From: Marcio Barbosa Date: Tue, 26 Nov 2019 19:41:36 +0000 (-0800) Subject: macos: prepare for notarization X-Git-Tag: upstream/1.8.6_pre1^2~6 X-Git-Url: https://git.michaelhowe.org/gitweb/?a=commitdiff_plain;h=48520140344a05abf4fc18636a66e8dc67880a26;p=packages%2Fo%2Fopenafs.git macos: prepare for notarization With the public release of macOS 10.14.5, all new and updated kernel extensions must be notarized by Apple. To be taken into consideration, all executables must be signed and the Hardened Runtime capability must be enabled. This patch adds the missing prerequisites mentioned above. Reviewed-on: https://gerrit.openafs.org/13670 Reviewed-by: Cheyenne Wills Reviewed-by: Andrew Deason Tested-by: Andrew Deason Reviewed-by: Benjamin Kaduk (cherry picked from commit 63fd13bf9e6af21136007c9980816875ebea5f7c) Change-Id: If0c27732f667945f430fd2c5698e8f58a84e3bde Reviewed-on: https://gerrit.openafs.org/14035 Reviewed-by: Andrew Deason Reviewed-by: Cheyenne Wills Reviewed-by: Michael Meffie Reviewed-by: Mark Vitale Tested-by: BuildBot Reviewed-by: Stephan Wiesand --- diff --git a/src/packaging/MacOS/pkgbuild.sh.in b/src/packaging/MacOS/pkgbuild.sh.in index 8d97cbf73..4c4d629bb 100644 --- a/src/packaging/MacOS/pkgbuild.sh.in +++ b/src/packaging/MacOS/pkgbuild.sh.in @@ -33,6 +33,8 @@ INST_KEY= DEST_DIR= CSDB= +CODESIGN_OPTS= + while [ x"$#" != x0 ] ; do key="$1" shift @@ -152,6 +154,11 @@ else exit 1 fi +if [ $THISREL -ge 14 ]; then + # Enable the Hardened Runtime capability, required as of 10.14.5. + CODESIGN_OPTS="--options runtime" +fi + SEP=: PKGROOT="$CURDIR"/pkgroot 
@@ -326,9 +333,13 @@ if [ x"$PASS1" = x1 ]; then "$PKGROOT"/Library/OpenAFS/Tools/tools/aklog.bundle \ "$PLUGINS"/afscell.bundle do - codesign --verbose --force --timestamp --sign "$APP_KEY" "$obj" + codesign --verbose --force --timestamp --sign "$APP_KEY" $CODESIGN_OPTS "$obj" done + # To be notarized by Apple, all files must be signed. + find "$PKGROOT" -type f -exec codesign --verbose --force \ + --timestamp --sign "$APP_KEY" $CODESIGN_OPTS {} \; + # Check if our signatures for our kexts are valid. 'kextutil' will exit # with an error and print out a message if something is wrong with the # signature. Note that a code signing cert must have the
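Review bot: in the first hunk (@@ -33), `CODESIGN_OPTS=` is declared as a plain string that is later expanded unquoted at each `codesign` call so that `--options runtime` splits into two arguments; a one-line comment at the declaration saying it must stay unquoted (or declaring it as a bash array and expanding `"${CODESIGN_OPTS[@]}"`) would stop a later cleanup from quoting it and silently passing `"--options runtime"` as a single unknown flag.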
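Review bot: in the second hunk (@@ -152), `[ $THISREL -ge 14 ]` leaves `$THISREL` unquoted, so if it is ever empty or non-numeric the test errors out instead of evaluating false; write `[ "$THISREL" -ge 14 ]` and, given the comment cites 10.14.5, consider stating in the comment that the check intentionally enables the Hardened Runtime for every 10.14.x build rather than only from .5 onward.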
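Review bot: in the third hunk (@@ -326), the new `find "$PKGROOT" -type f -exec codesign --force ... {} \;` runs after the per-bundle loop and re-signs every regular file, including the binaries inside the `.bundle` and kext directories that were just signed; re-signing nested code after its enclosing bundle has been sealed can invalidate the outer signature, so either run the `find` before the bundle loop or exclude bundle contents from it. Also, with `-exec ... \;` a failing `codesign` only makes that primary false and never fails the script, so a file that cannot be signed would go unnoticed until notarization; use `-exec ... {} +` and check `find`'s exit status, or sign non-Mach-O files in a loop that exits on error, since the `kextutil` check that follows only covers the kexts.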