From c98b1f1cd43b3e109bcaf6324ef2d1f449b34099 Mon Sep 17 00:00:00 2001
From: Christian Lohmaier
Date: Fri, 31 May 2019 11:57:16 +0200
Subject: macOS: enable hardened runtime when signing

hardened runtime is prerequisite for notarizing apps, which in turn is required for new developer IDs with 10.14.5 already and will be required for all software to run in future versions of macOS

https://developer.apple.com/documentation/security/notarizing_your_app_before_distribution

Change-Id: Ifdf73fb5901be5dd0b62e1a51dee6e57c9816e5f
Reviewed-on: https://gerrit.libreoffice.org/73246
Tested-by: Jenkins
Reviewed-by: Christian Lohmaier
---
hardened_runtime.xcent | 15 +++++++++++++++
solenv/bin/macosx-codesign-app-bundle | 14 +++++++++-----
solenv/gbuild/platform/macosx.mk | 2 +-
3 files changed, 25 insertions(+), 6 deletions(-)
create mode 100644 hardened_runtime.xcent

diff --git a/hardened_runtime.xcent b/hardened_runtime.xcent
new file mode 100644
index 000000000000..72abb432afc6
--- /dev/null
+++ b/hardened_runtime.xcent
@@ -0,0 +1,15 @@
+ + + + + com.apple.security.automation.apple-events + + com.apple.security.cs.disable-executable-page-protection + + com.apple.security.cs.disable-library-validation + +
diff --git a/solenv/bin/macosx-codesign-app-bundle b/solenv/bin/macosx-codesign-app-bundle
index 85d74514585c..db2f6ffc55d2 100755
--- a/solenv/bin/macosx-codesign-app-bundle
+++ b/solenv/bin/macosx-codesign-app-bundle
@@ -36,7 +36,7 @@ if test -n "$ENABLE_MACOSX_SANDBOX"; then
 other_files=''
 else
 # We then want to sign data files, too, hmm.
- entitlements=''
+ entitlements="--entitlements $SRCDIR/hardened_runtime.xcent"
 other_files="\
 -or -name '*.fodt' -or -name 'schema.strings' -or -name 'schema.xml' \
 -or -name '*.jar' -or -name 'LICENSE' -or -name 'LICENSE.html' \
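Review bot: The entitlements granted in this new file, in particular `com.apple.security.cs.disable-library-validation` and `com.apple.security.cs.disable-executable-page-protection`, switch off most of what the hardened runtime is supposed to add, and nothing in the file records which component needs which exception. Disabling library validation lets the process load dylibs and plug-ins signed by any team or not signed at all, so any writable location on the dyld search path becomes a code-injection vector; disable-executable-page-protection is the broadest of the memory entitlements, and if the real requirement is only a JIT for a bundled runtime, `com.apple.security.cs.allow-jit` or `com.apple.security.cs.allow-unsigned-executable-memory` are the narrower choices. Since the non-sandbox branch of the signing script passes this one file for every binary it signs, I would add a comment before each key naming the component that needs it (marked TODO-confirm where unsure) so the exceptions can be narrowed later. Note that the rendering of this hunk has lost the plist markup, so the structure of the file itself cannot be checked here.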
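Review bot: The value assigned here is expanded unquoted as `$entitlements` at every codesign call site in this patch, so the path it carries is word-split and globbed, and a `$SRCDIR` containing whitespace would break signing in the non-sandbox branch. If the script runs under bash, an array is the clean fix: `entitlements=(--entitlements "$SRCDIR/hardened_runtime.xcent")` here, `entitlements=()` in the sandbox branch, and `"${entitlements[@]}"` at the call sites; under POSIX sh the string form has to stay, in which case a comment on this line should say the path must not contain spaces. The enclosing `if test -n "$ENABLE_MACOSX_SANDBOX"` starts outside the hunk and the sandbox branch's own entitlements value is not visible here.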
@@ -83,7 +83,7 @@ while read app; do
 fn=${fn%.*}
 # Assume the app has a XML (and not binary) Info.plist
 id=`grep -A 1 'CFBundleIdentifier' $app/Contents/Info.plist | tail -1 | sed -e 's,.*,,' -e 's,.*,,'`
- codesign --verbose --force --identifier=$id --sign "$MACOSX_CODESIGNING_IDENTITY" $entitlements "$app" > "/tmp/codesign_${fn}.log" 2>&1
+ codesign --verbose --options=runtime --force --identifier=$id --sign "$MACOSX_CODESIGNING_IDENTITY" $entitlements "$app" > "/tmp/codesign_${fn}.log" 2>&1
 if [ "$?" != "0" ] ; then
 exit 1
 fi
@@ -100,7 +100,7 @@ while read framework; do
 if test ! -L "$version" -a -d "$version"; then
 # Assume the framework has a XML (and not binary) Info.plist
 id=`grep -A 1 'CFBundleIdentifier' $version/Resources/Info.plist | tail -1 | sed -e 's,.*,,' -e 's,.*,,'`
- codesign --verbose --force --identifier=$id --sign "$MACOSX_CODESIGNING_IDENTITY" "$version" > "/tmp/codesign_${fn}.log" 2>&1
+ # files in bin are not covered by signing the framework...
+ for scriptorexecutable in $(find $version/bin/ -type f); do
+ codesign --verbose --options=runtime --force --identifier=$id --sign "$MACOSX_CODESIGNING_IDENTITY" "$scriptorexecutable" >> "/tmp/codesign_${fn}.log" 2>&1
+ done
+ codesign --verbose --force --identifier=$id --sign "$MACOSX_CODESIGNING_IDENTITY" "$version" >> "/tmp/codesign_${fn}.log" 2>&1
 if [ "$?" != "0" ] ; then
 exit 1
 fi
@@ -129,7 +133,7 @@ while read file; do
 ;;
 *)
 id=`echo ${file#${APP_BUNDLE}/Contents/} | sed -e 's,/,.,g'`
- codesign --force --verbose --identifier=$MACOSX_BUNDLE_IDENTIFIER.$id --sign "$MACOSX_CODESIGNING_IDENTITY" $entitlements "$file" > "/tmp/codesign_${MACOSX_BUNDLE_IDENTIFIER}.${id}.log" 2>&1
+ codesign --force --verbose --options=runtime --identifier=$MACOSX_BUNDLE_IDENTIFIER.$id --sign "$MACOSX_CODESIGNING_IDENTITY" $entitlements "$file" > "/tmp/codesign_${MACOSX_BUNDLE_IDENTIFIER}.${id}.log" 2>&1
 if [ "$?" != "0" ] ; then
 exit 1
 fi
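Review bot: The exit status of the new per-file `codesign` inside the `for scriptorexecutable` loop is never checked: the `if [ "$?" != "0" ]` that follows only tests the framework-level codesign, so a failed signature of something under `bin/` is written to the log and forgotten, and the bundle ships with an unsigned or non-hardened executable that notarization or Gatekeeper will reject later with a far less useful message. Appending `|| exit 1` to that codesign line fixes it, since the `for` loop runs in the current shell. The loop also iterates over `$(find $version/bin/ -type f)`, which word-splits on whitespace in paths and globs the results; a `while IFS= read -r` loop over the output of `find "$version/bin" -type f` keeps paths intact. The enclosing `while read framework` loop starts and ends outside the hunk.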
@@ -152,7 +156,7 @@ done
 id=`echo ${PRODUCTNAME} | tr ' ' '-'`
-codesign --force --verbose --identifier="${MACOSX_BUNDLE_IDENTIFIER}" --sign "$MACOSX_CODESIGNING_IDENTITY" $entitlements "$APP_BUNDLE" > "/tmp/codesign_${MACOSX_BUNDLE_IDENTIFIER}.log" 2>&1
+codesign --force --verbose --options=runtime --identifier="${MACOSX_BUNDLE_IDENTIFIER}" --sign "$MACOSX_CODESIGNING_IDENTITY" $entitlements "$APP_BUNDLE" > "/tmp/codesign_${MACOSX_BUNDLE_IDENTIFIER}.log" 2>&1
 if [ "$?" != "0" ] ; then
 exit 1
 fi
diff --git a/solenv/gbuild/platform/macosx.mk b/solenv/gbuild/platform/macosx.mk
index b3e451bfcd74..eec2b052cb7e 100644
--- a/solenv/gbuild/platform/macosx.mk
+++ b/solenv/gbuild/platform/macosx.mk
@@ -132,7 +132,7 @@ $(call gb_Helper_abbreviate_dirs,\
 $(if $(MACOSX_CODESIGNING_IDENTITY), \
 $(if $(filter Executable,$(TARGETTYPE)), \
 $(if $(filter-out $(call gb_Executable_get_target,soffice_bin),$(1)), \
- codesign --identifier=$(MACOSX_BUNDLE_IDENTIFIER).$(notdir $(1)) --sign $(MACOSX_CODESIGNING_IDENTITY) --force $(1) &&))) \
+ codesign --identifier=$(MACOSX_BUNDLE_IDENTIFIER).$(notdir $(1)) --sign $(MACOSX_CODESIGNING_IDENTITY) --options=runtime --force $(1) &&))) \
 $(if $(filter Library,$(TARGETTYPE)),\
 otool -l $(1) | grep -A 5 LC_ID_DYLIB \
 > $(WORKDIR)/LinkTarget/$(2).exports.tmp && \
--
cgit v1.2.3
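Review bot: Notarization also requires a secure timestamp on every signature, and none of the codesign invocations visible in this patch pass `--timestamp`; unless the build deliberately relies on codesign's default timestamping for this identity, which I would not depend on, add it next to the new option here, `codesign --force --verbose --options=runtime --timestamp --identifier="${MACOSX_BUNDLE_IDENTIFIER}" ...`, and at the other call sites. Be aware that a timestamp request needs network access to Apple's timestamp service at signing time, so an offline or egress-restricted build worker will then fail loudly rather than produce a signature notarization rejects. Separately, as far as I recall the apple-events entitlement in hardened_runtime.xcent only produces a consent prompt when the app's Info.plist carries an `NSAppleEventsUsageDescription` string, otherwise the request is denied; that plist is not visible here, so please confirm it is present.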
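Review bot: `--sign $(MACOSX_CODESIGNING_IDENTITY)` is unquoted in this recipe while the signing script quotes the same variable at every call site, so an identity given as a certificate common name with spaces (the usual `Developer ID Application: Name (TEAMID)` form) would be split into several arguments and the following `--options=runtime --force $(1)` misparsed; `--sign "$(MACOSX_CODESIGNING_IDENTITY)"` costs nothing and makes the two consistent. This presumably only works today because the variable holds a fingerprint rather than a name, which is worth stating in a comment on the line. The `$(call gb_Helper_abbreviate_dirs,` expression this sits in starts and ends outside the hunk.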