From: Carl Hetherington Date: Mon, 31 May 2021 13:45:51 +0000 (+0200) Subject: Fix relinking in make_dmg.sh X-Git-Tag: v2.15.153 X-Git-Url: https://main.carlh.net/gitweb/?p=dcpomatic.git;a=commitdiff_plain;h=d077ad2b75c45b5abea465f5e8bc4a3850a172f3 Fix relinking in make_dmg.sh c432ef98c4cf3b2bda32734983eec3b42b8c3d1e completely broke the relinking of libraries using install_name_tool by only doing it for the x86_64 part of the binaries. This commit fixes that, and also does some tidy up that happened while trying to debug the error. The main cleanup is that --deep is no longer used with codesign, rather we sign all the executables ourselves manually. Various Apple forums suggest that --deep is a Bad Idea for reasons that aren't really clear. For reference, after spending days trying to debug the Gatekeeper refusal to start DoM the way to reveal the problem was: 1. start a clean VM (there are caches everywhere, so once a failure has happened you are even less likely to get any useful logging on the second failure). 2. open "Console" on macOS; logs are written to un-greppable places so you have to use this to see everything. 3. click "start streaming"; I don't know if this step is necessary. 4. put a search term in the search box (e.g. "dcp" for this) 5. start the thing that is not working. And remember that otool without `-arch` on a fat binary will only really operate / look at the first? native? architecture, so if you have an x86_64/arm64 binary and the arm64 parts are wrong you won't see anything about that with `otool -L`, only with `otool -arch arm64 -L` --- diff --git a/platform/osx/make_dmg.sh b/platform/osx/make_dmg.sh index ee5cd3019..499926876 100644 --- a/platform/osx/make_dmg.sh +++ b/platform/osx/make_dmg.sh @@ -18,6 +18,9 @@ APPLE_PASSWORD=$4 ARCH1=$5 ARCH2=$6 +APPLICATION_IDENTITY="Developer ID Application: Carl Hetherington (R82DXSR997)" +INSTALLER_IDENTITY="Developer ID Installer: Carl Hetherington (R82DXSR997)" + # This is our work area for making up the .dmgs mkdir -p build/platform/osx cd build/platform/osx @@ -45,13 +48,13 @@ function copy { fi done else - for f in $1/$ARCH1/$2; do + for f in $1/$ARCH2/$2; do if [ -h $f ]; then ln -s $(readlink $f) "$3/`basename $f`" else - g=`echo $f | sed -e "s@/$ARCH1/@/$ARCH2/@g"` + g=`echo $f | sed -e "s@/$ARCH2/@/$ARCH1/@g"` mkdir -p "$3" - lipo -create $f $g -output "$3/`basename $f`" + lipo -create $f $g -output "$3/$(basename $f)" fi done fi @@ -67,13 +70,13 @@ function copy_lib_root { fi done else - for f in $ROOT/$ARCH1/lib/$1*.dylib; do + for f in $ROOT/$ARCH2/lib/$1*.dylib; do if [ -h $f ]; then ln -s $(readlink $f) "$2/`basename $f`" else - g=`echo $f | sed -e "s@/$ARCH1/@/$ARCH2/@g"` + g=`echo $f | sed -e "s@/$ARCH2/@/$ARCH1/@g"` mkdir -p "$2" - lipo -create $f $g -output "$2/`basename $f`" + lipo -create $f $g -output "$2/$(basename $f)" fi done fi @@ -81,16 +84,16 @@ function copy_lib_root { } function copy_lib_env { - for f in $ENV/$ARCH1/lib/$1*.dylib; do + for f in $ENV/$ARCH2/lib/$1*.dylib; do if [ -h $f ]; then ln -s $(readlink $f) "$2/`basename $f`" else if [ "$ARCH2" == "" ]; then cp $f "$2/`basename $f`" else - g=`echo $f | sed -e "s@/$ARCH1/@/$ARCH2/@g"` + g=`echo $f | sed -e "s@/$ARCH2/@/$ARCH1/@g"` mkdir -p "$2" - lipo -create $f $g -output "$2/`basename $f`" + lipo -create $f $g -output "$2/$(basename $f)" fi fi done @@ -247,16 +250,21 @@ function relink_relative { to_relink=`echo $to_relink | sed -e "s/\+//g"` local linkers=("$@") - for obj in "${linkers[@]}"; do - deps=`otool -L "$obj" | awk '{print $1}' | egrep "($to_relink)" | egrep "($ENV|$ROOT|boost|libicu|libssh)"` - changes="" - for dep in $deps; do - base=`basename $dep` - changes="$changes -change $dep @executable_path/../Frameworks/$base" + arch1_name=$(echo $ARCH1 | sed -e s@/.