macos: prepare for notarization

With the public release of macOS 10.14.5, all new and updated kernel
extensions must be notarized by Apple. To be taken into consideration,
all executables must be signed and the Hardened Runtime capability must
be enabled.

This patch adds the missing prerequisites mentioned above.

Change-Id: I2d3ad66cb7ce062b91d0616955f3bc2b06ca5822
Reviewed-on: https://gerrit.openafs.org/13670
Reviewed-by: Cheyenne Wills <cwills@sinenomine.net>
Reviewed-by: Andrew Deason <adeason@sinenomine.net>
Tested-by: Andrew Deason <adeason@sinenomine.net>
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>

diff --git a/src/packaging/MacOS/pkgbuild.sh.in b/src/packaging/MacOS/pkgbuild.sh.in
index 8d97cbf..4c4d629 100644 (file)
--- a/src/packaging/MacOS/pkgbuild.sh.in
+++ b/src/packaging/MacOS/pkgbuild.sh.in
@@ -33,6 +33,8 @@ INST_KEY=
 DEST_DIR=
 CSDB=
 
+CODESIGN_OPTS=
+
 while [ x"$#" != x0 ] ; do
     key="$1"
     shift
@@ -152,6 +154,11 @@ else
     exit 1
 fi
 
+if [ $THISREL -ge 14 ]; then
+    # Enable the Hardened Runtime capability, required as of 10.14.5.
+    CODESIGN_OPTS="--options runtime"
+fi
+
 SEP=:
 
 PKGROOT="$CURDIR"/pkgroot
@@ -326,9 +333,13 @@ if [ x"$PASS1" = x1 ]; then
                   "$PKGROOT"/Library/OpenAFS/Tools/tools/aklog.bundle \
                   "$PLUGINS"/afscell.bundle
        do
-           codesign --verbose --force --timestamp --sign "$APP_KEY" "$obj"
+           codesign --verbose --force --timestamp --sign "$APP_KEY" $CODESIGN_OPTS "$obj"
        done
 
+       # To be notarized by Apple, all files must be signed.
+       find "$PKGROOT" -type f -exec codesign --verbose --force \
+           --timestamp --sign "$APP_KEY" $CODESIGN_OPTS {} \;
+
        # Check if our signatures for our kexts are valid. 'kextutil' will exit
        # with an error and print out a message if something is wrong with the
        # signature. Note that a code signing cert must have the