Add CMake install step for macOS code signing

Signed-off-by: Kenneth Chew <79120643+kthchew@users.noreply.github.com>
2025-09-17 16:05:42 -04:00 · 2024-12-11 22:04:26 -05:00 · 2024-12-11 22:04:26 -05:00 · 50e66375a6
commit 50e66375a6
parent 058717bcc2
7 changed files with 77 additions and 0 deletions
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@ -409,6 +409,8 @@ if(UNIX AND APPLE)
    set(MACOSX_SPARKLE_SHA256 "50612a06038abc931f16011d7903b8326a362c1074dabccb718404ce8e585f0b" CACHE STRING "SHA256 checksum for Sparkle release archive")
    set(MACOSX_SPARKLE_DIR "${CMAKE_BINARY_DIR}/frameworks/Sparkle")

+    set(MACOSX_CODESIGN_IDENTITY "-" CACHE STRING "The identity to use for codesigning (the name, not the secret)")
+
    if(NOT MACOSX_SPARKLE_UPDATE_PUBLIC_KEY STREQUAL "" AND NOT MACOSX_SPARKLE_UPDATE_FEED_URL STREQUAL "")
        set(Launcher_ENABLE_UPDATER YES)
    endif()
--- a/launcher/CMakeLists.txt
+++ b/launcher/CMakeLists.txt
@ -1561,3 +1561,18 @@ if(WIN32 OR (UNIX AND APPLE))
        COMPONENT bundle
    )
 endif()
+
+if(UNIX AND APPLE)
+    # Need to fix code signing for the bundle
+    if(MACOSX_CODESIGN_IDENTITY STREQUAL "-")
+        set(MACOSX_ENTITLEMENTS "${CMAKE_CURRENT_BINARY_DIR}/../program_info/AdhocSignedApp.entitlements")
+    else()
+        set(MACOSX_ENTITLEMENTS "${CMAKE_CURRENT_BINARY_DIR}/../program_info/App.entitlements")
+    endif()
+    configure_file(
+        "${CMAKE_CURRENT_SOURCE_DIR}/MacOSCodesign.cmake.in"
+        "${CMAKE_CURRENT_BINARY_DIR}/MacOSCodesign.cmake"
+        @ONLY
+    )
+    install(SCRIPT "${CMAKE_CURRENT_BINARY_DIR}/MacOSCodesign.cmake" COMPONENT Runtime)
+endif()
--- a/launcher/MacOSCodesign.cmake.in
+++ b/launcher/MacOSCodesign.cmake.in
@ -0,0 +1,8 @@
+execute_process(
+        COMMAND "@CMAKE_SOURCE_DIR@/program_info/macos_signature.sh" "@MACOSX_CODESIGN_IDENTITY@" "@MACOSX_ENTITLEMENTS@"
+        WORKING_DIRECTORY "@CMAKE_INSTALL_PREFIX@"
+        RESULT_VARIABLE CODESIGN_RESULT
+)
+if(NOT CODESIGN_RESULT EQUAL 0)
+    message(FATAL_ERROR "Failed to codesign the bundle")
+endif()
--- a/program_info/AdhocSignedApp.entitlements
+++ b/program_info/AdhocSignedApp.entitlements
@ -2,6 +2,7 @@
 <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
 <plist version="1.0">
 <dict>
+    @Launcher_DebugEntitlements@
    <key>com.apple.security.cs.disable-library-validation</key>
    <true/>
    <key>com.apple.security.device.audio-input</key>
--- a/program_info/App.entitlements
+++ b/program_info/App.entitlements
@ -2,6 +2,7 @@
 <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
 <plist version="1.0">
 <dict>
+    @Launcher_DebugEntitlements@
    <key>com.apple.security.device.audio-input</key>
    <true/>
    <key>com.apple.security.device.camera</key>
--- a/program_info/CMakeLists.txt
+++ b/program_info/CMakeLists.txt
@ -38,6 +38,14 @@ set(Launcher_Branding_LogoQRC "program_info/prismlauncher.qrc" PARENT_SCOPE)

 set(Launcher_Portable_File "program_info/portable.txt" PARENT_SCOPE)

