Tools: Add entitlements to MacOS signing

2023-10-31 16:47:22 -05:00
parent 8f933f509f
commit 62006d89bc
2 changed files with 32 additions and 40 deletions
--- a/src/Tools/entitlements.plist
+++ b/src/Tools/entitlements.plist
@@ -0,0 +1,8 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+	<key>com.apple.security.cs.disable-library-validation</key>
+	<true/>
+</dict>
+</plist>
--- a/src/Tools/macos_sign_and_notarize.sh
+++ b/src/Tools/macos_sign_and_notarize.sh
@@ -17,62 +17,46 @@
 # script.

 # CONFIGURATION OPTIONS
-CONTAINING_FOLDER="FreeCAD-0.21-RC1-x86" # Must contain FreeCAD.app and nothing else
-ARCH="intel_x86" # intel_x86 or arm64
+CONTAINING_FOLDER="FreeCAD_0.21.1_arm64" # Must contain FreeCAD.app and nothing else
+ARCH="arm64" # intel_x86 or arm64
 VERSION_MAJOR="0"
 VERSION_MINOR="21"
-VERSION_PATCH="0"
-VERSION_SUFFIX="RC1" # e.g. alpha, beta, RC1, RC2, release
+VERSION_PATCH="1"
+VERSION_SUFFIX="" # e.g. alpha, beta, RC1, RC2, release

+function run_codesign {
+    echo "Signing $1"
+    codesign --options runtime -f -s ${FREECAD_SIGNING_KEY_ID} --timestamp --entitlements entitlements.plist $1
+}

-# Sign all library files
-codesign --options runtime -f -s ${FREECAD_SIGNING_KEY_ID} --timestamp `find ${CONTAINING_FOLDER}/FreeCAD.app -name "*.dylib"`
-codesign --options runtime -f -s ${FREECAD_SIGNING_KEY_ID} --timestamp `find ${CONTAINING_FOLDER}/FreeCAD.app -name "*.so"`
+IFS=$'\n'
+dylibs=($(find ${CONTAINING_FOLDER}/FreeCAD.app -name "*.dylib"))
+shared_objects=($(find ${CONTAINING_FOLDER}/FreeCAD.app -name "*.so"))
+executables=($(file `find . -type f -perm +111 -print` | grep "Mach-O 64-bit executable" | sed 's/:.*//g'))
+IFS=$' \t\n' # The default
+
+signed_files=("${dylibs[@]}" "${shared_objects[@]}" "${executables[@]}")

