Add macOS signing changes (#1856)

* Add short version to the Info.plist

* Add entitlements and work into the qmake project

* Add signing details to macdeployqt call

* Add some more entitlements

* Add app category for apple

* Fix up entitlements for signing / notarization for non-app store deployment

* Put signing of mac os behind a -s flag in the deploy_mac.sh script

* Split out the client / server entitlements
Remove hard-coded certificate name

* Minimise entitlements and enable sandboxing of the app / server

* Remove windows-only resource reference from mac build; add icon to xcode project

* Add missing components to Info.plist; sync them up. Put back required RC_FILE (used in deploy_mac.sh)

* Add minimum required macOS version as required by app store

* Remove whitespace for PR review; remove unneeded team / provisioning profile IDs (only used in xcode project not signing)

* Add a changelog entry

* Update for consistency with rest of change log

Author: emlynmac

ChangeLog

@@ -1,6 +1,9 @@
 
 ### 3.8.0dev <- NOTE: the release version number will be 3.8.1 ###
 
+- Internal: mac/deploy_mac.sh now takes an optional parameter to a certificate name to sign the build with.
+  (contributed by @emlynmac)
+
 - CLI: Jamulus now shows a link to the Website for translated content (#1759).
   (contributed by @henkdegroot)
 

Jamulus.entitlements

@@ -0,0 +1,14 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+	<key>com.apple.security.app-sandbox</key>
+	<true/>
+	<key>com.apple.security.device.audio-input</key>
+	<true/>
+	<key>com.apple.security.network.client</key>
+	<true/>
+	<key>com.apple.security.network.server</key>
+	<true/>
+</dict>
+</plist>

Jamulus.pro

@@ -128,10 +128,10 @@ win32 {
 
         DEFINES += SERVER_BUNDLE
         TARGET = $${TARGET}Server
-        MACOSX_BUNDLE_ICON_FILE = jamulus-server-icon-2020.icns
+        MACOSX_BUNDLE_ICON.files = mac/jamulus-server-icon-2020.icns
         RC_FILE = mac/jamulus-server-icon-2020.icns
     } else {
-        MACOSX_BUNDLE_ICON_FILE = mainicon.icns
+        MACOSX_BUNDLE_ICON.files = mac/mainicon.icns
         RC_FILE = mac/mainicon.icns
     }
 
@@ -141,11 +141,20 @@ win32 {
     HEADERS += mac/activity.h
     OBJECTIVE_SOURCES += mac/activity.mm
     CONFIG += x86
-    QMAKE_TARGET_BUNDLE_PREFIX = net.sourceforge.llcon
+    QMAKE_TARGET_BUNDLE_PREFIX = io.jamulus
     QMAKE_APPLICATION_BUNDLE_NAME. = $$TARGET
 
+    OSX_ENTITLEMENTS.files = Jamulus.entitlements
+    OSX_ENTITLEMENTS.path = Contents/Resources 
+    QMAKE_BUNDLE_DATA += OSX_ENTITLEMENTS
+    
     macx-xcode {
         QMAKE_INFO_PLIST = mac/Info-xcode.plist
+        XCODE_ENTITLEMENTS.name = CODE_SIGN_ENTITLEMENTS
+        XCODE_ENTITLEMENTS.value = Jamulus.entitlements
+        QMAKE_MAC_XCODE_SETTINGS += XCODE_ENTITLEMENTS
+        MACOSX_BUNDLE_ICON.path = Contents/Resources
+        QMAKE_BUNDLE_DATA += MACOSX_BUNDLE_ICON
     } else {
         QMAKE_INFO_PLIST = mac/Info-make.plist
     }
@@ -184,7 +193,7 @@ win32 {
     HEADERS += ios/ios_app_delegate.h
     HEADERS += ios/sound.h
     OBJECTIVE_SOURCES += ios/sound.mm
-    QMAKE_TARGET_BUNDLE_PREFIX = com.jamulussoftware.jamulus
+    QMAKE_TARGET_BUNDLE_PREFIX = io.jamulus
     QMAKE_APPLICATION_BUNDLE_NAME. = $$TARGET
     LIBS += -framework CoreFoundation \
         -framework CoreServices \

mac/Info-make.plist

@@ -12,15 +12,24 @@
         <string>APPL</string>
         <key>CFBundleVersion</key>
         <string>@FULL_VERSION@</string>
+        <key>CFBundleShortVersionString</key>
+	    <string>@SHORT_VERSION@</string>
+        <key>CFBundleSupportedPlatforms</key>
+	    <array>
+		    <string>MacOSX</string>
+        </array>
+        <key>LSApplicationCategoryType</key>
+	    <string>public.app-category.music</string>
+        <key>LSMinimumSystemVersion</key>
+        <string>10.13.0</string>
         <key>CFBundleExecutable</key>
         <string>@EXECUTABLE@</string>
         <key>CFBundleDevelopmentRegion</key>
         <string>en</string>
         <key>CFBundleIconFile</key>
         <string>@ICON@</string>
         <key>CFBundleGetInfoString</key>
-        <string>Created by Qt/QMake</string>
-
+        <string>Jamulus - Created with QT</string>
         <key>NSPrincipalClass</key>
         <string>NSApplication</string>
         <key>NSMicrophoneUsageDescription</key>

