Self-signing macOS apps with an ad-hoc codesign signature (the author states SIP must be disabled)
#!/bin/bash
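# Function to check if SIP is enabled
#
# Warns, and asks for confirmation before continuing, unless `csrutil status`
# reports System Integrity Protection as explicitly *disabled*. An "enabled"
# status, a custom/partial configuration and a missing or failing csrutil are
# all treated the same way, so the user is never waved through on an unknown
# state (the original only looked for the substring "enabled" and would
# silently continue if csrutil produced no output at all).
#
# NOTE(review): an ad-hoc signature (`codesign --sign -`) does not by itself
# require SIP to be off, and disabling SIP removes kernel and filesystem
# protections for the whole machine, not just for this app. Confirm that
# signing really fails with SIP on before following the recovery-mode steps
# printed below. (The "Command + R" hint is the Intel key combo; Apple
# silicon Macs enter recovery by holding the power button.)
#
# Globals:   none
# Arguments: none
# Outputs:   warning text and the prompt on stderr
# Returns:   0 to continue; exits 1 if the user declines
check_sip() {
  local status=""
  if command -v csrutil >/dev/null 2>&1; then
    status=$(csrutil status 2>/dev/null) || status=""
  fi

  # Only an explicit "disabled" is considered safe to skip the warning.
  if [[ "$status" == *"status: disabled"* ]]; then
    return 0
  fi

  if [[ "$status" == *"status: enabled"* ]]; then
    echo "Warning: System Integrity Protection (SIP) is enabled." >&2
  else
    echo "Warning: could not confirm that System Integrity Protection (SIP) is disabled." >&2
  fi
  echo "Some signing operations may fail. You might need to:" >&2
  echo "1. Restart in Recovery Mode (Command + R during startup)" >&2
  echo "2. Run 'csrutil disable'" >&2
  echo "3. Restart your Mac" >&2
  read -p "Do you want to continue anyway? (y/n) " -n 1 -r
  echo >&2
  if [[ ! $REPLY =~ ^[Yy]$ ]]; then
    exit 1
  fi
}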
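# Function to sign a single component
#
# Strips any existing signature from $1 and re-signs it ad-hoc (`--sign -`)
# with the hardened runtime enabled, applying the entitlements file $2 when
# it exists. A failed codesign is now reported on stderr and propagated as a
# non-zero return so the caller can notice instead of continuing with a
# half-signed bundle (the original ignored codesign's exit status).
#
# Security notes:
#  * An ad-hoc signature carries no identity: Gatekeeper/notarization will
#    not accept it, and anyone who can write to the bundle can re-sign it.
#  * The entitlements this script passes in (disable-library-validation,
#    allow-dyld-environment-variables, allow-unsigned-executable-memory)
#    largely negate what `--options runtime` is meant to enforce: the signed
#    code will load unsigned/foreign dylibs and honour DYLD_* variables.
#    Grant them only to the component that actually needs them.
#  * `--deep` is discouraged by Apple (intended for repairs, not regular
#    signing) and re-signs nested code with the *same* entitlements; the
#    caller already signs nested components explicitly, so it is kept only
#    to preserve the original behaviour.
#  * `sudo` is not invoked here any more: the script refuses to run unless
#    it is already root, so the extra sudo was a no-op.
#
# Arguments: $1 - path to the bundle, dylib or XPC service to sign
#            $2 - path to an entitlements plist (optional; skipped if absent)
# Outputs:   progress on stdout, errors on stderr
# Returns:   0 on success, 1 if codesign failed
sign_component() {
  local component="$1"
  local entitlements="$2"
  local -a sign_args=(--force --deep --sign - --options runtime)

  echo "Signing component: $component"

  # Remove existing signature; failure is expected for unsigned input.
  codesign --remove-signature "$component" 2>/dev/null || true

  # Sign with enhanced permissions when an entitlements file was supplied.
  if [[ -f "$entitlements" ]]; then
    sign_args+=(--entitlements "$entitlements")
  fi

  if ! codesign "${sign_args[@]}" "$component"; then
    echo "Error: codesign failed for $component" >&2
    return 1
  fi
}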
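# Main signing function
#
# Re-signs every piece of code inside the bundle at $1 from the inside out
# (frameworks and dylibs, XPC services, app extensions, then the main app),
# verifies the result and optionally launches it.
#
# Changes from the original, all safety related:
#  * Entitlement files are written into a private mktemp directory that an
#    EXIT trap removes, instead of fixed names in the current directory.
#    This script runs as root, so `cat > entitlements.plist` in an arbitrary
#    (possibly shared) cwd would follow a pre-planted symlink and would let
#    another local user swap the entitlements between write and use.
#  * The framework search was `-type f -name '*.framework' -o -name '*.dylib'`;
#    with find's precedence that never matches a .framework (frameworks are
#    directories). Frameworks are now found as directories, dylibs as files,
#    and `-depth` yields children before parents so nested code is signed
#    before the bundle that seals it.
#  * File lists are NUL-delimited (-print0 / read -d '') so unusual names
#    cannot break the loops; missing optional directories are skipped instead
#    of producing find errors.
#  * Signing and verification failures are reported and the function returns
#    non-zero instead of silently continuing.
#  * The test launch runs as the invoking (sudo) user rather than root. `open`
#    from a root shell appears to launch the app with root privileges, which
#    is an unnecessary exposure for an app that now accepts unsigned
#    libraries and DYLD_* variables; when SUDO_USER is unavailable the launch
#    is skipped with a message.
#
# Entitlement caveats (plist content is kept exactly as in the original):
#  * app-sandbox is false, so the files.* and temporary-exception.* keys are
#    sandbox-only and have no effect here; temporary-exception.files.
#    absolute-path.read-write also expects an array of paths, not <true/>.
#  * disable-library-validation + allow-dyld-environment-variables +
#    allow-unsigned-executable-memory effectively switch off the hardened
#    runtime's injection protections for every component signed with them.
#
# Globals:   SUDO_USER (read, for the test launch)
# Arguments: $1 - absolute path to the .app bundle
# Outputs:   progress on stdout, errors on stderr
# Returns:   0 on success, 1 if any signing step or verification failed
sign_app() {
  local APP_PATH="$1"
  local work_dir entitlements widget_entitlements
  local rc=0

  # Check SIP status
  check_sip

  echo "Starting enhanced signing process for: $APP_PATH"

  # Private scratch directory for the entitlement files (mode 0700).
  work_dir=$(mktemp -d) || { echo "Error: could not create temp directory" >&2; return 1; }
  # Expanded now on purpose: the local is gone by the time the trap fires.
  # shellcheck disable=SC2064
  trap "rm -rf -- '${work_dir:?}'" EXIT
  entitlements="$work_dir/entitlements.plist"
  widget_entitlements="$work_dir/widget_entitlements.plist"

  # Create comprehensive entitlements file
  cat > "$entitlements" << 'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>com.apple.security.app-sandbox</key>
<false/>
<key>com.apple.security.cs.allow-unsigned-executable-memory</key>
<true/>
<key>com.apple.security.cs.disable-library-validation</key>
<true/>
<key>com.apple.security.cs.allow-dyld-environment-variables</key>
<true/>
<key>com.apple.security.files.user-selected.read-write</key>
<true/>
<key>com.apple.security.files.downloads.read-write</key>
<true/>
<key>com.apple.security.network.client</key>
<true/>
<key>com.apple.security.temporary-exception.files.absolute-path.read-write</key>
<true/>
</dict>
</plist>
EOF

  # Create widget-specific entitlements
  cat > "$widget_entitlements" << 'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>com.apple.security.app-sandbox</key>
<true/>
<key>com.apple.security.network.client</key>
<true/>
</dict>
</plist>
EOF

  echo "1. Signing frameworks..."
  if [[ -d "$APP_PATH/Contents/Frameworks" ]]; then
    while IFS= read -r -d '' framework; do
      sign_component "$framework" "$entitlements" || rc=1
    done < <(find "$APP_PATH/Contents/Frameworks" -depth \
               \( -type d -name "*.framework" -o -type f -name "*.dylib" \) -print0)
  fi

  echo "2. Signing embedded XPC services..."
  while IFS= read -r -d '' xpc; do
    sign_component "$xpc" "$entitlements" || rc=1
  done < <(find "$APP_PATH/Contents" -type d -name "*.xpc" -print0)

  echo "3. Signing plugins and extensions..."
  if [[ -d "$APP_PATH/Contents/PlugIns" ]]; then
    while IFS= read -r -d '' plugin; do
      sign_component "$plugin" "$widget_entitlements" || rc=1
    done < <(find "$APP_PATH/Contents/PlugIns" -type d -name "*.appex" -print0)
  fi

  echo "4. Signing main application..."
  sign_component "$APP_PATH" "$entitlements" || rc=1

  echo "5. Cleaning up..."
  rm -f -- "$entitlements" "$widget_entitlements"

  echo "6. Verifying signature..."
  # --strict applies the same checks Gatekeeper would; the exit status is no
  # longer thrown away.
  if ! codesign --verify --deep --strict --verbose=4 "$APP_PATH"; then
    echo "Error: signature verification failed for $APP_PATH" >&2
    rc=1
  fi

  echo "7. Testing launch..."
  if (( rc != 0 )); then
    echo "Skipping launch: signing or verification reported errors." >&2
  elif [[ -d "$APP_PATH" ]]; then
    if [[ -n "${SUDO_USER:-}" && "$SUDO_USER" != "root" ]]; then
      echo "Attempting to launch application as $SUDO_USER..."
      # Drop back to the invoking user; do not start the app as root.
      sudo -u "$SUDO_USER" open "$APP_PATH" || echo "Warning: Could not launch application automatically."
    else
      echo "Not launching from a root shell; start the application from your own session to test it."
    fi
  fi

  return "$rc"
}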
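# Check if script is run with sudo
# codesign over /Applications needs write access to the bundle; refuse early
# rather than failing half-way through the signing steps.
if [[ "$EUID" -ne 0 ]]; then
  echo "Please run with sudo" >&2
  exit 1
fi

# Get app path from user
# -r keeps backslashes literal. The name is anchored under /Applications and a
# subdirectory (e.g. Utilities/Foo.app) is still accepted, but an empty answer
# or a ".." component is almost certainly a typo and, with root privileges,
# would re-sign (and later launch) something outside /Applications.
read -r -p "Enter the name of the application (including .app extension): " APP_NAME
case "/$APP_NAME/" in
  "//" | */../*)
    echo "Error: invalid application name: '$APP_NAME'" >&2
    exit 1
    ;;
esac
APP_PATH="/Applications/$APP_NAME"
if [[ ! -d "$APP_PATH" ]]; then
  echo "Error: Application not found at $APP_PATH" >&2
  exit 1
fi
# sign_app's return status becomes the script's exit status.
sign_app "$APP_PATH"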