authorMichael Brüning <michael.bruning@qt.io>2020-03-26 16:11:56 +0100
committerMichael Brüning <michael.bruning@qt.io>2020-03-31 12:24:33 +0100
commit89ea26e93ee0410fb3a33b315d928fce05c3ef9e (patch)
tree4e2e9466f7124a23314d60593a06720493b8f103
parentebb0380a4ef3410f5957b472203360fd67fe3b1d (diff)
[macdeployqt] Add option to include secure timestamp when signing
Apple now requires the developer to include a secure timestamp in the application's signature in order for notarization to succeed. Add an option to do this to macdeployqt. Change-Id: Ia884de80822661abcf65a287e4dc8429ec24b766 Reviewed-by: Morten Johan Sørvig <morten.sorvig@qt.io>
-rw-r--r--src/macdeployqt/macdeployqt/main.cpp5
-rw-r--r--src/macdeployqt/shared/shared.cpp8
2 files changed, 12 insertions, 1 deletions
diff --git a/src/macdeployqt/macdeployqt/main.cpp b/src/macdeployqt/macdeployqt/main.cpp
index 3c13a6693..074b4a82f 100644
--- a/src/macdeployqt/macdeployqt/main.cpp
+++ b/src/macdeployqt/macdeployqt/main.cpp
@@ -53,6 +53,7 @@ int main(int argc, char **argv)
qDebug() << " -always-overwrite : Copy files even if the target file exists";
qDebug() << " -codesign=<ident> : Run codesign with the given identity on all executables";
qDebug() << " -hardened-runtime : Enable Hardened Runtime when code signing";
+ qDebug() << " -timestamp : Include a secure timestamp when code signing (requires internet connection)";
qDebug() << " -appstore-compliant: Skip deployment of components that use private API";
qDebug() << " -libpath=<path> : Add the given path to the library search path";
qDebug() << " -fs=<filesystem> : Set the filesystem used for the .dmg disk image (defaults to HFS+)";
@@ -100,6 +101,7 @@ int main(int argc, char **argv)
extern bool hardenedRuntime;
extern bool appstoreCompliant;
extern bool deployFramework;
+ extern bool secureTimestamp;
for (int i = 2; i < argc; ++i) {
QByteArray argument = QByteArray(argv[i]);
@@ -169,6 +171,9 @@ int main(int argc, char **argv)
} else if (argument.startsWith(QByteArray("-hardened-runtime"))) {
LogDebug() << "Argument found:" << argument;
hardenedRuntime = true;
+ } else if (argument.startsWith(QByteArray("-timestamp"))) {
+ LogDebug() << "Argument found:" << argument;
+ secureTimestamp = true;
} else if (argument == QByteArray("-appstore-compliant")) {
LogDebug() << "Argument found:" << argument;
appstoreCompliant = true;
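Review bot: The new `-timestamp` branch matches by prefix, so any argument that merely begins with `-timestamp` (constructed examples: `-timestamp=none`, or a typo such as `-timestamps`) silently turns secure timestamping on instead of being rejected. A user who writes `-timestamp=none` expecting codesign's "disable" form to be passed through would get the opposite result. Since the flag takes no value, an exact comparison like the `-appstore-compliant` branch just below is safer: `} else if (argument == QByteArray("-timestamp")) {`. The `-hardened-runtime` branch above uses the same prefix match and could be tightened the same way. The if/else chain starts and ends outside this hunk, so how unrecognised arguments are reported is not visible here.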
diff --git a/src/macdeployqt/shared/shared.cpp b/src/macdeployqt/shared/shared.cpp
index cc3b2607b..607dce880 100644
--- a/src/macdeployqt/shared/shared.cpp
+++ b/src/macdeployqt/shared/shared.cpp
@@ -55,6 +55,7 @@ QStringList librarySearchPath;
QString codesignIdentiy;
QString extraEntitlements;
bool hardenedRuntime = false;
+bool secureTimestamp = false;
bool appstoreCompliant = false;
int logLevel = 1;
bool deployFramework = false;
@@ -1392,7 +1393,9 @@ void codesignFile(const QString &identity, const QString &filePath)
QString codeSignLogMessage = "codesign";
if (hardenedRuntime)
- codeSignLogMessage += ", enable hardned runtime";
+ codeSignLogMessage += ", enable hardened runtime";
+ if (secureTimestamp)
+ codeSignLogMessage += ", include secure timestamp";
LogNormal() << codeSignLogMessage << filePath;
QStringList codeSignOptions = { "--preserve-metadata=identifier,entitlements", "--force", "-s",
@@ -1400,6 +1403,9 @@ void codesignFile(const QString &identity, const QString &filePath)
if (hardenedRuntime)
codeSignOptions << "-o" << "runtime";
+ if (secureTimestamp)
+ codeSignOptions << "--timestamp";
+
if (!extraEntitlements.isEmpty())
codeSignOptions << "--entitlements" << extraEntitlements;
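Review bot: The `--timestamp` addition would benefit from a one-line comment saying what the bare form does, because the flag name alone does not convey it: `// Bare --timestamp: codesign contacts Apple's default timestamp authority, so signing needs network access.` It is also worth documenting that when `secureTimestamp` is false nothing is passed at all, so codesign falls back to its own system default (per its man page) rather than `--timestamp=none`; leaving out `-timestamp` therefore does not guarantee an untimestamped, offline signing run. How a codesign failure, for instance an unreachable timestamp service, is surfaced to the user is decided later in `codesignFile`, outside this hunk.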