[vlc-commits] macosx: added a basic script and some entitlements to enable Sandboxing on OS X Lion (refs #5149)
Felix Paul Kühne
git at videolan.org
Mon Jun 18 22:14:58 CEST 2012
vlc | branch: master | Felix Paul Kühne <fkuehne at videolan.org> | Mon Jun 18 17:52:08 2012 +0200| [eba61d4f3b94f0539c5e250b3222b24c543b67be] | committer: Felix Paul Kühne
macosx: added a basic script and some entitlements to enable Sandboxing on OS X Lion (refs #5149)
> http://git.videolan.org/gitweb.cgi/vlc.git/?a=commit;h=eba61d4f3b94f0539c5e250b3222b24c543b67be
---
Makefile.am | 2 +
extras/package/macosx/VLC.entitlements | 34 ++++++++++++
extras/package/macosx/codesign.sh | 89 ++++++++++++++++++++++++++++++++
3 files changed, 125 insertions(+)
diff --git a/Makefile.am b/Makefile.am
index 2318131..a159621 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -97,7 +97,9 @@ ChangeLog: Makefile.am
###############################################################################
EXTRA_DIST += \
+ extras/package/macosx/codesign.sh \
extras/package/macosx/README.MacOSX.rtf \
+ extras/package/macosx/VLC.entitlements \
extras/package/macosx/Resources/dsa_pub.pem \
extras/package/macosx/Resources/English.lproj/About.xib \
extras/package/macosx/Resources/English.lproj/AudioEffects.xib \
diff --git a/extras/package/macosx/VLC.entitlements b/extras/package/macosx/VLC.entitlements
new file mode 100644
index 0000000..4bff5cd
--- /dev/null
+++ b/extras/package/macosx/VLC.entitlements
@@ -0,0 +1,34 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+ <key>com.apple.security.app-sandbox</key>
+ <true/>
+ <key>com.apple.security.assets.movies.read-write</key>
+ <true/>
+ <key>com.apple.security.assets.music.read-write</key>
+ <true/>
+ <key>com.apple.security.assets.pictures.read-write</key>
+ <true/>
+ <key>com.apple.security.device.camera</key>
+ <true/>
+ <key>com.apple.security.device.microphone</key>
+ <true/>
+ <key>com.apple.security.device.usb</key>
+ <true/>
+ <key>com.apple.security.device.serial</key>
+ <true/>
+ <key>com.apple.security.files.downloads.read-write</key>
+ <true/>
+ <key>com.apple.security.files.user-selected.read-write</key>
+ <true/>
+ <key>com.apple.security.network.client</key>
+ <true/>
+ <key>com.apple.security.network.server</key>
+ <true/>
+ <key>com.apple.security.temporary-exception.files.home-relative-path.read-only</key>
+ <string>/</string>
+ <key>com.apple.security.temporary-exception.files.absolute-path.read-only</key>
+ <string>/dev/</string>
+</dict>
+</plist>
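Review bot: The `com.apple.security.temporary-exception.files.home-relative-path.read-only` entry with the value `/` appears to grant read access to the user's entire home directory, which leaves little file containment for reads and makes the narrower `assets.*` and `files.downloads` grants redundant on the read side. If that breadth is needed for now, an XML comment above the key should say so, e.g. `<!-- stopgap: whole-home read access; narrow to specific subpaths or rely on files.user-selected -->`. The same goes for `device.usb`, `device.serial` and `network.server`: each widens what a compromised demuxer or decoder could reach. A one-line comment naming the feature that needs each one would let a later reviewer drop those that turn out to be unused.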
diff --git a/extras/package/macosx/codesign.sh b/extras/package/macosx/codesign.sh
new file mode 100755
index 0000000..ecc19dd
--- /dev/null
+++ b/extras/package/macosx/codesign.sh
@@ -0,0 +1,89 @@
+#!/bin/sh
+# Copyright @ 2012 Felix Paul Kühne <fkuehne at videolan dot org>
+#
+# This program is free software; you can redistribute it and/or modify it
+# under the terms of the GNU Lesser General Public License as published by
+# the Free Software Foundation; either version 2.1 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with this program; if not, write to the Free Software Foundation,
+# Inc., 51 Franklin Street, Fifth Floor, Boston MA 02110-1301, USA.
+
+info()
+{
+ local green="\033[1;32m"
+ local normal="\033[0m"
+ echo "[${green}codesign${normal}] $1"
+}
+
+usage()
+{
+cat << EOF
+usage: $0 [options]
+
+Sign VLC.app in the current directory
+
+OPTIONS:
+ -h Show this help
+ -i Identity to use
+ -t Entitlements file to use
+EOF
+
+}
+
+while getopts "hi:t:" OPTION
+do
+ case $OPTION in
+ h)
+ usage
+ exit 1
+ ;;
+ i)
+ IDENTITY=$OPTARG
+ ;;
+ t)
+ OPTIONS="--entitlements $OPTARG"
+ ;;
+ esac
+done
+shift $(($OPTIND - 1))
+
+if [ "x$1" != "x" ]; then
+ usage
+ exit 1
+fi
+
+info "Signing the executable"
+
+codesign -s "$IDENTITY" $OPTIONS VLC.app/Contents/MacOS/VLC
+
+info "Signing the modules"
+find VLC.app/Contents/MacOS/plugins/* -type f -exec codesign -s "$IDENTITY" $OPTIONS '{}' \;
+
+info "Signing the libraries"
+find VLC.app/Contents/MacOS/lib/* -type f -exec codesign -s "$IDENTITY" $OPTIONS '{}' \;
+
+info "Signing the lua stuff"
+find VLC.app/Contents/MacOS/share/lua/* -type f -exec codesign -s "$IDENTITY" $OPTIONS '{}' \;
+
+info "all items signed, validating..."
+
+info "Validating binary"
+codesign --verify VLC.app/Contents/MacOS/VLC
+
+info "Validating modules"
+find VLC.app/Contents/MacOS/plugins/* -type f -exec codesign --verify '{}' \;
+
+info "Validating libraries"
+find VLC.app/Contents/MacOS/lib/* -type f -exec codesign --verify '{}' \;
+
+info "Validating lua stuff"
+find VLC.app/Contents/MacOS/share/lua/* -type f -exec codesign --verify '{}' \;
+
+info "Validation complete"
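Review bot: Nothing in codesign.sh checks an exit status, so a failed `codesign -s` or `codesign --verify` still ends with "Validation complete", which in a release-signing step can hide unsigned or invalidly signed binaries. Adding `set -e` alone would not cover the module, library and lua passes, because `find … -exec … \;` discards the command's status; `-exec codesign --verify '{}' +` makes find exit non-zero when any invocation fails. `IDENTITY` is never checked after option parsing, so running without `-i` calls `codesign -s ""`; add `[ -n "$IDENTITY" ] || { usage; exit 1; }` after the `shift`. `$OPTIONS` is expanded unquoted, so an entitlements path containing spaces is split into several arguments.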