macOS: Packaging and code signing updates.

Sign our bundle as described in Apple's Code Signing Guide. Enable the
Hardened Runtime when signing.

Look for packagemaker in our PATH before checking specific locations.

Switch from zlib to bzip2 compression for our .dmg. Sign our .dmg.

To do: Notarization.

Change-Id: Ia6556e67998ff247dd3d77d6f040773e070f66cc
Reviewed-on: https://code.wireshark.org/review/32032
Reviewed-by: Gerald Combs <gerald@wireshark.org>

2 files changed, 87 insertions, 52 deletions

diff --git a/packaging/macosx/osx-app.sh.in b/packaging/macosx/osx-app.sh.in
index 72107556f7..47845b1fff 100755
--- a/packaging/macosx/osx-app.sh.in
+++ b/packaging/macosx/osx-app.sh.in
@@ -448,27 +448,35 @@ for plugin in "$pkgplugin"/*/*.so ; do
 done
 
 codesign_file () {
+	# https://developer.apple.com/library/archive/documentation/Security/Conceptual/CodeSigningGuide/Procedures/Procedures.html
+	# https://developer.apple.com/library/archive/technotes/tn2206/_index.html
+	# https://developer.apple.com/documentation/security/notarizing_your_app_before_distribution/resolving_common_notarization_issues?language=objc
+	#
+	# XXX do we need to add hardened runtime entitlements or exceptions, e.g.
+	# com.apple.security.cs.allow-unsigned-executable-memory for Lua?
+	# https://developer.apple.com/documentation/security/hardened_runtime_entitlements?language=objc
 	codesign \
 		--sign "Developer ID Application: $CODE_SIGN_IDENTITY" \
+		--options=runtime \
 		--timestamp \
 		--verbose \
 		"$1"
-	codesign --verify --verbose "$1" || exit 1
 }
 
 if [ -n "$CODE_SIGN_IDENTITY" ] ; then
 	security find-identity -v -s "$CODE_SIGN_IDENTITY" -p codesigning
 
-	echo "Signing secondary executables"
-	if [ -z "$secondary_binary_list" ] ; then
-		echo "No executables specified for code signing."
-		exit 1
-	fi
-	for binary in $secondary_binary_list ; do
-		if [ -e "$binary" ];then
-			codesign_file "$binary"
-		fi
-	done
+	# The Code Signing Guide says:
+	#
+	# "While you use the --deep option for verification to mimic what Gatekeeper does,
+	# it is not recommended for signing. During signing, if you have nested code, and
+	# if you are signing manually, you sign nested code in stages (as Xcode does
+	# automatically), starting with the most deeply embedded components first. You
+	# then sign code at the next level of hierarchy, and so on. You work your way
+	# outward, finally signing the top level entity that contains all the others.
+	# Signing all the components in one shot with --deep is for emergency repairs and
+	# temporary adjustments only. Note that signing with the combination --deep
+	# --force will forcibly re-sign all code in a bundle."
 
 	echo "Signing frameworks"
 	for framework in "$pkglib"/*.framework/Versions/* ; do
@@ -486,19 +494,26 @@ if [ -n "$CODE_SIGN_IDENTITY" ] ; then
 		codesign_file "$plugin"
 	done
 
-	# Newer versions of codesign appear to require signing the primary
-	# executable last, otherwise it returns the error
-	#
-	# Wireshark.app/Contents/MacOS/Wireshark: code object is not signed at all
-	# In subcomponent: <some bit of unsigned code>
+	echo "Signing secondary executables"
+	if [ -z "$secondary_binary_list" ] ; then
+		echo "No executables specified for code signing."
+		exit 1
+	fi
+	for binary in $secondary_binary_list ; do
+		if [ -e "$binary" ];then
+			codesign_file "$binary"
+		fi
+	done
+
 	echo "Signing primary executable"
 	codesign_file "$pkgexec/Wireshark"
 
 	echo "Signing $bundle"
 	codesign_file "$bundle"
 
-	spctl --assess "$bundle" || exit 1
-
+	# Code Signing Guide, "Testing Conformance with Command Line Tools"
+	codesign --verify --deep --strict --verbose=2 "$bundle" || exit 1
+	spctl --assess --type exec --verbose=2 "$bundle" || exit 1
 else
 	echo "Code signing not performed (no identity)"
 fi
diff --git a/packaging/macosx/osx-dmg.sh.in b/packaging/macosx/osx-dmg.sh.in
index e4d4101417..04fae959c7 100755
--- a/packaging/macosx/osx-dmg.sh.in
+++ b/packaging/macosx/osx-dmg.sh.in
@@ -43,36 +43,40 @@ volume_name="Wireshark"
 src_dir="."
 tmp_dir="/tmp/dmg-$$"
 auto_open_opt=
+packagemaker=$( type -p packagemaker || type -p PackageMaker )
 
