annotate deploy/osx/paths.sh @ 2265:d33dff02b39b sandbox-notarize

Work on sandboxing (possibly) and using the hardened runtime for notarization. Supply appropriate bundle ID for helpers as well as main application, and request inherited sandbox entitlements. Currently works with sandboxing (apparently) but not yet with the hardened runtime, where we can't load plugins signed by third parties even with the com.apple.security.cs.disable-library-validation entitlement because their team IDs don't match the host. Possibly that exception is supposed to be requested some other way?
author Chris Cannam
date Thu, 25 Apr 2019 16:46:02 +0100
parents 2d48532a074b
children
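#!/bin/bash
#
# Rewrite the install names and Qt framework load paths inside an
# application bundle so that they resolve relative to the loading binary
# (@loader_path) instead of to wherever Qt was installed at build time.
#
# Usage: paths.sh <appname>     (appname without the .app extension)
#
# Run this before code signing: install_name_tool edits the Mach-O load
# commands, which invalidates any signature already present on the file.
#
# NOTE(review): the final check below looks at Qt frameworks only. Other
# dependencies that still carry an absolute, non-system install name are
# not detected here; review `otool -L` output separately if the bundle is
# going to be signed with the hardened runtime.

# No pipefail on purpose: the otool | grep pipelines below rely on grep
# being allowed to find nothing (exit status 1) without aborting the run.
set -e

app="${1:-}"
if [ -z "$app" ]; then
  echo "Usage: $0 <appname>" >&2
  echo "Provide appname without the .app extension, please" >&2
  exit 2
fi

set -u

bundle="$app.app"
if [ ! -d "$bundle" ]; then
  echo "ERROR: $bundle is not a directory" >&2
  exit 1
fi

frameworks=(QtCore QtNetwork QtGui QtXml QtSvg QtWidgets QtPrintSupport QtDBus)

echo
echo "I expect you to have already copied these frameworks from the Qt installation to"
echo "$bundle/Contents/Frameworks -- expect errors to follow if they're missing:"
echo "${frameworks[*]}"
echo

echo "Fixing up loader paths in binaries..."

# Give each bundled framework binary a bare install name.
for fwk in "${frameworks[@]}"; do
  install_name_tool -id "$fwk" "$bundle/Contents/Frameworks/$fwk"
done

# Same for every dylib in the bundle: the id becomes the file's base name.
# NUL-delimited find output plus `read -r` keeps paths containing spaces,
# backslashes or newlines intact.
while IFS= read -r -d '' x; do
  install_name_tool -id "${x##*/}" "$x"
done < <(find "$bundle" -name '*.dylib' -print0)

# Point every executable file's reference to each framework at the copy in
# Contents/Frameworks, expressed relative to the file's own directory.
for fwk in "${frameworks[@]}"; do
  while IFS= read -r -d '' x; do
    [ -x "$x" ] || continue
    current=$(otool -L "$x" | grep "$fwk" | grep amework | grep -v ':$' | awk '{ print $1; }')
    [ -n "$current" ] || continue
    echo "$x has $current"
    # Strip the bundle prefix with a literal match rather than a sed
    # pattern, so regex metacharacters or commas in the application name
    # cannot alter or break the substitution.
    inside=${x#"$bundle/Contents/"}
    # Turn each leading directory component into "..", then replace the
    # file name with Frameworks/<framework>.
    relative=$(printf '%s\n' "$inside" | sed -e 's,[^/]*/,../,g' \
                                             -e 's,/[^/]*$,/Frameworks/'"$fwk"',')
    echo "replacing with relative path $relative"
    install_name_tool -change "$current" "@loader_path/$relative" "$x"
  done < <(find "$bundle" -type f -print0)
done

# Fail if any executable file still references a Qt framework by a path
# that is not @loader_path-relative, i.e. one that was not rewritten above.
while IFS= read -r -d '' x; do
  [ -x "$x" ] || continue
  qtdep=$(otool -L "$x" | grep Qt | grep amework | grep -v ':$' | grep -v '@loader_path' | awk '{ print $1; }')
  if [ -n "$qtdep" ]; then
    echo >&2
    echo "ERROR: File $x depends on Qt framework(s) not apparently present in the bundle:" >&2
    printf '%s\n' "$qtdep" >&2
    exit 1
  fi
done < <(find "$bundle" -type f -print0)

echo "Done: be sure to run the app and see that it works!"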