Mono/macOS: Codesign the editor binary

Using --deep to also sign the AOT cross-compilers.
godotengine · Mar 2, 2021 · b96c0c3 · b96c0c3
1 parent bf6cf6e
commit b96c0c3
Show file tree

Hide file tree

Showing 2 changed files with 64 additions and 31 deletions.
diff --git a/build-macosx/editor_mono.entitlements b/build-macosx/editor_mono.entitlements
@@ -0,0 +1,18 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+ <key>com.apple.security.cs.allow-dyld-environment-variables</key>
+ <true/>
+ <key>com.apple.security.cs.allow-jit</key>
+ <true/>
+ <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
+ <true/>
+ <key>com.apple.security.cs.disable-library-validation</key>
+ <true/>
+ <key>com.apple.security.device.audio-input</key>
+ <true/>
+ <key>com.apple.security.device.camera</key>
+ <true/>
+</dict>
+</plist>
diff --git a/build-release.sh b/build-release.sh
@@ -14,14 +14,55 @@ else
   echo "Disabling binary signing as config.sh does not define the required data."
 fi
 
-function sign {
+sign_windows() {
   if [ $can_sign == 0 ]; then
     return
   fi
   ./osslsigncode -pkcs12 ${SIGN_KEYSTORE} -pass "${SIGN_PASSWORD}" -n "${SIGN_NAME}" -i "${SIGN_URL}" -t http://timestamp.comodoca.com -in $1 -out $1-signed
   mv $1-signed $1
 }
 
+sign_macos() {
+  if [ ! -z "${OSX_HOST}" ]; then
+    osx_tmpdir=$(ssh "${OSX_HOST}" "mktemp -d")
+    reldir="$1"
+    binname="$2"
+    appname="$3"
+
+    entitlements=editor.entitlements
+    if [[ "${appname}" == "Godot_mono.app" ]]; then
+      entitlements=editor_mono.entitlements
+    fi
+
+
+    scp "${reldir}/${binname}.zip" "${OSX_HOST}:${osx_tmpdir}"
+    scp "${basedir}/build-macosx/${entitlements}" "${OSX_HOST}:${osx_tmpdir}"
+    ssh "${OSX_HOST}" "
+              cd ${osx_tmpdir} && \
+              unzip ${binname}.zip && \
+              codesign --deep --timestamp \
+                --options=runtime --entitlements ${entitlements} \
+                -s ${OSX_KEY_ID} -v ${appname}/Contents/MacOS/Godot && \
+              zip -r ${binname}_signed.zip ${appname}"
+
+    request_uuid=$(ssh "${OSX_HOST}" "xcrun altool --notarize-app --primary-bundle-id \"${OSX_BUNDLE_ID}\" --username \"${APPLE_ID}\" --password \"${APPLE_ID_PASSWORD}\" --file ${osx_tmpdir}/${binname}_signed.zip")
+    request_uuid=$(echo ${request_uuid} | sed -e 's/.*RequestUUID = //')
+    ssh "${OSX_HOST}" "while xcrun altool --notarization-history 0 -u \"${APPLE_ID}\" -p \"${APPLE_ID_PASSWORD}\" | grep -q ${request_uuid}.*in\ progress; do echo Waiting on Apple signature; sleep 30s; done"
+    if ! ssh "${OSX_HOST}" "xcrun altool --notarization-history 0 -u \"${APPLE_ID}\" -p \"${APPLE_ID_PASSWORD}\" | grep -q ${request_uuid}.*success"; then
+      echo "Signing failed?"
+      ssh "${OSX_HOST}" "rm -rf ${osx_tmpdir}"
+      exit 1
+    else
+      ssh "${OSX_HOST}" "
+              cd ${osx_tmpdir} && \
+              xcrun stapler staple ${appname} && \
+              zip -r ${binname}_stapled.zip ${appname}"
+      scp "${OSX_HOST}:${osx_tmpdir}/${binname}_stapled.zip" ${reldir}/${binname}.zip
+      ssh "${OSX_HOST}" "rm -rf ${osx_tmpdir}"
+    fi
+  fi
+}
+
 godot_version=""
 templates_version=""
 build_classical=1
@@ -117,14 +158,14 @@ if [ "${build_classical}" == "1" ]; then
   binname="${godot_basename}_win64.exe"
   cp out/windows/x64/tools/godot.windows.opt.tools.64.exe ${binname}
   strip ${binname}
-  sign ${binname}
+  sign_windows ${binname}
   zip -q -9 "${reldir}/${binname}.zip" ${binname}
   rm ${binname}
 
