Makefile: add code signing step for MacOS

vdye · vdye · commit f779fea193e9 · 2023-03-15T15:30:43.000-07:00
Add a new script 'codesign.sh' to sign the contents of a given MacOS directory with the appropriate Apple Developer ID certificate (assumed to already be set up in a keychain). Add a 'codesign' target to the 'make package' workflow that only runs if the 'APPLE_APP_IDENTITY' build variable is set. Additionally, add an '--identity' argument to 'pack.sh' to sign the .pkg generated by 'productbuild' - if 'APPLE_INST_IDENTITY' is not set, the .pkg is not signed. Note that the signing identities for 'codesign.sh' and 'pack.sh' are different variables: 'APPLE_APP_IDENTITY' is the application signing identity, and 'APPLE_INST_IDENTITY' is the installer signing identity. More information on this signing process can be found at [1] and [2]. Finally, change the temporary package name suffix from '.tmp' to '.component' to more clearly indicate that it is a component package. [1] https://developer.apple.com/forums/thread/701514 [2] https://developer.apple.com/forums/thread/701581 Signed-off-by: Victoria Dye <vdye@github.com>
diff --git a/Makefile b/Makefile
@@ -22,6 +22,10 @@ GOARCH := $(shell go env GOARCH)
 SUPPORTED_PACKAGE_GOARCHES := amd64 arm64
 PACKAGE_ARCH := $(GOARCH)
 
+# Guard against environment variables
+APPLE_APP_IDENTITY =
+APPLE_INST_IDENTITY =
+
 # Build targets
 .PHONY: build
 build:
@@ -95,7 +99,8 @@ else ifeq ($(GOOS),darwin)
 # Steps:
 #   1. Layout files in _dist/pkg/payload/ as they'll be installed (including
 #      uninstall.sh script).
-#   2. Create the product archive in _dist/.
+#   2. (Optional) Codesign the package contents in place.
+#   3. Create the product archive in _dist/.
 
 # Platform-specific variables
 PKGDIR := $(DISTDIR)/pkg
@@ -110,11 +115,24 @@ $(PKGDIR)/payload: check-arch build doc
 			    --uninstaller="$(CURDIR)/scripts/uninstall.sh" \
 			    --install-root="$(PKGDIR)/payload"
 
+ifdef APPLE_APP_IDENTITY
+.PHONY: codesign
+codesign: $(PKGDIR)/payload
+	@echo
+	@echo "======== Codesigning package contents ========"
+	@build/package/pkg/codesign.sh --payload="$(PKGDIR)/payload" \
+				       --identity="$(APPLE_APP_IDENTITY)" \
+				       --entitlements="$(CURDIR)/build/package/pkg/entitlements.xml"
+
+$(PKG_FILENAME): codesign
+endif
+
 $(PKG_FILENAME): check-version $(PKGDIR)/payload
 	@echo
 	@echo "======== Creating product archive package ========"
 	@build/package/pkg/pack.sh --version="$(VERSION)" \
 				   --payload="$(PKGDIR)/payload" \
+				   --identity="$(APPLE_INST_IDENTITY)" \
 				   --output="$(PKG_FILENAME)"
 
 .PHONY: package
diff --git a/build/package/pkg/codesign.sh b/build/package/pkg/codesign.sh
@@ -0,0 +1,65 @@
+#!/bin/bash
+
+sign_directory () {
+	(
+	cd $1
+	for f in *
+	do
+		macho=$(file --mime $f | grep mach)
+		# Runtime sign dylibs and Mach-O binaries
+		if [[ $f == *.dylib ]] || [ ! -z "$macho" ];
+		then
+			echo "Runtime Signing $f"
+			codesign -s "$IDENTITY" $f --timestamp --force --options=runtime --entitlements $ENTITLEMENTS_FILE
+		elif [ -d "$f" ];
+		then
+			echo "Signing files in subdirectory $f"
+			sign_directory $f
+
+		else
+			echo "Signing $f"
+			codesign -s "$IDENTITY" $f  --timestamp --force
+		fi
+	done
+	)
+}
+
+for i in "$@"
+do
+case "$i" in
+	--payload=*)
+	SIGN_DIR="${i#*=}"
+	shift # past argument=value
+	;;
+	--identity=*)
+	IDENTITY="${i#*=}"
+	shift # past argument=value
+	;;
+	--entitlements=*)
+	ENTITLEMENTS_FILE="${i#*=}"
+	shift # past argument=value
+	;;
+	*)
+	die "unknown option '$i'"
+	;;
+esac
+done
+
+if [ -z "$SIGN_DIR" ]; then
+    echo "error: missing directory argument"
+    exit 1
+elif [ -z "$IDENTITY" ]; then
+    echo "error: missing signing identity argument"
+    exit 1
+elif [ -z "$ENTITLEMENTS_FILE" ]; then
+    echo "error: missing entitlements file argument"
+    exit 1
+fi
+
+echo "======== INPUTS ========"
+echo "Directory: $SIGN_DIR"
+echo "Signing identity: $IDENTITY"
+echo "Entitlements: $ENTITLEMENTS_FILE"
+echo "======== END INPUTS ========"
+
+sign_directory "$SIGN_DIR"
diff --git a/build/package/pkg/pack.sh b/build/package/pkg/pack.sh
@@ -11,6 +11,9 @@ THISDIR="$( cd "$(dirname "$0")" ; pwd -P )"
 IDENTIFIER="com.github.gitbundleserver"
 INSTALL_LOCATION="/usr/local/git-bundle-server"
 
+# Defaults
+IDENTITY=
+
 # Parse script arguments
 for i in "$@"
 do
@@ -23,6 +26,10 @@ case "$i" in
 	PAYLOAD="${i#*=}"
 	shift # past argument=value
 	;;
+	--identity=*)
+	IDENTITY="${i#*=}"
+	shift # past argument=value
+	;;
 	--output=*)
 	PKGOUT="${i#*=}"
 	shift # past argument=value
@@ -59,7 +66,7 @@ fi
 mkdir -p "$(dirname "$PKGOUT")"
 
 # Build the component package
-PKGTMP="$PKGOUT.tmp"
+PKGTMP="$PKGOUT.component"
 
 # Remove any unwanted .DS_Store files
 echo "Removing unnecessary files..."
@@ -91,6 +98,7 @@ echo "Building product package..."
 	--package "$PKGTMP" \
 	--identifier "$IDENTIFIER" \
 	--version "$VERSION" \
+	${IDENTITY:+"--sign"} ${IDENTITY:+"$IDENTITY"} \
 	"$PKGOUT"
 
 echo "Product build complete."
