From b99782d8504caa6d33eb05634b32f8ba27422ced Mon Sep 17 00:00:00 2001
From: Connor Turland
Date: Fri, 14 Feb 2020 00:24:27 -0500
Subject: [PATCH] dylibs couldn't be signed so were breaking macos gatekeeper
---
 entitlements.mac.plist | 4 +---
 nix/acorn/default.nix | 21 +++++++++++++++++++++
 2 files changed, 22 insertions(+), 3 deletions(-)
diff --git a/entitlements.mac.plist b/entitlements.mac.plist
index 6b9ca9b..19c3e39 100644
--- a/entitlements.mac.plist
+++ b/entitlements.mac.plist
@@ -10,9 +10,7 @@
 com.apple.security.network.client
- com.apple.security.files.all
-
- com.apple.security.cs.disable-library-validation
+ com.apple.security.files.user-selected.read-write
diff --git a/nix/acorn/default.nix b/nix/acorn/default.nix
index 37a724f..ca3dd5e 100644
--- a/nix/acorn/default.nix
+++ b/nix/acorn/default.nix
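Review bot: In entitlements.mac.plist the added `com.apple.security.files.user-selected.read-write` key is an App Sandbox entitlement, and like the `com.apple.security.network.client` context key it only restricts anything when `com.apple.security.app-sandbox` is also set; the lines above the hunk are not visible, so that should be confirmed. If the sandbox key is absent, the app keeps ordinary user-level file access and this key records an intent rather than enforcing one. The file also does not say why library validation is now left on, so I would add a comment beside the remaining keys, for example `<!-- library validation stays enabled: bundled hc/holochain must link only system or same-team-signed dylibs -->`. Running `codesign -d --entitlements - <path to the built .app>` on the packaged bundle would confirm which entitlements actually shipped.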
@@ -71,6 +71,23 @@ let
 rm $HOLOCHAIN
 '');
 
+ macos-fix-dylibs = (pkgs.writeShellScriptBin "acorn-macos-fix-dylibs" ''
+ set -euxo pipefail
+ echo 'fixing the dynamic linking of hc and holochain'
+ echo 'based on: otool -L hc'
+ install_name_tool -change /nix/store/qjf3nf4qa8q62giagjwdmdbjqni983km-Libsystem-osx-10.12.6/lib/libSystem.B.dylib /usr/lib/libSystem.B.dylib hc
+ install_name_tool -change /nix/store/qjf3nf4qa8q62giagjwdmdbjqni983km-Libsystem-osx-10.12.6/lib/libresolv.9.dylib /usr/lib/libresolv.9.dylib hc
+ # note this is a slight hack, with unforeseen consequences?
+ # because its a different lib? libiconv.dylib > libiconv.2.dylib
+ install_name_tool -change /nix/store/cib1v4zhizcjwkr96753n87ssm3nsfkm-libiconv-osx-10.12.6/lib/libiconv.dylib /usr/lib/libiconv.2.dylib hc
+ echo 'based on: otool -L holochain'
+ install_name_tool -change /nix/store/qjf3nf4qa8q62giagjwdmdbjqni983km-Libsystem-osx-10.12.6/lib/libSystem.B.dylib /usr/lib/libSystem.B.dylib holochain
+ install_name_tool -change /nix/store/qjf3nf4qa8q62giagjwdmdbjqni983km-Libsystem-osx-10.12.6/lib/libresolv.9.dylib /usr/lib/libresolv.9.dylib holochain
+ # note this is a slight hack, with unforeseen consequences?
+ # because its a different lib? libiconv.dylib > libiconv.2.dylib
+ install_name_tool -change /nix/store/cib1v4zhizcjwkr96753n87ssm3nsfkm-libiconv-osx-10.12.6/lib/libiconv.dylib /usr/lib/libiconv.2.dylib holochain
+ '');
+
 build-linux = (pkgs.writeShellScriptBin "acorn-build-linux" ''
 ${pre-build}/bin/acorn-pre-build
 acorn_platform=''${1:-linux}
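Review bot: The `install_name_tool -change` calls in macos-fix-dylibs match on exact /nix/store paths, and the tool exits successfully without changing anything when the old install name is not present. A rebuilt hc or holochain linked against a different store hash would therefore pass this step and still ship a reference to an unsigned nix dylib, which is the Gatekeeper failure this commit is fixing. A check after the last call would fail the build instead: `if otool -L hc holochain | grep /nix/store; then echo 'nix store dylib reference remains' >&2; exit 1; fi`. The same three rewrites are repeated for both binaries, so a `for bin in hc holochain` loop would keep the two lists from drifting. The libiconv.dylib to libiconv.2.dylib substitution that the comment calls a hack would also benefit from a line saying which macOS versions it was tested on.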
@@ -83,12 +100,14 @@ let
 build-mac = (pkgs.writeShellScriptBin "acorn-build-mac" ''
 ${pre-build}/bin/acorn-pre-build
 ${fetch-bins}/bin/acorn-fetch-bins apple-darwin
+ ${macos-fix-dylibs}/bin/acorn-macos-fix-dylibs
 electron-packager . Acorn --platform=darwin --arch=x64 --overwrite --prune=true --icon=\"ui/logo/acorn-logo-desktop-512px@2x.icns\" --osx-sign.hardenedRuntime=true --osx-sign.gatekeeperAssess=false --osx-sign.entitlements=entitlements.mac.plist --osx-sign.entitlements-inherit=entitlements.mac.plist --osx-sign.type=distribution --osx-sign.identity=\"$APPLE_DEV_IDENTITY\" --osx-notarize.apple-id=\"$APPLE_ID_EMAIL\" --osx-notarize.apple-id-password=\"$APPLE_ID_PASSWORD\"
 '');
 
 build-mac-unsigned = (pkgs.writeShellScriptBin "acorn-build-mac-unsigned" ''
 ${pre-build}/bin/acorn-pre-build
 ${fetch-bins}/bin/acorn-fetch-bins apple-darwin
+ ${macos-fix-dylibs}/bin/acorn-macos-fix-dylibs
 electron-packager . Acorn --platform=darwin --arch=x64 --overwrite --prune=true --icon=\"ui/logo/acorn-logo-desktop-512px@2x.icns\"
 '');
 
@@ -103,6 +122,8 @@ in
 bundle-ui
 clean
 reset
+ fetch-bins
+ macos-fix-dylibs
 build-linux
 build-mac
 build-mac-unsigned
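Review bot: In build-mac and build-mac-unsigned the exit status of the added `${macos-fix-dylibs}/bin/acorn-macos-fix-dylibs` line is not checked, and no `set -e` is visible in either script. A failure in the fix step would therefore presumably fall through to electron-packager and, in build-mac, to signing and notarizing binaries whose linkage was never corrected. Appending `|| exit 1` to the added line, or starting both scripts with `set -euo pipefail`, would stop the build at that point. I would leave `-x` out of build-mac, because tracing would print the expanded `$APPLE_ID_PASSWORD` from the electron-packager line into the build log.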