Sign the XZUtils executables.

Add overridable makefile variable `APP_SIGNING_ID` and add code signing targets to the makefile. There are four executables (`lzmadec`, `lzmainfo`, `xz` and `xzdec`), so add a stamp file for each executable to track the signing state, in the form `<exe-name>-signed.stamp.txt`. Update the dependencies of the intermediate `$(TMP)/xz.pkg` target to include all four executables (instead of just `xz`) and the four signing stamp files. Add a description of `APP_SIGNING_ID` to the readme file.
donmccaughey · Oct 27, 2021 · 6c0c6fa · 6c0c6fa
1 parent 928912c
commit 6c0c6fa
Show file tree

Hide file tree

Showing 2 changed files with 46 additions and 2 deletions.
diff --git a/Makefile b/Makefile
@@ -1,3 +1,4 @@
+APP_SIGNING_ID ?= Developer ID Application: Donald McCaughey
 INSTALLER_SIGNING_ID ?= Developer ID Installer: Donald McCaughey
 TMP ?= $(abspath tmp)
 
@@ -61,10 +62,47 @@ $(TMP)/install :
 
 ##### pkg ##########
 
+# sign executable
+
+$(TMP)/lzmadec-signed.stamp.txt :  $(TMP)/install/usr/local/bin/lzmadec | $$(dir $$@)
+	xcrun codesign \
+		--sign "$(APP_SIGNING_ID)" \
+		--options runtime \
+		$<
+	date > $@
+
+$(TMP)/lzmainfo-signed.stamp.txt :  $(TMP)/install/usr/local/bin/lzmainfo | $$(dir $$@)
+	xcrun codesign \
+		--sign "$(APP_SIGNING_ID)" \
+		--options runtime \
+		$<
+	date > $@
+
+$(TMP)/xz-signed.stamp.txt :  $(TMP)/install/usr/local/bin/xz | $$(dir $$@)
+	xcrun codesign \
+		--sign "$(APP_SIGNING_ID)" \
+		--options runtime \
+		$<
+	date > $@
+
+$(TMP)/xzdec-signed.stamp.txt :  $(TMP)/install/usr/local/bin/xzdec | $$(dir $$@)
+	xcrun codesign \
+		--sign "$(APP_SIGNING_ID)" \
+		--options runtime \
+		$<
+	date > $@
+
 $(TMP)/xz.pkg : \
 		$(TMP)/install/etc/paths.d/xz.path \
 		$(TMP)/install/usr/local/bin/uninstall-xz \
-		$(TMP)/install/usr/local/bin/xz
+		$(TMP)/install/usr/local/bin/lzmadec \
+		$(TMP)/install/usr/local/bin/lzmainfo \
+		$(TMP)/install/usr/local/bin/xz \
+		$(TMP)/install/usr/local/bin/xzdec \
+		$(TMP)/lzmadec-signed.stamp.txt \
+		$(TMP)/lzmainfo-signed.stamp.txt \
+		$(TMP)/xz-signed.stamp.txt \
+		$(TMP)/xzdec-signed.stamp.txt
 	pkgbuild \
 		--root $(TMP)/install \
 		--identifier cc.donm.pkg.xz \
@@ -123,6 +161,7 @@ $(TMP)/build-report.txt : | $$(dir $$@)
 	printf 'Build Date: %s\n' "$(date)" > $@
 	printf 'Software Version: %s\n' "$(version)" >> $@
 	printf 'Installer Revision: %s\n' "$(revision)" >> $@
+	printf 'Architectures: %s\n' "$(arch_list)" >> $@
 	printf 'macOS Version: %s\n' "$(macos)" >> $@
 	printf 'Xcode Version: %s\n' "$(xcode)" >> $@
 	printf 'Tag Version: v%s-r%s\n' "$(version)" "$(revision)" >> $@

diff --git a/README.md b/README.md
@@ -11,6 +11,11 @@ the source distribution for XZ Utils 5.2.5.
 The [`Makefile`][2] in the project root directory builds the installer package.
 The following makefile variables can be set from the command line:
 
+- `APP_SIGNING_ID`: The name of the 
+    [Apple _Developer ID Application_ certificate][5] used to sign the 
+    `nginx` executable.  The certificate must be installed on the build 
+    machine's Keychain.  Defaults to "Developer ID Application: Donald 
+    McCaughey" if not specified.
 - `INSTALLER_SIGNING_ID`: The name of the 
     [Apple _Developer ID Installer_ certificate][3] used to sign the 
     installer.  The certificate must be installed on the build machine's
@@ -24,7 +29,7 @@ The following makefile variables can be set from the command line:
 
 To build and sign the executable and installer, run:
 
-        $ make [INSTALLER_SIGNING_ID="<cert name>"] [TMP="<build dir>"]
+        $ make [APP_SIGNING_ID="<cert name 1>"] [INSTALLER_SIGNING_ID="<cert name 2>"] [TMP="<build dir>"]
 
 Intermediate files are generated in the temp directory; the signed installer 
 package is written into the project root with the name `pkg-config-0.29.2.pkg`.