Fix Word integration from source builds on Apple Silicon

From what I can gather [1], all apps on Apple Silicon need to be signed, but macOS will automatically ad-hoc sign...something. (The linked page says if you've "compiled the executable yourself", but it doesn't seem to be limited to that.) In any case, the automatic signing doesn't happen for the Word dylib, so we need to add a `codesign` call to sign that file, and then it works. I put the signing code in a separate file, in case we discover other things that need to be explicitly signed, and because someone making a custom build for their own usage might want to sign the full app bundle. [1] https://wiki.lazarus.freepascal.org/Code_Signing_for_macOS#Ad_hoc_signing
zotero · Feb 23, 2023 · b03a43f · b03a43f
1 parent 5dffe49
commit b03a43f
Show file tree

Hide file tree

Showing 2 changed files with 48 additions and 1 deletion.
diff --git a/scripts/build_and_run b/scripts/build_and_run
@@ -1,5 +1,8 @@
 #!/bin/bash -e
 
+SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+ROOT_DIR="$(dirname "$SCRIPT_DIR")"
+
 # Set ZOTERO_REPOS_DIR to use directory other than $HOME for zotero-client and zotero-standalone-build
 if [ -n "${ZOTERO_REPOS_DIR:-}" ]; then
 	repos_dir=$ZOTERO_REPOS_DIR
@@ -72,6 +75,8 @@ fi
 
 if [ "`uname`" = "Darwin" ]; then
 	command="Zotero.app/Contents/MacOS/zotero"
+	# Sign the Word dylib so it works on Apple Silicon
+	$SCRIPT_DIR/codesign_local $repos_dir/zotero-standalone-build/staging/Zotero.app
 elif [ "`uname`" = "Linux" ]; then
 	command="Zotero_linux-x86_64/zotero"
 elif [ "`uname -o 2> /dev/null`" = "Cygwin" ]; then
@@ -81,4 +86,4 @@ else
 	exit 1
 fi
 
-$repos_dir/zotero-standalone-build/staging/$command $profile -ZoteroDebugText -jsconsole $PARAMS "$@"
+$repos_dir/zotero-standalone-build/staging/$command $profile -ZoteroDebugText -jsconsole -purgecaches $PARAMS "$@"
diff --git a/scripts/codesign_local b/scripts/codesign_local
@@ -0,0 +1,42 @@
+#!/bin/bash
+set -euo pipefail
+
+# Perform ad-hoc code signing of Zotero.app for local usage
+#
+# Currently we sign only the Word dylib, since that's necessary for Zotero developers to work on
+# Word integration on Apple Silicon. If we discover other problems, we can uncomment some of the
+# other lines. If you're making a custom build, you can modify this file to sign the entire build
+# instead of just the bare minimum needed for development.
+
+SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+ROOT_DIR="$(dirname "$SCRIPT_DIR")"
+. "$ROOT_DIR/config.sh"
+
+if [ -z "${1:-}" ]; then
+	echo "Usage: $0 path/to/staging/Zotero.app"
+	exit 1
+fi
+
+APPDIR=$1
+DEVELOPER_ID="-"
+
+entitlements_file="$ROOT_DIR/mac/entitlements.xml"
+#/usr/bin/codesign --force --options runtime --entitlements "$entitlements_file" --sign "$DEVELOPER_ID" \
+#	"$APPDIR/Contents/MacOS/pdftotext" \
+#	"$APPDIR/Contents/MacOS/pdfinfo" \
+#	"$APPDIR/Contents/MacOS/XUL" \
+#	"$APPDIR/Contents/MacOS/updater.app/Contents/MacOS/org.mozilla.updater"
+#find "$APPDIR/Contents" -name '*.dylib' -exec /usr/bin/codesign --force --options runtime --entitlements "$entitlements_file" --sign "$DEVELOPER_ID" {} \;
+#find "$APPDIR/Contents" -name '*.app' -exec /usr/bin/codesign --force --options runtime --entitlements "$entitlements_file" --sign "$DEVELOPER_ID" {} \;
+#/usr/bin/codesign --force --options runtime --entitlements "$entitlements_file" --sign "$DEVELOPER_ID" "$APPDIR/Contents/MacOS/zotero"
+
+# Skip signing of Safari extension, since it's not present for local builds
+
+# Sign final app package
+#echo
+#/usr/bin/codesign --force --options runtime --entitlements "$entitlements_file" --sign "$DEVELOPER_ID" "$APPDIR"
+
+# Verify app
+#/usr/bin/codesign --verify -vvvv "$APPDIR"
+
+find "$APPDIR/Contents" -name 'libZoteroWordIntegration.dylib' -exec /usr/bin/codesign --force --options runtime --entitlements "$entitlements_file" --sign "$DEVELOPER_ID" {} \;