Branch: refs/heads/master
Author: Jiří Techet techet@gmail.com
Committer: Jiří Techet techet@gmail.com
Date: Sun, 09 Jun 2019 09:34:43 UTC
Commit: 92fba7de40b0f437bc6c49d164d1235788994d26
https://github.com/geany/geany-osx/commit/92fba7de40b0f437bc6c49d164d1235788...
Log Message:
-----------
Properly sign Geany bundle and allow it to be notarized by Apple
This patch makes sure that all binaries inside the bundle are signed, the bundle is "hardened" and allows the bundle to be notarized by Apple. For details, see
https://developer.apple.com/documentation/security/notarizing_your_app_befor...
Modified Paths:
--------------
README.md
create_dmg.sh
geany.entitlements
notarize.sh
sign.sh
Modified: README.md 15 lines changed, 13 insertions(+), 2 deletions(-) =================================================================== @@ -199,10 +199,10 @@ Bundling checking for "Developer ID Application" - the whole name in apostrophes is the certificate name.
- Then run + Then, run
``` - codesign -s "$SIGN_CERTIFICATE" --deep --force ./Geany.app + ./sign.sh ```
@@ -223,6 +223,17 @@ Distribution from within the `geany-osx` directory. If the `SIGN_CERTIFICATE` variable is defined, the image gets signed by the specified certificate.
+3. Optionally, to get the image notarized by + [Apple notary service](https://developer.apple.com/documentation/security/notarizing_your_app_befor...), + run + ``` + ./notarize.sh <dmg_file> <apple_id> <pwd_file> + ``` + where `<dmg_file>` is the dmg file generated above, `<apple_id>` is + the Apple ID used for your developer account, and `<pwd_file>` is + a file containing an [app-specific password](https://support.apple.com/en-us/HT204397) + generated for your Apple ID. + Maintenance ----------- This section describes some maintenance-related activities which do not
Modified: create_dmg.sh 4 lines changed, 2 insertions(+), 2 deletions(-) =================================================================== @@ -27,7 +27,7 @@ create-dmg \
rm -rf "${TMPDIR}"
-if [ -n "$APPLICATION_CERT" ] +if [ -n "$SIGN_CERTIFICATE" ] then - codesign -s "$SIGN_CERTIFICATE" "$DMGNAME" + codesign -s "$SIGN_CERTIFICATE" --options runtime "$DMGNAME" fi
Modified: geany.entitlements 6 lines changed, 6 insertions(+), 0 deletions(-) =================================================================== @@ -0,0 +1,6 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> +<plist version="1.0"> +<dict> +</dict> +</plist>
Modified: notarize.sh 33 lines changed, 33 insertions(+), 0 deletions(-) =================================================================== @@ -0,0 +1,33 @@ +#!/bin/sh +# +# Modified version of +# https://github.com/thommcgrath/Beacon/blob/master/Installers/Mac/Build.sh + +DMGFILE="${1}" +APPLEID="${2}" +# file containing app-specific password, see https://support.apple.com/en-us/HT204397 +PASSWORD=`cat ${3}` +BUNDLEID="org.geany.geany" + +echo "Uploading disk image for notarization. This can take a while."; +xcrun altool --notarize-app -f "${DMGFILE}" --primary-bundle-id "${BUNDLEID}" -u "${APPLEID}" -p "${PASSWORD}" > ${TMPDIR}notarize_output 2>&1 || { cat ${TMPDIR}notarize_output; rm -f ${TMPDIR}notarize_output; exit $?; }; +cat ${TMPDIR}notarize_output; +REQUESTUUID=$(sed -n 's/RequestUUID = (.*)/\1/p' ${TMPDIR}notarize_output); +echo "Disk image has been uploaded. Request UUID is ${REQUESTUUID}. Checking status every 10 seconds:"; +STATUS="in progress"; +while [ "${STATUS}" = "in progress" ]; do + sleep 10s; + xcrun altool --notarization-info "${REQUESTUUID}" -u "${APPLEID}" -p "${PASSWORD}" > ${TMPDIR}notarize_output 2>&1 || { cat ${TMPDIR}notarize_output; rm -f ${TMPDIR}notarize_output; echo "Failed to check on notarization status."; exit $?; }; + STATUS=$(sed -ne 's/^[[:space:]]*Status: (.*)$/\1/p' ${TMPDIR}notarize_output); + echo "Status: ${STATUS}" +done; +if [ "${STATUS}" = "success" ]; then + echo "Stapling file."; + xcrun stapler staple "${DMGFILE}"; +else + cat ${TMPDIR}notarize_output; + rm -f ${TMPDIR}notarize_output; + echo "Disk image WAS NOT NOTARIZED, status is ${STATUS}."; + exit 1; +fi; +rm -f ${TMPDIR}notarize_output;
Modified: sign.sh 11 lines changed, 11 insertions(+), 0 deletions(-) =================================================================== @@ -0,0 +1,11 @@ +#!/bin/sh + +sign() { + codesign -s "$SIGN_CERTIFICATE" --entitlements geany.entitlements --deep --force --strict=all --options runtime -vvv $1 +} +export -f sign + +sign "./Geany.app/Contents/MacOS/geany-bin" +sign "./Geany.app/Contents/Resources/libexec/gnome-pty-helper" +find . -name "*.dylib" -o -name "*.so" -exec sh -c 'sign "$0"' {} ; +sign "./Geany.app"
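Review bot: in the README.md hunk, the new instruction "Then, run ./sign.sh" silently depends on `SIGN_CERTIFICATE` being exported, whereas the removed line showed `codesign -s "$SIGN_CERTIFICATE"` explicitly; add a sentence before the command saying the variable must be set and exported, otherwise `sign.sh` runs `codesign -s ""` and fails with an unhelpful error. The new step 3 should also say that `<pwd_file>` holds an app-specific password in plaintext and ought to be readable only by the owner.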
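Review bot: in the create_dmg.sh hunk, the guard change from `$APPLICATION_CERT` to `$SIGN_CERTIFICATE` is a bug fix, not a rename: the old code tested one variable and signed with another, so the image was only signed when both happened to be set, and the commit message should mention this. The added `--options runtime` requests the hardened runtime, which governs executable code rather than a disk image; if it is kept here for consistency with sign.sh, a short comment saying so would stop a later reader from treating it as a mistake.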
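Review bot: in the geany.entitlements hunk the plist body is an empty `<dict>`, which is the correct least-privilege baseline for the hardened runtime (no exception entitlements such as library-validation or JIT relaxations are granted); add an XML comment inside the file stating that the empty dictionary is deliberate, so nobody "fixes" it, and require that any entitlement added later be justified in the commit that adds it.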
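Review bot: in the notarize.sh hunk, both error branches end with `exit $?` after `cat` and `rm -f`, so the status returned is that of `rm -f` (normally 0) and a failed `altool` upload or status check exits successfully; capture the code first, e.g. `|| { rc=$?; cat ${TMPDIR}notarize_output; rm -f ${TMPDIR}notarize_output; exit $rc; }`. Passing the app-specific password as `-p "${PASSWORD}"` also puts it on the command line, where any local user can read it from `ps` for the whole upload; `altool` accepts `-p @env:VARNAME` or `-p @keychain:ITEMNAME`, which avoids that. Two smaller points: `${TMPDIR}notarize_output` is unquoted and lands in the working directory when `TMPDIR` is unset, so `mktemp` is the safer choice, and the sed pattern `RequestUUID = (.*)` uses unescaped parentheses, which a basic regex treats literally, so `\1` never matches; it needs `\(.*\)` unless the mailer stripped the backslashes (the `-exec ... {} ;` in sign.sh suggests it may have).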
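Review bot: in the sign.sh hunk, the `find` expression `-name "*.dylib" -o -name "*.so" -exec sh -c 'sign "$0"' {} ;` parses as `-name "*.dylib" -o ( -name "*.so" -exec ... )`, so `-exec` only runs for `.so` files and no `.dylib` is passed to `sign` (they are then only covered by the final `--deep` pass over the bundle); group the names with `\( -name "*.dylib" -o -name "*.so" \)`. The search is also rooted at `.` rather than `./Geany.app`, so any matching file elsewhere in the working tree gets signed too. In `sign()`, `$1` is unquoted in the `codesign` call and should be `"$1"` so paths with spaces work, and `export -f` is a bash extension that `#!/bin/sh` does not guarantee; iterating over the `find` output inside the script and calling `sign` directly avoids depending on it.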
-------------- This E-Mail was brought to you by github_commit_mail.py (Source: https://github.com/geany/infrastructure).