Move get_binary_arches into common, and code sign every binary in the app bundle

desktop/scripts/build-macos.py

@@ -7,6 +7,8 @@ import shutil
 import glob
 import itertools
 
+from common import get_binary_arches
+
 root = os.path.dirname(
     os.path.dirname(
         os.path.dirname(os.path.abspath(inspect.getfile(inspect.currentframe())))
@@ -54,6 +56,10 @@ def sign(path, entitlements, identity):
     )
 
 
+def get_binaries():
+    pass
+
+
 @click.group()
 def main():
     """
@@ -159,7 +165,7 @@ def cleanup_build():
         "QtSvgWidgets",
         "QtUiTools",
         "QtWebEngineQuick",
-        "QtWebEngineQuickDelegatesQml"
+        "QtWebEngineQuickDelegatesQml",
     ]:
         shutil.rmtree(
             f"{app_path}/Contents/MacOS/lib/PySide6/Qt/lib/{framework}.framework"
@@ -229,26 +235,11 @@ def cleanup_build():
 @click.argument("app_path")
 def codesign(app_path):
     """Sign macOS binaries before packaging"""
-    for path in itertools.chain(
+    bin_universal, bin_silicon, bin_intel = get_binary_arches(app_path)
-        glob.glob(f"{app_path}/Contents/Resources/lib/**/*.so", recursive=True),
+    binaries = bin_universal + bin_silicon + bin_intel + [app_path]
-        glob.glob(f"{app_path}/Contents/Resources/lib/**/*.dylib", recursive=True),
+
-        [
+    for filename in binaries:
-            f"{app_path}/Contents/Frameworks/QtCore.framework/Versions/A/QtCore",
+        sign(filename, entitlements_plist_path, identity_name_application)
-            f"{app_path}/Contents/Frameworks/QtDBus.framework/Versions/A/QtDBus",
-            f"{app_path}/Contents/Frameworks/QtGui.framework/Versions/A/QtGui",
-            f"{app_path}/Contents/Frameworks/QtWidgets.framework/Versions/A/QtWidgets",
-            f"{app_path}/Contents/Resources/lib/Python",
-            f"{app_path}/Contents/Resources/lib/onionshare/resources/tor/meek-client",
-            f"{app_path}/Contents/Resources/lib/onionshare/resources/tor/obfs4proxy",
-            f"{app_path}/Contents/Resources/lib/onionshare/resources/tor/snowflake-client",
-            f"{app_path}/Contents/Resources/lib/onionshare/resources/tor/tor",
-            f"{app_path}/Contents/Resources/lib/onionshare/resources/tor/libevent-2.1.7.dylib",
-            f"{app_path}/Contents/MacOS/onionshare",
-            f"{app_path}/Contents/MacOS/onionshare-cli",
-            f"{app_path}",
-        ],
-    ):
-        sign(path, entitlements_plist_path, identity_name_application)
 
     print(f"> Signed app bundle: {app_path}")
 

desktop/scripts/common.py

@@ -0,0 +1,32 @@
+import os
+import subprocess
+
+
+def get_binary_arches(app_dir):
+    universal = []
+    silicon = []
+    intel = []
+    for dirpath, dirnames, filenames in os.walk(app_dir):
+        for basename in filenames:
+            filename = os.path.join(dirpath, basename)
+            if os.path.isfile(filename):
+                out = subprocess.check_output(["file", filename]).decode("utf-8")
+                if (
+                    "Mach-O 64-bit executable" in out
+                    or "Mach-O 64-bit bundle" in out
+                    or "Mach-O 64-bit dynamically linked shared library" in out
+                ):
+                    arm64, x86 = False, False
+                    if "arm64" in out:
+                        arm64 = True
+                    if "x86_64" in out:
+                        x86 = True
+
+                    if arm64 and x86:
+                        universal.append(filename)
+                    elif arm64:
+                        silicon.append(filename)
+                    elif x86:
+                        intel.append(filename)
+
+    return universal, silicon, intel

desktop/scripts/macos-merge-universal.py

@@ -5,34 +5,7 @@ import click
 import subprocess
 
 
-def get_binary_arches(app_dir):
+from common import get_binary_arches
-    universal = []
-    silicon = []
-    intel = []
-    for dirpath, dirnames, filenames in os.walk(app_dir):
-        for basename in filenames:
-            filename = os.path.join(dirpath, basename)
-            if os.path.isfile(filename):
-                out = subprocess.check_output(["file", filename]).decode("utf-8")
-                if (
-                    "Mach-O 64-bit executable" in out
-                    or "Mach-O 64-bit bundle" in out
-                    or "Mach-O 64-bit dynamically linked shared library" in out
-                ):
-                    arm64, x86 = False, False
-                    if "arm64" in out:
-                        arm64 = True
-                    if "x86_64" in out:
-                        x86 = True
-
-                    if arm64 and x86:
-                        universal.append(filename)
-                    elif arm64:
-                        silicon.append(filename)
-                    elif x86:
-                        intel.append(filename)
-
-    return universal, silicon, intel
 
 
 @click.command()