 # This list of files is generated from:
-# file `find . -type f -perm +111 -print` | grep "Mach-O 64-bit executable"
-codesign --options runtime -f -s ${FREECAD_SIGNING_KEY_ID} --timestamp ${CONTAINING_FOLDER}/FreeCAD.app/Contents/Resources/bin/freecadcmd
-codesign --options runtime -f -s ${FREECAD_SIGNING_KEY_ID} --timestamp ${CONTAINING_FOLDER}/FreeCAD.app/Contents/Resources/bin/python
-codesign --options runtime -f -s ${FREECAD_SIGNING_KEY_ID} --timestamp ${CONTAINING_FOLDER}/FreeCAD.app/Contents/Resources/bin/ccx
-codesign --options runtime -f -s ${FREECAD_SIGNING_KEY_ID} --timestamp ${CONTAINING_FOLDER}/FreeCAD.app/Contents/Resources/bin/freecad
-codesign --options runtime -f -s ${FREECAD_SIGNING_KEY_ID} --timestamp ${CONTAINING_FOLDER}/FreeCAD.app/Contents/Resources/libexec/QtWebEngineProcess
-codesign --options runtime -f -s ${FREECAD_SIGNING_KEY_ID} --timestamp ${CONTAINING_FOLDER}/FreeCAD.app/Contents/Resources/libexec/gstreamer-1.0/gst-hotdoc-plugins-scanner
-codesign --options runtime -f -s ${FREECAD_SIGNING_KEY_ID} --timestamp ${CONTAINING_FOLDER}/FreeCAD.app/Contents/Resources/libexec/gstreamer-1.0/gst-plugin-scanner
-codesign --options runtime -f -s ${FREECAD_SIGNING_KEY_ID} --timestamp ${CONTAINING_FOLDER}/FreeCAD.app/Contents/Resources/libexec/gstreamer-1.0/gst-ptp-helper
-codesign --options runtime -f -s ${FREECAD_SIGNING_KEY_ID} --timestamp ${CONTAINING_FOLDER}/FreeCAD.app/Contents/Resources/libexec/p11-kit/p11-kit-server
-codesign --options runtime -f -s ${FREECAD_SIGNING_KEY_ID} --timestamp ${CONTAINING_FOLDER}/FreeCAD.app/Contents/Resources/libexec/p11-kit/p11-kit-remote
-codesign --options runtime -f -s ${FREECAD_SIGNING_KEY_ID} --timestamp ${CONTAINING_FOLDER}/FreeCAD.app/Contents/Resources/sbin/kproplog
-codesign --options runtime -f -s ${FREECAD_SIGNING_KEY_ID} --timestamp ${CONTAINING_FOLDER}/FreeCAD.app/Contents/Resources/sbin/krb5kdc
-codesign --options runtime -f -s ${FREECAD_SIGNING_KEY_ID} --timestamp ${CONTAINING_FOLDER}/FreeCAD.app/Contents/Resources/sbin/gss-server
-codesign --options runtime -f -s ${FREECAD_SIGNING_KEY_ID} --timestamp ${CONTAINING_FOLDER}/FreeCAD.app/Contents/Resources/sbin/sserver
-codesign --options runtime -f -s ${FREECAD_SIGNING_KEY_ID} --timestamp ${CONTAINING_FOLDER}/FreeCAD.app/Contents/Resources/sbin/kprop
-codesign --options runtime -f -s ${FREECAD_SIGNING_KEY_ID} --timestamp ${CONTAINING_FOLDER}/FreeCAD.app/Contents/Resources/sbin/kadmin.local
-codesign --options runtime -f -s ${FREECAD_SIGNING_KEY_ID} --timestamp ${CONTAINING_FOLDER}/FreeCAD.app/Contents/Resources/sbin/kdb5_util
-codesign --options runtime -f -s ${FREECAD_SIGNING_KEY_ID} --timestamp ${CONTAINING_FOLDER}/FreeCAD.app/Contents/Resources/sbin/kpropd
-codesign --options runtime -f -s ${FREECAD_SIGNING_KEY_ID} --timestamp ${CONTAINING_FOLDER}/FreeCAD.app/Contents/Resources/sbin/sim_server
-codesign --options runtime -f -s ${FREECAD_SIGNING_KEY_ID} --timestamp ${CONTAINING_FOLDER}/FreeCAD.app/Contents/Resources/sbin/kadmind
-codesign --options runtime -f -s ${FREECAD_SIGNING_KEY_ID} --timestamp ${CONTAINING_FOLDER}/FreeCAD.app/Contents/Resources/sbin/uuserver
-codesign --options runtime -f -s ${FREECAD_SIGNING_KEY_ID} --timestamp ${CONTAINING_FOLDER}/FreeCAD.app/Contents/Resources/lib/pgxs/src/test/regress/pg_regress
-codesign --options runtime -f -s ${FREECAD_SIGNING_KEY_ID} --timestamp ${CONTAINING_FOLDER}/FreeCAD.app/Contents/Resources/lib/pgxs/src/test/isolation/isolationtester
-codesign --options runtime -f -s ${FREECAD_SIGNING_KEY_ID} --timestamp ${CONTAINING_FOLDER}/FreeCAD.app/Contents/Resources/lib/pgxs/src/test/isolation/pg_isolation_regress
-codesign --options runtime -f -s ${FREECAD_SIGNING_KEY_ID} --timestamp ${CONTAINING_FOLDER}/FreeCAD.app/Contents/Resources/lib/gettext/urlget
-codesign --options runtime -f -s ${FREECAD_SIGNING_KEY_ID} --timestamp ${CONTAINING_FOLDER}/FreeCAD.app/Contents/Resources/lib/gettext/hostname
-codesign --options runtime -f -s ${FREECAD_SIGNING_KEY_ID} --timestamp ${CONTAINING_FOLDER}/FreeCAD.app/Contents/Resources/lib/gettext/cldr-plurals
+# file `find . -type f -perm +111 -print` | grep "Mach-O 64-bit executable" | sed 's/:.*//g'
+for exe in ${signed_files}; do
+    run_codesign "${exe}"
+done

 # Two additional files that must be signed that aren't caught by the above searches:
-codesign --options runtime -f -s ${FREECAD_SIGNING_KEY_ID} --timestamp ${CONTAINING_FOLDER}/FreeCAD.app/Contents/packages.txt
-codesign --options runtime -f -s ${FREECAD_SIGNING_KEY_ID} --timestamp ${CONTAINING_FOLDER}/FreeCAD.app/Contents/Library/QuickLook/QuicklookFCStd.qlgenerator/Contents/MacOS/QuicklookFCStd
+run_codesign "${CONTAINING_FOLDER}/FreeCAD.app/Contents/packages.txt"
+run_codesign "${CONTAINING_FOLDER}/FreeCAD.app/Contents/Library/QuickLook/QuicklookFCStd.qlgenerator/Contents/MacOS/QuicklookFCStd"

 # Finally, sign the app itself (must be done last)
-codesign --options runtime -f -s ${FREECAD_SIGNING_KEY_ID} --timestamp ${CONTAINING_FOLDER}/FreeCAD.app
+run_codesign "${CONTAINING_FOLDER}/FreeCAD.app"

 # Create a disk image from the folder
-DMG_NAME="FreeCAD-${VERSION_MAJOR}.${VERSION_MINOR}.${VERSION_PATCH}-${VERSION_SUFFIX}-mac-${ARCH}"
+DMG_NAME="FreeCAD-${VERSION_MAJOR}.${VERSION_MINOR}.${VERSION_PATCH}-mac-${ARCH}.dmg"
 echo "Creating disk image ${DMG_NAME}"
 hdiutil create -srcfolder "${CONTAINING_FOLDER}" "${DMG_NAME}"

 # Submit it for notarization (requires that an App Store API Key has been set up in the notarytool)
-xcrun notarytool submit --wait --keychain-profile "FreeCAD" ${DMG_NAME}.dmg
+xcrun notarytool submit --wait --keychain-profile "FreeCAD" ${DMG_NAME}

 # Assuming that notarization succeeded, it's a good practice to staple that notarization to the DMG
 xcrun stapler staple ${DMG_NAME}