From fce63f9156c244e7d682cc7435a49a3c732610a3 Mon Sep 17 00:00:00 2001
From: bsiegel <96068+bsiegel@users.noreply.github.com>
Date: Thu, 19 Mar 2020 12:44:13 -0700
Subject: [PATCH] Correctly codesign Mac app for Catalina (#869)
---
 build_image.py | 51 ++++++++++++++++++++++--
 packaging_files/mac/dmg-background.tiff | Bin 0 -> 17856 bytes
 packaging_files/mac/dmg_settings.py | 42 +++++++++++++++++++
 packaging_files/mac/entitlements.plist | 16 ++++++++
 4 files changed, 105 insertions(+), 4 deletions(-)
 create mode 100644 packaging_files/mac/dmg-background.tiff
 create mode 100644 packaging_files/mac/dmg_settings.py
 create mode 100644 packaging_files/mac/entitlements.plist
diff --git a/build_image.py b/build_image.py
index 56ab71c9..a5198ba1 100755
--- a/build_image.py
+++ b/build_image.py
@@ -61,6 +61,7 @@ POLYGLOT_VERSION = '' # set in main for timing reasons
 POLYGLOT_BUILD = '' # set in main for timing reasons
 JAVA_HOME = '' # set in main for timing reasons
+SIGN_IDENTITY = '' # set in main for timing reasons
 IS_RELEASE = False
 CUR_YEAR = str(date.today().year)
@@ -74,6 +75,7 @@ def main(args):
 global POLYGLOT_VERSION
 global POLYGLOT_BUILD
 global JAVA_HOME
+ global SIGN_IDENTITY
 global IS_RELEASE
 global JAR_W_DEP
 global JAR_WO_DEP
@@ -97,6 +99,15 @@ def main(args):
 # remove args after consuming
 del args[command_index + 1]
 del args[command_index]
+
+ # allows specifying code signing identity for mac builds
+ if '-mac-sign-identity' in args:
+ command_index = args.index('-mac-sign-identity')
+ SIGN_IDENTITY = args[command_index + 1]
+
+ # remove args after consuming
+ del args[command_index + 1]
+ del args[command_index]
 # allows for override of java home (virtual environments make this necessary at times)
 if '-java-home-o' in args:
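Review bot: The new `-mac-sign-identity` block in main() reads `args[command_index + 1]` without checking that a value follows the flag, so passing it as the last argument ends in an IndexError rather than a usage message. Since this value is later placed into the codesign command line in distOsx(), I would fail early and explicitly: `if command_index + 1 >= len(args): raise SystemExit('-mac-sign-identity requires a value')`. The option block just above it in the context deletes `args[command_index + 1]` the same way and probably shares the gap. main() starts and ends outside this hunk.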
@@ -299,7 +310,7 @@ def imageOsx():
 '--launcher PolyGlot=org.darisadesigns.polyglotlina.polyglot')
 def distOsx():
- print('Creating distribution package...')
+ print('Creating app image...')
 command = (JAVA_HOME + '/bin/jpackage ' +
 '--runtime-image build/image ' +
 '--icon "PolyGlot.app" ' +
@@ -307,6 +318,7 @@ def distOsx():
 '--module org.darisadesigns.polyglotlina.polyglot/org.darisadesigns.polyglotlina.PolyGlot ' +
 '--copyright "2014-' + CUR_YEAR + ' Draque Thompson" ' +
 '--description "PolyGlot is a spoken language construction toolkit." ' +
+ '--type app-image ' +
 '--mac-package-name "PolyGlot" ' +
 '--file-associations packaging_files/mac/file_types_mac.prop ' +
 '--icon packaging_files/mac/PolyGlot.icns ' +
@@ -314,9 +326,38 @@ def distOsx():
 '--app-version "' + POLYGLOT_VERSION + '"')
 os.system(command)
-
- if copyDestination != "":
- copyInstaller('PolyGlot-' + POLYGLOT_VERSION + '.dmg')
+
+ # Remove the extra copy of libjli.dylib which causes notarization to fail
+ os.remove('PolyGlot.app/Contents/runtime/Contents/MacOS/libjli.dylib')
+
+ if SIGN_IDENTITY:
+ print('Code signing app image...')
+ command = ('codesign ' +
+ '--force ' + # Overwrite existing signature
+ '--timestamp ' + # Embed secure timestamps
+ '--options runtime ' + # Enable hardened runtime
+ '--entitlements packaging_files/mac/entitlements.plist ' + # Add entitlements
+ '--sign "' + SIGN_IDENTITY + '" ' +
+ 'PolyGlot.app')
+
+ os.system(command)
+ else:
+ print('No code signing identity specified, app image will not be signed')
+
+ if shutil.which('dmgbuild'):
+ print('Creating distribution package...')
+ command = ('dmgbuild ' +
+ '-s packaging_files/mac/dmg_settings.py ' +
+ 'PolyGlot ' +
+ 'PolyGlot-' + POLYGLOT_VERSION + '.dmg')
+
+ os.system(command)
+
+ if copyDestination != "":
+ copyInstaller('PolyGlot-' + POLYGLOT_VERSION + '.dmg')
+ else:
+ print('\'dmgbuild\' does not exist in PATH, distribution packaging will be skipped')
+ print('Run \'pip install dmgbuild\' to install it')
 ######################################
@@ -525,6 +566,8 @@ def printHelp():
 -java-home-o : Overrides JAVA_HOME. Useful for stubborn VMs that will not normally recognize environment variables.
+ -mac-sign-identity : Sign the Mac app image with the specified code signing identity.
+
 -copyDestination : sets location for the final created installer file to be copied to (ignored if distribution not built)
 -skip : skips the given step (can be used multiple times)
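Review bot: In distOsx() the result of `os.system(command)` for codesign is discarded, so a failed or rejected signature still falls through to dmgbuild and copyInstaller, and the build ends with an unsigned DMG and no error. The same call builds a shell string with `SIGN_IDENTITY` inside double quotes, where `$`, backticks and embedded quotes in the value are still interpreted by the shell. Running codesign through `subprocess.run` with an argument list and `check=True`, followed by a `codesign --verify --strict` pass, addresses both; this assumes `subprocess` is imported at the top of build_image.py, which is not visible here. The unguarded `os.remove(...)` of libjli.dylib will also raise if jpackage did not produce that file, so it may deserve an `os.path.exists` check. distOsx() starts before this hunk.

```python
    if SIGN_IDENTITY:
        print('Code signing app image...')
        # Argument list, no shell: the identity is passed verbatim, and a
        # non-zero exit from codesign aborts the build instead of letting
        # an unsigned image reach the packaging step.
        subprocess.run(['codesign',
                        '--force',                # Overwrite existing signature
                        '--timestamp',            # Embed secure timestamps
                        '--options', 'runtime',   # Enable hardened runtime
                        '--entitlements', 'packaging_files/mac/entitlements.plist',
                        '--sign', SIGN_IDENTITY,
                        'PolyGlot.app'],
                       check=True)
        # Confirm the signature is intact before the image is packaged.
        subprocess.run(['codesign', '--verify', '--strict', 'PolyGlot.app'],
                       check=True)
    # … unchanged: unsigned-build message, dmgbuild packaging, copyInstaller …
```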
diff --git a/packaging_files/mac/dmg-background.tiff b/packaging_files/mac/dmg-background.tiff new file mode 100644 index 0000000000000000000000000000000000000000..733404cf6ac6d92186f79f549adc401f817e7802 GIT binary patch literal 17856 zcmeI22UHZ8wa~4EE5F|+u5D5}g6cxopP*6Y+ zlps-1Knao*6a(h)s@12?U2|u?H}l=K-hG!^tE&HXYM(l3*EvMG*P24csl21Pe?>@{GuqjqY_$l7%K7 zR!Yb2`YV>0d0I6-dL64?Zti8REX0wif6UU``U+X0blXX59~{W$1=~LR>g6*3; z6nV3{+(WjjR@vbX^>~DCZ<>!Jmi2puIS_>pnVuN-33q7rsCPOy<`=PpST*WjKM@eQ zqj~;K?DeUjC`UCB&dkn7A-f!}c`BCPSqzJIQafQ+GrAlR<8*Byviad^)NW^Wkwd); zucBj}uY1-{K6|@+&rbCdqbqMd?upxZec{c=FD*=TXs9JyoF3WAWWtVa&GzG^YGcX} zqHfDRgQva0)FV%SBYT<1*v?F+%iNwLZpzxhY+}RSk>lsYd6PMV%zZQGjQ_??=ALlg z&Ya~~zAhHJef(Xy;+dOov6$ow-OBYV6}iolaeT||+%q*>yIFcJ6QP?__tEJ(IlsZhnpb zj#2jBaHrAymDrtQ9Q6BK#|rS7qu%09bRXQMQ)RQY zz?eMvE*_=2l!yWNcS-Z%Do3_?4!uWX_Gwp|w`*{Ua}gl_0q^1W`}B@mowD&6iLx(5 zOebOiKDr~hgLGlL-`yCUOV&_8Yf?N%Y1Lfl6{mpFnD$GKkYDRQz!AHEPHb}x8jC*J zg&0Ys1>#M5`a%b9lSBGjYtctBT)_TaEG9+w=%6i?28SP)7v#DWe*aT)Cs~k>P|D@gTTn~Pw`ALPZAlpco_6W^1GXuLRT#YKO7!<93DM9)l!p=*(9m_=?hg#hagRc ze69J(+7kVby9Bxh34o<+L4c0FZ2nb_=xqzpN>I=xr50CgS<)!c+E$2gz_oIJ z_B9?-?f;m}&+n0lT6lL{uFtBtZ7UE;qhn7xuCt_er_W`-8?JTNXY#gJM5YIcOO;se zvUzz{dK~VLCK6p*vA6t&U2Pd%zcZ1Tn-5*Vu!mk34*ktUg2dOBx}7)5&H6c!9Lg^~ z;Hm4jK9T$zP9*mV{7XIWb7UU(zF$yN<2%mLd)a@yV5K>5f|I@@c;XPgH*}KIbR>N8 zkpE=l1J2C3T@Mb`ti(Lz>|Kj}cxdHQ+!PlBI$^3%fBbYTE*$_&>5q12he zv-tE`=3K-ddEj4L%CvDfzzzX`1OPyYJoo^8(@-`g;hP3nSR=n{G^{b-HJl5g`L5xc zKnwr@--i_d21|$;pkNJKVD%uDUu@Wa(H!6PO*k*-4|`>31At2b@Ex&Y(8eEH2IBc8 zujqFTmk3FJEtdf<*8?K{lCD9~l%`=VA*=7{@Lf|v0Tlpr2C#h?0MhSa16Wha`|n?r zApnTI@VO1V!>vbI0Du`;)s;U+jot>qm&YiQhm655hpPn{1mzQs8nVd81_#yEH8h5YdwW$>ban6DYj0OnG&X+tu(?@I&cb45=JI7HrxPcR9ND$Y%`G|E z*Z21A!ood!GBWn>&&`dDEG;FIYik=DySkK=?%W{~H8p2v_4ImrTwJ83)6&kLhg-3} z{p}uDAOFAIh5yz!SX+DixU@7WskZjjtGPKtLn$dApJ&hf{GLCzvx|s$`I1bIi%Uz3 zj?T+_@gg|5tZa4F%j?vsl@-cUc;SM*y{zojtMl^~777aO?bFjnMoLQE-4hdfdPL&j z;OMA^hL+a7djkWis`~nqlU-c|f{DrOY-_8$yp`3$LSy63ou^M%RK&!%yQil5`}g$~ 
z7stnEWu>R*=SN4EmwS3%yx82_)1$0BG^D1ct-ZKtV9?+1<|ZSPnR)s0zje3&uc^Gd zzbD?!mE`Lg5*QxfE)f*q2|$>)hevprw;wJ-R+<3Ul+M7!J0K9j1b}})Scs**7S4XV z1CFW>UZJP~21oZ(4(*-TedH zVH--FgWUbyDY_lj`y;~1utu7|Iyu6d90}`TSPS}v`+LLsEv(u6$*!UB3Q9*w4j{8%V9>4*Z%?lY?y6{M9E6!0<Q$`C6p7OclU1Gb$Kfawk!K(6!v6e}%2Iv#QZjYxw%t<8Ka# zEcg@=>g|c6Bx_q*<4EBl5flwS6O;oQ&;Ulj2Drf{uo;K~Jdgp3Km}+3U0?*Z0c)@w zI0F*!0{$QbM1tKQ0VIQTkPY%d5hw%4Ks7iEE`WN_1X{sO&<*;*2p9)bU=BP1tKc>G z06`EHL=Uk-+z=lm1Z{<6AOfTY=|U!uCA1xKfjprAC>+`iB|_;?E>r|nK-JKBs1a&~ zZb1XkJ!l$Qf?h!H5l93bf(^lo5JpHM2nbDtF~S<*gz!WJBcc&Why#d1L?z-3q7KoD z=thhnrVvjMYw+g;Es_JtkHjMhNNwacqyy3e8G_t{OhXnRE0JfBSCE~^A>?J*W&+5$YtW4%LntLQSJqQJ>NDXdd)dv@+TdZIAXuN1~I_ z1?VdDWpoF61U-j-jlp0zFd`U5i~(jl#s?FF$-tCi&S6?G1DILN8Wj~4H`P`uBGoo3 zSE?|oWU9kdXQ-}I4N}cfy~WaE`LHrrJ*)#Z0J|4kfIWr1h8@H%U_VeZQ43KkQ*Wbo zr`|=KMSYC=3iTc8IqDBI%rqi2L>g-vADRT3LYlKQ9W)a(FKKCM1!$FMEoi-I<7o?N zYiYY^r)l5OvCxUpY128npGsH0zGt@B*GCXCZW)x!7WOQbXW-MU5$asfwnTeW7m`R(-m1z%CF;gScDAO7< zE3-87HfDe34CYhJx0n}Ms91zqbXnY4l30$i++dkyMY3*Y)n+BJCbAx5?O>f_!?204 z8M67XrL)zr^|7t8v#`st+pm1hz*L!Xpw=TCYcMf+w_v8lD2C)qm8zMIx+0e0Jc_Z6Km5rp0 zX&WzWyw8K+5#zDsiQzfQ)5EjIyNOqyH;DHz?+xDNO&psvHu-GI+jMQy5+5s{8lN{` z9^ZAo$2fMJCe9C6h-=5K^7HT;@Q3qP@b~e55D*ct5!fqmPGE8~&1S-8kIi|T+cvKX z@(G#>?iM^PcwdNGh#=%8bV#UE=#8+5u$^#96uFXbn7Oln-3McPPuuk;n^7cycpB$;BFVOe@vJ=r+f z2HEFwTjj`dN94xjS>;XTQ{>y^KPf0GgeaU*mQtKj zlhQk71?4d13(C(_@G8D4r&JbIMO4YE$5dyD0z_A01#wCZr{8m}8O^6!Qd%Kem$lw#D{IGUx9A{s^mWp7`gB=zZFGxtALt3_dFq|k zTh*7>kI`>2KpPkv+o$HljA+ zHf^?ywvM*dwr}io>~ig<>?Q4E?Yp;c*zUc(!GX%b)}hK_ZHMlT{2g zqMU9yZ*cZ=Zr;hb({<-X7qp9=%PE(SuG?HIUDw9f$n{wCBzhk7T=G))D)3tN*7h#)e(q!7Q|9x=cbo4C-!Fc4e&_tL{x1HF0W1N& z0qudC0;2*4g0==F2TcVl2j>T`h8Txbg+ifDp$%bd@XJ(BxM=vk@aYJ(h~kL1k+zW+ zqnM)tqI!0T?MmIX5Um$|JO&j*ifP-;zdK>~bgX7<#U5yn+n%<#&2dR_bMgA|ClhEA zd=q;2O6|?v`zp~c@k$bJQhd_vKK*^ClNpjjl1EciQp)zD_IvN|OO;JMoccMSYfJSC|mZ%W-u2ajkRIa|hCmR|P0 z+`D|NLcgM}Qn<3#ljZRI&S^U|Ga~$W=Ye8*z?c?(<=kH!HzR-4&aPjOVp-Ux~Sudy6L3O+8 
zR_nd$ry9053^W=wwp~%Va`~#n)e}wpO~uXZ%~{uIt|eXjay|O`T1!yNa;sc29eI&f`JeXw;%XXxgz;c)ke*~q|Mo4aG9j-yj!?qiGh{O&!!A94S~c>Dx< zB5jgsvfu&FgUW|n9-f<0m};KZneLgfni-!Z%|3Y)`sm|a(mefq!2;hx^`gvT(~{m& z|KlBx=bi*T`LLY4!n{)QRP^bkXBy9XR_#~ko`*dD@*?9U_sbKnyz6{#_kQ6+wB?&}`*FY_=L4fR^umoF$}2dWgDyN~+3sh@{JcKE2GuXl;l z>}u_&kR4bq8i*ed5K%XzVY1^|d^{3W0qhYG?G&=3$>o^nKB$FygiD{fCu|9^u$K#4 z#{4Q0COfvq$77sYurN}CrjB>4jryM>HAXiMG?d#TW=i^h7pXbsrM8%stbu=D^N&bP zBh!AwqqLMA1>L_vYR;#6F`KhKgnmV8NR^&+_8RwY{esk(Ym9#y=U}Rni~fPs5Kd|^ zJxj+HeK7rRq(+%wFFKi)3h-tk-;o+(km={OwA5n8YbU-VHOgMZ&+pPwTkw1$-;o;W zcytXr`z5}I>fewWS^|_ryH}J02)m=dBQ-Speby?^Rp(&8BQ=j@c;bb9#L#FxapE_m z<{C7GAPZD9AY3}WAvN6&I9}f(QC=YQD*PK#bGC;C&&ipq^A)K%R*9`*5$B5+>N)WZ zsW~d3xhEZ~d+(i;DFvyyg|LWD$Hr58E0|G`nl=INuypJcHA&T+@@QY3#yan)Y_r&@ zWkEq|>cA?~?aIpSP6k#Kq~^R~&ZEro2C9Sm%l$|_?i>5`xY*6_l33C zjv~np*`Px zSW8TnC1%se<(2(olQ9y~ug4po7N4S36u5nN%hkZ*r!9&Hv9;o%b64Nc-&hPE{`gOzxyTE#I8mGjUYsLD3MWj?*U;Cw$ua?#5=H7>OaY(V^Gcjju0dL z$M4q`kENmYKX06f+C(3N(C8{8U|XFz^XG=ooqn2zo?hBGAAO`|(@P?@+#{~=bA9u( zI}8`k=VOxMT3>!*)ew(6VrC%b604pyCt7#kQdA+QtZeO5m;Y8XUG1RsxNHW5KsgrU z1hLc4h#^|Wc#<`-Uw9tb^QU|9p{LqtQHdGpm|!7{D~exD^O7mEORn6G34wj)XP)j2 zZqbc@`&KIG!Uk=tA_l!+4(g+y+_b%78G9E|H2tqq_d%a837`y9^%_)C5n?<#*{@TB z&BQif9d!|fT^k2%C3J@bSq8mX=n^}^bmvZKX#BsvY!WOk%hQQp+Q4G?2MC^EyV1

0)YrMetf#G1vxaFG6DbF9@DZEzU%* zHzCQ$(C@(y1h4M?p4|!TEp;AO*Acw`-w58{eHHjKa)zrFh9F{OW zILB>flRtMj0G=8n{A^$OlyzXKDvhSgF(*5ge z`G1CoIm5)v526(<3J2f66Rk)btp6I($^n3q^>?C`8pdj*{*-8?P&eO*R*F5{Poh=k z<4>Yh7WL;utCG*}6Ron=zfZI(MN!}Zc*}-&3U~1R7vTou2H$sdHLQ>RJg20CDgZV# z0l>Qn0KRwt_-6nRNe4ho0swLN9uhBLQr3EPbz-8uy|3@dlgpQ_ttBOum6MWYXVcP* zj7CN%)av}ajt+%dJ$u&Nd}by+ef#!+02h~~rQ~EUujS=ar-Fi>KAoCURgI3Ws`By4 z$~t`b=ury`DXE$oX=ypR=H}sH4Gl#_6_wuJ&Q1bBU43w{rA1zTY^Uro)x;MOfArTzO`TN@jDdi3fnNy&*5R#wu|wY4%b^75^%_wH$F5eTZP0|VXNN=h0UqoeKZ3JMbwO--`0 zMn==q7cN*>%+K4~KYmn04=*n} zIvzi6V`FAkU;pr-p`n~yON+L)qT=wdy1JoZZ?Cd)dU{7kb8~;cfx($G$;o^696adY zaP{iU% + + + + com.apple.security.cs.allow-jit + + com.apple.security.cs.allow-unsigned-executable-memory + + com.apple.security.cs.disable-executable-page-protection + + com.apple.security.cs.allow-dyld-environment-variables + + com.apple.security.cs.disable-library-validation + + +
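Review bot: The entitlement keys listed at the end of this patch (packaging_files/mac/entitlements.plist, per the diffstat) include `com.apple.security.cs.disable-library-validation`, `com.apple.security.cs.allow-dyld-environment-variables` and `com.apple.security.cs.disable-executable-page-protection`, which relax most of the protections that `--options runtime` enables in the codesign call. The plist markup and values were lost in this rendering, so this assumes each key is set to true. I would keep only the keys the bundled Java runtime demonstrably fails without, most likely `com.apple.security.cs.allow-jit` and possibly `com.apple.security.cs.allow-unsigned-executable-memory`, though that needs testing. Each key that stays should carry a plist comment recording the failure that made it necessary.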