[gtk-mac-bundler] Provide support for code-signing with entitlements.



commit 9dffa49f67b00cc3138ecd88e7b1020fa39f8ed6
Author: John Ralls <jralls ceridwen us>
Date:   Thu May 6 17:14:03 2021 -0700

    Provide support for code-signing with entitlements.

 bundler/project.py                 | 15 +++++++++++++--
 examples/python-entitlements.plist |  8 ++++++++
 examples/python-launcher.bundle    | 15 +++++++++++++++
 examples/python-launcher.c         | 11 ++++-------
 4 files changed, 40 insertions(+), 9 deletions(-)
---
diff --git a/bundler/project.py b/bundler/project.py
index 3383906..5517920 100644
--- a/bundler/project.py
+++ b/bundler/project.py
@@ -305,8 +305,13 @@ class Binary(Path):
             return
         cert = os.getenv("APPLICATION_CERT")
         ident = project.get_bundle_id()
-        output = Popen(['codesign', '-s', cert, '-i', ident, '--timestamp',
-                        '--options=runtime', target], stdout=PIPE, stderr=STDOUT)
+        args = ['codesign', '-s', cert, '-i', ident, '--timestamp',
+                '--options=runtime']
+        entfile = project.get_entitlements_path()
+        if entfile:
+            args.extend(['--entitlements', entfile])
+        args.append(target)
+        output = Popen(args, stdout=PIPE, stderr=STDOUT)
         results = output.communicate()[0]
         if results:
             raise SystemError("Warning! Codesigning %s returned error %s."
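Review bot: The `--entitlements` option is appended for every `target` this method signs, so any nested library or helper that passes through here would apparently be signed with the same hardened-runtime exceptions as the main executable. Entitlements are meant for a process's main executable, and Apple's signing guidance advises against putting them on library code, so it would be safer to add them only when the target is the bundle's main binary. The method starts before this hunk, so which targets reach it cannot be confirmed from here. A comment such as `# Entitlements relax the hardened runtime; apply them only to the main executable.` above the `if entfile:` line would record the intent.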
@@ -594,6 +599,12 @@ class Project(object):
             raise Exception("The 'plist' tag is required")
         return  self.evaluate_path(utils.node_get_string(plist))
 
+    def get_entitlements_path(self):
+        entitlements = utils.node_get_element_by_tag_name(self.root, "entitlements")
+        if not entitlements:
+            return None
+        return self.evaluate_path(utils.node_get_string(entitlements))
+
     def get_launcher_script(self):
         node = utils.node_get_element_by_tag_name(self.root, "launcher-script")
         if node:
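Review bot: `get_entitlements_path` returns whatever path the project file names without checking that it exists, so a mistyped `<entitlements>` value only surfaces later as a codesign failure during signing. Checking it here, for example `if not os.path.isfile(path): raise Exception("Entitlements file %s not found" % path)`, would fail once with a clear message; `os` is already used in this file. The method also lacks a docstring; `"""Return the evaluated path of the optional <entitlements> plist, or None when the tag is absent."""` would document the None return that the signing code tests for.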
diff --git a/examples/python-entitlements.plist b/examples/python-entitlements.plist
new file mode 100644
index 0000000..7547ec7
--- /dev/null
+++ b/examples/python-entitlements.plist
@@ -0,0 +1,8 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd";>
+
+<plist version="1.0">
+  <dict>
+    <key>com.apple.security.cs.allow-unsigned-executable-memory</key><true/>
+  </dict>
+</plist>
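Review bot: The example grants `com.apple.security.cs.allow-unsigned-executable-memory` with no comment saying why, and `examples/python-launcher.bundle` now points its `<entitlements>` element at this file, so projects copied from the example inherit a hardened-runtime exception whether or not they need it. A comment inside the plist such as `<!-- Needed by GObject Introspection; relaxes the hardened runtime, remove if your app does not use it. -->` would make that an explicit choice. The DOCTYPE line also shows a `;` after the DTD URL, here and in the comment added to the bundle file. That may be an artifact of the mail archive, but if it is in the committed file it should be removed so the plist parses.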
diff --git a/examples/python-launcher.bundle b/examples/python-launcher.bundle
index 4ef9702..11ddaf0 100644
--- a/examples/python-launcher.bundle
+++ b/examples/python-launcher.bundle
@@ -12,6 +12,21 @@
   </meta>
 
   <plist>${project}/Info.plist</plist>
+
+  <!-- macOS security often requires entitlements, see 
https://developer.apple.com/documentation/bundleresources/entitlements. They're applied to an application 
during code-signing. This optional key points to an entitlements plist. Apps using GObject Introspection will 
need it to contain at least
+
+  <?xml version="1.0" encoding="utf-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd";>
+
+<plist version="1.0">
+  <dict>
+    <key>com.apple.security.cs.allow-unsigned-executable-memory</key><true/>
+  </dict>
+</plist>
+
+  -->
+  <entitlements>${project}/python-entitlements.plist</entitlements>
+
   <!-- Build gramps-launcher with:
           gcc -L$PREFIX/lib `python-config -\-cflags -\-ldflags` \
               -o $PREFIX/bin/gramps-launcher \
diff --git a/examples/python-launcher.c b/examples/python-launcher.c
index 9d1e305..78cf989 100644
--- a/examples/python-launcher.c
+++ b/examples/python-launcher.c
@@ -87,18 +87,15 @@ set_python_path(void)
     CFStringRef str = make_filesystem_string(bundle_url);
     CFRelease(bundle_url);
     mstr = CFStringCreateMutableCopy(NULL, 5 * PATH_MAX, str);
-    CFStringAppendCString(mstr, "/lib/python36.zip:", kCFStringEncodingUTF8);
+    CFStringAppendCString(mstr, "/lib/python39.zip:", kCFStringEncodingUTF8);
     CFStringAppend(mstr, str);
-    CFStringAppendCString(mstr, "/lib/python3.6:",
+    CFStringAppendCString(mstr, "/lib/python3.9:",
                          kCFStringEncodingUTF8);
     CFStringAppend(mstr, str);
-    CFStringAppendCString(mstr, "/lib/python3.6/plat-darwin:",
+    CFStringAppendCString(mstr, "/lib/python3.9/lib-dynload:",
                          kCFStringEncodingUTF8);
     CFStringAppend(mstr, str);
-    CFStringAppendCString(mstr, "/lib/python3.6/lib-dynload:",
-                         kCFStringEncodingUTF8);
-    CFStringAppend(mstr, str);
-    CFStringAppendCString(mstr, "/lib/python3.6/site-packages",
+    CFStringAppendCString(mstr, "/lib/python3.9/site-packages",
                          kCFStringEncodingUTF8);
     CFRelease(str);
     path = widen_cfstring(mstr);

