Add codesigning to macOS editor package binaries

2023-09-22 17:19:14 +02:00
parent da7ba0ecba
commit dbbd6ce045
5 changed files with 52 additions and 8 deletions
--- a/Source/Platforms/Mac/Default.entitlements
+++ b/Source/Platforms/Mac/Default.entitlements
@@ -0,0 +1,16 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+ <key>com.apple.security.cs.allow-dyld-environment-variables</key>
+ <true/>
+ <key>com.apple.security.cs.allow-jit</key>
+ <true/>
+ <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
+ <true/>
+ <key>com.apple.security.cs.disable-executable-page-protection</key>
+ <true/>
+ <key>com.apple.security.cs.disable-library-validation</key>
+ <true/>
+</dict>
+</plist>
--- a/Source/Tools/Flax.Build/Configuration.cs
+++ b/Source/Tools/Flax.Build/Configuration.cs
@@ -39,12 +39,6 @@ namespace Flax.Build
        [CommandLine("deploy", "Runs the deploy tool.")]
        public static bool Deploy = false;

-        /// <summary>
-        /// Compresses deployed files.
-        /// </summary>
-        [CommandLine("deployDontCompress", "Skips compressing deployed files, and keeps files.")]
-        public static bool DontCompress = false;
-
        /// <summary>
        /// Builds the targets. Builds all the targets, use <see cref="BuildTargets"/> to select a custom set of targets for the build.
        /// </summary>
--- a/Source/Tools/Flax.Build/Deploy/Deployer.cs
+++ b/Source/Tools/Flax.Build/Deploy/Deployer.cs
@@ -9,6 +9,12 @@ namespace Flax.Build
 {
    public static partial class Configuration
    {
+        /// <summary>
+        /// Compresses deployed files.
+        /// </summary>
+        [CommandLine("deployDontCompress", "Skips compressing deployed files, and keeps files.")]
+        public static bool DontCompress = false;
+
        /// <summary>
        /// Package deployment output path.
        /// </summary>
@@ -28,9 +34,9 @@ namespace Flax.Build
        public static bool DeployPlatforms;

        /// <summary>
-        /// Certificate file path for binaries signing.
+        /// Certificate file path for binaries signing. Or sign identity for Apple platforms.
        /// </summary>
-        [CommandLine("deployCert", "Certificate file path for binaries signing.")]
+        [CommandLine("deployCert", "Certificate file path for binaries signing. Or sign identity for Apple platforms.")]
        public static string DeployCert;

        /// <summary>
--- a/Source/Tools/Flax.Build/Deploy/Deployment.Editor.cs
+++ b/Source/Tools/Flax.Build/Deploy/Deployment.Editor.cs
@@ -17,11 +17,15 @@ namespace Flax.Deploy
        {
            if (string.IsNullOrEmpty(Configuration.DeployCert))
                return;
+            Log.Info("Code signing file: " + file);
            switch (Platform.BuildTargetPlatform)
            {
            case TargetPlatform.Windows:
                VCEnvironment.CodeSign(file, Configuration.DeployCert, Configuration.DeployCertPass);
                break;
+            case TargetPlatform.Mac:
+                MacPlatform.CodeSign(file, Configuration.DeployCert);
+                break;
            }
        }

@@ -254,6 +258,10 @@ namespace Flax.Deploy
                    Utilities.Run("strip", "FlaxEditor", null, dst, Utilities.RunOptions.None);
                    Utilities.Run("strip", "FlaxEditor.dylib", null, dst, Utilities.RunOptions.None);
                    Utilities.Run("strip", "libMoltenVK.dylib", null, dst, Utilities.RunOptions.None);
+
+                    CodeSign(Path.Combine(dst, "FlaxEditor"));
+                    CodeSign(Path.Combine(dst, "FlaxEditor.dylib"));
+                    CodeSign(Path.Combine(dst, "libMoltenVK.dylib"));
                }
            }
        }
--- a/Source/Tools/Flax.Build/Platforms/Mac/MacPlatform.cs
+++ b/Source/Tools/Flax.Build/Platforms/Mac/MacPlatform.cs
@@ -1,5 +1,7 @@
 // Copyright (c) 2012-2023 Wojciech Figat. All rights reserved.

+using System;
+using System.IO;
 using System.Runtime.InteropServices;

 namespace Flax.Build.Platforms
@@ -44,6 +46,24 @@ namespace Flax.Build.Platforms
            }
        }

+        /// <summary>
+        /// Runs codesign tool on macOS to sign the code with a given identity from local keychain.
+        /// </summary>
+        /// <param name="file">Path to file to codesign.</param>
+        /// <param name="signIdenity">App code signing idenity name (from local Mac keychain). Use 'security find-identity -v -p codesigning' to list possible options.</param>
+        public static void CodeSign(string file, string signIdenity)
+        {
+            if (!File.Exists(file))
+                throw new FileNotFoundException("Missing file to sign.", file);
+            string cmdLine = string.Format("--force --timestamp -s \"{0}\" \"{1}\"", signIdenity, file);
+            if (string.IsNullOrEmpty(Path.GetExtension(file)))
+            {
+                // Add entitlements file with some settings for the app execution
+                cmdLine += string.Format(" --entitlements \"{0}\"", Path.Combine(Globals.EngineRoot, "Source/Platforms/Mac/Default.entitlements"));
+            }
+            Utilities.Run("codesign", cmdLine, null, null, Utilities.RunOptions.Default | Utilities.RunOptions.ThrowExceptionOnError);
+        }
+
        /// <summary>
        /// Returns true if running an x64 binary an arm64 host machine.
        /// </summary>