+if(CMAKE_BUILD_TYPE STREQUAL "Debug")
+    set(Launcher_DebugEntitlements "<key>com.apple.security.get-task-allow</key>\n    <true/>")
+else()
+    set(Launcher_DebugEntitlements "")
+endif()
+
+configure_file(App.entitlements App.entitlements)
+configure_file(AdhocSignedApp.entitlements AdhocSignedApp.entitlements)
 configure_file(${Launcher_AppID}.desktop.in ${Launcher_AppID}.desktop)
 configure_file(${Launcher_AppID}.metainfo.xml.in ${Launcher_AppID}.metainfo.xml)
 configure_file(prismlauncher.rc.in prismlauncher.rc @ONLY)
--- a/program_info/macos_signature.sh
+++ b/program_info/macos_signature.sh
@ -0,0 +1,42 @@
+#!/usr/bin/env zsh
+
+# Run this script from the directory containing "PrismLauncher.app"
+
+CODE_SIGN_IDENTITY="${1:--}"
+MAIN_ENTITLEMENTS_FILE="${2:-../program_info/App.entitlements}"
+
+if [[ "$CODE_SIGN_IDENTITY" == "Developer ID Application"* ]]; then
+    CODE_SIGN_IDENTITY=("$CODE_SIGN_IDENTITY" --timestamp)
+fi
+
+################ FRAMEWORKS ################
+cd "PrismLauncher.app/Contents/Frameworks" || exit 1
+# See https://sparkle-project.org/documentation/sandboxing/
+codesign -f -s "${CODE_SIGN_IDENTITY[@]}" -o runtime Sparkle.framework/Versions/B/XPCServices/Installer.xpc
+# For Sparkle versions >= 2.6
+codesign -f -s "${CODE_SIGN_IDENTITY[@]}" -o runtime --preserve-metadata=entitlements Sparkle.framework/Versions/B/XPCServices/Downloader.xpc
+# For Sparkle versions < 2.6
+#codesign -f -s "${CODE_SIGN_IDENTITY[@]}" -o runtime --entitlements Entitlements/Downloader.entitlements Sparkle.framework/Versions/B/XPCServices/Downloader.xpc
+codesign -f -s "${CODE_SIGN_IDENTITY[@]}" -o runtime Sparkle.framework/Versions/B/Autoupdate
+codesign -f -s "${CODE_SIGN_IDENTITY[@]}" -o runtime Sparkle.framework/Versions/B/Updater.app
+
+codesign -f -s "${CODE_SIGN_IDENTITY[@]}" ./*.framework
+codesign -f -s "${CODE_SIGN_IDENTITY[@]}" ./*.dylib
+
+################ XPC SERVICES ################
+if cd "../XPCServices"; then
+    codesign -f -s "${CODE_SIGN_IDENTITY[@]}" -o runtime ./*.xpc
+fi
+
+################ PLUGINS ################
+cd "../MacOS" || exit 1
+codesign -f -s "${CODE_SIGN_IDENTITY[@]}" iconengines/*.dylib
+codesign -f -s "${CODE_SIGN_IDENTITY[@]}" imageformats/*.dylib
+codesign -f -s "${CODE_SIGN_IDENTITY[@]}" platforms/*.dylib
+codesign -f -s "${CODE_SIGN_IDENTITY[@]}" jars/*.jar
+codesign -f -s "${CODE_SIGN_IDENTITY[@]}" styles/*.dylib
+codesign -f -s "${CODE_SIGN_IDENTITY[@]}" tls/*.dylib
+
+################ APP ################
+cd "../../.." || exit 1
+codesign -f -s "${CODE_SIGN_IDENTITY[@]}" --entitlements "$MAIN_ENTITLEMENTS_FILE" -o runtime ./PrismLauncher.app