From f5afc5187904bb7ae9e6dac0dc7743045c01156a Mon Sep 17 00:00:00 2001
From: Paresh More
Date: Fri, 3 Jan 2020 09:56:45 +0000
Subject: [PATCH] Ensure all binaries are securely signed and linked with the hardened runtime in the macOS bundle.
Fixes #5060
Note that this is untested for automated builds, so may require further tweaks.
---
 docs/en_US/release_notes_4_17.rst | 1 +
 pkg/mac/build.sh | 17 +++++++++++++
 pkg/mac/codesign-binaries.sh | 40 +++++++++++++++++++++++++++++++
 pkg/mac/codesign.conf.in | 1 +
 4 files changed, 59 insertions(+)
 create mode 100755 pkg/mac/codesign-binaries.sh
diff --git a/docs/en_US/release_notes_4_17.rst b/docs/en_US/release_notes_4_17.rst
index 23db4c15c..759642309 100644
--- a/docs/en_US/release_notes_4_17.rst
+++ b/docs/en_US/release_notes_4_17.rst
@@ -10,6 +10,7 @@ New features
 ************
 | `Issue #4764 `_ - Allow screen-reader to read relationship attributes in nested elements.
+| `Issue #5060 `_ - Ensure all binaries are securely signed and linked with the hardened runtime in the macOS bundle
 Housekeeping
 ************
diff --git a/pkg/mac/build.sh b/pkg/mac/build.sh
index 2e6c574aa..c8b443b70 100755
--- a/pkg/mac/build.sh
+++ b/pkg/mac/build.sh
@@ -223,6 +223,22 @@ _framework_config() {
 ./framework-config.sh "${BUILDROOT}/${APP_BUNDLE_NAME}" || { echo "framework-config.sh failed"; exit 1; }
 }
+_codesign_binaries() {
+ cd ${SOURCEDIR}/pkg/mac
+
+ if [ ! -f codesign.conf ]; then
+ echo
+ echo "******************************************************************"
+ echo "* codesign.conf not found. NOT signing the binaries."
+ echo "******************************************************************"
+ echo
+ sleep 5
+ return
+ fi
+
+ ./codesign-binaries.sh "${BUILDROOT}/${APP_BUNDLE_NAME}" || { echo codesign-binaries.sh failed; exit 1; }
+}
+
 _codesign_bundle() {
 cd ${SOURCEDIR}/pkg/mac
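Review bot: The `cd ${SOURCEDIR}/pkg/mac` at the top of the new `_codesign_binaries` is unquoted and its result is not checked, so if the directory change fails the following `[ ! -f codesign.conf ]` test runs against whatever the current directory happens to be and the function silently takes the "NOT signing the binaries" path instead of failing the build. The same pattern exists in `_codesign_bundle` below it, but this is new code and can get it right: `cd "${SOURCEDIR}/pkg/mac" || { echo "cd ${SOURCEDIR}/pkg/mac failed"; exit 1; }`. Quoting `${SOURCEDIR}` also keeps the command intact when the source tree path contains spaces. The hunk's last context line is a blank line that the collapsed layout does not show, and `_codesign_bundle` continues outside the hunk.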
@@ -268,6 +284,7 @@ _build_runtime || { echo Runtime build failed; exit 1; }
 _build_doc
 _complete_bundle
 _framework_config
+_codesign_binaries
 _codesign_bundle
 _create_dmg
 _codesign_dmg
diff --git a/pkg/mac/codesign-binaries.sh b/pkg/mac/codesign-binaries.sh
new file mode 100755
index 000000000..2eefd0df5
--- /dev/null
+++ b/pkg/mac/codesign-binaries.sh
@@ -0,0 +1,40 @@
+#!/bin/sh
+
+BUNDLE="$1"
+
+if ! test -d "${BUNDLE}" ; then
+ echo "${BUNDLE} is no bundle!" >&2
+ exit 1
+fi
+
+# Get the config
+source codesign.conf
+
+if [ -z ${DEVELOPER_ID} ] ; then
+ echo "Developer ID Application not found in codesign.conf" >&2
+ exit 1
+fi
+
+if [ -z ${DEVELOPER_BUNDLE_ID} ]; then
+ echo "Developer Bundle Identifier not found in codesign.conf" >&2
+fi
+
+echo Signing ${BUNDLE} binaries
+for i in `find ${BUNDLE} -type f`
+do
+ file ${i} | grep -E "Mach-O executable|Mach-O 64-bit executable|Mach-O 64-bit bundle"
+ if [ $? -eq 0 ] ; then
+ # We are using 0x1000 instead of runtimes as it returns following error
+ # when the signing server is macOS 10.9 and codesign recommends to use
+ # 10.13 or later and XCode 10 or later.
+ # error: invalid or inappropriate API flag(s) specified
+ codesign --deep -f -i "${DEVELOPER_BUNDLE_ID}" -s "${DEVELOPER_ID}" --options runtime ${i}
+ fi
+done
+
+echo Signing ${BUNDLE} libraries
+for i in `find ${BUNDLE} -type f -name "*.dylib*"`
+do
+ codesign --deep -f -i "${DEVELOPER_BUNDLE_ID}" -s "${DEVELOPER_ID}" --options runtime ${i}
+done
+
diff --git a/pkg/mac/codesign.conf.in b/pkg/mac/codesign.conf.in
index 9951ee947..a0b2077b3 100644
--- a/pkg/mac/codesign.conf.in
+++ b/pkg/mac/codesign.conf.in
@@ -2,3 +2,4 @@
 # codesign.conf, and edit the value below to reflect your developer ID
 DEVELOPER_ID="Developer ID Application: My Name (12345ABCD)"
+DEVELOPER_BUNDLE_ID="Developer Bundle Identifier (pgadmin4-4)"
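Review bot: The `if [ -z ${DEVELOPER_ID} ]` and `if [ -z ${DEVELOPER_BUNDLE_ID} ]` tests in the new codesign-binaries.sh are unquoted, and with the multi-word values the template in codesign.conf.in suggests (`"Developer ID Application: My Name (12345ABCD)"`) `[` reports "too many arguments" rather than evaluating the check, while the `DEVELOPER_BUNDLE_ID` branch only prints and falls through, so `codesign -i ""` can be reached. The two `for i in \`find ${BUNDLE} ...\`` loops word-split file names, which breaks on any path containing a space, and neither loop checks the exit status of `codesign`, so a signing failure on one binary does not make the script exit non-zero and build.sh's `|| { echo codesign-binaries.sh failed; exit 1; }` never fires — a partially signed bundle goes on to `_codesign_bundle` and the DMG step. The comment block about "0x1000 instead of runtimes" contradicts the line below it, which passes `--options runtime`; it should be replaced by a comment that matches the code, e.g. `# --options runtime enables the hardened runtime (Fixes #5060); per codesign this needs macOS 10.13+ / Xcode 10+ on the signing host.` Minor: `source` is a bash-ism under `#!/bin/sh` (use `.`), and the `grep -E` result is tested via `$?` with its output left on stdout. The rewrite below quotes the checks, makes the missing-bundle-identifier case fatal for consistency, walks `find` output line by line, and aborts on the first signing error.
```sh
# … unchanged: BUNDLE="$1" and the bundle-directory check …
# Get the config (POSIX '.' rather than bash 'source', since the shebang is /bin/sh)
. ./codesign.conf

if [ -z "${DEVELOPER_ID}" ] ; then
    echo "Developer ID Application not found in codesign.conf" >&2
    exit 1
fi

if [ -z "${DEVELOPER_BUNDLE_ID}" ]; then
    echo "Developer Bundle Identifier not found in codesign.conf" >&2
    exit 1
fi

# Sign one file with the hardened runtime (--options runtime); abort on the first
# failure so an unsigned binary never reaches _codesign_bundle.
sign_file() {
    codesign --deep -f -i "${DEVELOPER_BUNDLE_ID}" -s "${DEVELOPER_ID}" --options runtime "$1" \
        || { echo "codesign failed for $1" >&2; exit 1; }
}

echo "Signing ${BUNDLE} binaries"
find "${BUNDLE}" -type f | while IFS= read -r i; do
    case "$(file "${i}")" in
        *"Mach-O executable"*|*"Mach-O 64-bit executable"*|*"Mach-O 64-bit bundle"*)
            sign_file "${i}" ;;
    esac
done || exit 1

echo "Signing ${BUNDLE} libraries"
find "${BUNDLE}" -type f -name "*.dylib*" | while IFS= read -r i; do
    sign_file "${i}"
done || exit 1
```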
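Review bot: The new `DEVELOPER_BUNDLE_ID` line in codesign.conf.in has no comment explaining what the value is used for, unlike `DEVELOPER_ID`, whose purpose the comment on the line above it states. The value is passed to `codesign -i` by the new codesign-binaries.sh, and Apple's convention for that identifier is reverse-DNS form, which the placeholder `"Developer Bundle Identifier (pgadmin4-4)"` does not resemble; if the placeholder is meant to be replaced like the `DEVELOPER_ID` sample, a comment such as `# DEVELOPER_BUNDLE_ID is passed to codesign -i; set it to the app's bundle identifier` would tell packagers what to put there. This is inferred from the template's style rather than from anything the hunk states, so confirm the intended format with whoever runs the signing builds.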