authorPatrik Teivonen <patrik.teivonen@qt.io>2023-03-24 15:56:17 +0200
committerPatrik Teivonen <patrik.teivonen@qt.io>2023-04-05 12:45:39 +0000
commit812fc07a1063eefb12e4ff2cbb66fdba4fb4ce51 (patch)
treefe0740a4e60f9b89685a033231b302d6224ad723
parent840ce567456495ba8560ee9250724f125780760e (diff)
sign_installer: Adjust what counts as signable macOS payload content
Remove unreliable file suffix checks. For example, ".so" files can contain non-native code, so they do not always have to be signed. Non-Mach-O executables and libraries seem to be treated as other data by the macOS code signing and notarization systems, so we should ignore those. Change-Id: Ib203a25ab7fd321e182033f4eb5e97b0656dddbd Reviewed-by: Antti Kokko <antti.kokko@qt.io>
-rwxr-xr-xpackaging-tools/sign_installer.py11
1 files changed, 4 insertions, 7 deletions
diff --git a/packaging-tools/sign_installer.py b/packaging-tools/sign_installer.py
index c41493b36..c70205bff 100755
--- a/packaging-tools/sign_installer.py
+++ b/packaging-tools/sign_installer.py
@@ -65,9 +65,9 @@ def _is_app_bundle(path: Path) -> bool:
return path.joinpath("Contents", "Info.plist").exists()
-def _is_mach_o_executable(path: Path) -> bool:
+def _is_mach_o_file(path: Path) -> bool:
"""
- Determine whether a file is a Mach-O executable
+ Determine whether a file is a Mach-O image containing native code
Args:
path: A file system path to a file
@@ -132,11 +132,8 @@ def _find_signable_content(pkg_dir: Path) -> Tuple[List[Path], List[Path]]:
if path.suffix in (".pkg", ".dmg"):
sign_list.append(path)
staple_list.append(path)
- # Known suffixes for libs, modules, ...
- elif path.suffix in (".dylib", ".so", ".bundle"):
- sign_list.append(path)
- # Mach-O files by header, exec bit
- elif os.access(path, os.X_OK) and _is_mach_o_executable(path):
+ # Mach-O images (executables, libraries, modules)
+ if _is_mach_o_file(path):
sign_list.append(path)
return sign_list, staple_list
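Review bot: The Mach-O branch is now a separate `if` rather than an `elif`, so every `.pkg`/`.dmg` path is also passed to `_is_mach_o_file`, and a path matching both tests would be appended to `sign_list` twice; unless that is intended, `elif _is_mach_o_file(path):` keeps the branches exclusive. With the suffix and exec-bit tests gone, signing coverage depends entirely on that helper, whose body is outside this hunk. If it returns False for a file it cannot read, or for a header variant it does not recognise (universal binaries, presumably), a native library is left unsigned without any message. A debug log line for skipped files that still carry a `.dylib`/`.so`/`.bundle` suffix would make such a miss visible before notarization. The enclosing loop in `_find_signable_content` starts outside the hunk, so whether non-regular files and symlinks are filtered before this check cannot be confirmed from here.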