[gimp-macos-build/wip/Benitoite/tests: 1/2] Update build.sh for hardened runtime codesign and notarize; from 988a5236543c56310f3c5ecdf28d8bc7887



commit 6c9544f5925d5fe443856e1a64b29d2c541fd178
Author: Benitoite <kd6kxr gmail com>
Date:   Wed May 20 16:54:13 2020 +0000

    Update build.sh for hardened runtime codesign and notarize; from 988a5236543c56310f3c5ecdf28d8bc78879e1e1

 package/build.sh                    | 16 ++++++++++++++--
 package/gimp-hardening.entitlements |  8 ++++++++
 2 files changed, 22 insertions(+), 2 deletions(-)
---
diff --git a/package/build.sh b/package/build.sh
index 5859867..ecc0de8 100755
--- a/package/build.sh
+++ b/package/build.sh
@@ -109,11 +109,19 @@ then
   find  ${PACKAGE_DIR}/GIMP-2.10.app/Contents/Resources/lib/ -type f -perm +111 \
      | xargs file \
      | grep ' Mach-O '|awk -F ':' '{print $1}' \
-     | xargs /usr/bin/codesign -s "${codesign_subject}"
+     | xargs /usr/bin/codesign -s "${codesign_subject}" \
+       --options runtime \
+       --entitlements ${HOME}/project/package/gimp-hardening.entitlements
   echo "Signing app"
-  /usr/bin/codesign -s "${codesign_subject}" --deep ${PACKAGE_DIR}/GIMP-2.10.app
+  /usr/bin/codesign -s "${codesign_subject}" \
+    --timestamp \
+    --deep \
+    --options runtime \
+    --entitlements ${HOME}/project/package/gimp-hardening.entitlements \
+    ${PACKAGE_DIR}/GIMP-2.10.app
 fi
 
+
 echo "Building DMG"
 if [ -z "${CIRCLECI}" ]
 then
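Review bot: The per-binary signing pipeline on lines 24–26 gains `--options runtime` and the entitlements but not `--timestamp`, while the bundle signing on lines 29–34 has it; the notary service expects a secure timestamp on every signed Mach-O, so the nested libraries signed here are the ones likely to be rejected. Add it to the xargs invocation: `| xargs /usr/bin/codesign -s "${codesign_subject}" --timestamp \`. The new `--entitlements ${HOME}/project/package/gimp-hardening.entitlements` argument is unquoted in both invocations and hard-codes the CI checkout path; quote it (`"${HOME}/project/package/gimp-hardening.entitlements"`) or derive it from the script's own directory. Entitlements are applied per code object, so attaching the apple-events entitlement to every library is harmless but only meaningful on the main executable; the enclosing `if` block starts before this hunk.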
@@ -151,4 +159,8 @@ then
   /usr/bin/codesign  -s "${codesign_subject}" "/tmp/artifacts/${DMGNAME}"
 fi
 
+echo "Notarizing app"
+xcrun altool --notarize-app --file "/tmp/artifacts/${DMGNAME}" \
+  -u "${notarization_login}" --primary-bundle-id -p "${notarization_password}"
+
 echo "Done"
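Review bot: `--primary-bundle-id` on line 47 is given no value, so altool takes the following `-p` as the bundle id and `"${notarization_password}"` becomes a stray argument; the submission will fail or run without credentials. Supply it explicitly, `--primary-bundle-id "<bundle-id matching the app's CFBundleIdentifier>"`. Passing the secret as `-p "${notarization_password}"` exposes it in `ps` output and in any `set -x` trace; altool accepts `-p @env:NOTARIZATION_PASSWORD` or `-p @keychain:<item-name>` so the password never appears in argv. The call is also unconditional and asynchronous: it runs even when the `CIRCLECI` guard above skipped signing, and `echo "Done"` follows immediately although the result has to be polled (`xcrun altool --notarization-info <uuid>`) and stapled (`xcrun stapler staple`) before the DMG verifies offline, so consider moving it inside the same guard and checking its exit status.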
diff --git a/package/gimp-hardening.entitlements b/package/gimp-hardening.entitlements
new file mode 100644
index 0000000..ec7ad9e
--- /dev/null
+++ b/package/gimp-hardening.entitlements
@@ -0,0 +1,8 @@
+ <?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd";>
+<plist version="1.0">
+<dict>
+       <key>com.apple.security.automation.apple-events</key>
+       <true/>
+</dict>
+</plist>
\ No newline at end of file
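Review bot: Line 56 has a leading space before `<?xml ... ?>`; an XML declaration must start at byte 0, so a parser reports the file as ill-formed and codesign cannot read the entitlements. Strip the space so the file begins with `<?xml version="1.0" encoding="UTF-8"?>`. The trailing `;` inside the DOCTYPE on line 57 (`...PropertyList-1.0.dtd";>`) would likewise be a syntax error if it is really in the file rather than an archive rendering artifact; running `plutil -lint` on it before the first signed build settles both. If GIMP loads plug-ins or libraries not signed under the same Team ID, the hardened runtime will block them with only this entitlement, so whether `com.apple.security.cs.disable-library-validation` is also needed should be confirmed by launching the signed bundle.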

