# HG changeset patch
# User Chris Cannam
# Date 1556207162 -3600
# Node ID d33dff02b39b5dee68e6b7cf48f885684af5787e
# Parent  03b2b059fa03b4a174320f2053c8d9e7d4233ef3
Work on sandboxing (possibly) and using the hardened runtime for notarization. Supply appropriate bundle ID for helpers as well as main application, and request inherited sandbox entitlements. Currently works with sandboxing (apparently) but not yet with the hardened runtime, where we can't load plugins signed by third parties even with the com.apple.security.cs.disable-library-validation entitlement because their team IDs don't match the host. Possibly that exception is supposed to be requested some other way?

diff -r 03b2b059fa03 -r d33dff02b39b deploy/osx/Entitlements-helpers.plist
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/deploy/osx/Entitlements-helpers.plist	Thu Apr 25 16:46:02 2019 +0100
@@ -0,0 +1,12 @@
+<?xml version="1.0" encoding="utf-8"?>
+<plist version="1.0">
+    <dict>
+
+        <key>com.apple.security.app-sandbox</key>
+        <true/>
+
+        <key>com.apple.security.inherit</key>
+        <true/>
+
+    </dict>
+</plist>
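Review bot: The helper entitlements carry only app-sandbox and inherit, but sign.sh signs both helpers with `--options runtime`, so library validation is enforced inside the helper processes too, and `com.apple.security.inherit` passes down the parent's sandbox, not its hardened-runtime exceptions. If vamp-plugin-load-checker and piper-vamp-simple-server are the processes that actually dlopen third-party Vamp plug-ins (their names suggest so, but I can't see that code here), the `com.apple.security.cs.disable-library-validation` granted to the main app in Entitlements.plist never reaches them, which would match the failure described in the commit message. I'd add `<key>com.apple.security.cs.disable-library-validation</key>` / `<true/>` here with a comment saying it lets the helper load plug-ins from any signer, including unsigned ones, and check the result with `codesign -d --entitlements - <helper>` after signing. Apple's rule that an inheriting child has only app-sandbox and inherit concerns the sandbox keys; the cs.* keys are a separate namespace, but confirm that notarization accepts the combination before relying on it.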
diff -r 03b2b059fa03 -r d33dff02b39b deploy/osx/Entitlements.plist
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/deploy/osx/Entitlements.plist	Thu Apr 25 16:46:02 2019 +0100
@@ -0,0 +1,26 @@
+<?xml version="1.0" encoding="utf-8"?>
+<plist version="1.0">
+    <dict>
+
+        <key>com.apple.security.app-sandbox</key>
+        <true/>
+
+        <key>com.apple.security.files.user-selected.read-write</key>
+        <true/>
+
+	<!-- to load plugins signed by other authorities: -->
+        <key>com.apple.security.cs.disable-library-validation</key>
+        <true/>
+
+        <key>com.apple.security.device.microphone</key>
+        <true/>
+
+        <key>com.apple.security.network.client</key>
+        <true/>
+
+	<!-- for osc server: -->
+        <key>com.apple.security.network.server</key>
+        <true/>
+
+    </dict>
+</plist>
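Review bot: The comment above `com.apple.security.cs.disable-library-validation` understates what the key does: it switches off library validation for the whole process, so the app will load plug-ins signed by any team and unsigned plug-ins alike, not just ones "signed by other authorities". Since this is the one entitlement in the file that materially weakens the hardened runtime, the comment should say so and record the justification, e.g. `<!-- disables library validation for this process: Vamp plug-ins from any signer, including unsigned, can be loaded; needed because plug-ins are third-party code -->`. The exception is also per-executable — it only helps the process that calls dlopen on the plug-ins — so if that happens in the helper binaries it has to be granted in Entitlements-helpers.plist as well. As a point of style, the two comment lines are tab-indented while the rest of the file uses spaces.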
diff -r 03b2b059fa03 -r d33dff02b39b deploy/osx/Info-helpers.plist
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/deploy/osx/Info-helpers.plist	Thu Apr 25 16:46:02 2019 +0100
@@ -0,0 +1,16 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist SYSTEM "file://localhost/System/Library/DTDs/PropertyList.dtd">
+<plist version="0.9">
+  <dict>
+	<key>CFBundlePackageType</key>
+	<string>APPL</string>
+	<key>CFBundleName</key>
+	<string>Sonic Visualiser</string>
+	<key>CFBundleExecutable</key>
+	<string>Sonic Visualiser</string>
+	<key>CFBundleIconFile</key>
+	<string>sv-macicon.icns</string>
+	<key>CFBundleIdentifier</key>
+	<string>org.sonicvisualiser.SonicVisualiser</string>
+  </dict>
+</plist>
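Review bot: The identifier embedded into the helpers is the main application's `org.sonicvisualiser.SonicVisualiser`, and CFBundleName/CFBundleExecutable name the main app binary rather than the helper this plist is linked into through -sectcreate, so the helpers do not get the distinct bundle ID the commit message describes. The codesign man page warns that signing different programs with the same identifier is a very bad idea, and I believe the sandbox keys per-app state on it as well. I'd give each helper its own plist (or generate one per target) with something like `<string>org.sonicvisualiser.SonicVisualiser.piper-vamp-simple-server</string>` and a matching CFBundleExecutable, and drop CFBundleIconFile, which a command-line helper does not use. The `version="0.9"` and `file://localhost` DTD are legacy; `<plist version="1.0">` as in the new entitlement files would be consistent.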
diff -r 03b2b059fa03 -r d33dff02b39b deploy/osx/deploy-and-run.sh
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/deploy/osx/deploy-and-run.sh	Thu Apr 25 16:46:02 2019 +0100
@@ -0,0 +1,26 @@
+#!/bin/bash
+
+set -e
+
+# WARNING: Destructive, makes some assumptions about layout
+
+source="Sonic Visualiser.app"
+dmg="Sonic Visualiser"
+
+app=`basename "$source" .app`
+
+set -u
+
+version=`perl -p -e 's/^[^"]*"([^"]*)".*$/$1/' version.h`
+
+rm -rf "$source" "$app-$version" "$app-$version.dmg"
+
+umount "/Volumes/$app-$version"
+
+make
+deploy/osx/deploy.sh "$source" "$dmg"
+
+open "$app-$version.dmg"
+sleep 5
+open "/Volumes/$app-$version/$app.app"
+
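Review bot: Under `set -e` the bare `umount "/Volumes/$app-$version"` aborts the script whenever the image is not currently mounted (first run, or after a manual eject), so `make` and deploy never run; it also executes after `rm -rf` has already deleted a .dmg that may still be mounted. Move the unmount first and tolerate failure: `umount "/Volumes/$app-$version" 2>/dev/null || true` above the `rm -rf` line (or use `hdiutil detach`, the supported tool for disk images). The `perl -p -e` extraction prints every line of version.h transformed, so `$version` is only well-formed if that file is a single line — worth a comment or a `-n` / `print if` form. `sleep 5` before opening the mounted app is a race; polling for `/Volumes/$app-$version` to appear would be more robust.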
diff -r 03b2b059fa03 -r d33dff02b39b deploy/osx/deploy.sh
--- a/deploy/osx/deploy.sh	Thu Apr 25 11:30:27 2019 +0100
+++ b/deploy/osx/deploy.sh	Thu Apr 25 16:46:02 2019 +0100
@@ -47,11 +47,11 @@
 
 echo
 echo "Copying in plugin load checker."
-cp checker/vamp-plugin-load-checker "$source"/Contents/MacOS/
+cp checker/vamp-plugin-load-checker "$source"/Contents/Resources/
 
 echo
 echo "Copying in plugin server."
-cp piper-vamp-simple-server "$source"/Contents/MacOS/
+cp piper-vamp-simple-server "$source"/Contents/Resources/
 
 echo
 echo "Writing version $bundleVersion in to bundle."
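Review bot: The commit does not say why the two helper executables move from Contents/MacOS to Contents/Resources; Apple's bundle rules (TN2206) treat Mach-O code under Resources as a sealed resource rather than nested code, and notarization and the sandbox can treat it differently, so the script needs a comment recording the reason — presumably to keep `codesign --deep` on the main executable from re-signing the helpers with the app's entitlements. If that is the motivation, Contents/Helpers keeps them in a recognised nested-code location, and sign.sh already signs them explicitly before the main executable so `--deep` is not needed for them anyway. Whatever location is chosen, the code that spawns the helpers must resolve the new relative path; I can't see that caller from this diff, so please confirm it was updated.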
@@ -104,6 +104,6 @@
 echo
 echo "Signing dmg..."
 
-codesign -s "Developer ID Application: Chris Cannam" -fv "$dmg"
+codesign -s "Developer ID Application: Chris Cannam" -fv "$dmg" -i "org.sonicvisualiser.SonicVisualiser"
 
 echo "Done"
diff -r 03b2b059fa03 -r d33dff02b39b deploy/osx/sign.sh
--- a/deploy/osx/sign.sh	Thu Apr 25 11:30:27 2019 +0100
+++ b/deploy/osx/sign.sh	Thu Apr 25 16:46:02 2019 +0100
@@ -1,4 +1,4 @@
-#!/bin/bash 
+#!/bin/bash -x
 
 set -eu
 
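Review bot: `#!/bin/bash -x` turns on xtrace for every run of the release signing script, which echoes each codesign invocation to stderr and is silently ignored if the script is run as `bash sign.sh`. If tracing is wanted while the notarization problem is being debugged, gate it instead: `[ -n "${SIGN_DEBUG:-}" ] && set -x` after `set -eu`, and keep the shebang as `#!/bin/bash`.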
@@ -17,14 +17,17 @@
 # in all of these codesign invocations, and figure out what to do
 # about signing plugins...
 
+id="Developer ID Application: Chris Cannam"
+opts="-fv --deep --options runtime -i org.sonicvisualiser.SonicVisualiser"
+eopts="--entitlements deploy/osx/Entitlements.plist"
+hopts="--entitlements deploy/osx/Entitlements-helpers.plist"
+
 for app in "$dir"/*.app; do
     find "$app" -name \*.dylib -print | while read fr; do
-	codesign -s "Developer ID Application: Chris Cannam" -fv --deep "$fr"
+	codesign -s "$id" $opts "$fr"
     done
-    codesign -s "Developer ID Application: Chris Cannam" -fv --deep "$app/Contents/MacOS/Sonic Visualiser"
-    codesign -s "Developer ID Application: Chris Cannam" -fv --deep "$app"
-#    codesign -s "Developer ID Application: Chris Cannam" -fv --deep \
-#         --requirements '=designated =>  identifier "org.sonicvisualiser.SonicVisualiser" and ( (anchor apple generic and    certificate leaf[field.1.2.840.113635.100.6.1.9] ) or (anchor apple generic and    certificate 1[field.1.2.840.113635.100.6.2.6]  and    certificate leaf[field.1.2.840.113635.100.6.1.13] and    certificate leaf[subject.OU] = "M2H8666U82"))' \
-#         "$app"
+    codesign -s "$id" $opts $hopts "$app/Contents/Resources/vamp-plugin-load-checker"
+    codesign -s "$id" $opts $hopts "$app/Contents/Resources/piper-vamp-simple-server"
+    codesign -s "$id" $opts $eopts "$app/Contents/MacOS/Sonic Visualiser"
 done
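Review bot: Every dylib and both helpers are signed with `-i org.sonicvisualiser.SonicVisualiser` because the identifier sits in `$opts`, so all nested code shares the main app's identifier; the codesign man page says it is a very bad idea to sign different programs with the same identifier, and the helpers become indistinguishable from the app to the sandbox and to any designated requirement. Keep `-i` out of the shared options, let the dylibs derive their identifier from their filename, and give each helper its own. The loop should also use `find -print0` with `while IFS= read -r -d '' fr` so paths containing backslashes or leading blanks survive, and `$opts`/`$hopts` rely on word splitting, which works today but breaks if an entitlements path ever contains a space. The bundle-level `codesign ... "$app"` was dropped; codesign appears to treat a bundle's main-executable path as the bundle, so this is probably fine, but verify with `codesign -dvv "$app"` that Sealed Resources are present.
```shell
id="Developer ID Application: Chris Cannam"
opts="-fv --deep --options runtime"
appid="org.sonicvisualiser.SonicVisualiser"
eopts="--entitlements deploy/osx/Entitlements.plist"
hopts="--entitlements deploy/osx/Entitlements-helpers.plist"

for app in "$dir"/*.app; do
    find "$app" -name \*.dylib -print0 | while IFS= read -r -d '' fr; do
        codesign -s "$id" $opts "$fr"
    done
    codesign -s "$id" $opts $hopts -i "$appid.vamp-plugin-load-checker" "$app/Contents/Resources/vamp-plugin-load-checker"
    codesign -s "$id" $opts $hopts -i "$appid.piper-vamp-simple-server" "$app/Contents/Resources/piper-vamp-simple-server"
    codesign -s "$id" $opts $eopts -i "$appid" "$app/Contents/MacOS/Sonic Visualiser"
done
```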
 
diff -r 03b2b059fa03 -r d33dff02b39b platform-helpers.pri
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/platform-helpers.pri	Thu Apr 25 16:46:02 2019 +0100
@@ -0,0 +1,4 @@
+
+macx* {
+      QMAKE_LFLAGS += -sectcreate __TEXT __info_plist $$shell_quote($$PWD/deploy/osx/Info-helpers.plist)
+}
diff -r 03b2b059fa03 -r d33dff02b39b repoint-lock.json
--- a/repoint-lock.json	Thu Apr 25 11:30:27 2019 +0100
+++ b/repoint-lock.json	Thu Apr 25 16:46:02 2019 +0100
@@ -4,16 +4,16 @@
       "pin": "b650289c47b4"
     },
     "svcore": {
-      "pin": "d7b04b0ed056"
+      "pin": "a9d0b5a2c242"
     },
     "svgui": {
-      "pin": "b22a4df37095"
+      "pin": "089afbbe1253"
     },
     "svapp": {
-      "pin": "06db8f3ceb95"
+      "pin": "21673429dba5"
     },
     "checker": {
-      "pin": "5c60e26e16ca"
+      "pin": "c8c17e51aab0"
     },
     "piper": {
       "pin": "f5a04ffe4d5a0ae01e77018a86a59b48a425e674"
diff -r 03b2b059fa03 -r d33dff02b39b server.pro
--- a/server.pro	Thu Apr 25 11:30:27 2019 +0100
+++ b/server.pro	Thu Apr 25 16:46:02 2019 +0100
@@ -45,3 +45,5 @@
         piper-vamp-cpp/vamp-capnp/piper-capnp.cpp \
         piper-vamp-cpp/ext/json11/json11.cpp \
         piper-vamp-cpp/vamp-server/simple-server.cpp
+
+include(platform-helpers.pri)