log" 2>&1
+codesign --force --verbose --options=runtime --identifier="${MACOSX_BUNDLE_IDENTIFIER}" --sign "$MACOSX_CODESIGNING_IDENTITY" $entitlements "$APP_BUNDLE" > "/tmp/codesign_${MACOSX_BUNDLE_IDENTIFIER}.log" 2>&1
 if [ "$?" != "0" ] ; then
    exit 1
 fi

--- a/solenv/gbuild/platform/macosx.mk
+++ b/solenv/gbuild/platform/macosx.mk
@@ -132,7 +132,7 @@ $(call gb_Helper_abbreviate_dirs,\
 	$(if $(MACOSX_CODESIGNING_IDENTITY), \
 		$(if $(filter Executable,$(TARGETTYPE)), \
 			$(if $(filter-out $(call gb_Executable_get_target,soffice_bin),$(1)), \
-				codesign --identifier=$(MACOSX_BUNDLE_IDENTIFIER).$(notdir $(1)) --sign $(MACOSX_CODESIGNING_IDENTITY) --force $(1) &&))) \
+				codesign --identifier=$(MACOSX_BUNDLE_IDENTIFIER).$(notdir $(1)) --sign $(MACOSX_CODESIGNING_IDENTITY) --options=runtime --force $(1) &&))) \
 	$(if $(filter Library,$(TARGETTYPE)),\
 		otool -l $(1) | grep -A 5 LC_ID_DYLIB \
 			> $(WORKDIR)/LinkTarget/$(2).exports.tmp && \