macos: prepare for notarization

[openafs.git] / src / packaging / MacOS / pkgbuild.sh.in

diff --git a/src/packaging/MacOS/pkgbuild.sh.in b/src/packaging/MacOS/pkgbuild.sh.in
index 8d97cbf..4c4d629 100644 (file)
--- a/src/packaging/MacOS/pkgbuild.sh.in
+++ b/src/packaging/MacOS/pkgbuild.sh.in
@@ -33,6 +33,8 @@ INST_KEY=
 DEST_DIR=
 CSDB=
 
+CODESIGN_OPTS=
+
 while [ x"$#" != x0 ] ; do
     key="$1"
     shift
@@ -152,6 +154,11 @@ else
     exit 1
 fi
 
+if [ $THISREL -ge 14 ]; then
+    # Enable the Hardened Runtime capability, required as of 10.14.5.
+    CODESIGN_OPTS="--options runtime"
+fi
+
 SEP=:
 
 PKGROOT="$CURDIR"/pkgroot
@@ -326,9 +333,13 @@ if [ x"$PASS1" = x1 ]; then
                   "$PKGROOT"/Library/OpenAFS/Tools/tools/aklog.bundle \
                   "$PLUGINS"/afscell.bundle
        do
-           codesign --verbose --force --timestamp --sign "$APP_KEY" "$obj"
+           codesign --verbose --force --timestamp --sign "$APP_KEY" $CODESIGN_OPTS "$obj"
        done
 
+       # To be notarized by Apple, all files must be signed.
+       find "$PKGROOT" -type f -exec codesign --verbose --force \
+           --timestamp --sign "$APP_KEY" $CODESIGN_OPTS {} \;
+
        # Check if our signatures for our kexts are valid. 'kextutil' will exit
        # with an error and print out a message if something is wrong with the
        # signature. Note that a code signing cert must have the