From 63fd13bf9e6af21136007c9980816875ebea5f7c Mon Sep 17 00:00:00 2001
From: Marcio Barbosa
Date: Tue, 26 Nov 2019 11:41:36 -0800
Subject: [PATCH] macos: prepare for notarization

With the public release of macOS 10.14.5, all new and updated kernel extensions must be notarized by Apple. To be taken into consideration, all executables must be signed and the Hardened Runtime capability must be enabled. This patch adds the missing prerequisites mentioned above.

Change-Id: I2d3ad66cb7ce062b91d0616955f3bc2b06ca5822
Reviewed-on: https://gerrit.openafs.org/13670
Reviewed-by: Cheyenne Wills
Reviewed-by: Andrew Deason
Tested-by: Andrew Deason
Reviewed-by: Benjamin Kaduk
---
 src/packaging/MacOS/pkgbuild.sh.in | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/src/packaging/MacOS/pkgbuild.sh.in b/src/packaging/MacOS/pkgbuild.sh.in
index 8d97cbf..4c4d629 100644
--- a/src/packaging/MacOS/pkgbuild.sh.in
+++ b/src/packaging/MacOS/pkgbuild.sh.in
@@ -33,6 +33,8 @@ INST_KEY=
 DEST_DIR=
 CSDB=
+CODESIGN_OPTS=
+
 while [ x"$#" != x0 ] ; do
 key="$1"
 shift
@@ -152,6 +154,11 @@ else
 exit 1
 fi
+if [ $THISREL -ge 14 ]; then
+ # Enable the Hardened Runtime capability, required as of 10.14.5.
+ CODESIGN_OPTS="--options runtime"
+fi
+
 SEP=:
 PKGROOT="$CURDIR"/pkgroot
@@ -326,9 +333,13 @@ if [ x"$PASS1" = x1 ]; then
 "$PKGROOT"/Library/OpenAFS/Tools/tools/aklog.bundle \
 "$PLUGINS"/afscell.bundle
 do
- codesign --verbose --force --timestamp --sign "$APP_KEY" "$obj"
+ codesign --verbose --force --timestamp --sign "$APP_KEY" $CODESIGN_OPTS "$obj"
 done
+ # To be notarized by Apple, all files must be signed.
+ find "$PKGROOT" -type f -exec codesign --verbose --force \
+ --timestamp --sign "$APP_KEY" $CODESIGN_OPTS {} \;
+
 # Check if our signatures for our kexts are valid. 'kextutil' will exit
 # with an error and print out a message if something is wrong with the
 # signature. Note that a code signing cert must have the
--
1.9.4
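Review bot: `if [ $THISREL -ge 14 ]; then` leaves `$THISREL` unquoted, so when it is empty or not an integer `[` prints an error and the test is simply false, and the package is built without `--options runtime` with nothing saying why; since notarization depends on that flag, the failure should be loud rather than silent. The rest of this file tests strings as `[ x"$VAR" = x... ]`, so the same style here would be `if [ x"$THISREL" = x ]; then exit 1; fi` before the comparison, followed by `if [ "$THISREL" -ge 14 ]; then`. THISREL is set outside this hunk; the comparison presumably reads it as the minor number of a 10.x release, which is worth stating in the added comment, e.g. `# THISREL is the 10.x minor release; 14 means macOS 10.14.`, because a reader seeing only `-ge 14` cannot tell what is being compared.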
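Review bot: The new `find "$PKGROOT" -type f -exec codesign ... {} \;` pass discards codesign's exit status: with `\;` find returns 0 even when signing an individual file fails, so a file can be left unsigned and the build continues to a package that will only be rejected later at notarization. Terminating the -exec with `{} +` instead makes find report a non-zero status when any codesign invocation fails, and the loop above has the same gap, so `codesign ... $CODESIGN_OPTS "$obj" || exit 1` would match. `$CODESIGN_OPTS` is deliberately unquoted so that `--options runtime` splits into two arguments; a comment such as `# CODESIGN_OPTS is intentionally unquoted: it holds zero or more separate flags.` keeps the next reader from quoting it. This find runs after the bundles were signed in the loop and re-signs files inside them; whether that disturbs the already-written bundle signatures depends on the bundle layout, and the kextutil check that follows only covers the kexts. The enclosing `if [ x"$PASS1" = x1 ]` block continues outside the hunk.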