Tools: Add script to codesign a macOS bundle or executable

With our current setup, we use the --deep option, which should be avoided.
This tool signs bundles in the "correct" way as recommended by Apple (each Mach-O individually, from the inside-out).
OatmealDome 2024-07-31 13:31:23 -04:00
parent f74f748ff6
commit 4883889e23

74
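--- a/Tools/mac-codesign.sh
+++ b/Tools/mac-codesign.sh
@@ -0,0 +1,74 @@
+#!/bin/bash
+# This script signs a specific object with the specified identity, entitlements,
+# and optional flags. If the target is a bundle, it will also sign all frameworks
+# and dylibs within the bundle.
+set -eu
+function usage() {
+echo "Usage: $0 [-t] [-e <entitlements file or "preserve">] <identity> <target to codesign>"
+exit 1
+}
+USE_SECURE_TIMESTAMP=0
+ENTITLEMENTS_FILE=""
+while getopts ":te:" opt; do
+case $opt in
+t)
+USE_SECURE_TIMESTAMP=1
+;;
+e)
+ENTITLEMENTS_FILE=$OPTARG
+;;
+\?)
+usage
+;;
+esac
+done
+if [ $USE_SECURE_TIMESTAMP -eq 1 ]; then
+TIMESTAMP_FLAG="--timestamp"
+else
+TIMESTAMP_FLAG="--timestamp=none"
+fi
+shift $((OPTIND - 1))
+if [ $# -ne 2 ]; then
+usage
+fi
+IDENTITY=$1
+TARGET_PATH=$2
+# Signs the given target with the specified identity and optional flags.
+function sign() {
+/usr/bin/codesign -f -s "$IDENTITY" $TIMESTAMP_FLAG ${2:-} "$1"
+}
+if [ -d "$TARGET_PATH" ]; then
+# Newlines are the only valid separator character in find's output.
+IFS=$'\n'
+for framework in $(find "$TARGET_PATH" -not -path "*/Helpers/*" -name '*.dylib' -or -name '*.framework'); do
+sign "$framework"
+done
+unset IFS
+fi
+TARGET_EXTRA_CODESIGN_FLAGS="-o runtime"
+if [ -n "$ENTITLEMENTS_FILE" ]; then
+# "preserve" is a special keyword which tells us we should preserve the
+# existing entitlements in the target.
+if [ "$ENTITLEMENTS_FILE" == "preserve" ]; then
+TARGET_EXTRA_CODESIGN_FLAGS+=" --preserve-metadata=entitlements"
+else
+TARGET_EXTRA_CODESIGN_FLAGS+=" --entitlements $ENTITLEMENTS_FILE"
+fi
+fi
+sign "$TARGET_PATH" "$TARGET_EXTRA_CODESIGN_FLAGS"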
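Review bot: The `find` expression in the framework loop does not group its `-or`, so it parses as `(-not -path "*/Helpers/*" -and -name '*.dylib') -or -name '*.framework'` and the Helpers exclusion never applies to `.framework` bundles; it also walks pre-order, so an enclosing `.framework` is signed before the dylibs nested inside it and the later re-sign of the nested code breaks the outer seal, which is the inside-out order the commit message sets out to achieve. Parenthesise the name tests and add `-depth` so children are listed before their containers: `find "$TARGET_PATH" -depth -not -path "*/Helpers/*" \( -name '*.dylib' -o -name '*.framework' \)`. Nested frameworks and dylibs are signed without `-o runtime`, so only the top-level target gets the hardened runtime; if the bundle is meant to be notarized, confirm that is intended. Separately, `--entitlements $ENTITLEMENTS_FILE` is concatenated into a single string that `sign` word-splits via unquoted `${2:-}`, so an entitlements path containing a space will break the codesign invocation; passing the extra flags as an array (`"${extra_flags[@]}"`) avoids that.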