macOS package hardening (#967)

When making a macOS release, add a timestamp to signature
2025-02-17 13:02:42 -05:00 · 2019-04-21 19:13:48 -07:00 · 2019-04-21 19:13:48 -07:00 · f3f458da85
commit f3f458da85
parent cba7a47a85
1 changed files with 18 additions and 3 deletions
--- a/install/build_osx.sh
+++ b/install/build_osx.sh
@ -27,11 +27,26 @@ if [ "$1" = "--release" ]; then
  ENTITLEMENTS_PARENT_PATH="$ROOT/install/macos_sandbox/parent.plist"

  echo "Codesigning the app bundle"
-  codesign --deep -s "$IDENTITY_NAME_APPLICATION" -f --entitlements "$ENTITLEMENTS_CHILD_PATH" "$APP_PATH"
-  codesign -s "$IDENTITY_NAME_APPLICATION" -f --entitlements "$ENTITLEMENTS_PARENT_PATH" "$APP_PATH"
+  codesign \
+    --deep \
+    -s "$IDENTITY_NAME_APPLICATION" \
+    --force \
+    --entitlements "$ENTITLEMENTS_CHILD_PATH" \
+    --timestamp \
+    "$APP_PATH"
+  codesign \
+    -s "$IDENTITY_NAME_APPLICATION" \
+    --force \
+    --entitlements "$ENTITLEMENTS_PARENT_PATH" \
+    --timestamp \
+    "$APP_PATH"

  echo "Creating an installer"
-  productbuild --sign "$IDENTITY_NAME_INSTALLER" --component "$APP_PATH" /Applications "$PKG_PATH"
+  productbuild \
+    --sign "$IDENTITY_NAME_INSTALLER" \
+    --component "$APP_PATH" /Applications \
+    --timestamp \
+    "$PKG_PATH"

  echo "Cleaning up"
  rm -rf "$APP_PATH"