From 3264c552a4fe29835a10f38ca92244253f305bb0 Mon Sep 17 00:00:00 2001
From: Ben Soares
Date: Sat, 17 Aug 2024 01:57:55 +0100
Subject: [PATCH] JAL-4428 Added in stapling into (now) sign_and_staple_dmg.sh. Some other small improvements to the script.
---
 .../{sign_dmg.sh => sign_and_staple_dmg.sh} | 89 +++++++++++++-------
 1 file changed, 58 insertions(+), 31 deletions(-)
 rename utils/osx_signing/{sign_dmg.sh => sign_and_staple_dmg.sh} (79%)
diff --git a/utils/osx_signing/sign_dmg.sh b/utils/osx_signing/sign_and_staple_dmg.sh
similarity index 79%
rename from utils/osx_signing/sign_dmg.sh
rename to utils/osx_signing/sign_and_staple_dmg.sh
index dd98944..5609d5e 100755
--- a/utils/osx_signing/sign_dmg.sh
+++ b/utils/osx_signing/sign_and_staple_dmg.sh
@@ -11,12 +11,14 @@ YES=0
 CLEANUP=0
 GITENTITLEMENTSPATH="utils/osx_signing/entitlements.txt"
 NOCODESIGNING=0
+STAPLE=0
 NOVOLUMEICON=0
 VOLUMEICONPATH="utils/channels/release/images/jalview-VolumeIcon.icns"
 DEFAULTVOLUMEICONFILE=".VolumeIcon.icns"
+HDIUTILV="-quiet"
 
 usage() {
- echo "Usage: $( basename $0 ) [-h] [[-g gitdir] | [-e entfile]] [-d devid] [[-a appname] [-v appver ] [-j arch] [-w jver] | [-i dmgfile]] [-O] [-o outputdmg] [-t tmpdir] [-s signingdmg] [-S] [-z icnsfile] [-Z] [-y] [-C]"
+ echo "Usage: $( basename $0 ) [-h] [[-g gitdir] | [-e entfile]] [-d devid] [[-a appname] [-v appver ] [-j arch] [-w jver] | [-i dmgfile]] [-O] [-o outputdmg] [-t tmpdir] [-s signingdmg] [-S] [-p] [-z icnsfile] [-Z] [-y] [-C] [-v]"
 echo " "
 echo " This script is used in the signing process of DMG disk image files for macOS."
 echo " Either -g GITDIR or -e ENTFILE should be given."
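Review bot: The rewritten usage line advertises both `[-v appver ]` and a bare `[-v]` at its end, which one getopts optstring cannot honour: the existing `v:` entry is matched first, so `-v` keeps requiring an argument and the verbose switch can never be selected by the user. Give the verbose switch an unused letter and keep the usage text, the optstring and the case arm in step, e.g. end this line with `... [-y] [-C] [-V]"` and document it as `-V Allow tools such as hdiutil to be more verbose.`. The usage() body continues past the end of this hunk.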
@@ -34,17 +36,23 @@ usage() {
 echo " -w jver Assume java version jver (also uses JVER env variable. Defaults to '1.8')."
 echo " -i dmgfile Sign DMGFILE (also uses DMGFILE env variable. Defaults to a combination of GITDIR, APPNAME, APPVER, ARCH and JVER)."
 echo " -t tmpdir Use temp directory tmpdir (default '/tmp')."
- echo " -s signingdmg Use signingdmg as the temporary signing folder name (default 'signingDMG')."
- echo " -S Don't perform any code signing."
+ echo " -s signingdmg Use signingdmg as the temporary signing folder name in the temporary directory (default 'signingDMG')."
+ echo " -S Don't perform any code signing (default is to codesign)."
+ echo " -p Run stapling on the APP bundle (default is to NOT staple)."
 echo " -z icnsfile Use icnsfile as the volume icon file (defaults to using existing '$DEFAULTVOLUMEICONFILE' file or 'GITDIR/${VOLUMEICONPATH}'."
 echo " -Z Don't set the volume icon, even if it already exists."
 echo " -O Overwrite the output DMG file if it already exists."
 echo " -o outputdmg Output DMG file (defaults to existing dmgfile in a 'signed' sub-directory)."
 echo " -y Assume 'yes' to all confirmation requests."
 echo " -C Cleanup temporary folders for the given dmgfile (Prevents all other activities. Cleanup can be narrowed down with either -i or some/all of -a -v -j -w."
+ echo " -v Allow tools such as hdiutil to be more verbose."
+ echo " "
+ echo " EXAMPLE:"
+ echo " $( basename $0 ) -g ~/work/git/jalview -i build/install4j/11/Jalview_Develop-2_11_4_0-d20240816-macos-aarch64-java_11.dmg -t -z utils/channels/develop/images/jalview_develop-VolumeIcon.icns"
+ echo " will use entitlements.txt from the gitdir (-g), and output a signed and stapled (-t) DMG file in build/install4j/11/stapled with a volume icon for Jalview Develop (-z)."
 }
 
-while getopts "hg:e:d:a:v:j:w:i:t:s:Sz:ZyCOo:" opt; do
+while getopts "hg:e:d:a:v:j:w:i:t:s:Spz:ZyCOo:v" opt; do
 case ${opt} in
 h)
 usage
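Review bot: The bare `v` appended to `"hg:e:d:a:v:j:w:i:t:s:Spz:ZyCOo:v"` collides with the `v:` already in that optstring (`-v appver`): bash getopts resolves an option letter by its first occurrence, so `-v` still demands an argument and a plain `-v` is reported as a missing-argument error instead of enabling verbose hdiutil output. Give the verbose flag an unused letter, e.g. `while getopts "hg:e:d:a:v:j:w:i:t:s:Spz:ZyCOo:V" opt; do`, and change the usage text and the new case arm to `V` to match. The new EXAMPLE lines also mislabel the staple flag: `-t` takes a tmpdir argument, so `... -t -z utils/...icns` would set `TEMPDIR` to `-z` and leave the icns path as a stray positional; the example should use `-p`, and `signed and stapled (-t)` should read `(-p)`. Both usage() and the getopts loop extend beyond this hunk.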
@@ -90,6 +98,9 @@ while getopts "hg:e:d:a:v:j:w:i:t:s:Sz:ZyCOo:" opt; do
 S)
 NOCODESIGNING=1
 ;;
+ p)
+ STAPLE=1
+ ;;
 z)
 VOLUMEICON="${OPTARG}"
 ;;
@@ -102,6 +113,9 @@ while getopts "hg:e:d:a:v:j:w:i:t:s:Sz:ZyCOo:" opt; do
 C)
 CLEANUP=1
 ;;
+ v)
+ HDIUTILV=""
+ ;;
 *)
 echo "Unrecognised option. Run with -h for help."
 exit 1
@@ -256,7 +270,7 @@ mydetachexit() {
 CODE=$2
 if [ ! -z "$VOLDIR" ]; then
 echo "* First detaching '${VOLDIR}'"
- hdiutil detach "$VOLDIR"
+ hdiutil detach $HDIUTILV "$VOLDIR"
 fi
 echo "$MSG"
 exit $CODE
@@ -279,7 +293,7 @@ myparanoidrm() {
 MOUNT=$( hdiutil info | grep "Apple_HFS" | grep "$REALPATH" 2>/dev/null | head -1 | sed -e 's/^[^[:space:]]*[[:space:]]*Apple_HFS[[:space:]]*//' )
 if [ ! -z "$MOUNT" -a -d "$MOUNT" ]; then
 echo "* First detaching '${MOUNT}'"
- hdiutil detach "$MOUNT"
+ hdiutil detach $HDIUTILV "$MOUNT"
 fi
 rm -Rf "${REMOVE}"
@@ -299,8 +313,7 @@ MOUNTROOT="${TEMPDIR}/Volume"
 mkdir -p "$MOUNTROOT"
 echo "* Mounting disk image '${DMGFILE}' in '${MOUNTROOT}'"
-echo "hdiutil attach -mountroot \"${MOUNTROOT}\" \"${DMGFILE}\""
-hdiutil attach -mountroot "${MOUNTROOT}" "${DMGFILE}" || myexit "Could not mount '${DMGFILE}' in '${MOUNTROOT}'. Aborting." 10
+hdiutil attach $HDIUTILV -mountroot "${MOUNTROOT}" "${DMGFILE}" || myexit "Could not mount '${DMGFILE}' in '${MOUNTROOT}'. Aborting." 10
 VOLDIR=$(ls -1d "${MOUNTROOT%/}"/* | head -1)
 VOLDIR="${VOLDIR%/}" # remove trailing slash
 if [ -z "$VOLDIR" ]; then
@@ -353,15 +366,15 @@ echo "* Copying '${VOLDIR}' to '${TEMPDMGDIR}'"
 ditto "$VOLDIR" "$TEMPDMGDIR"
 echo "* Unmounting '${VOLDIR}' and removing '${TEMPDIR}/Volume'"
-hdiutil detach "$VOLDIR"
+hdiutil detach $HDIUTILV "$VOLDIR"
 rmdir "${TEMPDIR}/Volume"
 TRUE=""
-RUNNING="RUNNING: "
+RUNNING="RUNNING:"
 if [ "$NOCODESIGNING" = 1 ]; then
 echo "* NO actual code signing due to -S flag"
 TRUE="true"
- RUNNING="NOT RUNNING: "
+ RUNNING="NOT RUNNING:"
 fi
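Review bot: The new `v) HDIUTILV=""` arm in the `-102` hunk is unreachable as written: the optstring shown in this hunk's header already declares `v:` (`-v appver`), so getopts only ever delivers `-v` together with an argument, and if an earlier `v)` arm assigns APPVER — not visible here, but implied by the usage text — `case` takes that first match and never falls through to this one. Use a distinct letter, e.g. `V)` / `HDIUTILV=""` / `;;`, and change the optstring and usage text to `V` alongside it. The getopts loop this arm belongs to starts before and ends after this hunk.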
@@ -371,24 +384,36 @@ echo "* Code signing in '${TEMPDMGDIR}'"
 FILE="${TEMPDMGDIR}/${APPNAME}.app/Contents/Resources/app/jre/Contents/MacOS/libjli.dylib"
 echo "* + '$FILE'"
-echo "${RUNNING}codesign --remove-signature --force --deep -vvvv -s \"$DEVELOPERID\" --options runtime --entitlements \"$ENTITLEMENTSFILE\" \"$FILE\""
+echo "${RUNNING} codesign --remove-signature --force --deep -vvvv -s \"$DEVELOPERID\" --options runtime --entitlements \"$ENTITLEMENTSFILE\" \"$FILE\""
 $TRUE codesign --remove-signature --force --deep -vvvv -s "$DEVELOPERID" --options runtime --entitlements "$ENTITLEMENTSFILE" "$FILE"
-echo "${RUNNING}codesign --verify --deep -v \"$FILE\""
+echo "${RUNNING} codesign --verify --deep -v \"$FILE\""
 $TRUE codesign --verify --deep -v "$FILE"
-
-FILE="${TEMPDMGDIR}/${APPNAME}.app/Contents/MacOS/JavaApplicationStub"
+APPPATH="${TEMPDMGDIR}/${APPNAME}.app"
+FILE="${APPPATH}/Contents/MacOS/JavaApplicationStub"
 echo "* + '$FILE'"
-echo "${RUNNING}codesign --remove-signature --force --deep -vvvv -s \"$DEVELOPERID\" --options runtime --entitlements \"$ENTITLEMENTSFILE\" \"$FILE\""
+echo "${RUNNING} codesign --remove-signature --force --deep -vvvv -s \"$DEVELOPERID\" --options runtime --entitlements \"$ENTITLEMENTSFILE\" \"$FILE\""
 $TRUE codesign --remove-signature --force --deep -vvvv -s "$DEVELOPERID" --options runtime --entitlements "$ENTITLEMENTSFILE" "$FILE"
+# stapling
+SIGNEDDIRNAME="signed"
+if [ "$STAPLE" = 1 ]; then
+
+ SIGNEDDIRNAME="stapled"
+
+ echo "* Stapling '${APPNAME}.app'"
+
+ echo "${RUNNING} xcrun stapler staple \"${APPPATH}\""
+ $TRUE xcrun stapler staple "${APPPATH}"
+
+fi
 if [ ! -z "$OUTPUTDMGFILE" ]; then
 NEWDMGFILE="$OUTPUTDMGFILE"
 else
- SIGNEDDIR="${DMGDIR%/}/signed"
+ SIGNEDDIR="${DMGDIR%/}/${SIGNEDDIRNAME}"
 NEWDMGFILE="${SIGNEDDIR}/${DMGNAME}"
 echo "* Creating folder '${SIGNEDDIR}' for new DMG file '${DMGNAME}'"
 mkdir -p "$SIGNEDDIR"
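Review bot: `$TRUE xcrun stapler staple "${APPPATH}"` discards the stapler's exit status, so a failed staple still produces a DMG under a directory named `stapled`, and nothing in this hunk submits the freshly signed bundle for notarization — `stapler` can only attach a ticket the notary service has already issued for this exact signature, so unless that submission happens elsewhere before this script runs, the staple will fail here every time. Follow the pattern the hdiutil calls use: `$TRUE xcrun stapler staple "${APPPATH}" || myexit "Could not staple '${APPPATH}'. Aborting." 18` (pick an exit code not already used in the script), and mirror the existing `codesign --verify` step with `$TRUE xcrun stapler validate "${APPPATH}"`. Note also that with `-S` the stapler is skipped via `$TRUE` but `SIGNEDDIRNAME` still flips to `stapled`; set it only after the staple succeeds. The `if [ ! -z "$OUTPUTDMGFILE" ]` block at the bottom continues beyond this hunk.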
@@ -404,14 +429,15 @@ fi
 if [ "$NOVOLUMEICON" = 1 ]; then
+ echo "* NOT setting a volume icon"
 # without volume icon
 echo "* Creating new DMG file '${NEWDMGFILE}' to sign"
- echo "hdiutil create -megabytes 260 -srcfolder \"$TEMPDMGDIR\" -volname \"$VOLNAME\" \"$NEWDMGFILE\""
- hdiutil create -megabytes 260 -srcfolder "$TEMPDMGDIR" -volname "$VOLNAME" "$NEWDMGFILE" || mydetachexit "Could not create new DMG file '${NEWDMGFILE}'" 15
+ echo "hdiutil create $HDIUTILV -megabytes 260 -srcfolder \"$TEMPDMGDIR\" -volname \"$VOLNAME\" \"$NEWDMGFILE\""
+ hdiutil create $HDIUTILV -megabytes 260 -srcfolder "$TEMPDMGDIR" -volname "$VOLNAME" "$NEWDMGFILE" || mydetachexit "Could not create new DMG file '${NEWDMGFILE}'" 15
 else
@@ -422,16 +448,16 @@ else
 TEMPMOUNTDIR="${TEMP_RW_BASE}_mount"
- echo "* Creating temporary RW DMG file '${TMPDMGFILE}' to sign"
+ echo "* Creating temporary RW DMG file '${TEMPDMGFILE}' to sign"
 
- echo "hdiutil create -format UDRW -megabytes 260 -srcfolder \"$TEMPDMGDIR\" -volname \"$VOLNAME\" \"$TEMPDMGFILE\""
- hdiutil create -format UDRW -megabytes 260 -srcfolder "$TEMPDMGDIR" -volname "$VOLNAME" "$TEMPDMGFILE" || mydetachexit "Could not create temporary DMG file '${TEMPDMGFILE}'" 15
+ echo "hdiutil create $HDIUTILV -format UDRW -megabytes 260 -srcfolder \"$TEMPDMGDIR\" -volname \"$VOLNAME\" \"$TEMPDMGFILE\""
+ hdiutil create $HDIUTILV -format UDRW -megabytes 260 -srcfolder "$TEMPDMGDIR" -volname "$VOLNAME" "$TEMPDMGFILE" || mydetachexit "Could not create temporary DMG file '${TEMPDMGFILE}'" 15
 echo "* Mounting temporary disk image '${TEMPDMGFILE}' on '${TEMPMOUNTDIR}'"
- echo "hdiutil attach -mountpoint \"${TEMPMOUNTDIR}\" \"${TEMPDMGFILE}\""
- hdiutil attach -mountpoint "${TEMPMOUNTDIR}" "${TEMPDMGFILE}" || myexit "Could not mount '${TEMPDMGFILE}' on '${TEMPMOUNTDIR}'. Aborting." 16
+ echo "hdiutil attach $HDIUTILV -mountpoint \"${TEMPMOUNTDIR}\" \"${TEMPDMGFILE}\""
+ hdiutil attach $HDIUTILV -mountpoint "${TEMPMOUNTDIR}" "${TEMPDMGFILE}" || myexit "Could not mount '${TEMPDMGFILE}' on '${TEMPMOUNTDIR}'. Aborting." 16
 VOLDIR="$TEMPMOUNTDIR" # for mydetachexit
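Review bot: `hdiutil attach $HDIUTILV -mountpoint "${TEMPMOUNTDIR}" "${TEMPDMGFILE}"` mounts the scratch image where Finder and Spotlight will browse it, which is a common reason the later detach of the same mount reports a busy volume and leaves the image attached when it is converted. Unless the icon-setting steps after this hunk rely on Finder seeing the volume, add `-nobrowse` to this attach: `hdiutil attach $HDIUTILV -nobrowse -mountpoint "${TEMPMOUNTDIR}" "${TEMPDMGFILE}" || myexit "Could not mount '${TEMPDMGFILE}' on '${TEMPMOUNTDIR}'. Aborting." 16`, and mirror it in the echoed command line above it. The else branch this hunk sits in continues past its last line.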
@@ -459,14 +485,14 @@ else
 echo "* Unmounting '${TEMPMOUNTDIR}'"
- echo "hdiutil detach \"$TEMPMOUNTDIR\""
- hdiutil detach "$TEMPMOUNTDIR"
+ echo "hdiutil detach $HDIUTILV \"$TEMPMOUNTDIR\""
+ hdiutil detach $HDIUTILV "$TEMPMOUNTDIR"
 echo "* Converting temporary DMG file to new DMG file '${NEWDMGFILE}' to sign"
- echo "hdiutil convert \"$TEMPDMGFILE\" -format UDZO -o \"$NEWDMGFILE\""
- hdiutil convert "$TEMPDMGFILE" -format UDZO -o "$NEWDMGFILE" || mydetachexit "Could not convert to new DMG file '${NEWDMGFILE}'" 17
+ echo "hdiutil convert $HDIUTILV \"$TEMPDMGFILE\" -format UDZO -o \"$NEWDMGFILE\""
+ hdiutil convert $HDIUTILV "$TEMPDMGFILE" -format UDZO -o "$NEWDMGFILE" || mydetachexit "Could not convert to new DMG file '${NEWDMGFILE}'" 17
 echo "* Removing temporary DMG file '${TEMPDMGFILE}'"
@@ -477,14 +503,15 @@ fi
 echo "* Code signing '${NEWDMGFILE}'"
-echo "${RUNNING}codesign --force --deep -vvvv -s \"$DEVELOPERID\" --options runtime --entitlements \"$ENTITLEMENTSFILE\" \"$NEWDMGFILE\""
+echo "${RUNNING} codesign --force --deep -vvvv -s \"$DEVELOPERID\" --options runtime --entitlements \"$ENTITLEMENTSFILE\" \"$NEWDMGFILE\""
 $TRUE codesign --force --deep -vvvv -s "$DEVELOPERID" --options runtime --entitlements "$ENTITLEMENTSFILE" "$NEWDMGFILE"
-echo "${RUNNING}codesign --deep -vvvv \"$NEWDMGFILE\""
+echo "${RUNNING} codesign --deep -vvvv \"$NEWDMGFILE\""
 $TRUE codesign --deep -vvvv "$NEWDMGFILE"
 echo "* Removing TEMPDIR '${TEMPDIR}'"
 myparanoidrm "${TEMPDIR}"
-echo "*** Signed DMG file at '${NEWDMGFILE}'"
+[ "$STAPLED" = 1 ] && ANDSTAPLED=" and stapled"
+echo "*** Signed${ANDSTAPLED} DMG file at '${NEWDMGFILE}'"
--
1.7.10.2
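Review bot: `hdiutil detach $HDIUTILV "$TEMPMOUNTDIR"` in the `-459` hunk still discards its exit status, while the `hdiutil convert` two lines later reads the very image that was just supposed to be detached; if the detach fails (typically a busy volume) the convert runs against a still-attached read-write image, which may fail outright or capture an inconsistent view, and the `|| mydetachexit` guard that the create/attach/convert calls carry is absent here. Suggest `hdiutil detach $HDIUTILV "$TEMPMOUNTDIR" || hdiutil detach $HDIUTILV -force "$TEMPMOUNTDIR" || myexit "Could not detach '${TEMPMOUNTDIR}'. Aborting." 18` (pick an exit code not already used), so the convert only ever runs on a quiesced image. The else branch this hunk belongs to begins before it.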
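Review bot: `[ "$STAPLED" = 1 ] && ANDSTAPLED=" and stapled"` in the `-477` hunk tests a variable nothing assigns — the `-p` flag sets `STAPLE=1` earlier in this patch — so the closing message never reports stapling, and `ANDSTAPLED` is also never initialised, so a value inherited from the caller's environment would be printed verbatim. Change the pair to `ANDSTAPLED=""` and `[ "$STAPLE" = 1 ] && ANDSTAPLED=" and stapled"`. Separately, the ticket is stapled only to the `.app` inside the image; if the DMG is itself submitted for notarization (not visible in this patch), an `xcrun stapler staple "$NEWDMGFILE"` after the final codesign would let Gatekeeper verify the download offline as well.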