Ensure all binaries are securely signed and linked with the hardened runtime in the macOS bundle. Fixes #5060

Note that this is untested for automated builds, so may require further tweaks.
2020-01-03 09:56:45 +00:00 · 2020-01-03 09:56:45 +00:00 · f5afc51879
parent 01c7636c75
commit f5afc51879
4 changed files with 59 additions and 0 deletions
--- a/docs/en_US/release_notes_4_17.rst
+++ b/docs/en_US/release_notes_4_17.rst
@ -10,6 +10,7 @@ New features
 ************

 | `Issue #4764 <https://redmine.postgresql.org/issues/4764>`_ -  Allow screen-reader to read relationship attributes in nested elements.
+| `Issue #5060 <https://redmine.postgresql.org/issues/5060>`_ -  Ensure all binaries are securely signed and linked with the hardened runtime in the macOS bundle

 Housekeeping
 ************
--- a/pkg/mac/build.sh
+++ b/pkg/mac/build.sh
@ -223,6 +223,22 @@ _framework_config() {
    ./framework-config.sh "${BUILDROOT}/${APP_BUNDLE_NAME}" || { echo "framework-config.sh failed"; exit 1; }
 }

+_codesign_binaries() {
+    cd ${SOURCEDIR}/pkg/mac
+
+    if [ ! -f codesign.conf ]; then
+        echo
+        echo "******************************************************************"
+        echo "* codesign.conf not found. NOT signing the binaries."
+        echo "******************************************************************"
+        echo
+        sleep 5
+        return
+    fi
+
+    ./codesign-binaries.sh "${BUILDROOT}/${APP_BUNDLE_NAME}" || { echo codesign-binaries.sh failed; exit 1; }
+}
+
 _codesign_bundle() {
    cd ${SOURCEDIR}/pkg/mac

@ -268,6 +284,7 @@ _build_runtime || { echo Runtime build failed; exit 1; }
 _build_doc
 _complete_bundle
 _framework_config
+_codesign_binaries
 _codesign_bundle
 _create_dmg
 _codesign_dmg
--- a/pkg/mac/codesign-binaries.sh
+++ b/pkg/mac/codesign-binaries.sh
@ -0,0 +1,40 @@
+#!/bin/sh
+
+BUNDLE="$1"
+
+if ! test -d "${BUNDLE}" ; then
+	echo "${BUNDLE} is no bundle!" >&2
+	exit 1
+fi
+
+# Get the config
+source codesign.conf
+
+if [ -z ${DEVELOPER_ID} ] ; then
+	echo "Developer ID Application not found in codesign.conf" >&2
+	exit 1
+fi
+
+if [ -z ${DEVELOPER_BUNDLE_ID} ]; then
+	echo "Developer Bundle Identifier not found in codesign.conf" >&2
+fi
+
+echo Signing ${BUNDLE} binaries
+for i in `find ${BUNDLE} -type f`
+do
+	file ${i} | grep -E "Mach-O executable|Mach-O 64-bit executable|Mach-O 64-bit bundle"
+	if [ $? -eq 0 ] ; then
+		# We are using 0x1000 instead of runtimes as it returns following error 
+		# when the signing server is macOS 10.9 and codesign recommends to use
+		# 10.13 or later and XCode 10 or later.
+		# error: invalid or inappropriate API flag(s) specified
+		codesign --deep -f -i "${DEVELOPER_BUNDLE_ID}" -s "${DEVELOPER_ID}" --options runtime ${i}
+	fi
+done
+
+echo Signing ${BUNDLE} libraries
+for i in `find ${BUNDLE} -type f -name "*.dylib*"`
+do
+	codesign --deep -f -i "${DEVELOPER_BUNDLE_ID}" -s "${DEVELOPER_ID}" --options runtime ${i}
+done
+
--- a/pkg/mac/codesign.conf.in
+++ b/pkg/mac/codesign.conf.in
@ -2,3 +2,4 @@
 # codesign.conf, and edit the value below to reflect your developer ID

 DEVELOPER_ID="Developer ID Application: My Name (12345ABCD)"
+DEVELOPER_BUNDLE_ID="Developer Bundle Identifier (pgadmin4-4)"