osx/codesign.sh: apply linter recommendations

mjcheetham · mjcheetham · commit c09872027012 · 2025-11-13T10:25:37.000Z
Apply linter recommendations to the codesign.sh script used on macOS.
Also always pass the absolute path of the entitlements file to the
codesign command as using relative paths can sometimes fail.

Signed-off-by: Matthew John Cheetham &lt;mjcheetham@outlook.com&gt;
diff --git a/src/osx/Installer.Mac/codesign.sh b/src/osx/Installer.Mac/codesign.sh
@@ -15,37 +15,45 @@ elif [ -z "$ENTITLEMENTS_FILE" ]; then
     exit 1
 fi
 
+# The codesign command needs the entitlements file to be given as an absolute
+# file path; relative paths can cause issues.
+if [[ "${ENTITLEMENTS_FILE}" != /* ]]; then
+  echo "error: entitlements file argument must be an absolute path"
+  exit 1
+fi
+
 echo "======== INPUTS ========"
 echo "Directory: $SIGN_DIR"
 echo "Developer ID: $DEVELOPER_ID"
 echo "Entitlements: $ENTITLEMENTS_FILE"
 echo "======== END INPUTS ========"
 echo
 echo "======== ENTITLEMENTS ========"
-cat $ENTITLEMENTS_FILE
+cat "$ENTITLEMENTS_FILE"
 echo "======== END ENTITLEMENTS ========"
 echo
 
-cd $SIGN_DIR
+cd "$SIGN_DIR" || exit 1
 for f in *
 do
-    macho=$(file --mime $f | grep mach)
+    macho=$(file --mime "$f" | grep mach)
     # Runtime sign dylibs and Mach-O binaries
-    if [[ $f == *.dylib ]] || [ ! -z "$macho" ];
+    if [[ $f == *.dylib ]] || [ -n "$macho" ];
     then
-        echo "Runtime Signing $f"
-        codesign -s "$DEVELOPER_ID" $f --timestamp --force --options=runtime --entitlements $ENTITLEMENTS_FILE
+        echo "Signing with entitlements and hardening: $f"
+        codesign -s "$DEVELOPER_ID" "$f" --timestamp --force --options=runtime --entitlements "$ENTITLEMENTS_FILE"
     elif [ -d "$f" ];
     then
-        echo "Signing files in subdirectory $f"
-        cd $f
-        for i in *
-        do
-            codesign -s "$DEVELOPER_ID" $i --timestamp --force
-        done
-        cd ..
+        echo "Signing files in subdirectory: $f"
+        (
+            cd "$f" || exit 1
+            for i in *
+            do
+                codesign -s "$DEVELOPER_ID" "$i" --timestamp --force
+            done
+        )
     else
-        echo "Signing $f"
-        codesign -s "$DEVELOPER_ID" $f  --timestamp --force
+        echo "Signing: $f"
+        codesign -s "$DEVELOPER_ID" "$f" --timestamp --force
     fi
 done
