From 0aa7a681449e07b9d0438f0c3094e24df23f9509 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Michael=20Br=C3=BCning?= Date: Thu, 16 Jan 2020 15:24:58 +0100 Subject: [macdeployqt] Use entitlements from file for signing if present MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Add the option to place a file with the suffix .entitlements into the Contents/Resources subdirectory of an application bundle. The entitlements listed in the file will be used for signing. Bundles that are depoloyed as part of another bundle (e.g. Helpers) can specify a separate set of entitlements from the main bundle by including an entitlements file of their own. Only the first entitlement file per bundle will be used for signing as the codesign tool will only use one entitlements file even when multple are specified. Task-number: QTBUG-77442 Change-Id: Iea356c1a70713f3a4b07281245a17fd7c87f6b11 Reviewed-by: Simon Hausmann Reviewed-by: Tor Arne Vestbø
---
 src/macdeployqt/shared/shared.cpp | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) (limited to 'src/macdeployqt/shared/shared.cpp')
diff --git a/src/macdeployqt/shared/shared.cpp b/src/macdeployqt/shared/shared.cpp
index dd7b8359d..ae1176590 100644
--- a/src/macdeployqt/shared/shared.cpp
+++ b/src/macdeployqt/shared/shared.cpp
@@ -53,6 +53,7 @@ bool alwaysOwerwriteEnabled = false;
 bool runCodesign = false;
 QStringList librarySearchPath;
 QString codesignIdentiy;
+QString extraEntitlements;
 bool hardenedRuntime = false;
 bool appstoreCompliant = false;
 int logLevel = 1;
@@ -473,6 +474,23 @@ QStringList findAppBundleFiles(const QString &appBundlePath, bool absolutePath =
 return result;
 }

+QString findEntitlementsFile(const QString& path)
+{
+ QDirIterator iter(path, QStringList() << QString::fromLatin1("*.entitlements"),
+ QDir::Files, QDirIterator::Subdirectories);
+
+ while (iter.hasNext()) {
+ iter.next();
+ if (iter.fileInfo().isSymLink())
+ continue;
+
+ //return the first entitlements file - only one is used for signing anyway
+ return iter.fileInfo().absoluteFilePath();
+ }
+
+ return QString();
+}
+
 QList getQtFrameworks(const QList &dependencies, const QString &appBundlePath, const QSet &rpaths, bool useDebugLibs)
 {
 QList libraries;
@@ -1382,6 +1400,9 @@ void codesignFile(const QString &identity, const QString &filePath)
 if (hardenedRuntime)
 codeSignOptions << "-o" << "runtime";

+ if (!extraEntitlements.isEmpty())
+ codeSignOptions << "--entitlements" << extraEntitlements;
+
 QProcess codesign;
 codesign.start("codesign", codeSignOptions);
 codesign.waitForFinished(-1);
@@ -1503,6 +1524,9 @@ QSet codesignBundle(const QString &identity,
 }
 }

+ // Look for an entitlements file in the bundle to include when signing
+ extraEntitlements = findEntitlementsFile(appBundleAbsolutePath + "/Contents/Resources/");
+
 // All dependencies are signed, now sign this binary.
 codesignFile(identity, binary);
 signedBinaries.insert(binary);
-- cgit v1.2.3
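Review bot: findEntitlementsFile() returns whichever `*.entitlements` file QDirIterator yields first anywhere below Contents/Resources, because the iterator is created with `QDirIterator::Subdirectories` and QDirIterator gives no ordering guarantee. With more than one match, the entitlements the binary is signed with can therefore differ between runs or machines, and a stray file inside a nested resource directory can silently change the privileges the signed app claims. The commit message only describes a file placed in Contents/Resources itself, so I would restrict the search to that level by passing `QDirIterator::NoIteratorFlags` instead of `QDirIterator::Subdirectories`. I would also log the chosen path and warn when a second match exists. A short comment above the function stating where the file is expected and that symlinked files are skipped would help as well.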
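Review bot: codesignFile() now appends `--entitlements` whenever the file-scope `extraEntitlements` is non-empty, but the only assignment visible is in the codesignBundle hunk just before the main binary is signed, and nothing resets it afterwards. If codesignFile() is also called for frameworks, plugins or a later bundle's dependencies (those call sites are outside the hunks), they would presumably be signed with the previous bundle's entitlements file, giving a nested helper or library entitlements it was not meant to have. Passing the path to codesignFile() as an argument would scope it properly; the minimal fix is `extraEntitlements.clear();` directly after `codesignFile(identity, binary);` in codesignBundle. Both function bodies extend beyond the hunks shown.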