Fall back to using ad-hoc signing for macOS when no signing certificate exists (arm64 requirement)
Hecklezz
parent
9328c8e559
commit
dd3175ae81
|
|
@ -1705,52 +1705,56 @@ class Darwin_x86_64_Manifest(ViewerManifest):
|
||||||
if identity == '':
|
if identity == '':
|
||||||
identity = 'Developer ID Application'
|
identity = 'Developer ID Application'
|
||||||
|
|
||||||
|
ad_hoc_sign = False
|
||||||
# Look for an environment variable set via build.sh when running in Team City.
|
# Look for an environment variable set via build.sh when running in Team City.
|
||||||
try:
|
try:
|
||||||
build_secrets_checkout = os.environ['build_secrets_checkout']
|
build_secrets_checkout = os.environ['build_secrets_checkout']
|
||||||
except KeyError:
|
except KeyError:
|
||||||
pass
|
ad_hoc_sign = True # A minimum of ad-hoc signing is a requirement for arm64 builds to behave correctly
|
||||||
else:
|
identity = '-' # Ad-hoc identity
|
||||||
# variable found so use it to unlock keychain followed by codesign
|
finally:
|
||||||
home_path = os.environ['HOME']
|
if not ad_hoc_sign:
|
||||||
keychain_pwd_path = os.path.join(build_secrets_checkout,'code-signing-osx','password.txt')
|
# variable found so use it to unlock keychain followed by codesign
|
||||||
keychain_pwd = open(keychain_pwd_path).read().rstrip()
|
home_path = os.environ['HOME']
|
||||||
|
keychain_pwd_path = os.path.join(build_secrets_checkout,'code-signing-osx','password.txt')
|
||||||
|
keychain_pwd = open(keychain_pwd_path).read().rstrip()
