From 5c6898e856fb596adb2d887c2290934e69824f2c Mon Sep 17 00:00:00 2001
From: Ozgur Ersoy
Date: Mon, 14 Apr 2025 19:56:08 +0200
Subject: [PATCH] fix(actions): implement recursive signing for all binaries in notarization script
---
 scripts/mac_build.sh | 136 +++++++++++++++++++++++++++++++++++++------
 1 file changed, 117 insertions(+), 19 deletions(-)
diff --git a/scripts/mac_build.sh b/scripts/mac_build.sh
index 88dbb4f8..7f243488 100755
--- a/scripts/mac_build.sh
+++ b/scripts/mac_build.sh
@@ -129,29 +129,127 @@ if [ -n "$APP_PATH" ]; then
 fi
 fi
-# Kütüphaneleri kontrol et ve gerekirse post-processing yap
-echo ""
-echo "🔍 Checking for unsigned libraries..."
-if [ -n "$APP_PATH" ]; then
- # Uygulamanın tüm executable ve kütüphanelerini bul
- find "$APP_PATH" -type f -perm +111 | while read -r binary; do
- # Codesign durumunu kontrol et
- if ! codesign -v "$binary" &>/dev/null; then
- echo "⚠️ Unsigned binary found: $binary"
- # Bu dosyayı imzalamak için entitlements kullan
- if [ -n "$ENTITLEMENTS_FILE" ]; then
- echo "Re-signing binary with ad-hoc signature..."
- codesign --force --options runtime --deep --sign - --timestamp --entitlements "$ENTITLEMENTS_FILE" "$binary"
- fi
+# Recursive imzalama fonksiyonu - tüm binary dosyaları imzalar
+function sign_recursively() {
+ local app_path="$1"
+ local entitlements_file="$2"
+ local counter=0
+ local total=0
+ local failed=0
+
+ # Önce toplam dosya sayısını hesapla
+ # Tüm binary dosyaları bul (executable, dylib, so, çerçeveler)
+ echo "Scanning for binary files..."
+
+ # Executable binary files (libraries, executables)
+ binaries=$(find "$app_path" -type f \( -name "*.dylib" -o -name "*.so" -o -perm +111 \) | sort)
+ total=$(echo "$binaries" | wc -l)
+
+ echo "Found $total binary files to sign"
+
+ # Helper binary dosyaları imzala (tercih sırasına göre)
+ echo "Signing all binary files (libraries and executables)..."
+ echo "$binaries" | while read -r binary; do
+ counter=$((counter + 1))
+
+ # Her 20 dosyada bir ilerleme göster
+ if [ $((counter % 20)) -eq 0 ] || [ $counter -eq 1 ] || [ $counter -eq $total ]; then
+ echo "Progress: $counter/$total - Signing: $binary"
 fi
+
+ # Skip if not a regular file (symbolic links etc)
+ if [ ! -f "$binary" ]; then
+ continue
+ fi
+
+ # Dosya türünü kontrol et
+ file_info=$(file "$binary")
+
+ # Sadece Mach-O dosyalarını imzala
+ if ! echo "$file_info" | grep -q "Mach-O"; then
+ continue
+ fi
+
+ if [[ "$binary" == *CrashReportClient* ]]; then
+ echo "🛠️ Special handling for CrashReportClient: $binary"
+ fi
+
+ # Timestamp ve runtime options ile imzala
+ codesign --force --options runtime --deep --sign - --timestamp --entitlements "$entitlements_file" "$binary" 2>&1 || {
+ echo "⚠️ Failed to sign: $binary"
+ failed=$((failed + 1))
+ }
 done
- # Hardened Runtime için ek kontroller
- echo "Ensuring Hardened Runtime flags are set for main executable..."
- MAIN_EXECUTABLE="$APP_PATH/Contents/MacOS/$(basename "$APP_PATH" .app)"
- if [ -f "$MAIN_EXECUTABLE" ]; then
- codesign --force --options runtime --deep --sign - --timestamp --entitlements "$ENTITLEMENTS_FILE" "$MAIN_EXECUTABLE"
+ # Başvuru için ENTITLEMENTS içeriğini göster
+ echo "Using entitlements file for signatures:"
+ cat "$entitlements_file"
+
+ # Tüm nested app'leri bul ve imzala
+ nested_apps=$(find "$app_path" -name "*.app" -type d)
+
+ if [ -n "$nested_apps" ]; then
+ echo "Signing nested applications..."
+ echo "$nested_apps" | while read -r nested_app; do
+ if [ "$nested_app" != "$app_path" ]; then
+ echo "Signing nested app: $nested_app"
+
+ # İmzalamadan önce Info.plist varsa Bundle ID ayarla
+ nested_info="$nested_app/Contents/Info.plist"
+ if [ -f "$nested_info" ]; then
+ echo "Setting bundle identifier for nested app"
+ /usr/libexec/PlistBuddy -c "Set :CFBundleIdentifier com.luckyrobots.luckyworld.nested" "$nested_info" 2>/dev/null || true
+ fi
+
+ codesign --force --options runtime --deep --sign - --timestamp --entitlements "$entitlements_file" "$nested_app" 2>&1 || {
+ echo "⚠️ Failed to sign nested app: $nested_app"
+ failed=$((failed + 1))
+ }
+ fi
+ done
 fi
+
+ # Asıl uygulamayı imzala
+ echo "Signing main application: $app_path"
+ codesign --force --options runtime --deep --sign - --timestamp --entitlements "$entitlements_file" "$app_path" 2>&1 || {
+ echo "⚠️ Failed to sign main app: $app_path"
+ failed=$((failed + 1))
+ }
+
+ echo "✅ Signing completed: $counter files processed, $failed failures"
+
+ # İmzalama durumunu kontrol et
+ echo "Verifying signatures..."
+ codesign -vvv --deep --strict "$app_path"
+
+ # Hardened Runtime ve diğer güvenlik ayarları kontrol et
+ echo "Checking security settings (Hardened Runtime, etc.):"
+ codesign -d --entitlements - "$app_path" | grep -i "runtime\|hardened\|security"
+
+ # Spesifik olarak CrashReportClient'i kontrol et (sorunlu dosya)
+ crash_reporter=$(find "$app_path" -path "*CrashReportClient.app/Contents/MacOS/CrashReportClient" -type f | head -1)
+ if [ -n "$crash_reporter" ]; then
+ echo "Checking CrashReportClient specifically:"
+ codesign -d --entitlements - "$crash_reporter" | grep -i "runtime\|hardened\|security"
+ fi
+}
+
+# Kütüphaneleri kontrol et ve gerekirse post-processing yap
+echo ""
+echo "🔍 Performing comprehensive signing and hardening of all binaries..."
+if [ -n "$APP_PATH" ] && [ -n "$ENTITLEMENTS_FILE" ]; then
+ # Recursive olarak tüm binary dosyaları imzala
+ sign_recursively "$APP_PATH" "$ENTITLEMENTS_FILE"
+
+ # Son olarak ana uygulamayı tekrar imzala
+ echo "Final signing of main app bundle"
+ codesign --force --options runtime --deep --sign - --timestamp --entitlements "$ENTITLEMENTS_FILE" "$APP_PATH"
+
+ echo "✅ All binaries signed successfully with Hardened Runtime enabled"
+else
+ echo "❌ App path or entitlements file not found, cannot perform comprehensive signing"
+ echo "App path: $APP_PATH"
+ echo "Entitlements file: $ENTITLEMENTS_FILE"
 fi
 echo ""
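Review bot: The `failed` and `counter` increments inside `echo "$binaries" | while read -r binary; do … done` (and the identical `echo "$nested_apps" | while …` loop) run in a pipeline subshell, so they are discarded when each loop ends: the `✅ Signing completed: $counter files processed, $failed failures` line always reports 0 and 0, the function has no way to report a codesign failure, and the caller in the last hunk lines prints `✅ All binaries signed successfully` regardless of what happened. Feed both loops from the current shell instead (`done <<<"$binaries"`), make the function return non-zero when `failed` is non-zero, and check it at the call site with `sign_recursively "$APP_PATH" "$ENTITLEMENTS_FILE" || exit 1`; the `codesign -vvv --deep --strict "$app_path"` verification is unchecked in the same way and should abort on failure too. Separately, `--sign -` requests an ad-hoc signature, which the notary service does not accept — if this script is meant to produce the build that is submitted for notarization, as the subject line suggests, the identity has to be a Developer ID certificate, and `--timestamp` has no effect on an ad-hoc signature. Giving every nested `.app` the same hard-coded `CFBundleIdentifier` may also surface as a verification problem, since the identifiers are no longer unique within the bundle.
```shell
  # … unchanged: scanning and total count …
  # Read in the current shell (not a pipeline subshell) so counter/failed survive the loop.
  while IFS= read -r binary; do
    # … unchanged: loop body …
  done <<<"$binaries"
  # … unchanged: entitlements dump, nested_apps find …
    while IFS= read -r nested_app; do
      # … unchanged: nested app body …
    done <<<"$nested_apps"
  # … unchanged: main app signing …
  echo "✅ Signing completed: $counter files processed, $failed failures"
  # Fail loudly: a partially signed bundle must not be reported as success.
  if [ "$failed" -ne 0 ]; then
    echo "❌ $failed binaries could not be signed" >&2
    return 1
  fi
  echo "Verifying signatures..."
  codesign -vvv --deep --strict "$app_path" || { echo "❌ Signature verification failed" >&2; return 1; }
  # … unchanged: entitlement/CrashReportClient checks …
```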