Merge pull request #4774 from fwcd/adhoc-signing-macos

macOS packaging: Perform ad-hoc signing of macOS bundle by default
mixxxdj · Jun 23, 2022 · 50708ab · 50708ab
2 parents 8facfb6 + e922329
commit 50708ab
Show file tree

Hide file tree

Showing 2 changed files with 23 additions and 6 deletions.
diff --git a/CMakeLists.txt b/CMakeLists.txt
@@ -2805,6 +2805,14 @@ if(APPLE AND MACOS_BUNDLE)
     set(BUNDLE_DIRS "${CMAKE_PREFIX_PATH}/lib;${Qt5Widgets_DIR}/../..")
     set(APPLE_CODESIGN_ENTITLEMENTS "${CMAKE_CURRENT_SOURCE_DIR}/packaging/macos/entitlements.plist")
 
+    # Starting with arm64 macOS Apple will require ad-hoc code signatures,
+    # which can be generated by setting the identity to a single dash (-).
+    # These only include a checksum for verifying integrity, not an actual
+    # signature.
+    if (NOT APPLE_CODESIGN_IDENTITY)
+      set(APPLE_CODESIGN_IDENTITY -)
+    endif()
+
     configure_file(cmake/modules/BundleInstall.cmake.in "${CMAKE_CURRENT_BINARY_DIR}/BundleInstall.cmake" @ONLY)
     install(SCRIPT "${CMAKE_CURRENT_BINARY_DIR}/BundleInstall.cmake")
 endif()
diff --git a/cmake/modules/BundleInstall.cmake.in b/cmake/modules/BundleInstall.cmake.in
@@ -19,12 +19,21 @@ fixup_bundle("${BUNDLE_PATH}" "${BUNDLE_LIBS}" "${BUNDLE_DIRS}")
 
 if(DEFINED APPLE_CODESIGN_IDENTITY AND DEFINED APPLE_CODESIGN_ENTITLEMENTS)
   foreach(PATH_TO_SIGN IN LISTS BUNDLE_LIBS BUNDLE_PATH)
-    execute_process(COMMAND
-        codesign --verbose=4 --deep --force --options runtime
-        --entitlements "${APPLE_CODESIGN_ENTITLEMENTS}"
-        --sign "${APPLE_CODESIGN_IDENTITY}"
-        "${PATH_TO_SIGN}"
-    )
+    if(APPLE_CODESIGN_IDENTITY STREQUAL "-")
+      message(STATUS "Ad-hoc signing bundle without hardened runtime")
+      execute_process(COMMAND
+          codesign --verbose=4 --deep --force
+          --sign "${APPLE_CODESIGN_IDENTITY}"
+          "${PATH_TO_SIGN}"
+      )
+    else()
+      execute_process(COMMAND
+          codesign --verbose=4 --deep --force --options runtime
+          --entitlements "${APPLE_CODESIGN_ENTITLEMENTS}"
+          --sign "${APPLE_CODESIGN_IDENTITY}"
+          "${PATH_TO_SIGN}"
+      )
+    endif()
   endforeach()
 else()
   message(STATUS "Not signing bundle. Specify -DAPPLE_CODESIGN_IDENTITY and -DAPPLE_CODESIGN_ENTITLEMENTS to cmake before running cpack to sign")