[gimp-macos-build/wip/Benitoite/tests: 3/4] Add hardened runtime build



commit bc7caf2bb56458325525a1adc678f25707077476
Author: Oleksii Samorukov <oleksii_samorukov mckinsey com>
Date:   Sun Oct 27 14:51:03 2019 +0000

    Add hardened runtime build
    
    
    (cherry picked from commit 988a5236543c56310f3c5ecdf28d8bc78879e1e1)

 package/build.sh                    | 15 +++++++++++++--
 package/gimp-hardening.entitlements | 14 ++++++++++++++
 2 files changed, 27 insertions(+), 2 deletions(-)
---
diff --git a/package/build.sh b/package/build.sh
index 5859867..077e4e3 100755
--- a/package/build.sh
+++ b/package/build.sh
@@ -109,9 +109,16 @@ then
   find  ${PACKAGE_DIR}/GIMP-2.10.app/Contents/Resources/lib/ -type f -perm +111 \
      | xargs file \
      | grep ' Mach-O '|awk -F ':' '{print $1}' \
-     | xargs /usr/bin/codesign -s "${codesign_subject}"
+     | xargs /usr/bin/codesign -s "${codesign_subject}" \
+       --options runtime \
+       --entitlements ${HOME}/project/package/gimp-hardening.entitlements
   echo "Signing app"
-  /usr/bin/codesign -s "${codesign_subject}" --deep ${PACKAGE_DIR}/GIMP-2.10.app
+  /usr/bin/codesign -s "${codesign_subject}" \
+    --timestamp \
+    --deep \
+    --options runtime \
+    --entitlements ${HOME}/project/package/gimp-hardening.entitlements \
+    ${PACKAGE_DIR}/GIMP-2.10.app
 fi
 
 echo "Building DMG"
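Review bot: The per-library codesign pipeline (`xargs /usr/bin/codesign -s ... --options runtime --entitlements ...`) gains hardened-runtime options but not `--timestamp`, while the app-bundle signature just below does; notarization, which this commit also adds, requires a secure timestamp on every signed Mach-O, so the nested libraries are likely to be the reason a submission is rejected — add `--timestamp \` to the xargs invocation as well. The new `--entitlements ${HOME}/project/package/gimp-hardening.entitlements` argument (twice) and the rewritten `${PACKAGE_DIR}/GIMP-2.10.app` line are unquoted and word-split if either variable contains spaces; quote them, e.g. `--entitlements "${HOME}/project/package/gimp-hardening.entitlements"`. Combining `--deep` with `--entitlements` stamps the same entitlements, including the library-validation exemption, onto every nested binary; Apple discourages `--deep` for production signing for this reason, and since the libraries are already signed individually in the preceding step, dropping `--deep` from the bundle signature would keep the entitlement scope explicit. The enclosing `if ... then` begins outside the hunk.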
@@ -151,4 +158,8 @@ then
   /usr/bin/codesign  -s "${codesign_subject}" "/tmp/artifacts/${DMGNAME}"
 fi
 
+echo "Notarizing app"
+xcrun altool --notarize-app --file "/tmp/artifacts/${DMGNAME}" \
+  -u "${notarization_login}" --primary-bundle-id -p "${notarization_password}"
+
 echo "Done"
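Review bot: `--primary-bundle-id` is passed without a value, so altool takes the following `-p` as the bundle id and `"${notarization_password}"` is left as a stray argument; give it the app's identifier explicitly, `--primary-bundle-id "<BUNDLE_ID placeholder>"`. The password is also passed on argv, where it is visible to `ps` and to any `set -x` trace captured in the CI log; altool accepts `-p "@env:NOTARIZATION_PASSWORD"` or `-p "@keychain:<item name>"` so the secret never appears on the command line. The step runs after the `fi` and therefore unconditionally, whereas the DMG signing above it appears to be guarded by a condition whose `if` begins outside the hunk — an unsigned build will submit a DMG that cannot be notarized, so it probably belongs inside the same guard. Finally, `--notarize-app` only submits the request; nothing polls `--notarization-info` or runs `xcrun stapler staple`, so a failed notarization does not fail the build and the shipped DMG carries no ticket.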
diff --git a/package/gimp-hardening.entitlements b/package/gimp-hardening.entitlements
new file mode 100644
index 0000000..6994864
--- /dev/null
+++ b/package/gimp-hardening.entitlements
@@ -0,0 +1,14 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd";>
+<plist version="1.0">
+<dict>
+       <key>com.apple.security.automation.apple-events</key>
+       <true/>
+  <!-- Allow loading of libraries signed by different Team IDs -->
+       <key>com.apple.security.cs.disable-library-validation</key>
+       <true/>
+       <!-- Allow app to be debugged -->
+       <!-- <key>com.apple.security.get-task-allow</key>
+       <true/> -->
+</dict>
+</plist>
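Review bot: `com.apple.security.cs.disable-library-validation` turns off the hardened runtime's check that loaded dylibs are signed by the same Team ID, which is much of the protection the rest of this commit buys; since build.sh signs every Mach-O under Resources/lib with the same identity, verify whether the exemption is actually needed (only third-party plug-ins or libraries signed by another team would require it), and if it is, expand the comment to name which libraries force it. `com.apple.security.automation.apple-events` has no comment at all; state what sends Apple events so the entitlement can be removed when that use goes away. The DOCTYPE line reads `PropertyList-1.0.dtd";>` — if the `;` is really in the file rather than an artifact of the archive rendering, the plist is malformed and codesign will reject the entitlements. The first comment line is indented with two spaces while the keys use tabs; pick one.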

