diff options
Diffstat (limited to 'src/macdeployqt/shared/shared.cpp')
-rw-r--r-- | src/macdeployqt/shared/shared.cpp | 38 |
1 files changed, 35 insertions, 3 deletions
diff --git a/src/macdeployqt/shared/shared.cpp b/src/macdeployqt/shared/shared.cpp index 69d0ce8ca..ae1176590 100644 --- a/src/macdeployqt/shared/shared.cpp +++ b/src/macdeployqt/shared/shared.cpp @@ -53,6 +53,8 @@ bool alwaysOwerwriteEnabled = false; bool runCodesign = false; QStringList librarySearchPath; QString codesignIdentiy; +QString extraEntitlements; +bool hardenedRuntime = false; bool appstoreCompliant = false; int logLevel = 1; bool deployFramework = false; @@ -472,6 +474,23 @@ QStringList findAppBundleFiles(const QString &appBundlePath, bool absolutePath = return result; } +QString findEntitlementsFile(const QString& path) +{ + QDirIterator iter(path, QStringList() << QString::fromLatin1("*.entitlements"), + QDir::Files, QDirIterator::Subdirectories); + + while (iter.hasNext()) { + iter.next(); + if (iter.fileInfo().isSymLink()) + continue; + + //return the first entitlements file - only one is used for signing anyway + return iter.fileInfo().absoluteFilePath(); + } + + return QString(); +} + QList<FrameworkInfo> getQtFrameworks(const QList<DylibInfo> &dependencies, const QString &appBundlePath, const QSet<QString> &rpaths, bool useDebugLibs) { QList<FrameworkInfo> libraries; @@ -1371,11 +1390,21 @@ void codesignFile(const QString &identity, const QString &filePath) if (!runCodesign) return; - LogNormal() << "codesign" << filePath; + QString codeSignLogMessage = "codesign"; + if (hardenedRuntime) + codeSignLogMessage += ", enable hardned runtime"; + LogNormal() << codeSignLogMessage << filePath; + + QStringList codeSignOptions = { "--preserve-metadata=identifier,entitlements", "--force", "-s", + identity, filePath }; + if (hardenedRuntime) + codeSignOptions << "-o" << "runtime"; + + if (!extraEntitlements.isEmpty()) + codeSignOptions << "--entitlements" << extraEntitlements; QProcess codesign; - codesign.start("codesign", QStringList() << "--preserve-metadata=identifier,entitlements" - << "--force" << "-s" << identity << filePath); + codesign.start("codesign", codeSignOptions); codesign.waitForFinished(-1); QByteArray err = codesign.readAllStandardError(); @@ -1495,6 +1524,9 @@ QSet<QString> codesignBundle(const QString &identity, } } + // Look for an entitlements file in the bundle to include when signing + extraEntitlements = findEntitlementsFile(appBundleAbsolutePath + "/Contents/Resources/"); + // All dependencies are signed, now sign this binary. codesignFile(identity, binary); signedBinaries.insert(binary); |