diff options
| author | Eike Ziller <[email protected]> | 2020-02-13 14:50:15 +0100 |
|---|---|---|
| committer | Eike Ziller <[email protected]> | 2020-02-18 10:24:45 +0000 |
| commit | cde9f31068bed64bc06fd75fc3fc95418bee9f3d (patch) | |
| tree | 3e6fbef7e5d3180bbdf3991c0aabecd454e1927c /scripts/common.py | |
| parent | e85d6b363bd039c4407bbf5367cce0efdd559945 (diff) | |
macOS: Fix signing issues with notarization
Notarization requires signing with hardened runtime, but this added
requirements to the additional plugins we copy into Qt Creator for the
commercial package.
This patch fixes an issue with an absolute RPATH still being left in
extra plugins, and avoids copying plugins into an already signed
application by not signing the 7zips, but only the contents in the open
source disk image (and the installers are signed by the installer jobs
anyhow).
Change-Id: I8c945a0ad9df610b20a8ee110320875f255c65b4
Reviewed-by: Eike Ziller <[email protected]>
Diffstat (limited to 'scripts/common.py')
| -rw-r--r-- | scripts/common.py | 58 |
1 files changed, 34 insertions, 24 deletions
diff --git a/scripts/common.py b/scripts/common.py index 7c2fb13271d..db97ea35616 100644 --- a/scripts/common.py +++ b/scripts/common.py @@ -91,7 +91,8 @@ def copytree(src, dst, symlinks=False, ignore=None): def get_qt_install_info(qmake_bin): output = subprocess.check_output([qmake_bin, '-query']) - lines = output.decode(encoding).strip().split('\n') + decoded_output = output.decode(encoding) if encoding else output + lines = decoded_output.strip().split('\n') info = {} for line in lines: (var, sep, value) = line.partition(':') @@ -178,28 +179,37 @@ def is_not_debug(path, filenames): files = [fn for fn in filenames if os.path.isfile(os.path.join(path, fn))] return [fn for fn in files if not is_debug_file(os.path.join(path, fn))] -def codesign(app_path): +def codesign_call(): signing_identity = os.environ.get('SIGNING_IDENTITY') - if is_mac_platform() and signing_identity: - codesign_call = ['codesign', '-o', 'runtime', '--force', '-s', signing_identity, - '-v'] - signing_flags = os.environ.get('SIGNING_FLAGS') - if signing_flags: - codesign_call.extend(signing_flags.split()) - - def conditional_sign_recursive(path, filter): - for r, _, fs in os.walk(path): - for f in fs: - ff = os.path.join(r, f) - if filter(ff): - print('codesign "' + ff + '"') - subprocess.check_call(codesign_call + [ff]) - - # sign all executables in Resources - conditional_sign_recursive(os.path.join(app_path, 'Contents', 'Resources'), - lambda ff: os.access(ff, os.X_OK)) - # sign all libraries in Imports - conditional_sign_recursive(os.path.join(app_path, 'Contents', 'Imports'), - lambda ff: ff.endswith('.dylib')) + if not signing_identity: + return None + codesign_call = ['codesign', '-o', 'runtime', '--force', '-s', signing_identity, + '-v'] + signing_flags = os.environ.get('SIGNING_FLAGS') + if signing_flags: + codesign_call.extend(signing_flags.split()) + return codesign_call + +def os_walk(path, filter, function): + for r, _, fs in os.walk(path): + for f in fs: + ff = os.path.join(r, f) + if filter(ff): + function(ff) + +def conditional_sign_recursive(path, filter): + codesign = codesign_call() + if is_mac_platform() and codesign: + os_walk(path, filter, lambda fp: subprocess.check_call(codesign + [fp])) + +def codesign(app_path): + # sign all executables in Resources + conditional_sign_recursive(os.path.join(app_path, 'Contents', 'Resources'), + lambda ff: os.access(ff, os.X_OK)) + # sign all libraries in Imports + conditional_sign_recursive(os.path.join(app_path, 'Contents', 'Imports'), + lambda ff: ff.endswith('.dylib')) + codesign = codesign_call() + if is_mac_platform() and codesign: # sign the whole bundle - subprocess.check_call(codesign_call + ['--deep', app_path]) + subprocess.check_call(codesign + ['--deep', app_path]) |