   binname="${godot_basename}_win32.exe"
   cp out/windows/x86/tools/godot.windows.opt.tools.32.exe ${binname}
   strip ${binname}
-  sign ${binname}
+  sign_windows ${binname}
   zip -q -9 "${reldir}/${binname}.zip" ${binname}
   rm ${binname}
 
@@ -147,34 +188,7 @@ if [ "${build_classical}" == "1" ]; then
   chmod +x Godot.app/Contents/MacOS/Godot
   zip -q -9 -r "${reldir}/${binname}.zip" Godot.app
   rm -rf Godot.app
-
-  if [ ! -z "${OSX_HOST}" ]; then
-    osx_tmpdir=$(ssh "${OSX_HOST}" "mktemp -d")
-
-    scp "${reldir}/${binname}.zip" "${OSX_HOST}:${osx_tmpdir}"
-    scp "${basedir}/build-macosx/editor.entitlements" "${OSX_HOST}:${osx_tmpdir}"
-    ssh "${OSX_HOST}" "
-              cd ${osx_tmpdir} && \
-              unzip ${binname}.zip &&\
-              codesign --timestamp --options=runtime --entitlements editor.entitlements -s ${OSX_KEY_ID} -v Godot.app/Contents/MacOS/Godot && \
-              zip -r ${binname}_signed.zip Godot.app"
-
-    request_uuid=$(ssh "${OSX_HOST}" "xcrun altool --notarize-app --primary-bundle-id \"${OSX_BUNDLE_ID}\" --username \"${APPLE_ID}\" --password \"${APPLE_ID_PASSWORD}\" --file ${osx_tmpdir}/${binname}_signed.zip")
-    request_uuid=$(echo ${request_uuid} | sed -e 's/.*RequestUUID = //')
-    ssh "${OSX_HOST}" "while xcrun altool --notarization-history 0 -u \"${APPLE_ID}\" -p \"${APPLE_ID_PASSWORD}\" | grep -q ${request_uuid}.*in\ progress; do echo Waiting on Apple signature; sleep 30s; done"
-    if ! ssh "${OSX_HOST}" "xcrun altool --notarization-history 0 -u \"${APPLE_ID}\" -p \"${APPLE_ID_PASSWORD}\" | grep -q ${request_uuid}.*success"; then
-      echo "Signing failed?"
-      ssh "${OSX_HOST}" "rm -rf ${osx_tmpdir}"
-      exit 1
-    else
-      ssh "${OSX_HOST}" "
-              cd ${osx_tmpdir} && \
-              xcrun stapler staple Godot.app && \
-              zip -r ${binname}_stapled.zip Godot.app"
-      scp "${OSX_HOST}:${osx_tmpdir}/${binname}_stapled.zip" ${reldir}/${binname}.zip
-      ssh "${OSX_HOST}" "rm -rf ${osx_tmpdir}"
-    fi
-  fi
+  sign_macos ${reldir} ${binname} Godot.app
 
   # Templates
   rm -rf osx_template.app
@@ -380,6 +394,7 @@ if [ "${build_mono}" == "1" ]; then
   chmod +x Godot_mono.app/Contents/MacOS/Godot
   zip -q -9 -r "${reldir_mono}/${binname}.zip" Godot_mono.app
   rm -rf Godot_mono.app
+  sign_macos ${reldir_mono} ${binname} Godot_mono.app
 
   # Templates
   rm -rf osx_template.app