author | Patrik Teivonen <patrik.teivonen@qt.io> | 2023-03-24 15:56:17 +0200 |
---|---|---|
committer | Patrik Teivonen <patrik.teivonen@qt.io> | 2023-04-05 12:45:39 +0000 |
commit | 812fc07a1063eefb12e4ff2cbb66fdba4fb4ce51 (patch) | |
tree | fe0740a4e60f9b89685a033231b302d6224ad723 | |
parent | 840ce567456495ba8560ee9250724f125780760e (diff) |
sign_installer: Adjust what counts as signable macOS payload content
Remove unreliable file suffix checks. For example, ".so" files can
contain non-native code, so they don't always have to be signed.
Non-Mach-O executables and libraries seem to be treated as other data
by macOS code signing and notarization systems so we should ignore
those.
Change-Id: Ib203a25ab7fd321e182033f4eb5e97b0656dddbd
Reviewed-by: Antti Kokko <antti.kokko@qt.io>
-rwxr-xr-x | packaging-tools/sign_installer.py | 11 |
1 files changed, 4 insertions, 7 deletions
diff --git a/packaging-tools/sign_installer.py b/packaging-tools/sign_installer.py index c41493b36..c70205bff 100755 --- a/packaging-tools/sign_installer.py +++ b/packaging-tools/sign_installer.py @@ -65,9 +65,9 @@ def _is_app_bundle(path: Path) -> bool: return path.joinpath("Contents", "Info.plist").exists() -def _is_mach_o_executable(path: Path) -> bool: +def _is_mach_o_file(path: Path) -> bool: """ - Determine whether a file is a Mach-O executable + Determine whether a file is a Mach-O image containing native code Args: path: A file system path to a file @@ -132,11 +132,8 @@ def _find_signable_content(pkg_dir: Path) -> Tuple[List[Path], List[Path]]: if path.suffix in (".pkg", ".dmg"): sign_list.append(path) staple_list.append(path) - # Known suffixes for libs, modules, ... - elif path.suffix in (".dylib", ".so", ".bundle"): - sign_list.append(path) - # Mach-O files by header, exec bit - elif os.access(path, os.X_OK) and _is_mach_o_executable(path): + # Mach-O images (executables, libraries, modules) + if _is_mach_o_file(path): sign_list.append(path) return sign_list, staple_list |
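Review bot: In the second hunk the Mach-O branch changes from `elif` to a plain `if`, so a `.pkg` or `.dmg` path is now also passed to `_is_mach_o_file()` and would be appended to `sign_list` a second time if that check ever returned true; `elif _is_mach_o_file(path):` keeps the branches exclusive. With the suffix and exec-bit checks gone, header detection is the only thing deciding what gets signed, and the body of `_is_mach_o_file()` is outside this diff, so it is worth confirming that it recognises universal (fat) binaries as well as thin ones and adding a test with a `.dylib` fixture that lacks the exec bit. A comment above the branch such as `# Header check is the sole signing criterion; non-Mach-O .so/.bundle files are skipped on purpose` would record the intent for the next maintainer. `_find_signable_content` starts before the hunk and may continue past it.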