Mercurial > hg > sonic-visualiser
comparison deploy/osx/sign.sh @ 2265:d33dff02b39b sandbox-notarize
Work on sandboxing (possibly) and using the hardened runtime for notarization. Supply appropriate bundle ID for helpers as well as main application, and request inherited sandbox entitlements. Currently works with sandboxing (apparently) but not yet with the hardened runtime, where we can't load plugins signed by third parties even with the com.apple.security.cs.disable-library-validation entitlement because their team IDs don't match the host. Possibly that exception is supposed to be requested some other way?
| author | Chris Cannam |
|---|---|
| date | Thu, 25 Apr 2019 16:46:02 +0100 |
| parents | 4f4eb416fcb4 |
| children |
comparison
equal
deleted
inserted
replaced
| 2264:03b2b059fa03 | 2265:d33dff02b39b |
|---|---|
| 1 #!/bin/bash | 1 #!/bin/bash -x |
| 2 | 2 |
| 3 set -eu | 3 set -eu |
| 4 | 4 |
| 5 # Execute this from the top-level directory of the project (the one | 5 # Execute this from the top-level directory of the project (the one |
| 6 # that contains the .app bundle). Supply the name of the .app bundle | 6 # that contains the .app bundle). Supply the name of the .app bundle |
| 15 | 15 |
| 16 # NB at some point we are going to have to include "--options runtime" | 16 # NB at some point we are going to have to include "--options runtime" |
| 17 # in all of these codesign invocations, and figure out what to do | 17 # in all of these codesign invocations, and figure out what to do |
| 18 # about signing plugins... | 18 # about signing plugins... |
| 19 | 19 |
| 20 id="Developer ID Application: Chris Cannam" | |
| 21 opts="-fv --deep --options runtime -i org.sonicvisualiser.SonicVisualiser" | |
| 22 eopts="--entitlements deploy/osx/Entitlements.plist" | |
| 23 hopts="--entitlements deploy/osx/Entitlements-helpers.plist" | |
| 24 | |
| 20 for app in "$dir"/*.app; do | 25 for app in "$dir"/*.app; do |
| 21 find "$app" -name \*.dylib -print | while read fr; do | 26 find "$app" -name \*.dylib -print | while read fr; do |
| 22 codesign -s "Developer ID Application: Chris Cannam" -fv --deep "$fr" | 27 codesign -s "$id" $opts "$fr" |
| 23 done | 28 done |
| 24 codesign -s "Developer ID Application: Chris Cannam" -fv --deep "$app/Contents/MacOS/Sonic Visualiser" | 29 codesign -s "$id" $opts $hopts "$app/Contents/Resources/vamp-plugin-load-checker" |
| 25 codesign -s "Developer ID Application: Chris Cannam" -fv --deep "$app" | 30 codesign -s "$id" $opts $hopts "$app/Contents/Resources/piper-vamp-simple-server" |
| 26 # codesign -s "Developer ID Application: Chris Cannam" -fv --deep \ | 31 codesign -s "$id" $opts $eopts "$app/Contents/MacOS/Sonic Visualiser" |
| 27 # --requirements '=designated => identifier "org.sonicvisualiser.SonicVisualiser" and ( (anchor apple generic and certificate leaf[field.1.2.840.113635.100.6.1.9] ) or (anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] and certificate leaf[field.1.2.840.113635.100.6.1.13] and certificate leaf[subject.OU] = "M2H8666U82"))' \ | |
| 28 # "$app" | |
| 29 done | 32 done |
| 30 | 33 |