*@@) + arch2_name=$(echo $ARCH2 | sed -e s@/.*@@) + + for arch in $arch1_name $arch2_name; do + for obj in "${linkers[@]}"; do + deps=`otool -arch $arch -L "$obj" | awk '{print $1}' | egrep "($to_relink)" | egrep "($ENV|$ROOT|boost|libicu|libssh)"` + changes="" + for dep in $deps; do + base=`basename $dep` + changes="$changes -change $dep @executable_path/../Frameworks/$base" + done + if test "x$changes" != "x"; then + install_name_tool $changes -id `basename "$obj"` "$obj" + fi done - if test "x$changes" != "x"; then - install_name_tool $changes -id `basename "$obj"` "$obj" - fi done } @@ -268,39 +276,50 @@ function relink_absolute { shift local linkers=("$@") - for obj in "${linkers[@]}"; do - deps=`otool -L "$obj" | awk '{print $1}' | egrep "($to_relink)" | egrep "($ENV|$ROOT|boost|libicu|libssh)"` - for dep in $deps; do - base=`basename $dep` - install_name_tool -change "$dep" "$target"/$base -id `basename "$obj"` "$obj" + arch1_name=$(echo $ARCH1 | sed -e s@/.*@@) + arch2_name=$(echo $ARCH2 | sed -e s@/.*@@) + + for arch in $arch1_name $arch2_name; do + for obj in "${linkers[@]}"; do + deps=`otool -arch $arch -L "$obj" | awk '{print $1}' | egrep "($to_relink)" | egrep "($ENV|$ROOT|boost|libicu|libssh)"` + for dep in $deps; do + base=`basename $dep` + install_name_tool -change "$dep" "$target"/$base -id `basename "$obj"` "$obj" + done done - done + done } function sign { - codesign --deep --force --verify --verbose --options runtime --entitlements entitlements.plist --sign "Developer ID Application: Carl Hetherington (R82DXSR997)" "$1" - if [ "$?" != "0" ]; then - echo "Failed to sign $1" - exit 1 - fi + codesign --verify --verbose=4 --options runtime --entitlements entitlements.plist --sign "$APPLICATION_IDENTITY" "$1" + if [ "$?" != "0" ]; then + echo "Failed to sign $1" + exit 1 + fi } - # @param #1 .app directory # @param #2 .pkg or "" # @param #3 full name e.g. DCP-o-matic Batch Converter +# @param #4 list of executables function make_dmg { local appdir="$1" local pkg="$2" local full_name="$3" + local exes="$4" tmp_dmg=dcpomatic_tmp.dmg dmg="$full_name $version.dmg" vol_name=DCP-o-matic-$version - sign "$appdir" + find "$appdir/Contents/Frameworks" -iname "*.dylib" -type f -print0 | while IFS= read -r -d '' f; do + sign "$f" + done + for f in $exes; do + sign "$appdir/Contents/MacOS/$f" + done if [ "$pkg" != "" ]; then - productsign --sign "Developer ID Installer: Carl Hetherington (R82DXSR997)" "$pkg" "signed_temp.pkg" + productsign --sign "$INSTALLER_IDENTITY" "$pkg" "signed_temp.pkg" if [ "$?" != "0" ]; then echo "Failed to sign .pkg" exit 1 @@ -389,7 +408,7 @@ EOF xattr -c "$dmg" set -e - codesign --verify --verbose --options runtime --entitlements entitlements.plist --sign "Developer ID Application: Carl Hetherington (R82DXSR997)" "$dmg" + codesign --timestamp --verify --verbose --options runtime --entitlements entitlements.plist --sign "$APPLICATION_IDENTITY" "$dmg" set +e rm $tmp_dmg @@ -420,7 +439,7 @@ function copy_verify { if [ "$ARCH2" == "" ]; then prefix=$ROOT else - prefix=$ROOT/$ARCH1 + prefix=$ROOT/$ARCH2 fi # DCP-o-matic main @@ -434,7 +453,7 @@ copy_verify cp $prefix/src/dcpomatic/build/platform/osx/dcpomatic2.Info.plist "$approot/Info.plist" rl=("$approot/MacOS/dcpomatic2" "$approot/MacOS/dcpomatic2_cli" "$approot/MacOS/dcpomatic2_create" "$approot/MacOS/ffprobe" "$approot/Frameworks/"*.dylib) relink_relative "${rl[@]}" -make_dmg "$appdir" "" "DCP-o-matic" +make_dmg "$appdir" "" "DCP-o-matic" "dcpomatic2_verify openssl ffprobe dcpomatic2_cli dcpomatic2_create dcpomatic2" # DCP-o-matic KDM Creator setup "DCP-o-matic 2 KDM Creator.app" @@ -445,7 +464,7 @@ copy_verify cp $prefix/src/dcpomatic/build/platform/osx/dcpomatic2_kdm.Info.plist "$approot/Info.plist" rl=("$approot/MacOS/dcpomatic2_kdm" "$approot/MacOS/dcpomatic2_kdm_cli" "$approot/Frameworks/"*.dylib) relink_relative "${rl[@]}" -make_dmg "$appdir" "" "DCP-o-matic KDM Creator" +make_dmg "$appdir" "" "DCP-o-matic KDM Creator" "dcpomatic2_verify openssl dcpomatic2_kdm_cli dcpomatic2_kdm" # DCP-o-matic Encode Server setup "DCP-o-matic 2 Encode Server.app" @@ -456,7 +475,7 @@ copy_verify cp $prefix/src/dcpomatic/build/platform/osx/dcpomatic2_server.Info.plist "$approot/Info.plist" rl=("$approot/MacOS/dcpomatic2_server" "$approot/MacOS/dcpomatic2_server_cli" "$approot/Frameworks/"*.dylib) relink_relative "${rl[@]}" -make_dmg "$appdir" "" "DCP-o-matic Encode Server" +make_dmg "$appdir" "" "DCP-o-matic Encode Server" "dcpomatic2_verify openssl dcpomatic2_server_cli dcpomatic2_server" # DCP-o-matic Batch Converter setup "DCP-o-matic 2 Batch converter.app" @@ -466,7 +485,7 @@ copy_verify cp $prefix/src/dcpomatic/build/platform/osx/dcpomatic2_batch.Info.plist "$approot/Info.plist" rl=("$approot/MacOS/dcpomatic2_batch" "$approot/Frameworks/"*.dylib) relink_relative "${rl[@]}" -make_dmg "$appdir" "" "DCP-o-matic Batch Converter" +make_dmg "$appdir" "" "DCP-o-matic Batch Converter" "dcpomatic2_verify openssl dcpomatic2_batch" # DCP-o-matic Player setup "DCP-o-matic 2 Player.app" @@ -476,7 +495,7 @@ copy_verify cp $prefix/src/dcpomatic/build/platform/osx/dcpomatic2_player.Info.plist "$approot/Info.plist" rl=("$approot/MacOS/dcpomatic2_player" "$approot/Frameworks/"*.dylib) relink_relative "${rl[@]}" -make_dmg "$appdir" "" "DCP-o-matic Player" +make_dmg "$appdir" "" "DCP-o-matic Player" "dcpomatic2_verify openssl dcpomatic2_player" # DCP-o-matic Playlist Editor setup "DCP-o-matic 2 Playlist Editor.app" @@ -486,7 +505,7 @@ copy_verify cp $prefix/src/dcpomatic/build/platform/osx/dcpomatic2_playlist.Info.plist "$approot/Info.plist" rl=("$approot/MacOS/dcpomatic2_playlist" "$approot/Frameworks/"*.dylib) relink_relative "${rl[@]}" -make_dmg "$appdir" "" "DCP-o-matic Playlist Editor" +make_dmg "$appdir" "" "DCP-o-matic Playlist Editor" "dcpomatic2_verify openssl dcpomatic2_playlist" # DCP-o-matic Combiner setup "DCP-o-matic 2 Combiner.app" @@ -496,7 +515,7 @@ copy_verify cp $prefix/src/dcpomatic/build/platform/osx/dcpomatic2_combiner.Info.plist "$approot/Info.plist" rl=("$approot/MacOS/dcpomatic2_combiner" "$approot/Frameworks/"*.dylib) relink_relative "${rl[@]}" -make_dmg "$appdir" "" "DCP-o-matic Combiner" +make_dmg "$appdir" "" "DCP-o-matic Combiner" "dcpomatic2_verify openssl dcpomatic2_combiner" # DCP-o-matic Disk Writer .app setup "DCP-o-matic 2 Disk Writer.app" @@ -571,7 +590,7 @@ exit 0 EOF chmod gou+x $pkgbase/scripts/postinstall -find "$pkgbin" -iname "*.dylib" -print0 | while IFS= read -r -d '' f; do +find "$pkgbin" -iname "*.dylib" -type f -print0 | while IFS= read -r -d '' f; do sign "$f" done sign "$pkgbin/dcpomatic2_disk_writer" @@ -580,5 +599,5 @@ mkdir -p "$pkgroot/Library/Application Support/com.dcpomatic" mv $pkgbin/* "$pkgroot/Library/Application Support/com.dcpomatic/" pkgbuild --root $pkgroot --identifier com.dcpomatic.disk.writer --scripts $pkgbase/scripts "DCP-o-matic Disk Writer.pkg" -make_dmg "$appdir" "DCP-o-matic Disk Writer.pkg" "DCP-o-matic Disk Writer" +make_dmg "$appdir" "DCP-o-matic Disk Writer.pkg" "DCP-o-matic Disk Writer" "dcpomatic2_verify openssl dcpomatic2_disk"