mac/Info-xcode.plist

@@ -1,32 +1,40 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
 <plist version="1.0">
-    <dict>
-        <key>CFBundleName</key>
-        <string>${EXECUTABLE_NAME}</string>
-        <key>CFBundleDisplayName</key>
-        <string>${EXECUTABLE_NAME}</string>
-        <key>CFBundleIdentifier</key>
-        <string>${PRODUCT_BUNDLE_IDENTIFIER}</string>
-        <key>CFBundlePackageType</key>
-        <string>APPL</string>
-        <key>CFBundleVersion</key>
-        <string>${QMAKE_FULL_VERSION}</string>
-        <key>CFBundleExecutable</key>
-        <string>${EXECUTABLE_NAME}</string>
-        <key>CFBundleDevelopmentRegion</key>
-        <string>en</string>
-        <key>CFBundleIconFile</key>
-        <string>${ASSETCATALOG_COMPILER_APPICON_NAME}</string>
-        <key>CFBundleGetInfoString</key>
-        <string>Created by Qt/QMake</string>
-
-        <key>NSPrincipalClass</key>
-        <string>NSApplication</string>
-        <key>NSMicrophoneUsageDescription</key>
-        <string>Jamulus needs access to the microphone to record and stream your music to other musicians</string>
-        <!-- Temporarily opt out of Dark Mode as Qt 5.9 does not support it well, see https://bugreports.qt.io/browse/QTBUG-68891 -->
-        <key>NSRequiresAquaSystemAppearance</key>
-        <string>true</string>
-    </dict>
+<dict>
+	<key>CFBundleName</key>
+	<string>${EXECUTABLE_NAME}</string>
+	<key>CFBundleDisplayName</key>
+	<string>${EXECUTABLE_NAME}</string>
+	<key>CFBundleIdentifier</key>
+	<string>${PRODUCT_BUNDLE_IDENTIFIER}</string>
+	<key>CFBundlePackageType</key>
+	<string>APPL</string>
+	<key>CFBundleVersion</key>
+	<string>${QMAKE_FULL_VERSION}</string>
+	<key>CFBundleShortVersionString</key>
+	<string>${QMAKE_SHORT_VERSION}</string>
+	<key>CFBundleSupportedPlatforms</key>
+	<array>
+		<string>MacOSX</string>
+	</array>
+	<key>LSApplicationCategoryType</key>
+	<string>public.app-category.music</string>
+	<key>LSMinimumSystemVersion</key>
+    <string>10.13.0</string>
+	<key>CFBundleExecutable</key>
+	<string>${EXECUTABLE_NAME}</string>
+	<key>CFBundleDevelopmentRegion</key>
+	<string>en</string>
+	<key>CFBundleIconFile</key>
+	<string>mainicon.icns</string>
+	<key>CFBundleGetInfoString</key>
+	<string>Jamulus - Created with QT</string>
+	<key>NSPrincipalClass</key>
+	<string>NSApplication</string>
+	<key>NSMicrophoneUsageDescription</key>
+	<string>Jamulus needs access to the microphone to record and stream your music to other musicians</string>
+	<key>NSRequiresAquaSystemAppearance</key>
+	<string>true</string>
+</dict>
 </plist>

mac/deploy_mac.sh

@@ -7,7 +7,28 @@ macdeploy_path="${root_path}/mac"
 resources_path="${root_path}/src/res"
 build_path="${root_path}/build"
 deploy_path="${root_path}/deploy"
-
+cert_name=""
+
+
+while getopts 'hs:' flag; do
+    case "${flag}" in
+    s) 
+    cert_name=$OPTARG 
+    if [[ -z "$cert_name" ]]; then
+        echo "Please add the name of the certificate to use: -s \"<name>\""
+    fi
+    # shift 2
+    ;;
+    h) 
+    echo "Usage: -s <cert name> for signing mac build" 
+    exit 0 
+    ;;
+    *)
+    exit 1
+    ;;
+   
+    esac
+done
 
 cleanup()
 {
@@ -29,7 +50,11 @@ build_app()
     make -f "${build_path}/Makefile" -C "${build_path}" -j "${job_count}"
 
     # Add Qt deployment dependencies
-    macdeployqt "${build_path}/${target_name}.app" -verbose=2 -always-overwrite
+    if [[ -z "$cert_name" ]]; then
+        macdeployqt "${build_path}/${target_name}.app" -verbose=2 -always-overwrite
+    else
+        macdeployqt "${build_path}/${target_name}.app" -verbose=2 -always-overwrite -hardened-runtime -timestamp -appstore-compliant -sign-for-notarization="${cert_name}"
+    fi
     mv "${build_path}/${target_name}.app" "${deploy_path}"
 
     # Cleanup