From aa4b9290fefa24aa86e468f55809b017b83f534f Mon Sep 17 00:00:00 2001 From: Elliot Saba Date: Thu, 24 Feb 2022 14:52:14 -0800 Subject: [PATCH] [macOS] Codesign binary-dist tarballs (#44305) Because we're starting to distribute macOS tarballs as well, let's codesign them by default, when possible. (cherry picked from commit 6b29ebda35b6c844198c5d1533587711a6700df2) --- Makefile | 12 ++++++++++++ contrib/mac/app/Makefile | 3 +++ 2 files changed, 15 insertions(+) diff --git a/Makefile b/Makefile index a6def422f9938..c76517d92c761 100644 --- a/Makefile +++ b/Makefile @@ -431,9 +431,21 @@ ifeq ($(OS), Linux) endif ifeq ($(OS), WINNT) cd $(BUILDROOT)/julia-$(JULIA_COMMIT)/bin && rm -f llvm* llc.exe lli.exe opt.exe LTO.dll bugpoint.exe macho-dump.exe +endif + # If we're on macOS, and we have a codesigning identity, then codesign the binary-dist tarball! +ifeq ($(OS),Darwin) +ifneq ($(MACOS_CODESIGN_IDENTITY),) + echo "Codesigning with identity $(MACOS_CODESIGN_IDENTITY)"; \ + MACHO_FILES=$$(find "$(BUILDROOT)/julia-$(JULIA_COMMIT)" -type f -perm -0111 | cut -d: -f1); \ + for f in $${MACHO_FILES}; do \ + echo "Codesigning $${f}..."; \ + codesign -s "$(MACOS_CODESIGN_IDENTITY)" --option=runtime --entitlements $(JULIAHOME)/contrib/mac/app/Entitlements.plist -vvv --timestamp --deep --force "$${f}"; \ + done +endif endif cd $(BUILDROOT) && $(TAR) zcvf $(JULIA_BINARYDIST_FILENAME).tar.gz julia-$(JULIA_COMMIT) + exe: # run Inno Setup to compile installer $(call spawn,$(JULIAHOME)/dist-extras/inno/iscc.exe /DAppVersion=$(JULIA_VERSION) /DSourceDir="$(call cygpath_w,$(BUILDROOT)/julia-$(JULIA_COMMIT))" /DRepoDir="$(call cygpath_w,$(JULIAHOME))" /F"$(JULIA_BINARYDIST_FILENAME)" /O"$(call cygpath_w,$(BUILDROOT))" $(INNO_ARGS) $(call cygpath_w,$(JULIAHOME)/contrib/windows/build-installer.iss)) diff --git a/contrib/mac/app/Makefile b/contrib/mac/app/Makefile index edb6f868c9486..81b7e47cdf2cf 100644 --- a/contrib/mac/app/Makefile +++ b/contrib/mac/app/Makefile @@ -50,6 +50,9 @@ dmg/$(APP_NAME): startup.applescript julia.icns make -C $(JULIAHOME) binary-dist tar zxf $(JULIAHOME)/$(JULIA_BINARYDIST_FILENAME).tar.gz -C $@/Contents/Resources/julia --strip-components 1 find $@/Contents/Resources/julia -type f -exec chmod -w {} \; + # Even though the tarball may already be signed, we re-sign here to make it easier to add + # unsigned executables (like the app launcher) and whatnot, without needing to maintain lists + # of what is or is not signed. Codesigning is cheap, so might as well do it early and often. if [ -n "$$MACOS_CODESIGN_IDENTITY" ]; then \ echo "Codesigning with identity $$MACOS_CODESIGN_IDENTITY"; \ MACHO_FILES=$$(find "$@" -type f -perm -0111 | cut -d: -f1); \