author | Michael Brüning <michael.bruning@qt.io> | 2020-01-16 15:24:58 +0100 |
---|---|---|
committer | Michael Brüning <michael.bruning@qt.io> | 2020-01-28 10:34:13 +0100 |
commit | 0aa7a681449e07b9d0438f0c3094e24df23f9509 (patch) | |
tree | 0edfc5ef30e453aafbed38c60bcf818778c60077 /src/macdeployqt/shared/shared.cpp | |
parent | eac773c8dfd0e2166db53c88f5aa0c1e85933cac (diff) |
[macdeployqt] Use entitlements from file for signing if present
Add the option to place a file with the suffix .entitlements into the
Contents/Resources subdirectory of an application bundle. The
entitlements listed in the file will be used for signing.
Bundles that are deployed as part of another bundle (e.g. Helpers)
can specify a separate set of entitlements from the main bundle by
including an entitlements file of their own.
Only the first entitlement file per bundle will be used for signing as
the codesign tool will only use one entitlements file even when multiple
are specified.
Task-number: QTBUG-77442
Change-Id: Iea356c1a70713f3a4b07281245a17fd7c87f6b11
Reviewed-by: Simon Hausmann <simon.hausmann@qt.io>
Reviewed-by: Tor Arne Vestbø <tor.arne.vestbo@qt.io>
Diffstat (limited to 'src/macdeployqt/shared/shared.cpp')
-rw-r--r-- | src/macdeployqt/shared/shared.cpp | 24 |
1 files changed, 24 insertions, 0 deletions
diff --git a/src/macdeployqt/shared/shared.cpp b/src/macdeployqt/shared/shared.cpp
index dd7b8359d..ae1176590 100644
--- a/src/macdeployqt/shared/shared.cpp
+++ b/src/macdeployqt/shared/shared.cpp
@@ -53,6 +53,7 @@ bool alwaysOwerwriteEnabled = false;
 bool runCodesign = false;
 QStringList librarySearchPath;
 QString codesignIdentiy;
+QString extraEntitlements;
 bool hardenedRuntime = false;
 bool appstoreCompliant = false;
 int logLevel = 1;
@@ -473,6 +474,23 @@ QStringList findAppBundleFiles(const QString &appBundlePath, bool absolutePath =
 return result;
 }
+QString findEntitlementsFile(const QString& path)
+{
+ QDirIterator iter(path, QStringList() << QString::fromLatin1("*.entitlements"),
+ QDir::Files, QDirIterator::Subdirectories);
+
+ while (iter.hasNext()) {
+ iter.next();
+ if (iter.fileInfo().isSymLink())
+ continue;
+
+ //return the first entitlements file - only one is used for signing anyway
+ return iter.fileInfo().absoluteFilePath();
+ }
+
+ return QString();
+}
+
 QList<FrameworkInfo> getQtFrameworks(const QList<DylibInfo> &dependencies, const QString &appBundlePath, const QSet<QString> &rpaths, bool useDebugLibs)
 {
 QList<FrameworkInfo> libraries;
@@ -1382,6 +1400,9 @@ void codesignFile(const QString &identity, const QString &filePath)
 if (hardenedRuntime)
 codeSignOptions << "-o" << "runtime";
+ if (!extraEntitlements.isEmpty())
+ codeSignOptions << "--entitlements" << extraEntitlements;
+
 QProcess codesign;
 codesign.start("codesign", codeSignOptions);
 codesign.waitForFinished(-1);
@@ -1503,6 +1524,9 @@ QSet<QString> codesignBundle(const QString &identity,
 }
 }
+ // Look for an entitlements file in the bundle to include when signing
+ extraEntitlements = findEntitlementsFile(appBundleAbsolutePath + "/Contents/Resources/");
+
 // All dependencies are signed, now sign this binary.
 codesignFile(identity, binary);
 signedBinaries.insert(binary); |
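Review bot: In `findEntitlementsFile`, `QDirIterator::Subdirectories` makes the search recurse through everything under `Contents/Resources/`, although the commit message describes a file placed in that directory itself, and QDirIterator promises no ordering, so "the first" match can differ between runs or machines. Because the selected file decides which entitlements the signed binary is granted, an `.entitlements` file that ships inside some nested resource directory could be applied without the packager noticing. I would restrict the lookup to the directory itself, `QDirIterator iter(path, QStringList() << QString::fromLatin1("*.entitlements"), QDir::Files | QDir::NoSymLinks);`, and log the selected path, with a warning when more than one candidate exists, so the choice is visible in the build output.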
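Review bot: `codesignFile` now appends `--entitlements` to every invocation while `extraEntitlements` is non-empty, and in the hunks shown that file-scope variable is assigned only in `codesignBundle` (last hunk), immediately before the bundle's own binary is signed, and is never cleared afterwards. Any `codesignFile` call that runs before the next assignment, presumably the dependency signing for a bundle processed later, would then sign with the previous bundle's entitlements, which works against the per-bundle separation the commit message describes for helpers. Entitlements are part of what the signature authorises, so they should reach only the binary they were written for: clear the value right after use with `extraEntitlements.clear();` following `codesignFile(identity, binary);`, or preferably pass the path to `codesignFile` as an argument instead of going through a global. Both functions start and end outside the hunks, so the call order should be confirmed against the full file.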