# HG changeset patch # User Chris Cannam # Date 1556207162 -3600 # Node ID d33dff02b39b5dee68e6b7cf48f885684af5787e # Parent 03b2b059fa03b4a174320f2053c8d9e7d4233ef3 Work on sandboxing (possibly) and using the hardened runtime for notarization. Supply appropriate bundle ID for helpers as well as main application, and request inherited sandbox entitlements. Currently works with sandboxing (apparently) but not yet with the hardened runtime, where we can't load plugins signed by third parties even with the com.apple.security.cs.disable-library-validation entitlement because their team IDs don't match the host. Possibly that exception is supposed to be requested some other way? diff -r 03b2b059fa03 -r d33dff02b39b deploy/osx/Entitlements-helpers.plist --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/deploy/osx/Entitlements-helpers.plist Thu Apr 25 16:46:02 2019 +0100 @@ -0,0 +1,12 @@ + + + + + com.apple.security.app-sandbox + + + com.apple.security.inherit + + + + diff -r 03b2b059fa03 -r d33dff02b39b deploy/osx/Entitlements.plist --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/deploy/osx/Entitlements.plist Thu Apr 25 16:46:02 2019 +0100 @@ -0,0 +1,26 @@ + + + + + com.apple.security.app-sandbox + + + com.apple.security.files.user-selected.read-write + + + + com.apple.security.cs.disable-library-validation + + + com.apple.security.device.microphone + + + com.apple.security.network.client + + + + com.apple.security.network.server + + + + diff -r 03b2b059fa03 -r d33dff02b39b deploy/osx/Info-helpers.plist --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/deploy/osx/Info-helpers.plist Thu Apr 25 16:46:02 2019 +0100 @@ -0,0 +1,16 @@ + + + + + CFBundlePackageType + APPL + CFBundleName + Sonic Visualiser + CFBundleExecutable + Sonic Visualiser + CFBundleIconFile + sv-macicon.icns + CFBundleIdentifier + org.sonicvisualiser.SonicVisualiser + + diff -r 03b2b059fa03 -r d33dff02b39b deploy/osx/deploy-and-run.sh --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/deploy/osx/deploy-and-run.sh Thu Apr 25 16:46:02 2019 +0100 @@ -0,0 +1,26 @@ +#!/bin/bash + +set -e + +# WARNING: Destructive, makes some assumptions about layout + +source="Sonic Visualiser.app" +dmg="Sonic Visualiser" + +app=`basename "$source" .app` + +set -u + +version=`perl -p -e 's/^[^"]*"([^"]*)".*$/$1/' version.h` + +rm -rf "$source" "$app-$version" "$app-$version.dmg" + +umount "/Volumes/$app-$version" + +make +deploy/osx/deploy.sh "$source" "$dmg" + +open "$app-$version.dmg" +sleep 5 +open "/Volumes/$app-$version/$app.app" + diff -r 03b2b059fa03 -r d33dff02b39b deploy/osx/deploy.sh --- a/deploy/osx/deploy.sh Thu Apr 25 11:30:27 2019 +0100 +++ b/deploy/osx/deploy.sh Thu Apr 25 16:46:02 2019 +0100 @@ -47,11 +47,11 @@ echo echo "Copying in plugin load checker." -cp checker/vamp-plugin-load-checker "$source"/Contents/MacOS/ +cp checker/vamp-plugin-load-checker "$source"/Contents/Resources/ echo echo "Copying in plugin server." -cp piper-vamp-simple-server "$source"/Contents/MacOS/ +cp piper-vamp-simple-server "$source"/Contents/Resources/ echo echo "Writing version $bundleVersion in to bundle." @@ -104,6 +104,6 @@ echo echo "Signing dmg..." -codesign -s "Developer ID Application: Chris Cannam" -fv "$dmg" +codesign -s "Developer ID Application: Chris Cannam" -fv "$dmg" -i "org.sonicvisualiser.SonicVisualiser" echo "Done" diff -r 03b2b059fa03 -r d33dff02b39b deploy/osx/sign.sh --- a/deploy/osx/sign.sh Thu Apr 25 11:30:27 2019 +0100 +++ b/deploy/osx/sign.sh Thu Apr 25 16:46:02 2019 +0100 @@ -1,4 +1,4 @@ -#!/bin/bash +#!/bin/bash -x set -eu @@ -17,14 +17,17 @@ # in all of these codesign invocations, and figure out what to do # about signing plugins... +id="Developer ID Application: Chris Cannam" +opts="-fv --deep --options runtime -i org.sonicvisualiser.SonicVisualiser" +eopts="--entitlements deploy/osx/Entitlements.plist" +hopts="--entitlements deploy/osx/Entitlements-helpers.plist" + for app in "$dir"/*.app; do find "$app" -name \*.dylib -print | while read fr; do - codesign -s "Developer ID Application: Chris Cannam" -fv --deep "$fr" + codesign -s "$id" $opts "$fr" done - codesign -s "Developer ID Application: Chris Cannam" -fv --deep "$app/Contents/MacOS/Sonic Visualiser" - codesign -s "Developer ID Application: Chris Cannam" -fv --deep "$app" -# codesign -s "Developer ID Application: Chris Cannam" -fv --deep \ -# --requirements '=designated => identifier "org.sonicvisualiser.SonicVisualiser" and ( (anchor apple generic and certificate leaf[field.1.2.840.113635.100.6.1.9] ) or (anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] and certificate leaf[field.1.2.840.113635.100.6.1.13] and certificate leaf[subject.OU] = "M2H8666U82"))' \ -# "$app" + codesign -s "$id" $opts $hopts "$app/Contents/Resources/vamp-plugin-load-checker" + codesign -s "$id" $opts $hopts "$app/Contents/Resources/piper-vamp-simple-server" + codesign -s "$id" $opts $eopts "$app/Contents/MacOS/Sonic Visualiser" done diff -r 03b2b059fa03 -r d33dff02b39b platform-helpers.pri --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/platform-helpers.pri Thu Apr 25 16:46:02 2019 +0100 @@ -0,0 +1,4 @@ + +macx* { + QMAKE_LFLAGS += -sectcreate __TEXT __info_plist $$shell_quote($$PWD/deploy/osx/Info-helpers.plist) +} diff -r 03b2b059fa03 -r d33dff02b39b repoint-lock.json --- a/repoint-lock.json Thu Apr 25 11:30:27 2019 +0100 +++ b/repoint-lock.json Thu Apr 25 16:46:02 2019 +0100 @@ -4,16 +4,16 @@ "pin": "b650289c47b4" }, "svcore": { - "pin": "d7b04b0ed056" + "pin": "a9d0b5a2c242" }, "svgui": { - "pin": "b22a4df37095" + "pin": "089afbbe1253" }, "svapp": { - "pin": "06db8f3ceb95" + "pin": "21673429dba5" }, "checker": { - "pin": "5c60e26e16ca" + "pin": "c8c17e51aab0" }, "piper": { "pin": "f5a04ffe4d5a0ae01e77018a86a59b48a425e674" diff -r 03b2b059fa03 -r d33dff02b39b server.pro --- a/server.pro Thu Apr 25 11:30:27 2019 +0100 +++ b/server.pro Thu Apr 25 16:46:02 2019 +0100 @@ -45,3 +45,5 @@ piper-vamp-cpp/vamp-capnp/piper-capnp.cpp \ piper-vamp-cpp/ext/json11/json11.cpp \ piper-vamp-cpp/vamp-server/simple-server.cpp + +include(platform-helpers.pri)