Correctly codesign Mac app for Catalina (#869)

build_image.py

@@ -61,6 +61,7 @@
 POLYGLOT_VERSION = '' # set in main for timing reasons
 POLYGLOT_BUILD = '' # set in main for timing reasons
 JAVA_HOME = '' # set in main for timing reasons
+SIGN_IDENTITY = '' # set in main for timing reasons
 IS_RELEASE = False
 CUR_YEAR = str(date.today().year)
 
@@ -74,6 +75,7 @@ def main(args):
     global POLYGLOT_VERSION
     global POLYGLOT_BUILD
     global JAVA_HOME
+    global SIGN_IDENTITY
     global IS_RELEASE
     global JAR_W_DEP
     global JAR_WO_DEP
@@ -97,6 +99,15 @@ def main(args):
         # remove args after consuming
         del args[command_index + 1]
         del args[command_index]
+
+    # allows specifying code signing identity for mac builds
+    if '-mac-sign-identity' in args:
+        command_index = args.index('-mac-sign-identity')
+        SIGN_IDENTITY = args[command_index + 1]
+
+        # remove args after consuming
+        del args[command_index + 1]
+        del args[command_index]
 
     # allows for override of java home (virtual environments make this necessary at times)
     if '-java-home-o' in args:
@@ -299,24 +310,54 @@ def imageOsx():
         '--launcher PolyGlot=org.darisadesigns.polyglotlina.polyglot')
 
 def distOsx():
-    print('Creating distribution package...')
+    print('Creating app image...')
     command = (JAVA_HOME + '/bin/jpackage ' +
         '--runtime-image build/image ' +
         '--icon "PolyGlot.app" ' +
         '--name PolyGlot ' +
         '--module org.darisadesigns.polyglotlina.polyglot/org.darisadesigns.polyglotlina.PolyGlot ' +
         '--copyright "2014-' + CUR_YEAR + ' Draque Thompson" ' +
         '--description "PolyGlot is a spoken language construction toolkit." ' +
+        '--type app-image ' +
         '--mac-package-name "PolyGlot" ' +
         '--file-associations packaging_files/mac/file_types_mac.prop ' +
         '--icon packaging_files/mac/PolyGlot.icns ' +
         '--license-file LICENSE.TXT ' +
         '--app-version "' + POLYGLOT_VERSION + '"')
 
     os.system(command)
-
-    if copyDestination != "":
-        copyInstaller('PolyGlot-' + POLYGLOT_VERSION + '.dmg')
+
+    # Remove the extra copy of libjli.dylib which causes notarization to fail
+    os.remove('PolyGlot.app/Contents/runtime/Contents/MacOS/libjli.dylib')
+
+    if SIGN_IDENTITY:
+        print('Code signing app image...')
+        command = ('codesign ' +
+            '--force ' + # Overwrite existing signature
+            '--timestamp ' + # Embed secure timestamps
+            '--options runtime ' + # Enable hardened runtime
+            '--entitlements packaging_files/mac/entitlements.plist ' + # Add entitlements
+            '--sign "' + SIGN_IDENTITY + '" ' +
+            'PolyGlot.app')
+
+        os.system(command)
+    else:
+        print('No code signing identity specified, app image will not be signed')
+
+    if shutil.which('dmgbuild'):
+        print('Creating distribution package...')
+        command = ('dmgbuild ' +
+            '-s packaging_files/mac/dmg_settings.py ' +
+            'PolyGlot ' +
+            'PolyGlot-' + POLYGLOT_VERSION + '.dmg')
+
+        os.system(command)
+
+        if copyDestination != "":
+            copyInstaller('PolyGlot-' + POLYGLOT_VERSION + '.dmg')
+    else:
+      print('\'dmgbuild\' does not exist in PATH, distribution packaging will be skipped')
+      print('Run \'pip install dmgbuild\' to install it')
 
 
 ######################################
@@ -525,6 +566,8 @@ def printHelp():
 
     -java-home-o <jdk-path> : Overrides JAVA_HOME. Useful for stubborn VMs that will not normally recognize environment variables.
     
+    -mac-sign-identity <identity> : Sign the Mac app image with the specified code signing identity.
+
     -copyDestination <destination-path> : sets location for the final created installer file to be copied to (ignored if distribution not built)
     
     -skip <step> : skips the given step (can be used multiple times)

packaging_files/mac/dmg_settings.py

@@ -0,0 +1,42 @@
+import os.path
+
+# .. Useful stuff ..............................................................
+
+application = 'PolyGlot.app'
+appname = os.path.basename(application)
+
+# .. Basics ....................................................................
+
+# Volume format (see hdiutil create -help)
+format = 'UDZO'
+
+# Volume size
+size = None
+
+# Files to include
+files = [ application ]
+
+# Symlinks to create
+symlinks = { 'Applications': '/Applications' }
+
+# Where to put the icons
+icon_locations = {
+    appname:        (180, 170),
+    'Applications': (480, 170)
+}
+
+# .. Window configuration ......................................................
+
+# Background
+background = 'packaging_files/mac/dmg-background.tiff'
+
+# Window position in ((x, y), (w, h)) format
+window_rect = ((100, 100), (660, 400))
+
+# .. Icon view configuration ...................................................
+
+icon_size = 160
+
+# .. License configuration .....................................................
+
+license = { 'licenses': { 'en_US': 'LICENSE.TXT' } }

packaging_files/mac/entitlements.plist

@@ -0,0 +1,16 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+    <key>com.apple.security.cs.allow-jit</key>
+    <true/>
+    <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
+    <true/>
+    <key>com.apple.security.cs.disable-executable-page-protection</key>
+    <true/>
+    <key>com.apple.security.cs.allow-dyld-environment-variables</key>
+    <true/>
+    <key>com.apple.security.cs.disable-library-validation</key>
+    <true/>
+</dict>
+</plist>