MACOS/IPHONE: Sign whole bundle #2763
@@ -182,6 +182,7 @@ ifdef USE_DOCKTILEPLUGIN | |||
mkdir -p $(bundle_name)/Contents/PlugIns | |||
cp -r scummvm.docktileplugin $(bundle_name)/Contents/PlugIns/ | |||
endif | |||
ldid -S $(bundle_name)/Contents |
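Review bot: the `ldid -S $(bundle_name)/Contents` line sits after the `endif`, so it runs unconditionally in the bundle recipe and the target fails on any build host that has no ldid on its PATH. Guard the call (a make conditional on the host or toolchain, or a check that the tool exists) or make the signing command a variable so that each host can supply its own tool. A short comment saying why the whole `Contents` directory is passed rather than only the binary would also help the next reader of the recipe.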
criezy
Feb 8, 2021
Member
What is ldid? There is no such command on macOS.
I see it was already present for the iOS bundle in ports.mk, but as I never compiled the iOS bundle on the command line (I always use Xcode), I never noticed. But adding it to the macOS bundle target will break command line compilation for all those compiling ScummVM on the command line on macOS (including myself). I don't think this is a good idea.
Since the PR title says sign whole bundle I assume this is related to signing? The command line utility on macOS to sign applications is called codesign.
But I am not sure signing (and notarization, which may also be needed) are possible on Linux. This may be relevant: tpoechtrager/osxcross#198
lephilousophe
Feb 10, 2021
Author
Member
I am really a noob with all of this and I am not sure about what is really done by these tools.
I don't know if the ios7 part modifications are needed nor good. I don't even know if the packages produced by buildbot can run on an iPhone (jailbroken or not).
According to what I read, it seems that when a bundle is distributed on Mac, it should be signed as a whole. Up to now, only the binary was signed (either by cctools-port which calls ldid or explicitly by calling ldid directly).
The commit directs ldid to the folder containing the whole bundle to have "manifest" generated and its signature bundled in main binary (if I understood correctly).
ldid is a tool to edit entitlements(?) in Mac binaries. It also generates the hashes to sign binaries and can fake(?) sign binaries.
It seems to be used by jailbreak community and it's the only tool available on Linux to do so. codesign isn't open sourced by Apple and nobody created a mock.
I found another tool called zsign while googling but never found a clear explanation about what it does more than ldid.
As ldid was already used in the Makefile, I thought it was OK. The only change here is to sign the whole directory instead of just the binary.
About that, the Info.plist needs to be changed because ldid doesn't handle the ${EXECUTABLE_NAME} variable and needs the real file name.
It's already like that in dists/iphone/Info.plist but I don't know why.
Add signing to MacOS for arm64 builds
d376eea
to
40f61ae
Add signing to MacOS for arm64 builds
This has not been tested but it adds a CodeResources file, which seems to indicate the whole bundle will be signed.
This does the same thing for iPhone even though I suppose jailbroken devices are less sensitive to the missing signature on all binaries.
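Added example, not part of the PR or of ScummVM's code: a build-output check for the CodeResources manifest that the commit message mentions, comparing each listed resource with its recorded hash. It assumes the manifest is a plist whose files2 table holds SHA-256 digests under hash2; the bundle name and file contents are constructed for the demonstration.

```python
import hashlib
import plistlib
import tempfile
from pathlib import Path


def verify_resources(bundle):
    """Check sealed resources against the files2 table of CodeResources."""
    bundle = Path(bundle)
    # macOS bundles keep everything under Contents/; iOS bundles are flat.
    root = bundle / "Contents" if (bundle / "Contents").is_dir() else bundle
    manifest = root / "_CodeSignature" / "CodeResources"
    report = {"sealed": manifest.is_file(), "modified": [], "missing": []}
    if not report["sealed"]:
        return report  # no manifest: at most the binary itself is signed
    with manifest.open("rb") as fh:
        files2 = plistlib.load(fh).get("files2", {})
    for rel, entry in sorted(files2.items()):
        if not isinstance(entry, dict) or "hash2" not in entry:
            continue  # nested code and symlink entries are not checked here
        path = root / rel
        if not path.is_file():
            if not entry.get("optional", False):
                report["missing"].append(rel)
        elif hashlib.sha256(path.read_bytes()).digest() != entry["hash2"]:
            report["modified"].append(rel)
    return report


def demo():
    """Build a constructed bundle, seal it, then tamper with its resources."""
    with tempfile.TemporaryDirectory() as tmp:
        bundle = Path(tmp) / "Example.app"  # constructed name
        res = bundle / "Contents" / "Resources"
        res.mkdir(parents=True)
        (res / "game.dat").write_bytes(b"original data")
        (res / "icon.icns").write_bytes(b"icon bytes")
        unsealed = verify_resources(bundle)
        files2 = {"Resources/" + p.name: {"hash2": hashlib.sha256(p.read_bytes()).digest()}
                  for p in res.iterdir()}
        sig = bundle / "Contents" / "_CodeSignature"
        sig.mkdir()
        with (sig / "CodeResources").open("wb") as fh:
            plistlib.dump({"files2": files2}, fh)
        clean = verify_resources(bundle)
        (res / "game.dat").write_bytes(b"patched data")
        (res / "icon.icns").unlink()
        return unsealed, clean, verify_resources(bundle)
```

This checks only that the files agree with the manifest; it does not validate the signature that binds the manifest to the main binary.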