Attempt at fixing Mac OS X code signing

Desktop / LibreOffice - Stephan Bergmann [redhat.com] - 10 February 2015 04:04 UTC

...so that LibreOffice.app dmgs built with --enable-macosx-code-signing with an appstore-enabled identity will hopefully no longer be rejected on Mac OS X >= 10.9.5 as "'soffice' can't be opened because the identity of the developer cannot be confirmed." (Which I cannot verify for lack of an appstore-enabled certificate, though.)

First of all, do not ignore errors from calls to the codesign utility. Really.

That reveals that soffice cannot be signed as soon as it is linked, as it requires all the other stuff in the app to be already signed. So just don't sign it after linking, it will be signed as the last step in macosx-codesign-app-bundle anyway.

Second, --resource-rules exemptions are no longer allowed per "OS X Code Signing In Depth."

Third, the handful of remaining shell scripts in MacOS/ need to be signed too. (Signing them adds extended attributes to the files.)

Unfortunately, as discussed at "Mac OS X codesigning woes," "hdiutil makehybrid" drops extended attributes from the generated dmg (so the dmg's LibreOffice.app would no longer be considered properly signed, as the shell scripts would no longer be signed). So switch from "hdiutil makehybrid" to "hdiutil create."

615fae2 Attempt at fixing Mac OS X code signing
setup_native/source/mac/CodesignRules.plist | 17 ------------
solenv/bin/macosx-codesign-app-bundle | 35 +++++++++++++++----------
solenv/bin/modules/installer/simplepackage.pm | 5 ++--
solenv/gbuild/platform/macosx.mk | 6 ++++-
4 files changed, 28 insertions(+), 35 deletions(-)
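
The ordering and error handling the commit message describes, as an added example (not the project's macosx-codesign-app-bundle script): nested files in MacOS/ are signed first, the bundle last, and the first codesign failure stops the run. The function names, the three-argument interface and the overridable CODESIGN variable are assumptions made for this sketch.

```shell
#!/bin/sh
# Added illustration; not LibreOffice's own signing script.
# CODESIGN is a hypothetical override so the logic can be exercised
# on a machine without the real tool.
CODESIGN=${CODESIGN:-codesign}

# Print the signing order, one path per line: every regular file under
# Contents/MacOS except the main executable, then the bundle itself.
# Signing the bundle is what signs the main executable, so it must come last.
sign_order() {
    bundle=$1
    main=$2
    [ -d "$bundle/Contents/MacOS" ] || return 1
    find "$bundle/Contents/MacOS" -type f ! -name "$main" | LC_ALL=C sort
    printf '%s\n' "$bundle"
}

# Sign in that order and stop at the first failure instead of carrying on
# with a partially signed bundle. Assumes no newlines in file names.
sign_bundle() {
    identity=$1
    bundle=$2
    main=$3
    sign_order "$bundle" "$main" | while IFS= read -r target; do
        "$CODESIGN" --force --sign "$identity" "$target" || {
            echo "codesign failed for: $target" >&2
            exit 1   # leaves the pipeline subshell with a failure status
        }
    done || return 1
    # Check the finished bundle, nested code included, before packaging it.
    "$CODESIGN" --verify --deep --strict "$bundle" || return 1
}
```

A caller would run `sign_bundle "<identity>" LibreOffice.app soffice` and build the dmg only if it returns 0.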

Upstream: cgit.freedesktop.org