[gimp-macos-build/hardened-runtime] Add hardened runtime build

From: Alex Samorukov <asamorukov src gnome org>
To: commits-list gnome org
Cc:
Subject: [gimp-macos-build/hardened-runtime] Add hardened runtime build
Date: Sun, 27 Oct 2019 14:51:33 +0000 (UTC)

commit 536aed63e5eaf7db97b26ee994f20fcf145cce81
Author: Oleksii Samorukov <oleksii_samorukov mckinsey com>
Date:   Sun Oct 27 15:51:03 2019 +0100

    Add hardened runtime build

 package/build.sh                    | 15 +++++++++++++--
 package/gimp-hardening.entitlements | 14 ++++++++++++++
 2 files changed, 27 insertions(+), 2 deletions(-)
---
diff --git a/package/build.sh b/package/build.sh
index 96328bd..8251e52 100755
--- a/package/build.sh
+++ b/package/build.sh
@@ -105,9 +105,16 @@ then
   find  ${PACKAGE_DIR}/GIMP-2.10.app/Contents/Resources/lib/ -type f -perm +111 \
      | xargs file \
      | grep ' Mach-O '|awk -F ':' '{print $1}' \
-     | xargs /usr/bin/codesign -s "${codesign_subject}"
+     | xargs /usr/bin/codesign -s "${codesign_subject}" \
+       --options runtime \
+       --entitlements ${HOME}/project/package/gimp-hardening.entitlements
   echo "Signing app"
-  /usr/bin/codesign -s "${codesign_subject}" --deep ${PACKAGE_DIR}/GIMP-2.10.app
+  /usr/bin/codesign -s "${codesign_subject}" \
+    --timestamp \
+    --deep \
+    --options runtime \
+    --entitlements ${HOME}/project/package/gimp-hardening.entitlements \
+    ${PACKAGE_DIR}/GIMP-2.10.app
 fi
 
 echo "Building DMG"
@@ -130,4 +137,8 @@ then
   /usr/bin/codesign  -s "${codesign_subject}" "/tmp/artifacts/${DMGNAME}"
 fi
 
+echo "Notarizing app"
+xcrun altool --notarize-app --file "/tmp/artifacts/${DMGNAME}" \
+  -u "${notarization_login}" --primary-bundle-id -p "${notarization_password}"
+
 echo "Done"
diff --git a/package/gimp-hardening.entitlements b/package/gimp-hardening.entitlements
new file mode 100644
index 0000000..6994864
--- /dev/null
+++ b/package/gimp-hardening.entitlements
@@ -0,0 +1,14 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd";>
+<plist version="1.0">
+<dict>
+       <key>com.apple.security.automation.apple-events</key>
+       <true/>
+  <!-- Allow loading of libraries signed by different Team IDs -->
+       <key>com.apple.security.cs.disable-library-validation</key>
+       <true/>
+       <!-- Allow app to be debugged -->
+       <!-- <key>com.apple.security.get-task-allow</key>
+       <true/> -->
+</dict>
+</plist>

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]