From 5dca2e4f38106fa855c44ee636dbc283f30a85a6 Mon Sep 17 00:00:00 2001
From: bruvzg <7645683+bruvzg@users.noreply.github.com>
Date: Wed, 2 Oct 2019 21:00:16 +0300
Subject: [PATCH] macOS code signing improvements (timestamp and hardened runtime options, entitlements property hint, remove excessive codesign calls, suppress "file not found" error on first export)
---
 platform/osx/export/export.cpp | 35 ++++++++++++++++++----------------
 1 file changed, 19 insertions(+), 16 deletions(-)
diff --git a/platform/osx/export/export.cpp b/platform/osx/export/export.cpp
index 94090bcdc1d..c8ecbd5a2da 100644
--- a/platform/osx/export/export.cpp
+++ b/platform/osx/export/export.cpp
@@ -133,7 +133,9 @@ void EditorExportPlatformOSX::get_export_options(List *r_options)
 #ifdef OSX_ENABLED
 r_options->push_back(ExportOption(PropertyInfo(Variant::STRING, "codesign/identity"), ""));
- r_options->push_back(ExportOption(PropertyInfo(Variant::STRING, "codesign/entitlements"), ""));
+ r_options->push_back(ExportOption(PropertyInfo(Variant::BOOL, "codesign/timestamp"), true));
+ r_options->push_back(ExportOption(PropertyInfo(Variant::BOOL, "codesign/hardened_runtime"), true));
+ r_options->push_back(ExportOption(PropertyInfo(Variant::STRING, "codesign/entitlements", PROPERTY_HINT_GLOBAL_FILE, "*.plist"), ""));
 #endif
 r_options->push_back(ExportOption(PropertyInfo(Variant::BOOL, "texture_format/s3tc"), true));
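Review bot: The new `codesign/timestamp` option defaults to `true`, which quietly makes every signed export depend on reaching Apple's timestamp authority over the network; an export on an offline machine will now fail where it previously succeeded, and nothing near the option says so. A comment beside the two new BOOL lines would record the trade-off, e.g. `// Timestamping contacts Apple's timestamp server, so disable codesign/timestamp for offline builds; hardened runtime is required for notarization and turns on library validation for frameworks in the bundle.`. The defaults themselves look right for a notarization-ready export; the point is only that their consequences are undocumented.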
@@ -360,9 +362,17 @@ void EditorExportPlatformOSX::_fix_plist(const Ref &p_preset
 Error EditorExportPlatformOSX::_code_sign(const Ref &p_preset, const String &p_path) {
 List args;
+ if (p_preset->get("codesign/timestamp")) {
+ args.push_back("--timestamp");
+ }
+ if (p_preset->get("codesign/hardened_runtime")) {
+ args.push_back("--options");
+ args.push_back("runtime");
+ }
+
 if (p_preset->get("codesign/entitlements") != "") {
 /* this should point to our entitlements.plist file that sandboxes our application, I don't know if this should also be placed in our app bundle */
- args.push_back("-entitlements");
+ args.push_back("--entitlements");
 args.push_back(p_preset->get("codesign/entitlements"));
 }
 args.push_back("-s");
@@ -379,6 +389,10 @@ Error EditorExportPlatformOSX::_code_sign(const Ref &p_prese
 EditorNode::add_io_error("codesign: no identity found");
 return FAILED;
 }
+ if ((str.find("unrecognized blob type") != -1) || (str.find("cannot read entitlement data") != -1)) {
+ EditorNode::add_io_error("codesign: invalid entitlements file");
+ return FAILED;
+ }
 return OK;
 }
@@ -386,7 +400,9 @@ Error EditorExportPlatformOSX::_code_sign(const Ref &p_prese
 Error EditorExportPlatformOSX::_create_dmg(const String &p_dmg_path, const String &p_pkg_name, const String &p_app_path_name) {
 List args;
- OS::get_singleton()->move_to_trash(p_dmg_path);
+ if (FileAccess::exists(p_dmg_path)) {
+ OS::get_singleton()->move_to_trash(p_dmg_path);
+ }
 args.push_back("create");
 args.push_back(p_dmg_path);
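Review bot: The comment kept in the entitlements branch, `/* this should point to our entitlements.plist file that sandboxes our application, I don't know if this should also be placed in our app bundle */`, is now misleading next to the new `--options runtime` branch: the entitlements plist is where hardened-runtime exceptions are declared, codesign embeds it in the signature, and it does not need to be copied into the bundle. Replacing it with `// User-supplied entitlements plist; with hardened runtime on, runtime exceptions are declared here. codesign embeds it in the signature, so it is not copied into the bundle.` would state what the option does now. The rest of _code_sign, including the process invocation, is outside this hunk.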
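Review bot: The added entitlements check matches substrings of codesign's diagnostic text (`unrecognized blob type`, `cannot read entitlement data`), which is Apple's wording rather than a stable contract, and any failure that matches neither it nor the `no identity found` check above still falls through to `return OK`, so an unsigned app (for example when the timestamp server, contacted by default now that `--timestamp` is on, cannot be reached) is reported as signed. Unless the exit status of the execute call is already tested in the part of _code_sign outside this hunk, a generic guard should precede the message-specific checks, e.g. `if (<codesign_exit_status> != 0) { EditorNode::add_io_error("codesign: " + str); return FAILED; }` with `<codesign_exit_status>` standing for whichever local receives the process exit code, keeping the substring matches only to give a friendlier message.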
@@ -673,19 +689,6 @@ Error EditorExportPlatformOSX::export_project(const Ref &p_p
 ///@TODO we should check the contents of /Contents/Frameworks for frameworks to sign
 }
- if (err == OK && identity != "") {
- // we should probably loop through all resources and sign them?
- err = _code_sign(p_preset, tmp_app_path_name + "/Contents/Resources/icon.icns");
- }
-
- if (err == OK && identity != "") {
- err = _code_sign(p_preset, pack_path);
- }
-
- if (err == OK && identity != "") {
- err = _code_sign(p_preset, tmp_app_path_name + "/Contents/Info.plist");
- }
-
 // and finally create a DMG
 if (err == OK) {
 if (ep.step("Making DMG", 3)) {