From 0de04eea9329778a7773e0ff6ffa6fcdcd52f49a Mon Sep 17 00:00:00 2001 From: Benitoite Date: Thu, 13 Jun 2019 01:57:37 -0700 Subject: [PATCH 01/10] macOS: optionally notarize app and dmg For macOS 10.15 *Catalina* compatibility: will notarize app and dmg with credentials provided thru cmake command. --- tools/osx/macosx_bundle.sh | 66 +++++++++++++++++++++++++++++++++++--- 1 file changed, 62 insertions(+), 4 deletions(-) diff --git a/tools/osx/macosx_bundle.sh b/tools/osx/macosx_bundle.sh index f3ff8d8ca..e334122be 100644 --- a/tools/osx/macosx_bundle.sh +++ b/tools/osx/macosx_bundle.sh @@ -204,9 +204,38 @@ plutil -convert binary1 "${CONTENTS}/Info.plist" # Sign the app CODESIGNID="$(cmake .. -LA -N | grep "CODESIGNID" | cut -d "=" -f2)" -codesign --deep --force -v -s "${CODESIGNID}" --timestamp "${APP}" -spctl -a -vvvv "${APP}" - +if ! test -z "$CODESIGNID" ; then + codesign --deep --force -v -s "${CODESIGNID}" --timestamp -o runtime "${APP}" + spctl -a -vvvv "${APP}" +fi + +# Notarize the app +NOTARY="$(cmake .. -LA -N | grep "NOTARY" | cut -d "=" -f2)" +if ! test -z "$NOTARY" ; then + ditto -c -k --sequesterRsrc --keepParent "${APP}" "${APP}.zip" + uuid=`xcrun altool --notarize-app --primary-bundle-id "com.filmulator" ${NOTARY} --file "${APP}.zip" 2>&1 | grep 'RequestUUID' | awk '{ print $3 }'` + echo "Result= $uuid" # Display identifier string + sleep 15 + while : + do + fullstatus=`xcrun altool --notarization-info "$uuid" ${NOTARY} 2>&1` # get the status + status1=`echo "$fullstatus" | grep 'Status\:' | awk '{ print $2 }'` + if [ "$status1" = "success" ]; then + xcrun stapler staple *app # staple the ticket + xcrun stapler validate -v *app + echo "Notarization success" + break + elif [ "$status1" = "in" ]; then + echo "Notarization still in progress, sleeping for 15 seconds and trying again" + sleep 15 + else + echo "Notarization failed fullstatus below" + echo "$fullstatus" + exit 1 + fi + done +fi + function CreateDmg { local srcDir="$(mktemp -dt $$)" 
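Review bot: The unquoted `${NOTARY}` in the `# Notarize the app` block puts the Apple ID and app-specific password on the `xcrun altool` command line. The value is read back from the CMake cache with `cmake .. -LA -N`, so the secret is also stored in plaintext in the build directory, and it is visible in process listings and any shell trace. altool accepts an indirect password, so the cache only needs to hold a reference, e.g. `-p "@keychain:<KEYCHAIN_ITEM_NAME>"` or `-p "@env:<ENV_VAR_NAME>"` (placeholders). The same expansion appears in the `--notarization-info` call and in both altool calls of the `# Notarize the dmg` hunk. Separately, `xcrun stapler staple *app` staples whatever the glob matches in the current directory; `"${APP}"` names the bundle that was actually uploaded.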
@@ -234,7 +263,36 @@ function CreateDmg { hdiutil create -format UDBZ -fs HFS+ -srcdir "${srcDir}" -volname "${PROJECT_NAME}_${PROJECT_FULL_VERSION}" "${dmg_name}.dmg" # Sign disk image - codesign --deep --force -v -s "${CODESIGNID}" --timestamp "${dmg_name}.dmg" + if ! test -z "$CODESIGNID" ; then + codesign --deep --force -v -s "${CODESIGNID}" --timestamp "${dmg_name}.dmg" + fi + + # Notarize the dmg + if ! test -z "$NOTARY" ; then + zip "${dmg_name}.dmg.zip" "${dmg_name}.dmg" + uuid=`xcrun altool --notarize-app --primary-bundle-id "com.filmulator" ${NOTARY} --file "${dmg_name}.dmg.zip" 2>&1 | grep 'RequestUUID' | awk '{ print $3 }'` + echo "dmg Result= $uuid" # Display identifier string + sleep 15 + while : + do + fullstatus=`xcrun altool --notarization-info "$uuid" ${NOTARY} 2>&1` # get the status + status1=`echo "$fullstatus" | grep 'Status\:' | awk '{ print $2 }'` + if [ "$status1" = "success" ]; then + xcrun stapler staple "${dmg_name}.dmg" # staple the ticket + xcrun stapler validate -v "${dmg_name}.dmg" + echo "dmg Notarization success" + break + elif [ "$status1" = "in" ]; then + echo "dmg Notarization still in progress, sleeping for 15 seconds and trying again" + sleep 15 + else + echo "dmg Notarization failed fullstatus below" + echo "$fullstatus" + exit 1 + fi + done + fi + # Zip disk image for redistribution zip "${dmg_name}.zip" "${dmg_name}.dmg" AboutThisBuild.txt From 6095f8646739b35df902fa543e80a591200918fd Mon Sep 17 00:00:00 2001 From: Benitoite Date: Thu, 13 Jun 2019 02:03:00 -0700 Subject: [PATCH 02/10] macOS: Import notarization credentials Imports apple notarization credentials (Apple ID and App-specific password) given to cmake as `-DNOTARY:STRING="-u woz@apple.com -p abcd-efgh-ijkl-mnop"` --- CMakeLists.txt | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/CMakeLists.txt b/CMakeLists.txt index 128551b02..e1e48bf9c 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt 
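Review bot: The polling loop in the `# Notarize the dmg` block has no upper bound and starts even when the upload failed. `uuid` is whatever `grep 'RequestUUID' | awk` finds in the combined output, so a rejected upload leaves it empty and altool's own error text is thrown away. A guard right after the assignment, `[ -n "$uuid" ] || { echo "dmg notarization upload failed" >&2; exit 1; }`, stops at that point, and capturing the altool output in a variable before filtering would let the real error be printed. A retry counter in the `elif` branch would keep a request that stays "in progress" from hanging the build indefinitely. The app loop in the first hunk of this file has the same shape, and CreateDmg begins before this hunk and continues after it.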
@@ -256,6 +256,10 @@ if(APPLE) if("${CODESIGNID}") set(CODESIGNID "${CODESIGNID}" CACHE STRING "Codesigning Identity") endif() + if("${NOTARY}") + set(NOTARY "${NOTARY}" CACHE STRING "Notarization Identity") + endif() + endif() # Enforce absolute paths for non-bundle builds: From 7ee7be183364ceeaf8a3b8d097926d0258905172 Mon Sep 17 00:00:00 2001 From: Benitoite Date: Thu, 13 Jun 2019 02:14:37 -0700 Subject: [PATCH 03/10] macOS: Copy some libraries into the bundle for libexpat and libz --- tools/osx/macosx_bundle.sh | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/tools/osx/macosx_bundle.sh b/tools/osx/macosx_bundle.sh index e334122be..291fc8778 100644 --- a/tools/osx/macosx_bundle.sh +++ b/tools/osx/macosx_bundle.sh @@ -155,6 +155,12 @@ ditto {"${GTK_PREFIX}","${RESOURCES}"}/share/icons/Adwaita/index.theme # Copy libjpeg-turbo into the app bundle cp /opt/local/lib/libjpeg.62.dylib "${RESOURCES}/../Frameworks" +# Copy libexpat into the app bundle +cp /opt/local/lib/libexpat.1.dylib "${RESOURCES}/../Frameworks" + +# Copy libz into the app bundle +cp /opt/local/lib/libz.1.dylib "${RESOURCES}/../Frameworks" + # Copy libtiff into the app bundle cp /opt/local/lib/libtiff.5.dylib "${RESOURCES}/../Frameworks" From 1141f5fc65455dc1637c4bea27c514e26e0d1d41 Mon Sep 17 00:00:00 2001 From: Benitoite Date: Thu, 13 Jun 2019 06:44:33 -0700 Subject: [PATCH 04/10] Fix a typo in macosx_bundle.sh --- tools/osx/macosx_bundle.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tools/osx/macosx_bundle.sh b/tools/osx/macosx_bundle.sh index 291fc8778..0fc231852 100644 --- a/tools/osx/macosx_bundle.sh +++ b/tools/osx/macosx_bundle.sh 
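Review bot: `if("${NOTARY}")` is a truth test, not a non-empty test. CMake treats a quoted string as true only when it is one of the true constants (`ON`, `YES`, `1`, ...), so a value like the `-u ... -p ...` string from the commit message most likely never enters the block. The cache entry then exists only because `-DNOTARY:STRING=` created it on the command line, without the `"Notarization Identity"` help text. `if(NOT "${NOTARY}" STREQUAL "")` expresses the intended check; the `CODESIGNID` block just above follows the same pattern. The enclosing `if(APPLE)` starts outside the hunk.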
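Review bot: The two added `cp` lines take `libexpat.1.dylib` and `libz.1.dylib` from a fixed `/opt/local/lib` and do not check the result, so whatever version the build host has installed is what gets signed and shipped. If the script is not running under `set -e` (not visible in this hunk), a missing file would also go unnoticed. Both libraries process file content, so failing on a missing copy, e.g. `cp /opt/local/lib/libexpat.1.dylib "${RESOURCES}/../Frameworks" || exit 1`, and recording the bundled versions in the build output would make the shipped copies auditable. The neighbouring libjpeg and libtiff lines follow the same pattern.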
@@ -219,7 +219,7 @@ fi NOTARY="$(cmake .. -LA -N | grep "NOTARY" | cut -d "=" -f2)" if ! test -z "$NOTARY" ; then ditto -c -k --sequesterRsrc --keepParent "${APP}" "${APP}.zip" - uuid=`xcrun altool --notarize-app --primary-bundle-id "com.filmulator" ${NOTARY} --file "${APP}.zip" 2>&1 | grep 'RequestUUID' | awk '{ print $3 }'` + uuid=`xcrun altool --notarize-app --primary-bundle-id "com.rawtherapee.rawtherapee" ${NOTARY} --file "${APP}.zip" 2>&1 | grep 'RequestUUID' | awk '{ print $3 }'` echo "Result= $uuid" # Display identifier string sleep 15 while : @@ -276,7 +276,7 @@ function CreateDmg { # Notarize the dmg if ! test -z "$NOTARY" ; then zip "${dmg_name}.dmg.zip" "${dmg_name}.dmg" - uuid=`xcrun altool --notarize-app --primary-bundle-id "com.filmulator" ${NOTARY} --file "${dmg_name}.dmg.zip" 2>&1 | grep 'RequestUUID' | awk '{ print $3 }'` + uuid=`xcrun altool --notarize-app --primary-bundle-id "com.rawtherapee.rawtherapee" ${NOTARY} --file "${dmg_name}.dmg.zip" 2>&1 | grep 'RequestUUID' | awk '{ print $3 }'` echo "dmg Result= $uuid" # Display identifier string sleep 15 while : From 2ed66677b81ec441c6fae174bab367e70be31f60 Mon Sep 17 00:00:00 2001 From: Benitoite Date: Sat, 15 Jun 2019 23:09:00 -0700 Subject: [PATCH 05/10] Mac: Property lists for nested app bundle --- tools/osx/Info.plist-bin.in | 10 ++++++++++ tools/osx/rt-bin.entitlements | 8 ++++++++ tools/osx/rt.entitlements | 20 ++++++++++++++++++++ 3 files changed, 38 insertions(+) create mode 100644 tools/osx/Info.plist-bin.in create mode 100644 tools/osx/rt-bin.entitlements create mode 100644 tools/osx/rt.entitlements diff --git a/tools/osx/Info.plist-bin.in b/tools/osx/Info.plist-bin.in new file mode 100644 index 000000000..20ce5a741 --- /dev/null +++ b/tools/osx/Info.plist-bin.in @@ -0,0 +1,10 @@ + + + + + CFBundleName + RawTherapee-bin + CFBundleIdentifier + com.rawtherapee.rawtherapee + + 
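Review bot: `CFBundleIdentifier` in the new `tools/osx/Info.plist-bin.in` is `com.rawtherapee.rawtherapee`, the same identifier as the outer app, while `CFBundleName` is `RawTherapee-bin` and PATCH 08 signs this binary with `-i "com.rawtherapee.rawtherapee-bin"`. Giving the nested binary the value `com.rawtherapee.rawtherapee-bin` here would make the plist agree with the signing identifier and keep the two code items distinguishable in signature and notarization output. The XML tags of this file are not visible on the page, so this is based on the key and value text only.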
diff --git a/tools/osx/rt-bin.entitlements b/tools/osx/rt-bin.entitlements new file mode 100644 index 000000000..9e5e269cb --- /dev/null +++ b/tools/osx/rt-bin.entitlements @@ -0,0 +1,8 @@ + + + + +com.apple.security.inherit + + + \ No newline at end of file diff --git a/tools/osx/rt.entitlements b/tools/osx/rt.entitlements new file mode 100644 index 000000000..2236af138 --- /dev/null +++ b/tools/osx/rt.entitlements @@ -0,0 +1,20 @@ + + + + + application-identifier + com.rawtherapee.rawtherapee + com.apple.security.temporary-exception.files.absolute-path.read-write + + "/" + + com.apple.security.cs.allow-dyld-environment-variables + + com.apple.security.files.user-selected.read-write + + com.apple.security.app-sandbox + + com.apple.security.files.downloads.read-write + + + From 8a8536702e303f3eb87ffead3a24d1368badb4ed Mon Sep 17 00:00:00 2001 From: Benitoite Date: Sat, 15 Jun 2019 23:11:29 -0700 Subject: [PATCH 06/10] Mac: point to directories from a nested app --- CMakeLists.txt | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/CMakeLists.txt b/CMakeLists.txt index e1e48bf9c..637cc1b9f 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -164,7 +164,7 @@ endif() if(NOT DEFINED DATADIR) if(BUILD_BUNDLE) if(APPLE) - set(DATADIR "../Resources") + set(DATADIR "../../Resources") else() set(DATADIR .) endif() @@ -176,7 +176,7 @@ endif() if(NOT DEFINED LIBDIR) if(BUILD_BUNDLE) if(APPLE) - set(LIBDIR "../Frameworks") + set(LIBDIR "../../Frameworks") else() set(LIBDIR .) endif() From 1ad9444259af2c20e4835dedb65a03a873209d95 Mon Sep 17 00:00:00 2001 From: Benitoite Date: Sat, 15 Jun 2019 23:12:31 -0700 Subject: [PATCH 07/10] Mac: cleanup executable loader script --- tools/osx/executable_loader.in | 27 +-------------------------- 1 file changed, 1 insertion(+), 26 deletions(-) diff --git a/tools/osx/executable_loader.in b/tools/osx/executable_loader.in index dcc0cabc4..72d17b04e 100644 --- a/tools/osx/executable_loader.in 
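Review bot: `rt-bin.entitlements` declares only `com.apple.security.inherit`. Apple's App Sandbox documentation says an inheriting child process must carry exactly two entitlements, `com.apple.security.app-sandbox` and `com.apple.security.inherit`, so the inherit key on its own may not have the intended effect. Adding the `com.apple.security.app-sandbox` key next to it would match the documented pair. The file also ends without a trailing newline.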
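Review bot: In `rt.entitlements`, `com.apple.security.temporary-exception.files.absolute-path.read-write` with the path `/` gives the sandboxed app read-write access to the whole filesystem, which leaves `com.apple.security.app-sandbox` close to nominal for file access. `com.apple.security.cs.allow-dyld-environment-variables` additionally relaxes the hardened runtime so that `DYLD_*` variables are honoured. If both are required (the loader script does export `DYLD_LIBRARY_PATH`), a comment in the file should say why, and the path exception should be narrowed to the directories the app actually needs, leaving the rest to `com.apple.security.files.user-selected.read-write`. The value is shown as `"/"` with literal quote characters; if those are inside the string element the entry would not match any path, which is worth checking against the real file since the XML tags are not visible here.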
+++ b/tools/osx/executable_loader.in @@ -7,21 +7,8 @@ app="${cwd%/Contents/*}" lib="${app}/Contents/Frameworks" resources="${app}/Contents/Resources" etc="${resources}"/etc - -### Pending deletion: -# See https://github.com/Beep6581/RawTherapee/issues/1779 -# cups_dir=/tmp/RT5 -# install -d "${cups_dir}" -# cp -f /usr/lib/libcups.2.dylib "${cups_dir}" -# export DYLD_LIBRARY_PATH="${lib}:${cups_dir}" - -# export GTK_EXE_PREFIX="${resources}" -# export GTK_DATA_PREFIX="${resources}" export XDG_DATA_DIRS="${resources}/share" -# export GTK_IM_MODULE_FILE="${etc}/gtk-3.0/gtk.immodules" - export DYLD_LIBRARY_PATH="${lib}" - export GTK_PATH="${lib}/gtk-3.0/3.0.0" export XDG_DATA_HOME="${resources}/share" export GSETTINGS_SCHEMA_DIR="${resources}/share/glib-2.0/schemas" @@ -31,25 +18,13 @@ export GDK_PIXBUF_MODULEDIR="${lib}/gdk-pixbuf-2.0/2.10.0/loaders" export RT_SETTINGS="${HOME}/Library/Application Support/RawTherapee/config" export RT_CACHE="${HOME}/Library/Application Support/RawTherapee/cache" -### Pending deletion: -# Environment variables for X11 backend -#if [[ -d ${etc}/fonts ]]; then -# export FONTCONFIG_PATH="${etc}/fonts" -#fi - # Strip out system argument case "$1" in -psn_*) shift ;; esac -# Commented-out as part of "crash-on-startup part 2" fix, see https://github.com/Beep6581/RawTherapee/issues/3882#issuecomment-311703141 -#if [[ -d "/tmp/RawTherapee.app" ]]; then -# rm -rf "/tmp/RawTherapee.app" -#fi -#ln -sf "${app}" /tmp - # Prevent crash when directory name contains special characters AppleLocale=`defaults read -g AppleLocale` export LANG=${AppleLocale%@*}.UTF-8 -exec "${cwd}/rawtherapee-bin" "$@" +exec "${cwd}/bin/rawtherapee-bin" "$@" From f77eb3e4d2390261ec544e8bb71ca472596982dc Mon Sep 17 00:00:00 2001 
From: Benitoite Date: Sat, 15 Jun 2019 23:14:52 -0700 Subject: [PATCH 08/10] Mac: Use codesigning sandbox, entitlements Allows file system access in MacOS 10.15 *Catalina* --- tools/osx/macosx_bundle.sh | 23 +++++++++++++++-------- 1 file changed, 15 insertions(+), 8 deletions(-) diff --git a/tools/osx/macosx_bundle.sh b/tools/osx/macosx_bundle.sh index 0fc231852..79002facb 100644 --- a/tools/osx/macosx_bundle.sh +++ b/tools/osx/macosx_bundle.sh @@ -101,7 +101,7 @@ ETC="${RESOURCES}/etc" EXECUTABLE="${MACOS}/rawtherapee" msg "Removing old files:" -rm -rf "${APP}" "${PROJECT_NAME}_*.dmg" +rm -rf "${APP}" "${PROJECT_NAME}_*.dmg" "*zip" msg "Creating bundle container:" install -d "${RESOURCES}" \ @@ -134,7 +134,7 @@ rm -r "${LIB}"/gdk-pixbuf-2.0 "${GTK_PREFIX}/bin/gdk-pixbuf-query-loaders" "${LIB}"/libpix*.so > "${ETC}/gtk-3.0/gdk-pixbuf.loaders" "${GTK_PREFIX}/bin/gtk-query-immodules-3.0" "${LIB}"/{im*.so,libprint*.so} > "${ETC}/gtk-3.0/gtk.immodules" -sed -i "" -e "s|${PWD}/RawTherapee.app/Contents/|@executable_path/../|" "${ETC}/gtk-3.0/gdk-pixbuf.loaders" "${ETC}/gtk-3.0/gtk.immodules" +sed -i "" -e "s|${PWD}/RawTherapee.app/Contents/|/Users/rb/repo-rt/build/RawTherapee.app/Contents/|" "${ETC}/gtk-3.0/gdk-pixbuf.loaders" "${ETC}/gtk-3.0/gtk.immodules" ditto {"${GTK_PREFIX}","${RESOURCES}"}/share/glib-2.0/schemas "${GTK_PREFIX}/bin/glib-compile-schemas" "${RESOURCES}/share/glib-2.0/schemas" 
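Review bot: The added `"*zip"` argument in the `Removing old files` step is quoted, so `rm` receives the literal name `*zip` and no archive from a previous run is deleted; the existing `"${PROJECT_NAME}_*.dmg"` has the same problem. A stale `${APP}.zip` or dmg zip from an earlier build can therefore sit next to the new artifacts. Moving the wildcard outside the quotes and tying it to the names this script creates avoids both the no-op and an over-broad match: `rm -rf "${APP}" "${APP}.zip" "${PROJECT_NAME}"_*.dmg "${PROJECT_NAME}"_*.zip`. This assumes the dmg and zip names start with `${PROJECT_NAME}_`, as the volume name in CreateDmg suggests.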
@@ -188,30 +188,37 @@ find -E "${CONTENTS}" -type f -regex '.*/(rawtherapee-cli|rawtherapee|.*\.(dylib done msg "Registering @loader_path into the executable:" -echo " install_name_tool -add_rpath @loader_path/../Frameworks '${EXECUTABLE}'" | bash -v +echo " install_name_tool -add_rpath @executable_path/../../Frameworks '${EXECUTABLE}'" | bash -v echo " install_name_tool -add_rpath @loader_path/../Frameworks '${EXECUTABLE}-cli'" | bash -v msg "Installing required application bundle files:" PROJECT_SOURCE_DATA_DIR="${PROJECT_SOURCE_DIR}/tools/osx" - +ditto "${PROJECT_SOURCE_DIR}/build/Resources" "${RESOURCES}" # Executable loader # Note: executable is renamed to 'rawtherapee-bin'. -mv "${MACOS}/rawtherapee" "${MACOS}/rawtherapee-bin" +mkdir "${MACOS}/bin" +mv "${MACOS}/rawtherapee" "${MACOS}/bin/rawtherapee-bin" install -m 0755 "${PROJECT_SOURCE_DATA_DIR}/executable_loader.in" "${MACOS}/rawtherapee" # App bundle resources cp "${PROJECT_SOURCE_DATA_DIR}/"{rawtherapee,profile}.icns "${RESOURCES}" cp "${PROJECT_SOURCE_DATA_DIR}/PkgInfo" "${CONTENTS}" install -m 0644 "${PROJECT_SOURCE_DATA_DIR}/Info.plist.in" "${CONTENTS}/Info.plist" +install -m 0644 "${PROJECT_SOURCE_DATA_DIR}/Info.plist-bin.in" "${CONTENTS}/MacOS/bin/Info.plist" sed -i "" -e "s|@version@|${PROJECT_FULL_VERSION}| s|@shortVersion@|${PROJECT_VERSION}| s|@arch@|${arch}|" \ "${CONTENTS}/Info.plist" plutil -convert binary1 "${CONTENTS}/Info.plist" - +plutil -convert binary1 "${CONTENTS}/MacOS/bin/Info.plist" # Sign the app CODESIGNID="$(cmake .. -LA -N | grep "CODESIGNID" | cut -d "=" -f2)" if ! 
test -z "$CODESIGNID" ; then - codesign --deep --force -v -s "${CODESIGNID}" --timestamp -o runtime "${APP}" +install -m 0644 "${PROJECT_SOURCE_DATA_DIR}/rt.entitlements" "${CONTENTS}/Entitlements.plist" +plutil -convert binary1 "${CONTENTS}/Entitlements.plist" +install -m 0644 "${PROJECT_SOURCE_DATA_DIR}/rt-bin.entitlements" "${CONTENTS}/MacOS/bin/Entitlements.plist" +plutil -convert binary1 "${CONTENTS}/MacOS/bin/Entitlements.plist" +codesign -v -s "${CODESIGNID}" -i "com.rawtherapee.rawtherapee-bin" --timestamp -o runtime --entitlements "${APP}/Contents/MacOS/bin/Entitlements.plist" "${APP}/Contents/MacOS/bin/rawtherapee-bin" +codesign --deep --preserve-metadata=identifier,entitlements,runtime --strict -v -s "${CODESIGNID}" -i "com.rawtherapee.rawtherapee" --timestamp -o runtime --entitlements "${APP}/Contents/Entitlements.plist" "${APP}" spctl -a -vvvv "${APP}" fi @@ -276,7 +283,7 @@ function CreateDmg { # Notarize the dmg if ! test -z "$NOTARY" ; then zip "${dmg_name}.dmg.zip" "${dmg_name}.dmg" - uuid=`xcrun altool --notarize-app --primary-bundle-id "com.rawtherapee.rawtherapee" ${NOTARY} --file "${dmg_name}.dmg.zip" 2>&1 | grep 'RequestUUID' | awk '{ print $3 }'` + uuid=`xcrun altool --notarize-app --primary-bundle-id "com.rawtherapee" ${NOTARY} --file "${dmg_name}.dmg.zip" 2>&1 | grep 'RequestUUID' | awk '{ print $3 }'` echo "dmg Result= $uuid" # Display identifier string sleep 15 while : From 1d04026e9c5485cc7daf85b199bc7dba1bbcd082 Mon Sep 17 00:00:00 2001 From: Benitoite Date: Sat, 15 Jun 2019 23:24:38 -0700 Subject: [PATCH 09/10] Mac: update an absolute path --- tools/osx/macosx_bundle.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/osx/macosx_bundle.sh b/tools/osx/macosx_bundle.sh index 79002facb..2501e936b 100644 --- a/tools/osx/macosx_bundle.sh +++ b/tools/osx/macosx_bundle.sh 
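Review bot: In the `# Sign the app` block the entitlement files are copied into the bundle (`Contents/Entitlements.plist` and `Contents/MacOS/bin/Entitlements.plist`) only so that `--entitlements` can read them, which ships two extra files inside the signed app, one of them in the executable directory. codesign embeds the entitlements in the signature, so the option can point at the source tree instead, `--entitlements "${PROJECT_SOURCE_DATA_DIR}/rt-bin.entitlements"` and `--entitlements "${PROJECT_SOURCE_DATA_DIR}/rt.entitlements"`, which makes the four `install`/`plutil` lines unnecessary. The outer call also combines `--deep` with `--entitlements`, which as far as I know applies the app's entitlements to every nested library it signs; signing the libraries individually without entitlements before the bundle would avoid that. Neither `codesign` call nor `spctl` has its exit status checked, so unless the script runs under `set -e` (not visible in this hunk) a failed signature still proceeds to the notarization upload.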
@@ -134,7 +134,7 @@ rm -r "${LIB}"/gdk-pixbuf-2.0 "${GTK_PREFIX}/bin/gdk-pixbuf-query-loaders" "${LIB}"/libpix*.so > "${ETC}/gtk-3.0/gdk-pixbuf.loaders" "${GTK_PREFIX}/bin/gtk-query-immodules-3.0" "${LIB}"/{im*.so,libprint*.so} > "${ETC}/gtk-3.0/gtk.immodules" -sed -i "" -e "s|${PWD}/RawTherapee.app/Contents/|/Users/rb/repo-rt/build/RawTherapee.app/Contents/|" "${ETC}/gtk-3.0/gdk-pixbuf.loaders" "${ETC}/gtk-3.0/gtk.immodules" +sed -i "" -e "s|${PWD}/RawTherapee.app/Contents/|/Applications/RawTherapee.app/Contents/|" "${ETC}/gtk-3.0/gdk-pixbuf.loaders" "${ETC}/gtk-3.0/gtk.immodules" ditto {"${GTK_PREFIX}","${RESOURCES}"}/share/glib-2.0/schemas "${GTK_PREFIX}/bin/glib-compile-schemas" "${RESOURCES}/share/glib-2.0/schemas" From daedba584ada4b04b93915eff68c0edebc88c210 Mon Sep 17 00:00:00 2001 From: Benitoite Date: Sun, 16 Jun 2019 03:08:35 -0700 Subject: [PATCH 10/10] Mac: simplify exec. loader interpreter --- tools/osx/executable_loader.in | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/osx/executable_loader.in b/tools/osx/executable_loader.in index 72d17b04e..429173d8e 100644 --- a/tools/osx/executable_loader.in +++ b/tools/osx/executable_loader.in @@ -1,4 +1,4 @@ -#!/usr/bin/env bash +#!/bin/sh cd "$(dirname "$0")" || exit 1
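Review bot: Rewriting the loader paths to `/Applications/RawTherapee.app/Contents/` makes `gdk-pixbuf.loaders` and `gtk.immodules` point at one fixed install location. A copy started from the disk image or any other folder would then look for its modules in a different bundle than the one that was launched, or find none. The earlier `@executable_path/../` form (removed in PATCH 08) kept the lookup inside the running bundle; with the binary now in `Contents/MacOS/bin` the equivalent would be `s|${PWD}/RawTherapee.app/Contents/|@executable_path/../../|`. Whether the GTK loaders resolve `@executable_path` in these files is not shown on the page and should be confirmed before relying on it.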