|
||||||
|
|
||||||
# Note: As of macOS Sierra, keychains are created with
|
# Note: As of macOS Sierra, keychains are created with
|
||||||
# names postfixed with '-db' so for example, the SL
|
# names postfixed with '-db' so for example, the SL
|
||||||
# Viewer keychain would by default be found in
|
# Viewer keychain would by default be found in
|
||||||
# ~/Library/Keychains/viewer.keychain-db instead of
|
# ~/Library/Keychains/viewer.keychain-db instead of
|
||||||
# just ~/Library/Keychains/viewer.keychain in
|
# just ~/Library/Keychains/viewer.keychain in
|
||||||
# earlier versions.
|
# earlier versions.
|
||||||
#
|
#
|
||||||
# Because we have old OS files from previous
|
# Because we have old OS files from previous
|
||||||
# versions of macOS on the build hosts, the
|
# versions of macOS on the build hosts, the
|
||||||
# configurations are different on each host. Some
|
# configurations are different on each host. Some
|
||||||
# have viewer.keychain, some have viewer.keychain-db
|
# have viewer.keychain, some have viewer.keychain-db
|
||||||
# and some have both. As you can see in the line
|
# and some have both. As you can see in the line
|
||||||
# below, this script expects the Linden Developer
|
# below, this script expects the Linden Developer
|
||||||
# cert/keys to be in viewer.keychain.
|
# cert/keys to be in viewer.keychain.
|
||||||
#
|
#
|
||||||
# To correctly sign builds you need to make sure
|
# To correctly sign builds you need to make sure
|
||||||
# ~/Library/Keychains/viewer.keychain exists on the
|
# ~/Library/Keychains/viewer.keychain exists on the
|
||||||
# host and that it contains the correct cert/key. If
|
# host and that it contains the correct cert/key. If
|
||||||
# a build host is set up with a clean version of
|
# a build host is set up with a clean version of
|
||||||
# macOS Sierra (or later) then you will need to
|
# macOS Sierra (or later) then you will need to
|
||||||
# change this line (and the one for 'codesign'
|
# change this line (and the one for 'codesign'
|
||||||
# command below) to point to right place or else
|
# command below) to point to right place or else
|
||||||
# pull in the cert/key into the default viewer
|
# pull in the cert/key into the default viewer
|
||||||
# keychain 'viewer.keychain-db' and export it to
|
# keychain 'viewer.keychain-db' and export it to
|
||||||
# 'viewer.keychain'
|
# 'viewer.keychain'
|
||||||
viewer_keychain = os.path.join(home_path, 'Library',
|
viewer_keychain = os.path.join(home_path, 'Library',
|
||||||
'Keychains', 'viewer.keychain')
|
'Keychains', 'viewer.keychain')
|
||||||
if not os.path.isfile( viewer_keychain ):
|
if not os.path.isfile( viewer_keychain ):
|
||||||
viewer_keychain += "-db"
|
viewer_keychain += "-db"
|
||||||
|
|
||||||
|
if not os.path.isfile( viewer_keychain ):
|
||||||
|
raise "No keychain named viewer found"
|
||||||
|
|
||||||
|
self.run_command(['security', 'unlock-keychain',
|
||||||
|
'-p', keychain_pwd, viewer_keychain])
|
||||||
|
|
||||||
if not os.path.isfile( viewer_keychain ):
|
|
||||||
raise "No keychain named viewer found"
|
|
||||||
|
|
||||||
self.run_command(['security', 'unlock-keychain',
|
|
||||||
'-p', keychain_pwd, viewer_keychain])
|
|
||||||
sign_retry_wait=15
|
sign_retry_wait=15
|
||||||
resources = app_in_dmg + "/Contents/Resources/"
|
resources = app_in_dmg + "/Contents/Resources/"
|
||||||
plain_sign = glob.glob(resources + "llplugin/*.dylib")
|
plain_sign = glob.glob(resources + "llplugin/*.dylib")
|
||||||
|
|
@ -1779,24 +1783,28 @@ class Darwin_x86_64_Manifest(ViewerManifest):
|
||||||
try:
|
try:
|
||||||
# Note: See blurb above about names of keychains
|
# Note: See blurb above about names of keychains
|
||||||
for signee in plain_sign:
|
for signee in plain_sign:
|
||||||
self.run_command(
|
args = [
|
||||||
['codesign',
|
'codesign',
|
||||||
'--force',
|
'--force',
|
||||||
'--timestamp',
|
'--timestamp'
|
||||||
'--keychain', viewer_keychain,
|
]
|
||||||
'--sign', identity,
|
if not ad_hoc_sign:
|
||||||
signee])
|
args += ['--keychain', viewer_keychain]
|
||||||
|
args += ['--sign', identity, signee]
|
||||||
|
self.run_command(args)
|
||||||
for signee in deep_sign:
|
for signee in deep_sign:
|
||||||
self.run_command(
|
args = [
|
||||||
['codesign',
|
'codesign',
|
||||||
'--verbose',
|
'--verbose',
|
||||||
'--deep',
|
'--deep',
|
||||||
'--force',
|
'--force',
|
||||||
'--entitlements', self.src_path_of("slplugin.entitlements"),
|
'--entitlements', self.src_path_of("slplugin.entitlements"),
|
||||||
'--options', 'runtime',
|
'--options', 'runtime'
|
||||||
'--keychain', viewer_keychain,
|
]
|
||||||
'--sign', identity,
|
if not ad_hoc_sign:
|
||||||
signee])
|
args += ['--keychain', viewer_keychain]
|
||||||
|
args += ['--sign', identity, signee]
|
||||||
|
self.run_command(args)
|
||||||
break # if no exception was raised, the codesign worked
|
break # if no exception was raised, the codesign worked
|
||||||
except ManifestError as err:
|
except ManifestError as err:
|
||||||
# 'err' goes out of scope
|
# 'err' goes out of scope
|
||||||
|
|
@ -1804,10 +1812,12 @@ class Darwin_x86_64_Manifest(ViewerManifest):
|
||||||
else:
|
else:
|
||||||
print("Maximum codesign attempts exceeded; giving up", file=sys.stderr)
|
print("Maximum codesign attempts exceeded; giving up", file=sys.stderr)
|
||||||
raise sign_failed
|
raise sign_failed
|
||||||
# <FS:ND> This fails sometimes and works other times. Even when notarization (down below) is a success
|
|
||||||
# Remove it for now and investigate after we did notarize a few times
|
if not ad_hoc_sign:
|
||||||
#self.run_command(['spctl', '-a', '-texec', '-vvvv', app_in_dmg])
|
# <FS:ND> This fails sometimes and works other times. Even when notarization (down below) is a success
|
||||||
self.run_command([self.src_path_of("installers/darwin/apple-notarize.sh"), app_in_dmg])
|
# Remove it for now and investigate after we did notarize a few times
|
||||||
|
#self.run_command(['spctl', '-a', '-texec', '-vvvv', app_in_dmg])
|
||||||
|
self.run_command([self.src_path_of("installers/darwin/apple-notarize.sh"), app_in_dmg])
|
||||||
|
|
||||||
finally:
|
finally:
|
||||||
# Unmount the image even if exceptions from any of the above
|
# Unmount the image even if exceptions from any of the above
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue