macOS: Packaging and code signing updates.
Sign our bundle as described in Apple's Code Signing Guide. Enable the Hardened Runtime when signing. Look for packagemaker in our PATH before checking specific locations. Switch from zlib to bzip2 compression for our .dmg. Sign our .dmg. To do: Notarization. Change-Id: Ia6556e67998ff247dd3d77d6f040773e070f66cc Reviewed-on: https://code.wireshark.org/review/32032 Reviewed-by: Gerald Combs <gerald@wireshark.org>
parent
871d16a4de
commit
81338f1664
|
@ -448,27 +448,35 @@ for plugin in "$pkgplugin"/*/*.so ; do
|
|||
done
|
||||
|
||||
codesign_file () {
|
||||
# https://developer.apple.com/library/archive/documentation/Security/Conceptual/CodeSigningGuide/Procedures/Procedures.html
|
||||
# https://developer.apple.com/library/archive/technotes/tn2206/_index.html
|
||||
# https://developer.apple.com/documentation/security/notarizing_your_app_before_distribution/resolving_common_notarization_issues?language=objc
|
||||
#
|
||||
# XXX do we need to add hardened runtime entitlements or exceptions, e.g.
|
||||
# com.apple.security.cs.allow-unsigned-executable-memory for Lua?
|
||||
# https://developer.apple.com/documentation/security/hardened_runtime_entitlements?language=objc
|
||||
codesign \
|
||||
--sign "Developer ID Application: $CODE_SIGN_IDENTITY" \
|
||||
--options=runtime \
|
||||
--timestamp \
|
||||
--verbose \
|
||||
"$1"
|
||||
codesign --verify --verbose "$1" || exit 1
|
||||
}
|
||||
|
||||
if [ -n "$CODE_SIGN_IDENTITY" ] ; then
|
||||
security find-identity -v -s "$CODE_SIGN_IDENTITY" -p codesigning
|
||||
|
||||
echo "Signing secondary executables"
|
||||
if [ -z "$secondary_binary_list" ] ; then
|
||||
echo "No executables specified for code signing."
|
||||
exit 1
|
||||
fi
|
||||
for binary in $secondary_binary_list ; do
|
||||
if [ -e "$binary" ];then
|
||||
codesign_file "$binary"
|
||||
fi
|
||||
done
|
||||
# The Code Signing Guide says:
|
||||
#
|
||||
# "While you use the --deep option for verification to mimic what Gatekeeper does,
|
||||
# it is not recommended for signing. During signing, if you have nested code, and
|
||||
# if you are signing manually, you sign nested code in stages (as Xcode does
|
||||
# automatically), starting with the most deeply embedded components first. You
|
||||
# then sign code at the next level of hierarchy, and so on. You work your way
|
||||
# outward, finally signing the top level entity that contains all the others.
|
||||
# Signing all the components in one shot with --deep is for emergency repairs and
|
||||
# temporary adjustments only. Note that signing with the combination --deep
|
||||
# --force will forcibly re-sign all code in a bundle."
|
||||
|
||||
echo "Signing frameworks"
|
||||
for framework in "$pkglib"/*.framework/Versions/* ; do
|
||||
|
@ -486,19 +494,26 @@ if [ -n "$CODE_SIGN_IDENTITY" ] ; then
|
|||
codesign_file "$plugin"
|
||||
done
|
||||
|
||||
# Newer versions of codesign appear to require signing the primary
|
||||
# executable last, otherwise it returns the error
|
||||
#
|
||||
# Wireshark.app/Contents/MacOS/Wireshark: code object is not signed at all
|
||||
# In subcomponent: <some bit of unsigned code>
|
||||
echo "Signing secondary executables"
|
||||
if [ -z "$secondary_binary_list" ] ; then
|
||||
echo "No executables specified for code signing."
|
||||
exit 1
|
||||
fi
|
||||
for binary in $secondary_binary_list ; do
|
||||
if [ -e "$binary" ];then
|
||||
codesign_file "$binary"
|
||||
fi
|
||||
done
|
||||
|
||||
echo "Signing primary executable"
|
||||
codesign_file "$pkgexec/Wireshark"
|
||||
|
||||
echo "Signing $bundle"
|
||||
codesign_file "$bundle"
|
||||
|
||||
spctl --assess "$bundle" || exit 1
|
||||
|
||||
# Code Signing Guide, "Testing Conformance with Command Line Tools"
|
||||
codesign --verify --deep --strict --verbose=2 "$bundle" || exit 1
|
||||
spctl --assess --type exec --verbose=2 "$bundle" || exit 1
|
||||
else
|
||||
echo "Code signing not performed (no identity)"
|
||||
fi
|
||||
|
|
|
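Review bot: In `codesign_file` the signing command itself is never checked for failure — only the `codesign --verify --verbose "$1" || exit 1` that follows it is. If `codesign --sign` fails on a file that already carries a valid signature from an earlier build (or an ad-hoc one), `--verify` still succeeds and the stale signature ships under the new hardened-runtime expectations without any error; the fix is to terminate the sign invocation with `"$1" || exit 1` as the other commands in this script do. It would also be worth having the verify step confirm the signature was made with the intended identity, e.g. `codesign --verify --verbose -R="anchor apple generic and certificate leaf[subject.CN] = \"Developer ID Application: $CODE_SIGN_IDENTITY\"" "$1" || exit 1`, since a plain `--verify` accepts any valid signature. The `security find-identity -v -s "$CODE_SIGN_IDENTITY" -p codesigning` call at the top of the `if` block is likewise informational only; its output is not checked, so a typo in `CODE_SIGN_IDENTITY` surfaces later as a confusing codesign failure rather than up front.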
@ -43,36 +43,40 @@ volume_name="Wireshark"
|
|||
src_dir="."
|
||||
tmp_dir="/tmp/dmg-$$"
|
||||
auto_open_opt=
|
||||
packagemaker=$( type -p packagemaker || type -p PackageMaker )
|
||||
|
||||
if [ -f /Applications/Xcode.app/Contents/Applications/PackageMaker.app/Contents/MacOS/PackageMaker ]
|
||||
then
|
||||
#
|
||||
# Xcode 4 and later, with the "Auxiliary Tools for Xcode"
|
||||
# download from developer.apple.com. (There are no such
|
||||
# downloads for Mavericks or later, but PackageMaker from
|
||||
# the Late July 2012 download for Mountain Lion appears to
|
||||
# work on Yosemite.)
|
||||
#
|
||||
packagemaker=/Applications/Xcode.app//Contents/Applications/PackageMaker.app/Contents/MacOS/PackageMaker
|
||||
elif [ -f /Applications/Xcode.app/Developer/Tools/packagemaker ]
|
||||
then
|
||||
packagemaker=/Applications/Xcode.app/Developer/Tools/packagemaker
|
||||
elif [ -f /Applications/Xcode.app/Developer/usr/bin/packagemaker ]
|
||||
then
|
||||
packagemaker=/Applications/Xcode.app/Developer/usr/bin/packagemaker
|
||||
elif [ -f /Developer/Tools/packagemaker ]
|
||||
then
|
||||
packagemaker=/Developer/Tools/packagemaker
|
||||
elif [ -f /Developer/usr/bin/packagemaker ]
|
||||
then
|
||||
packagemaker=/Developer/usr/bin/packagemaker
|
||||
elif [ -f /usr/bin/packagemaker ]
|
||||
then
|
||||
packagemaker=/usr/bin/packagemaker
|
||||
elif [ -f /usr/local/bin/packagemaker ]
|
||||
then
|
||||
packagemaker=/usr/local/bin/packagemaker
|
||||
if [ -z "$packagemaker" ] ; then
|
||||
if [ -f /Applications/Xcode.app/Contents/Applications/PackageMaker.app/Contents/MacOS/PackageMaker ]
|
||||
then
|
||||
#
|
||||
# Xcode 4 and later, with the "Auxiliary Tools for Xcode"
|
||||
# download from developer.apple.com. (There are no such
|
||||
# downloads for Mavericks or later, but PackageMaker from
|
||||
# the Late July 2012 download for Mountain Lion appears to
|
||||
# work on Yosemite.)
|
||||
#
|
||||
packagemaker=/Applications/Xcode.app//Contents/Applications/PackageMaker.app/Contents/MacOS/PackageMaker
|
||||
elif [ -f /Applications/Xcode.app/Developer/Tools/packagemaker ]
|
||||
then
|
||||
packagemaker=/Applications/Xcode.app/Developer/Tools/packagemaker
|
||||
elif [ -f /Applications/Xcode.app/Developer/usr/bin/packagemaker ]
|
||||
then
|
||||
packagemaker=/Applications/Xcode.app/Developer/usr/bin/packagemaker
|
||||
elif [ -f /Developer/Tools/packagemaker ]
|
||||
then
|
||||
packagemaker=/Developer/Tools/packagemaker
|
||||
elif [ -f /Developer/usr/bin/packagemaker ]
|
||||
then
|
||||
packagemaker=/Developer/usr/bin/packagemaker
|
||||
elif [ -f /usr/bin/packagemaker ]
|
||||
then
|
||||
packagemaker=/usr/bin/packagemaker
|
||||
elif [ -f /usr/local/bin/packagemaker ]
|
||||
then
|
||||
packagemaker=/usr/local/bin/packagemaker
|
||||
fi
|
||||
fi
|
||||
|
||||
if [ -z "$packagemaker" ]
|
||||
then
|
||||
echo "$0: couldn't find PackageMaker" 1>&2
|
||||
|
@ -175,14 +179,19 @@ if [ -n "$CODE_SIGN_IDENTITY" ] ; then
|
|||
--sign "Developer ID Installer: $CODE_SIGN_IDENTITY" \
|
||||
--timestamp \
|
||||
"$pkg_file_unsigned" "$pkg_file" || exit 1
|
||||
# TN2206, "Checking Gatekeeper Conformance"
|
||||
spctl --assess --type install "$pkg_file" || exit 1
|
||||
pkgutil --check-signature "$pkg_file" || exit 1
|
||||
shasum "$pkg_file"
|
||||
shasum -a 256 "$pkg_file"
|
||||
rm -rf "$pkg_file_unsigned"
|
||||
else
|
||||
echo "Code signing not performed (no identity)"
|
||||
fi
|
||||
|
||||
# To do: Notarize our package.
|
||||
# https://developer.apple.com/documentation/security/notarizing_your_app_before_distribution/customizing_the_notarization_workflow?language=objc
|
||||
|
||||
echo -e "\\nCREATE WIRESHARK DISK IMAGE\\n"
|
||||
img_name="$pkg_title.dmg"
|
||||
|
||||
|
@ -264,13 +273,24 @@ if [ -e "$img_name" ]; then
|
|||
echo "$img_name already exists."
|
||||
rm -i "$img_name"
|
||||
fi
|
||||
/usr/bin/hdiutil convert "$rw_name" -format UDZO -imagekey zlib-level=9 -o "$img_name" || exit 1
|
||||
|
||||
# From the hdiutil man page:
|
||||
# UDZO - UDIF zlib-compressed image
|
||||
# ULFO - UDIF lzfse-compressed image (OS X 10.11+ only)
|
||||
# UDBZ - UDIF bzip2-compressed image (Mac OS X 10.4+ only)
|
||||
|
||||
/usr/bin/hdiutil convert "$rw_name" -format UDBZ -o "$img_name" || exit 1
|
||||
rm -f "$rw_name"
|
||||
|
||||
#if [ -n "$CODE_SIGN_IDENTITY" ] ; then
|
||||
# echo -e "Signing the $img_name"
|
||||
# codesign --sign "$CODE_SIGN_IDENTITY" --verbose "$img_name" || exit 1
|
||||
# codesign --verify --verbose "$img_name" || exit 1
|
||||
#fi
|
||||
# TN2206, "Signing Disk Images"
|
||||
if [ -n "$CODE_SIGN_IDENTITY" ] ; then
|
||||
echo -e "Signing $img_name"
|
||||
codesign \
|
||||
--sign "Developer ID Application: $CODE_SIGN_IDENTITY" \
|
||||
--timestamp \
|
||||
--verbose \
|
||||
"$img_name"
|
||||
spctl --assess --type open --context context:primary-signature --verbose=2 "$img_name" || exit 1
|
||||
fi
|
||||
|
||||
exit 0
|
||||
|
|
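Review bot: The new disk-image signing block runs `codesign --sign "Developer ID Application: $CODE_SIGN_IDENTITY" --timestamp --verbose "$img_name"` without checking its exit status, and unlike the .app and .pkg paths there is no `codesign --verify` step before `spctl --assess` — the commented-out block this replaces had one. `spctl` will reject an unsigned image, but a failed re-sign of an already-signed image would pass silently; suggest `"$img_name" || exit 1` followed by `codesign --verify --verbose "$img_name" || exit 1`, matching the pattern used for `$pkg_file`. The .pkg hunk also prints `shasum "$pkg_file"` (SHA-1) alongside the SHA-256 digest; if those lines are meant for release-verification output, consider dropping the SHA-1 line so only a collision-resistant digest is published.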