-if [ -f /Applications/Xcode.app/Contents/Applications/PackageMaker.app/Contents/MacOS/PackageMaker ]
-then
-	#
-	# Xcode 4 and later, with the "Auxiliary Tools for Xcode"
-	# download from developer.apple.com.  (There are no such
-	# downloads for Mavericks or later, but PackageMaker from
-	# the Late July 2012 download for Mountain Lion appears to
-	# work on Yosemite.)
-	#
-	packagemaker=/Applications/Xcode.app//Contents/Applications/PackageMaker.app/Contents/MacOS/PackageMaker
-elif [ -f /Applications/Xcode.app/Developer/Tools/packagemaker ]
-then
-	packagemaker=/Applications/Xcode.app/Developer/Tools/packagemaker
-elif [ -f /Applications/Xcode.app/Developer/usr/bin/packagemaker ]
-then
-	packagemaker=/Applications/Xcode.app/Developer/usr/bin/packagemaker
-elif [ -f /Developer/Tools/packagemaker ]
-then
-	packagemaker=/Developer/Tools/packagemaker
-elif [ -f /Developer/usr/bin/packagemaker ]
-then
-	packagemaker=/Developer/usr/bin/packagemaker
-elif [ -f /usr/bin/packagemaker ]
-then
-	packagemaker=/usr/bin/packagemaker
-elif [ -f /usr/local/bin/packagemaker ]
-then
-	packagemaker=/usr/local/bin/packagemaker
+if [ -z "$packagemaker" ] ; then
+	if [ -f /Applications/Xcode.app/Contents/Applications/PackageMaker.app/Contents/MacOS/PackageMaker ]
+	then
+		#
+		# Xcode 4 and later, with the "Auxiliary Tools for Xcode"
+		# download from developer.apple.com.  (There are no such
+		# downloads for Mavericks or later, but PackageMaker from
+		# the Late July 2012 download for Mountain Lion appears to
+		# work on Yosemite.)
+		#
+		packagemaker=/Applications/Xcode.app//Contents/Applications/PackageMaker.app/Contents/MacOS/PackageMaker
+	elif [ -f /Applications/Xcode.app/Developer/Tools/packagemaker ]
+	then
+		packagemaker=/Applications/Xcode.app/Developer/Tools/packagemaker
+	elif [ -f /Applications/Xcode.app/Developer/usr/bin/packagemaker ]
+	then
+		packagemaker=/Applications/Xcode.app/Developer/usr/bin/packagemaker
+	elif [ -f /Developer/Tools/packagemaker ]
+	then
+		packagemaker=/Developer/Tools/packagemaker
+	elif [ -f /Developer/usr/bin/packagemaker ]
+	then
+		packagemaker=/Developer/usr/bin/packagemaker
+	elif [ -f /usr/bin/packagemaker ]
+	then
+		packagemaker=/usr/bin/packagemaker
+	elif [ -f /usr/local/bin/packagemaker ]
+	then
+		packagemaker=/usr/local/bin/packagemaker
+	fi
 fi
+
 if [ -z "$packagemaker" ]
 then
 	echo "$0: couldn't find PackageMaker" 1>&2
@@ -175,14 +179,19 @@ if [ -n "$CODE_SIGN_IDENTITY" ] ; then
 		--sign "Developer ID Installer: $CODE_SIGN_IDENTITY" \
 		--timestamp \
 		"$pkg_file_unsigned" "$pkg_file" || exit 1
+	# TN2206, "Checking Gatekeeper Conformance"
 	spctl --assess --type install "$pkg_file" || exit 1
 	pkgutil --check-signature "$pkg_file" || exit 1
 	shasum "$pkg_file"
+	shasum -a 256 "$pkg_file"
 	rm -rf "$pkg_file_unsigned"
 else
 	echo "Code signing not performed (no identity)"
 fi
 
+# To do: Notarize our package.
+# https://developer.apple.com/documentation/security/notarizing_your_app_before_distribution/customizing_the_notarization_workflow?language=objc
+
 echo -e "\\nCREATE WIRESHARK DISK IMAGE\\n"
 img_name="$pkg_title.dmg"
 
@@ -264,13 +273,24 @@ if [ -e "$img_name" ]; then
 	echo "$img_name already exists."
 	rm -i "$img_name"
 fi
-/usr/bin/hdiutil convert "$rw_name" -format UDZO -imagekey zlib-level=9 -o "$img_name" || exit 1
+
+# From the hdiutil man page:
+# UDZO - UDIF zlib-compressed image
+# ULFO - UDIF lzfse-compressed image (OS X 10.11+ only)
+# UDBZ - UDIF bzip2-compressed image (Mac OS X 10.4+ only)
+
+/usr/bin/hdiutil convert "$rw_name" -format UDBZ -o "$img_name" || exit 1
 rm -f "$rw_name"
 
-#if [ -n "$CODE_SIGN_IDENTITY" ] ; then
-#	echo -e "Signing the $img_name"
-#	codesign --sign "$CODE_SIGN_IDENTITY" --verbose "$img_name" || exit 1
-#	codesign --verify --verbose "$img_name" || exit 1
-#fi
+# TN2206, "Signing Disk Images"
+if [ -n "$CODE_SIGN_IDENTITY" ] ; then
+	echo -e "Signing $img_name"
+	codesign \
+		--sign "Developer ID Application: $CODE_SIGN_IDENTITY" \
+		--timestamp \
+		--verbose \
+		"$img_name"
+	spctl --assess --type open --context context:primary-signature --verbose=2 "$img_name" || exit 1
+fi
 
 exit 0