git.michaelhowe.org Git - packages/o/openafs.git/commitdiff
macos: prepare for notarization
author Marcio Barbosa <mbarbosa@sinenomine.net>
Tue, 26 Nov 2019 19:41:36 +0000 (11:41 -0800)
committer Stephan Wiesand <stephan.wiesand@desy.de>
Fri, 14 Feb 2020 19:31:19 +0000 (14:31 -0500)
With the public release of macOS 10.14.5, all new and updated kernel
extensions must be notarized by Apple. To be taken into consideration,
all executables must be signed and the Hardened Runtime capability must
be enabled.

This patch adds the missing prerequisites mentioned above.

Reviewed-on: https://gerrit.openafs.org/13670
Reviewed-by: Cheyenne Wills <cwills@sinenomine.net>
Reviewed-by: Andrew Deason <adeason@sinenomine.net>
Tested-by: Andrew Deason <adeason@sinenomine.net>
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
(cherry picked from commit 63fd13bf9e6af21136007c9980816875ebea5f7c)

Change-Id: If0c27732f667945f430fd2c5698e8f58a84e3bde
Reviewed-on: https://gerrit.openafs.org/14035
Reviewed-by: Andrew Deason <adeason@sinenomine.net>
Reviewed-by: Cheyenne Wills <cwills@sinenomine.net>
Reviewed-by: Michael Meffie <mmeffie@sinenomine.net>
Reviewed-by: Mark Vitale <mvitale@sinenomine.net>
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Stephan Wiesand <stephan.wiesand@desy.de>
src/packaging/MacOS/pkgbuild.sh.in

index 8d97cbf73b718feae34671357e8260628b425f37..4c4d629bb63b8bd4c07b95e5d127d9a65c55a76c 100644 (file)
@@ -33,6 +33,8 @@ INST_KEY=
 DEST_DIR=
 CSDB=
 
+CODESIGN_OPTS=
+
 while [ x"$#" != x0 ] ; do
     key="$1"
     shift
@@ -152,6 +154,11 @@ else
     exit 1
 fi
 
+if [ $THISREL -ge 14 ]; then
+    # Enable the Hardened Runtime capability, required as of 10.14.5.
+    CODESIGN_OPTS="--options runtime"
+fi
+
 SEP=:
 
 PKGROOT="$CURDIR"/pkgroot
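
Review bot: `$THISREL` is unquoted in the new `[ $THISREL -ge 14 ]` test, so an empty or non-numeric value produces a shell test error instead of a clean decision; quoting it (`[ "$THISREL" -ge 14 ]`) or validating it before this point would make the failure mode explicit. The test also keys on release 14 as a whole while the comment cites 10.14.5, so the comment should say that enabling the Hardened Runtime for earlier 10.14 builds is intended. Since `CODESIGN_OPTS` is later expanded unquoted so that it splits into two arguments, a short note here that it must stay a plain space-separated option list would save the next editor from "fixing" the quoting.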
@@ -326,9 +333,13 @@ if [ x"$PASS1" = x1 ]; then
                   "$PKGROOT"/Library/OpenAFS/Tools/tools/aklog.bundle \
                   "$PLUGINS"/afscell.bundle
        do
-           codesign --verbose --force --timestamp --sign "$APP_KEY" "$obj"
+           codesign --verbose --force --timestamp --sign "$APP_KEY" $CODESIGN_OPTS "$obj"
        done
 
+       # To be notarized by Apple, all files must be signed.
+       find "$PKGROOT" -type f -exec codesign --verbose --force \
+           --timestamp --sign "$APP_KEY" $CODESIGN_OPTS {} \;
+
        # Check if our signatures for our kexts are valid. 'kextutil' will exit
        # with an error and print out a message if something is wrong with the
        # signature. Note that a code signing cert must have the
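
Review bot: A signing failure in the new `find "$PKGROOT" -type f -exec codesign ... {} \;` goes unnoticed, because with the `\;` form a non-zero exit from `codesign` does not change the exit status of `find` and the script continues to build a package that notarization will later reject. Consider failing the build on the first error, or following the pass with a `codesign --verify` sweep over the same tree. The pass also runs after the bundle loop and uses `--force` on every regular file, including files inside the bundles that were just signed, so it is worth confirming that those bundle signatures still verify afterwards, or moving the per-file pass ahead of the loop so the bundles are sealed last. The comment could also say that non-executable files are deliberately included.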