Mirrors
/
kicad
mirror of https://github.com/KiCad/kicad-source-mirror
3
0
Fork 0
Code Releases Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
40169 Commits
14 Branches
135 Tags
2.9 GiB
Tree: 6d74cc031e
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '6d74cc031e'
${ noResults }
kicad/cmake/InstallSteps/SignMacOS.cmake

99 lines
4.8 KiB
Raw Normal View History

Support Apple Silicon on macOS As part of supporting Apple Silicon, we've got to upgrade our embedded Python to a version that comes with an Apple Silicon build. Python 3.9 suffices. This means we ignore python3.9 while fixing up bundles. Apple requires all code to be signed on Apple Silicon. We've added signing to the build. This has to be run after anything that adds to or modifies the installed files. As of Cmake 3.14 (CMP0082), the install rules are run in the order declared, so we are able to do this just by adding the signing subdirectory last in the main CMakeLists.txt. By default, the build will be signed "ad hoc", which does not require a developer to create keys or get keys from Apple. We added some CMake variables to control signing, KICAD_OSX_CODESIGN and KICAD_OSX_SIGNING_*. In order to better support development, we've added some necessary cleanup steps to KiCad that were performed externally in the release and nightly build process, like removing any .pyc files and extra Python symlinks erroneously introduced by fixup_bundle. We also adjusted "refix_rpaths" to be more accurate. We should not need "wrangle_bundle" when building and installing a local development copy of KiCad.
3 years ago
New macOS installation scripts Replaces BundleUtilities that got broken by recent updates and is basically unmaintained by cmake. Fixes https://gitlab.com/kicad/code/kicad/-/issues/15376
2 years ago
Support Apple Silicon on macOS As part of supporting Apple Silicon, we've got to upgrade our embedded Python to a version that comes with an Apple Silicon build. Python 3.9 suffices. This means we ignore python3.9 while fixing up bundles. Apple requires all code to be signed on Apple Silicon. We've added signing to the build. This has to be run after anything that adds to or modifies the installed files. As of Cmake 3.14 (CMP0082), the install rules are run in the order declared, so we are able to do this just by adding the signing subdirectory last in the main CMakeLists.txt. By default, the build will be signed "ad hoc", which does not require a developer to create keys or get keys from Apple. We added some CMake variables to control signing, KICAD_OSX_CODESIGN and KICAD_OSX_SIGNING_*. In order to better support development, we've added some necessary cleanup steps to KiCad that were performed externally in the release and nightly build process, like removing any .pyc files and extra Python symlinks erroneously introduced by fixup_bundle. We also adjusted "refix_rpaths" to be more accurate. We should not need "wrangle_bundle" when building and installing a local development copy of KiCad.
3 years ago
  2. function( sign_kicad_bundle target signing_id use_secure_timestamp use_hardened_runtime entitlements_file)
  4. # If the signing ID wasn't passed in, use - which means adhoc signing
  5. if ( NOT signing_id )
  6. set( signing_id "-")
  7. endif()
  9. MESSAGE( STATUS "Signing ${target} with ${signing_id}, hardened runtime: ${use_hardened_runtime}, secure timestamp: ${use_secure_timestamp}, entitlements file: ${entitlements_file}" )
  11. # --deep doesn't really work and is officially deprecated as of macos 13
  12. # https://developer.apple.com/library/archive/technotes/tn2206/_index.html#//apple_ref/doc/uid/DTS40007919-CH1-TNTAG201
  14. # collect a list of things to sign, in order
  15. set( sign_list "${target}/Contents/Applications/eeschema.app/Contents/MacOS/eeschema"
  16. "${target}/Contents/Applications/eeschema.app"
  17. "${target}/Contents/Applications/gerbview.app/Contents/MacOS/gerbview"
  18. "${target}/Contents/Applications/gerbview.app" "${target}/Contents/Applications/pcbnew.app/Contents/MacOS/pcbnew" "${target}/Contents/Applications/pcbnew.app" "${target}/Contents/Applications/bitmap2component.app/Contents/MacOS/bitmap2component" "${target}/Contents/Applications/bitmap2component.app" "${target}/Contents/Applications/pcb_calculator.app/Contents/MacOS/pcb_calculator" "${target}/Contents/Applications/pcb_calculator.app" "${target}/Contents/Applications/pl_editor.app/Contents/MacOS/pl_editor" "${target}/Contents/Applications/pl_editor.app")
  20. # Python things!
