       tMerge pull request #4869 from cculianu/add_macos_codesign - electrum - Electrum Bitcoin wallet
       ---
   DIR commit fc2972e977797e6f57908004eddb57f4fca19928
   DIR parent 04571d3b20dbb74309c726478bc56ba310063e70
  HTML Author: ThomasV <thomasv@electrum.org>
       Date:   Wed, 28 Nov 2018 14:02:29 +0100
       
       Merge pull request #4869 from cculianu/add_macos_codesign
       
       t[macOS] Added optional code signing capability to the OSX build scripts.
       Diffstat:
         M contrib/build-osx/base.sh           |      23 +++++++++++++++++++++++
         M contrib/build-osx/make_osx          |      29 +++++++++++++++++++++++++++++
       
       2 files changed, 52 insertions(+), 0 deletions(-)
       ---
   DIR diff --git a/contrib/build-osx/base.sh b/contrib/build-osx/base.sh
       t@@ -2,6 +2,7 @@
        
        RED='\033[0;31m'
        BLUE='\033[0,34m'
       +YELLOW='\033[0;33m'
        NC='\033[0m' # No Color
        function info {
                printf "\r💬 ${BLUE}INFO:${NC}  ${1}\n"
       t@@ -10,3 +11,25 @@ function fail {
            printf "\r🗯 ${RED}ERROR:${NC} ${1}\n"
            exit 1
        }
       +function warn {
       +        printf "\r⚠️  ${YELLOW}WARNING:${NC}  ${1}\n"
       +}
       +
       +function DoCodeSignMaybe { # ARGS: infoName fileOrDirName codesignIdentity
       +    infoName="$1"
       +    file="$2"
       +    identity="$3"
       +    deep=""
       +    if [ -z "$identity" ]; then
       +        # we are ok with them not passing anything -- master script calls us always even if no identity is specified
       +        return
       +    fi
       +    if [ -d "$file" ]; then
       +        deep="--deep"
       +    fi
       +    if [ -z "$infoName" ] || [ -z "$file" ] || [ -z "$identity" ] || [ ! -e "$file" ]; then
       +        fail "Argument error to internal function DoCodeSignMaybe()"
       +    fi
       +    info "Code signing ${infoName}..."
       +    codesign -f -v $deep -s "$identity" "$file" || fail "Could not code sign ${infoName}"
       +}
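Review bot: Signing directories with `--deep` in DoCodeSignMaybe (`deep="--deep"`, then `codesign -f -v $deep -s "$identity" "$file"`) applies one set of signing options to every nested item and relies on codesign locating all nested code, which Apple's guidance discourages for distribution signing as far as I know. Signing the nested dylibs and frameworks individually, inside-out, and then the bundle itself without `--deep` is more predictable. Separately, `infoName`, `file`, `identity` and `deep` are assigned without `local`, so they overwrite same-named globals in the sourcing script; `local infoName="$1" file="$2" identity="$3" deep=""` keeps them scoped. The `[ -z "$identity" ]` term in the argument check can never be true after the early return above it.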
   DIR diff --git a/contrib/build-osx/make_osx b/contrib/build-osx/make_osx
       t@@ -17,6 +17,24 @@ VERSION=`git describe --tags --dirty --always`
        
        which brew > /dev/null 2>&1 || fail "Please install brew from https://brew.sh/ to continue"
        
       +# Code Signing: See https://developer.apple.com/library/archive/documentation/Security/Conceptual/CodeSigningGuide/Procedures/Procedures.html
       +APP_SIGN=""
       +if [ -n "$1" ]; then
       +    # Test the identity is valid for signing by doing this hack. There is no other way to do this.
       +    cp -f /bin/ls ./CODESIGN_TEST
       +    codesign -s "$1" --dryrun -f ./CODESIGN_TEST > /dev/null 2>&1
       +    res=$?
       +    rm -f ./CODESIGN_TEST
       +    if ((res)); then
       +        fail "Code signing identity \"$1\" appears to be invalid."
       +    fi
       +    unset res
       +    APP_SIGN="$1"
       +    info "Code signing enabled using identity \"$APP_SIGN\""
       +else
       +    warn "Code signing DISABLED. Specify a valid macOS Developer identity installed on the system as the first argument to this script to enable signing."
       +fi
       +
        info "Installing Python $PYTHON_VERSION"
        export PATH="~/.pyenv/bin:~/.pyenv/shims:~/Library/Python/3.6/bin:$PATH"
        if [ -d "~/.pyenv" ]; then
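Review bot: The identity check writes its probe binary to a fixed name in the current directory (`cp -f /bin/ls ./CODESIGN_TEST`), which silently overwrites and then deletes any existing file of that name and leaves the copy behind if the script is interrupted before `rm -f`. A private temporary file avoids both: `probe=$(mktemp) && cp -f /bin/ls "$probe"`, run the dry-run against `"$probe"`, then `rm -f "$probe"`. Also, `$1` is passed to `fail` and `info`, which in base.sh place their argument inside the printf format string, so an identity containing `%` or a backslash would be misprinted; printing the message through `%s` in those helpers would fix this for every caller.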
       t@@ -54,6 +72,7 @@ info "Downloading libusb..."
        curl https://homebrew.bintray.com/bottles/libusb-1.0.22.el_capitan.bottle.tar.gz | \
        tar xz --directory $BUILDDIR
        cp $BUILDDIR/libusb/1.0.22/lib/libusb-1.0.dylib contrib/build-osx
       +DoCodeSignMaybe "libusb" "contrib/build-osx/libusb-1.0.dylib" "$APP_SIGN" # If APP_SIGN is empty will be a noop
        
        info "Building libsecp256k1"
        brew install autoconf automake libtool
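Review bot: The added `DoCodeSignMaybe "libusb" ...` call signs a dylib that the lines just above extract from a `curl | tar` download with no integrity check, so whatever the server returned receives the developer's signature. Downloading the bottle to a file and comparing it against a pinned digest before extraction would close that gap, for example `echo "<EXPECTED_SHA256>  libusb.tar.gz" | shasum -a 256 -c - || fail "libusb bottle hash mismatch"` (the digest is a placeholder to be filled in from a trusted source). The pipeline's exit status is also not checked, so a failed download is only noticed later, and only when an identity is supplied.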
       t@@ -66,6 +85,7 @@ git clean -f -x -q
        make
        popd
        cp $BUILDDIR/secp256k1/.libs/libsecp256k1.0.dylib contrib/build-osx
       +DoCodeSignMaybe "libsecp256k1" "contrib/build-osx/libsecp256k1.0.dylib" "$APP_SIGN" # If APP_SIGN is empty will be a noop
        
        
        info "Installing requirements..."
       t@@ -96,5 +116,14 @@ plutil -insert 'CFBundleURLTypes' \
                -- dist/$PACKAGE.app/Contents/Info.plist \
                || fail "Could not add keys to Info.plist. Make sure the program 'plutil' exists and is installed."
        
       +DoCodeSignMaybe "app bundle" "dist/${PACKAGE}.app" "$APP_SIGN" # If APP_SIGN is empty will be a noop
       +
        info "Creating .DMG"
        hdiutil create -fs HFS+ -volname $PACKAGE -srcfolder dist/$PACKAGE.app dist/electrum-$VERSION.dmg || fail "Could not create .DMG"
       +
       +DoCodeSignMaybe ".DMG" "dist/electrum-${VERSION}.dmg" "$APP_SIGN" # If APP_SIGN is empty will be a noop
       +
       +if [ -z "$APP_SIGN" ]; then
       +    warn "App was built successfully but was not code signed. Users may get security warnings from macOS."
       +    warn "Specify a valid code signing identity as the first argument to this script to enable code signing."
       +fi
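Review bot: Nothing verifies the signatures after `DoCodeSignMaybe "app bundle"` and `DoCodeSignMaybe ".DMG"` run; a zero exit from the signing call does not show that every nested binary in the bundle validates. When `$APP_SIGN` is set, a check such as `codesign --verify --deep --strict "dist/${PACKAGE}.app" || fail "Signature verification failed for app bundle"` placed before the `hdiutil create` step would stop a broken bundle from being packaged and shipped. The two closing `warn` lines repeat the warning already printed at startup, which is harmless but could be reduced to one.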