Re: New 10.9.5 Gatekeeper rules (and a rant about them changing so often)

Subject: Re: New 10.9.5 Gatekeeper rules (and a rant about them changing so often)
From: James Moore <email@hidden>
Date: Tue, 05 Aug 2014 14:29:11 -0700

On Aug 5, 2014, at 2:04 PM, Dragan Milić <email@hidden> wrote:

On uto 05.08.2014., at 22.13, James Moore wrote:

Our approach is to sign things explicitly and then confirm that all executables are signed and valid at the very end. The confirmation happens in our main build script, outside of xcodebuild. I found it easier to do it this way since code-signing has to happen from the inside-out. Controlling the order of the signing is paramount.

Each project has a shell script that we run in a script build phase. It mostly lists its signable resources like this
………….

later it sources a global script that among other things signs the items in the resources list
………….

In other words the strategy we use is that sub-projects don’t do any code signing. All of the signing happens in a script phase of the app and then we verify the results with

xcrun codesign --verify --verbose=4 -deep <app path>

James, thanks a lot for the detailed answer and exposure of your workflow. It certainly is more advanced then mine, but I’m not very knowledgeable about shell scripts. I guess it’s time to learn it better. I do have one question though; how do I refer to scripts in the sub-projects from within a script in the main app project so that I can source them and set resources_to_sign variables? I guess I should start reading man page of xcodebuild(1), but it’s easier to ask.

If you were to follow our model exactly then the sub-projects wouldn’t run any scripts themselves. The top-level app’s script would sign everything inside itself. To give you an idea of what I mean here’s the complete list for Coda:

resources=(
"$TARGET_BUILD_DIR/$CONTENTS_FOLDER_PATH/Resources/onsgmls/libs/libosp.4.dylib",isao.sonobe.OgreKit
"$TARGET_BUILD_DIR/$CONTENTS_FOLDER_PATH/Resources/onsgmls/libs/onsgmls",isao.sonobe.OgreKit
"$TARGET_BUILD_DIR/$CONTENTS_FOLDER_PATH/Resources/onsgmls/onsgmls.sh",isao.sonobe.OgreKit
"$TARGET_BUILD_DIR/$FRAMEWORKS_FOLDER_PATH/TCMPortMapper.framework/Versions/A",de.codingmonkeys.TCMPortMapper

"$TARGET_BUILD_DIR/$CONTENTS_FOLDER_PATH/Resources/gitinitchain.sh",com.panic.Coda
"$TARGET_BUILD_DIR/$CONTENTS_FOLDER_PATH/Resources/askpass",com.panic.Coda
"$TARGET_BUILD_DIR/$CONTENTS_FOLDER_PATH/Resources/SequelProTunnelAssistant",com.panic.Coda
"$TARGET_BUILD_DIR/$CONTENTS_FOLDER_PATH/MacOS/SubEthaEditHelperToolTemplate",com.panic.Coda
"$TARGET_BUILD_DIR/$CONTENTS_FOLDER_PATH/MacOS/puttygen",uk.org.greenend.chiark.puttygen

"$TARGET_BUILD_DIR/$FRAMEWORKS_FOLDER_PATH/HDCrashReporter.framework/Versions/A",com.HumbleDaisy.HDCrashReporter
"$TARGET_BUILD_DIR/$FRAMEWORKS_FOLDER_PATH/SPMySQL.framework/Versions/A",com.sequelpro.spmysql
"$TARGET_BUILD_DIR/$FRAMEWORKS_FOLDER_PATH/UniversalDetector.framework/Versions/A",org.mozilla.universalchardet
"$TARGET_BUILD_DIR/$FRAMEWORKS_FOLDER_PATH/SyncKit.framework/Versions/A",com.sunflowersw.SyncKit

"$TARGET_BUILD_DIR/$FRAMEWORKS_FOLDER_PATH/HockeySDK.framework/Versions/A",net.hockeyapp.sdk.mac

# Pops
"$TARGET_BUILD_DIR/$CONTENTS_FOLDER_PATH/PlugIns/Border Radius.codapop",com.panic.Coda
"$TARGET_BUILD_DIR/$CONTENTS_FOLDER_PATH/PlugIns/Border Width.codapop",com.panic.Coda
"$TARGET_BUILD_DIR/$CONTENTS_FOLDER_PATH/PlugIns/Border.codapop",com.panic.Coda
"$TARGET_BUILD_DIR/$CONTENTS_FOLDER_PATH/PlugIns/Box Shadow.codapop",com.panic.Coda
"$TARGET_BUILD_DIR/$CONTENTS_FOLDER_PATH/PlugIns/CSS Color.codapop",com.panic.Coda
"$TARGET_BUILD_DIR/$CONTENTS_FOLDER_PATH/PlugIns/Gradient.codapop",com.panic.Coda
"$TARGET_BUILD_DIR/$CONTENTS_FOLDER_PATH/PlugIns/Margin.codapop",com.panic.Coda
"$TARGET_BUILD_DIR/$CONTENTS_FOLDER_PATH/PlugIns/Padding.codapop",com.panic.Coda
"$TARGET_BUILD_DIR/$CONTENTS_FOLDER_PATH/PlugIns/Styles.codapop",com.panic.Coda
"$TARGET_BUILD_DIR/$CONTENTS_FOLDER_PATH/PlugIns/Text Shadow.codapop",com.panic.Coda

"$TARGET_BUILD_DIR/$FRAMEWORKS_FOLDER_PATH/FTPKit.framework/Versions/A/Frameworks/Neon.framework/Versions/A",com.panic.Neon
"$TARGET_BUILD_DIR/$FRAMEWORKS_FOLDER_PATH/FTPKit.framework/Versions/A",com.panic.FTPKit
"$TARGET_BUILD_DIR/$FRAMEWORKS_FOLDER_PATH/PanicCore.framework/Versions/A",com.panic.PanicCore
"$TARGET_BUILD_DIR/$FRAMEWORKS_FOLDER_PATH/OgreKit.framework/Versions/A",isao.sonobe.OgreKit
)

Note above how we sign Neon inside of FTPKit and then sign FTPKit.

James

Panic Inc.

 _______________________________________________
Do not post admin requests to the list. They will be ignored.
Xcode-users mailing list      (email@hidden)
Help/Unsubscribe/Update your Subscription:

This email sent to email@hidden

Follow-Ups:
- Re: New 10.9.5 Gatekeeper rules (and a rant about them changing so often)
  - From: Stephane Sudre <email@hidden>
- Re: New 10.9.5 Gatekeeper rules (and a rant about them changing so often)
  - From: Dragan Milić <email@hidden>

References:
	>New 10.9.5 Gatekeeper rules (and a rant about them changing so often) (From: Dragan Milić <email@hidden>)
	>Re: New 10.9.5 Gatekeeper rules (and a rant about them changing so often) (From: Seth Willits <email@hidden>)
	>Re: New 10.9.5 Gatekeeper rules (and a rant about them changing so often) (From: James Moore <email@hidden>)
	>Re: New 10.9.5 Gatekeeper rules (and a rant about them changing so often) (From: Dragan Milić <email@hidden>)

Prev by Date: Re: New 10.9.5 Gatekeeper rules (and a rant about them changing so often)
Next by Date: Re: New 10.9.5 Gatekeeper rules (and a rant about them changing so often)
Previous by thread: Re: New 10.9.5 Gatekeeper rules (and a rant about them changing so often)
Next by thread: Re: New 10.9.5 Gatekeeper rules (and a rant about them changing so often)
Index(es):
- Date
- Thread