[geany/geany-osx] 92fba7: Properly sign Geany bundle and allow it to be notarized by Apple

Jiří Techet git-noreply at xxxxx
Sun Jun 9 09:34:43 UTC 2019


Branch:      refs/heads/master
Author:      Jiří Techet <techet at gmail.com>
Committer:   Jiří Techet <techet at gmail.com>
Date:        Sun, 09 Jun 2019 09:34:43 UTC
Commit:      92fba7de40b0f437bc6c49d164d1235788994d26
             https://github.com/geany/geany-osx/commit/92fba7de40b0f437bc6c49d164d1235788994d26

Log Message:
-----------
Properly sign Geany bundle and allow it to be notarized by Apple

This patch makes sure that all binaries inside the bundle are signed,
the bundle is "hardened" and allows the bundle to be notarized by
Apple. For details, see

https://developer.apple.com/documentation/security/notarizing_your_app_before_distribution


Modified Paths:
--------------
    README.md
    create_dmg.sh
    geany.entitlements
    notarize.sh
    sign.sh

Modified: README.md
15 lines changed, 13 insertions(+), 2 deletions(-)
===================================================================
@@ -199,10 +199,10 @@ Bundling
 	checking  for "Developer ID Application" - the whole name in apostrophes is
 	the certificate name.
 
-	Then run
+	Then, run
 
 	```
-	codesign -s "$SIGN_CERTIFICATE" --deep --force ./Geany.app
+	./sign.sh
 	```
 
 
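Review bot: `./sign.sh` is introduced without saying where it has to be run from; the script resolves `./Geany.app` and `geany.entitlements` relative to the current directory, so it only works from the `geany-osx` checkout. The Distribution section already says "from within the `geany-osx` directory" for `create_dmg.sh`; the same phrase should follow `./sign.sh` here. It would also help to say that `SIGN_CERTIFICATE` must be exported, not merely set: the old instruction substituted the variable into a command typed in the same shell, whereas `sign.sh` is a child process that only sees it if exported.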
@@ -223,6 +223,17 @@ Distribution
 	from within the `geany-osx` directory. If the `SIGN_CERTIFICATE` variable is
 	defined, the image gets signed by the specified certificate.
 
+3.	Optionally, to get the image notarized by
+	[Apple notary service](https://developer.apple.com/documentation/security/notarizing_your_app_before_distribution),
+	run
+	```
+	./notarize.sh <dmg_file> <apple_id> <pwd_file>
+	```
+	where `<dmg_file>` is the dmg file generated above, `<apple_id>` is
+	the Apple ID used for your developer account, and `<pwd_file>` is
+	a file containing an [app-specific password](https://support.apple.com/en-us/HT204397)
+	generated for your Apple ID.
+
 Maintenance
 -----------
 This section describes some maintenance-related activities which do not


Modified: create_dmg.sh
4 lines changed, 2 insertions(+), 2 deletions(-)
===================================================================
@@ -27,7 +27,7 @@ create-dmg \
 
 rm -rf "${TMPDIR}"
 
-if [ -n "$APPLICATION_CERT" ]
+if [ -n "$SIGN_CERTIFICATE" ]
 then
-	codesign -s "$SIGN_CERTIFICATE" "$DMGNAME"
+	codesign -s "$SIGN_CERTIFICATE" --options runtime "$DMGNAME"
 fi
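Review bot: the variable-name fix is the substantive change here: the old `if [ -n "$APPLICATION_CERT" ]` guarded a command that used `SIGN_CERTIFICATE`, so unless both happened to be set the image was silently shipped unsigned. Now that the test and the command agree, consider adding an `else` branch that prints a warning ("SIGN_CERTIFICATE not set, image left unsigned"), because an unsigned dmg otherwise looks identical to a signed one at this point in the build and the problem only surfaces at notarization or on a user's machine.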


Modified: geany.entitlements
6 lines changed, 6 insertions(+), 0 deletions(-)
===================================================================
@@ -0,0 +1,6 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+</dict>
+</plist>
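Review bot: an empty `<dict>` is the strictest hardened-runtime configuration (no exceptions requested), which is the right default for an editor, but the file carries no comment explaining that. With `--options runtime` and no library-validation exception, the process can only load libraries signed by the same Team ID or by Apple; that is satisfied for everything `sign.sh` covers inside the bundle, but any `.so` or `.dylib` that is not inside `Geany.app` and signed with the same certificate will be refused at load time. A short comment in this file (or a line in the README) saying that every plugin or library must live inside the bundle and go through `sign.sh` would save the next maintainer a debugging session.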


Modified: notarize.sh
33 lines changed, 33 insertions(+), 0 deletions(-)
===================================================================
@@ -0,0 +1,33 @@
+#!/bin/sh
+#
+# Modified version of
+# https://github.com/thommcgrath/Beacon/blob/master/Installers/Mac/Build.sh
+
+DMGFILE="${1}"
+APPLEID="${2}"
+# file containing app-specific password, see https://support.apple.com/en-us/HT204397
+PASSWORD=`cat ${3}`
+BUNDLEID="org.geany.geany"
+
+echo "Uploading disk image for notarization. This can take a while.";
+xcrun altool --notarize-app -f "${DMGFILE}" --primary-bundle-id "${BUNDLEID}" -u "${APPLEID}" -p "${PASSWORD}" > ${TMPDIR}notarize_output 2>&1 || { cat ${TMPDIR}notarize_output; rm -f ${TMPDIR}notarize_output; exit $?; };
+cat ${TMPDIR}notarize_output;
+REQUESTUUID=$(sed -n 's/RequestUUID = \(.*\)/\1/p' ${TMPDIR}notarize_output);
+echo "Disk image has been uploaded. Request UUID is ${REQUESTUUID}. Checking status every 10 seconds:";
+STATUS="in progress";
+while [ "${STATUS}" = "in progress" ]; do
+	sleep 10s;
+	xcrun altool --notarization-info "${REQUESTUUID}" -u "${APPLEID}" -p "${PASSWORD}" > ${TMPDIR}notarize_output 2>&1 || { cat ${TMPDIR}notarize_output; rm -f ${TMPDIR}notarize_output; echo "Failed to check on notarization status."; exit $?; };
+	STATUS=$(sed -ne 's/^[[:space:]]*Status: \(.*\)$/\1/p' ${TMPDIR}notarize_output);
+	echo "Status: ${STATUS}"
+done;
+if [ "${STATUS}" = "success" ]; then
+	echo "Stapling file.";
+	xcrun stapler staple "${DMGFILE}";
+else
+	cat ${TMPDIR}notarize_output;
+	rm -f ${TMPDIR}notarize_output;
+	echo "Disk image WAS NOT NOTARIZED, status is ${STATUS}.";
+	exit 1;
+fi;
+rm -f ${TMPDIR}notarize_output;
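Review bot: both error handlers exit with the wrong status. In `|| { cat ${TMPDIR}notarize_output; rm -f ${TMPDIR}notarize_output; exit $?; }` the `$?` is the status of the preceding `rm -f`, so a failed upload or a failed status query makes the script exit 0 and a calling build script sees success. Capture the status first: `rc=$?; cat ...; rm -f ...; exit $rc`. Separately, `PASSWORD=\`cat ${3}\`` followed by `-p "${PASSWORD}"` puts the app-specific password on altool's command line, where it is visible in the process list to every local user for the whole upload; altool accepts `-p @env:VARNAME` and `-p @keychain:NAME`, so exporting the value and passing `@env:` keeps it out of `ps`. Finally, `${TMPDIR}notarize_output` assumes `TMPDIR` is set and ends in a slash; if it is unset the file is written to the current directory.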


Modified: sign.sh
11 lines changed, 11 insertions(+), 0 deletions(-)
===================================================================
@@ -0,0 +1,11 @@
+#!/bin/sh
+
+sign() {
+	codesign -s "$SIGN_CERTIFICATE" --entitlements geany.entitlements --deep --force --strict=all --options runtime -vvv $1
+}
+export -f sign
+
+sign "./Geany.app/Contents/MacOS/geany-bin"
+sign "./Geany.app/Contents/Resources/libexec/gnome-pty-helper"
+find . -name "*.dylib" -o -name "*.so" -exec sh -c 'sign "$0"' {} \;
+sign "./Geany.app"
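Review bot: the `find` line does not sign `.dylib` files. `-a` binds tighter than `-o`, so `-name "*.dylib" -o -name "*.so" -exec ...` parses as `-name "*.dylib" -o ( -name "*.so" -a -exec ... )`, and `-exec` runs only for `.so` matches; `.dylib` files evaluate true and nothing happens. Group the tests: `find . \( -name "*.dylib" -o -name "*.so" \) -exec sh -c 'sign "$0"' {} \;`. While there, quote the argument in `sign()` (`-vvv "$1"`) so a path containing a space is signed rather than split, and note that `export -f` and the function import in the `sh -c` child are bash extensions, not POSIX sh, so the `#!/bin/sh` shebang only works where `/bin/sh` is bash.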



--------------
This E-Mail was brought to you by github_commit_mail.py (Source: https://github.com/geany/infrastructure).