  21. if( EXISTS "${target}/Contents/Frameworks/Python.framework" )
  22. set( sign_list ${sign_list} "${target}/Contents/Frameworks/Python.framework/Versions/Current/share/doc/python3.9/examples/Tools/pynche"
  23. "${target}/Contents/Frameworks/Python.framework/Versions/Current/Resources/Python.app/Contents/MacOS/Python")
  24. file( GLOB python_bins "${target}/Contents/Frameworks/Python.framework/Versions/Current/bin/*" )
  26. # add dylib, .so and .a files from Contents/Frameworks/Python.framework/Versions/Current/lib/ and recursively
  27. file( GLOB_RECURSE python_libs ${sign_list} "${target}/Contents/Frameworks/Python.framework/Versions/Current/lib/*.dylib"
  28. "${target}/Contents/Frameworks/Python.framework/Versions/Current/lib/*.so"
  29. "${target}/Contents/Frameworks/Python.framework/Versions/Current/lib/*.a"
  30. "${target}/Contents/Frameworks/Python.framework/Versions/Current/lib/*.o" )
  32. set( sign_list ${sign_list} ${python_bins} ${python_libs} )
  33. endif( )
  35. set( sign_list ${sign_list} "${target}/Contents/Frameworks/Python.framework/Versions/Current/Resources/Python.app"
  36. "${target}/Contents/Frameworks/Python.framework" )
  38. # add all the dylibs from contents/frameworks
  39. file( GLOB framework_dylibs "${target}/Contents/Frameworks/*.dylib" )
  41. # add all the files in Contents/PlugIns
  42. file( GLOB_RECURSE plugins "${target}/Contents/PlugIns/*" )
  44. file( GLOB_RECURSE translations "${target}/Contents/SharedSupport/internat/*.mo" )
  46. # add all the files in Contents/MacOS/
  47. # But we've gotta sign kicad-cli before signing kicad, at least on x86_64
  48. set( kicad_bins "${target}/Contents/MacOS/dxf2idf"
  49. "${target}/Contents/MacOS/idf2vrml"
  50. "${target}/Contents/MacOS/idfcyl"
  51. "${target}/Contents/MacOS/idfrect"
  52. "${target}/Contents/MacOS/kicad-cli"
  53. "${target}/Contents/MacOS/kicad")
  55. set( sign_list ${sign_list} ${framework_dylibs} ${plugins} ${translations} ${kicad_bins} ) # do i need to quote this differently?
  57. # add kicad.app!
  58. set( sign_list ${sign_list} "${target}" )
  60. # build the command used for signing
  61. set( command codesign --force --sign "${signing_id}" )
  63. if( use_secure_timestamp )
  64. set( command ${command} --timestamp )
  65. endif( )
  67. if( use_hardened_runtime )
  68. if ( signing_id STREQUAL "-" )
  69. message( FATAL_ERROR "Hardened runtime requires a (non-ad-hoc) signing identity." )
  70. endif( )
  72. set( command ${command} --options runtime )
  73. endif( )
  75. if( entitlements_file )
  76. set( command ${command} --entitlements "${entitlements_file}" )
  77. endif( )
  79. foreach( item ${sign_list} )
  80. set( cmd ${command} "${item}" )
  82. # MESSAGE( STATUS "Running ${cmd}")
  83. execute_process( COMMAND ${cmd}
  84. RESULT_VARIABLE codesign_result)
  86. if( NOT codesign_result EQUAL 0 )
  87. message( WARNING "macOS signing failed; ${cmd} returned ${codesign_result}" )
  88. endif( )
  89. endforeach( )
  90. endfunction()
  93. function( verify_signing target )
  94. set( cmd codesign --verify --deep --strict --verbose=3 "${target}" )
  96. execute_process( COMMAND ${cmd} RESULT_VARIABLE verify_result )
  97. if( NOT verify_result EQUAL 0 )
  98. message( FATAL_ERROR "macOS signing verification failed; ran ${cmd}" )
  99. endif( )
  100. endfunction( )