Merge pull request #980 from ychin/hardened-runtime-entitlement-scrip…

…ting-language Fix hardened runtime entitlement for scripting languages and add app signing scripts
macvim-dev · Oct 30, 2019 · 919fd33 · 919fd33
2 parents 047b3e2 + c088f64
commit 919fd33
Show file tree

Hide file tree

Showing 4 changed files with 130 additions and 1 deletion.
diff --git a/src/MacVim/MacVim.entitlements b/src/MacVim/MacVim.entitlements
@@ -0,0 +1,12 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+    <key>com.apple.security.automation.apple-events</key>
+    <true/>
+    <key>com.apple.security.cs.disable-library-validation</key>
+    <true/>
+    <key>com.apple.security.get-task-allow</key>
+    <true/>
+</dict>
+</plist>
diff --git a/src/MacVim/scripts/notarize-dmg b/src/MacVim/scripts/notarize-dmg
@@ -0,0 +1,74 @@
+#!/bin/zsh
+
+# Utility script to submit an app for notarization by Apple. It will wait for
+# the notarization to succeed, and then staple the results to the target DMG
+# file.
+
+if [[ $# == 0 ]]; then
+    echo "Usage: sign-developer-id <MacVim_dmg> <entitlements_file>"
+    exit -1
+fi
+
+set -e
+
+if [[ $ALTOOL_USERNAME == '' || $ALTOOL_PASSWORD == '' ]]; then
+    echo 'Need to set ALTOOL_USERNAME and ALTOOL_PASSWORD in environment variables'
+    exit -1
+fi
+
+set -e
+
+macvim_dmg=$1
+
+# Step 1: Submit app to Apple's servers for notarization
+set -x
+notarize_submit_uuid=$(xcrun altool --notarize-app --primary-bundle-id "org.vim.macvim" --file ${macvim_dmg} --username "${ALTOOL_USERNAME}" --password "${ALTOOL_PASSWORD}" | grep "RequestUUID" | sed -E "s/RequestUUID = (.*)/\1/")
+set +x
+
+if [[ ${notarize_submit_uuid} == "" ]]; then
+    echo "Failed to submit for notarization!"
+    exit -1
+fi
+if ! [[ ${notarize_submit_uuid} =~ "^[a-f0-9\-]*$" ]]; then
+    echo "Request UUID format error!"
+    exit -1
+fi
+
+# Step 2: Wait for notarization to success or fail by continuously querying
+# Apple's servers for status updates
+echo "Notarization request UUID: ${notarize_submit_uuid}"
+printf "Waiting for notarization results..."
+
+counter=0
+while sleep 30; do
+    notarize_results=$(xcrun altool --notarization-info ${notarize_submit_uuid} --username "${ALTOOL_USERNAME}" --password "${ALTOOL_PASSWORD}")
+    notarize_status=$(echo $notarize_results | grep "Status:" | sed -E "s/^.*Status: (.*)/\1/")
+
+    if ((++counter > 60)); then
+        echo "Notarization timeout!"
+        exit -1
+    fi
+
+    if [[ $notarize_status == "in progress" ]]; then
+        printf "."
+        continue
+    elif [[ $notarize_status == "success" ]]; then
+        printf "\n"
+        echo "Notarization Success!\n"
+        echo $notarize_results
+        break
+    else
+        printf "\n"
+        exit -1
+    fi
+done
+
+# Step 3: Staple the notarization info to the DMG so that an offline user can
+# verify that it is notarized.
+set -x
+xcrun stapler staple ${macvim_dmg}
+
+# Just print out extra info for reference
+echo "--------------------"
+codesign -d --verbose=2 ${macvim_dmg}
+spctl -a -t open --context context:primary-signature -v ${macvim_dmg}
diff --git a/src/MacVim/scripts/sign-developer-id b/src/MacVim/scripts/sign-developer-id
@@ -0,0 +1,31 @@
+#!/bin/sh
+
+# Utility script to sign MacVim with a valid Developer ID with hardened runtime
+# along with a provided entitlments file. This script requires a Developer ID
+# cert already installed on the computer.
+
+# Use the following to verify:
+#     codesign -d --verbose=4 --entitlements - <MacVim_app>
+
+if [[ $# == 0 || $# == 1 ]]; then
+    echo "Usage: sign-developer-id <MacVim_app> <entitlements_file>"
+    exit -1
+fi
+
+set -e
+
+macvim_path=$1
+entitlements=$2
+
+if [[ $macvim_path =~ dmg ]]; then
+    set -x
+    codesign -f -s "Developer ID Application" -o runtime --timestamp $macvim_path
+else
+    # Sign bottom-up to make sure everything is signed. Note: --deep doesn't
+    # catch certain edge cases like the files in Resources, hence the need to
+    # manually sign them before signing the main app.
+    set -x
+    codesign -f -s "Developer ID Application" -o runtime --deep --timestamp $macvim_path/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/Autoupdate.app
+    codesign -f -s "Developer ID Application" -o runtime --deep --timestamp $macvim_path/Contents/Library/QuickLook/QLStephen.qlgenerator/Contents/MacOS/QLStephen
+    codesign -f -s "Developer ID Application" -o runtime --deep --timestamp --entitlements $entitlements $macvim_path
+fi
diff --git a/src/Makefile b/src/Makefile
@@ -3620,16 +3620,21 @@ $(APPDIR)/Contents:
 
 ##############################################################################
 ### MacVim GUI
-.PHONY: macvim macvim-dmg macvimclean
+.PHONY: macvim macvim-dmg macvimclean macvim-signed macvim-dmg-release
 
 RELEASEDIR = MacVim/build/Release
 DMGDIR = MacVim/build/dmg
 DMGFILE = MacVim.dmg
+ENTITLEMENTS = MacVim/MacVim.entitlements
 
 macvim: $(VIMTARGET)
 	xcodebuild -project MacVim/MacVim.xcodeproj $(XCODEFLAGS)
 
+macvim-signed:
+	MacVim/scripts/sign-developer-id $(RELEASEDIR)/MacVim.app $(ENTITLEMENTS)
+
 macvim-dmg:
+	rm -rf $(DMGDIR)
 	mkdir -p $(DMGDIR)
 	cp -a $(RELEASEDIR)/MacVim.app $(DMGDIR)/
 	rm -rf $(RELEASEDIR)/$(DMGFILE)
@@ -3648,6 +3653,13 @@ macvimclean:
 		rm -rf MacVim/build MacVim/qlstephen/build xxd/xxd.dSYM; \
 	fi
 
+# Create a release DMG image that is signed and notaraized
+macvim-dmg-release: macvim-signed macvim-dmg
+	MacVim/scripts/sign-developer-id $(RELEASEDIR)/MacVim.dmg $(ENTITLEMENTS)
+	MacVim/scripts/notarize-dmg $(RELEASEDIR)/MacVim.dmg
+	echo "--------------------"
+	echo "Release MacVim built!"
+
 
 ###############################################################################
 ### (automatically generated by 'make depend')