Checking Codesign with AppleScript

The project has a large number of binaries whose code signature needs checking, and doing them one at a time is too slow, so I looked at scripting the task.
A side note on entitlements first: I recently found that if Qt is built without them, QtWebEngineProcess crashes outright.
Entitlements are attached to the executable and can be read back from it:
conanchen@ConanChen ~ % codesign --display --entitlements - --xml /Users/conanchen/client-delivery/3P/AIRMAX/NU.FY23_2022.11.25/MAC64/Frameworks/Release/AIRMAX/adexmtsv
Executable=/Users/conanchen/client-delivery/3P/AIRMAX/NU.FY23_2022.11.25/MAC64/Frameworks/Release/AIRMAX/adexmtsv
The command above prints the value of --entitlements (the entitlements plist embedded in the binary).
As in the previous post, checking a signature means running codesign -vvv first, then codesign -dvvv to show the certificate, and filtering out ad-hoc signatures (adhoc, i.e. signed without a certificate).
One annoying detail: codesign writes its output to standard error, not standard output, so the pipeline has to redirect 2>&1 before grep sees anything.
In addition, when AppleScript runs a shell command and the command fails, for example because the signature above is invalid and codesign exits with status 1, do shell script commandLine raises an error rather than returning output.
The same applies to find and grep (grep exits 1 when nothing matches), so it is best to wrap them in an AppleScript try ... on error block.
In AppleScript,
try
    set frameworkFiles to do shell script commandLine
on error
    -- fall back to empty text rather than {}: `every paragraph of` is only defined on text
    set frameworkFiles to ""
end try
lets the on error branch handle the failure when one occurs.
Also, in the Finder block:
tell application "Finder"
    set selectedItems to selection as alias list
    if selectedItems is {} then return
    #set firstFile to quoted form of POSIX path of (item 1 of selectedItems)
    set firstFile to POSIX path of (item 1 of selectedItems)
end tell
If quoted form of is used, the result is wrapped in ' on both sides rather than the double quotes I wanted, and escaping in between is rather troublesome, so the script builds the double-quoted path by hand.
This is the entire QuickAction script:
tell application "Finder"
    set selectedItems to selection as alias list
    if selectedItems is {} then return
    #set firstFile to quoted form of POSIX path of (item 1 of selectedItems)
    set firstFile to POSIX path of (item 1 of selectedItems)
    set baseName to "./"
    -- double-quoted path for the shell (quoted form of would give single quotes)
    set targetFolder to "\"" & firstFile & "\""
    set isDirectory to do shell script "file -b " & targetFolder
    if isDirectory is equal to "directory" then
        -- when a bundle itself is selected, scan from its parent so find reports ./Name.app
        if firstFile ends with ".framework/" or firstFile ends with ".app/" or firstFile ends with ".bundle/" then
            set parentPath to do shell script "dirname " & targetFolder
            log parentPath
            set baseName to baseName & (do shell script "basename " & targetFolder)
            log baseName
            set targetFolder to "\"" & parentPath & "\""
            log targetFolder
        end if
        -- nested bundles (frameworks, apps, plug-in bundles) below the target
        set commandLine to "cd " & targetFolder & ";find " & baseName & " -name \"*.framework\" -or -name \"*.app\" -or -name \"*.bundle\""
        log commandLine
        try
            set frameworkFiles to do shell script commandLine
        on error
            -- empty text, not {}: `every paragraph of` only works on text
            set frameworkFiles to ""
        end try
        -- loose Mach-O files: run `file` in parallel, drop the per-architecture lines of fat binaries
        set commandLine to "export NCPU=`sysctl -n hw.physicalcpu`;cd " & targetFolder & ";find " & baseName & " -type f -print0 | xargs -P $NCPU -0 -L1 file | grep -v -E \"for architecture\" | grep -E \"Mach-O .*\" | cut -d \":\" -f1 | grep -v -E \"(x86_64]|arm64])\""
        try
            set machoFiles to do shell script commandLine
        on error
            -- grep exits 1 when nothing matches, which do shell script reports as an error
            set machoFiles to ""
        end try
        set frameworkFileLists to every paragraph of frameworkFiles
        set machoFileLists to every paragraph of machoFiles
        repeat with machoFileRef in machoFileLists
            -- dereference the loop variable before comparing it with text
            set machoFile to contents of machoFileRef
            -- Mach-O files inside a bundle are covered by verifying the bundle itself
            if machoFile does not contain ".framework/" and machoFile does not contain ".app/" and machoFile does not contain ".bundle/" then
                if frameworkFileLists does not contain machoFile then
                    set end of frameworkFileLists to machoFile
                end if
            end if
        end repeat
        tell application "Terminal"
            activate
            set currentTab to do script ("cd " & targetFolder)
        end tell
    else
        -- a single file: keep the bare path, it is quoted before being passed to the shell below
        set frameworkFileLists to {firstFile}
        tell application "Terminal"
            activate
            set currentTab to do script ("echo " & targetFolder)
        end tell
    end if
    repeat with machoFileRef in frameworkFileLists
        set machoFile to contents of machoFileRef
        set quotedFile to quoted form of machoFile
        log machoFile
        -- codesign writes to stderr, hence 2>&1; grep exits 1 on no match, hence the try
        try
            set codesign_verify_result to do shell script "cd " & targetFolder & ";codesign -vvv " & quotedFile & " 2>&1 | grep -E \"(valid on disk|satisfies its Designated Requirement|a sealed resource is missing or invalid|invalid signature|code object is not signed at all)\""
        on error
            set codesign_verify_result to ""
        end try
        if codesign_verify_result contains "invalid signature" or codesign_verify_result contains "code object is not signed at all" or codesign_verify_result contains "a sealed resource is missing or invalid" then
            tell application "Terminal"
                activate
                do script ("codesign -vvv " & quotedFile) in currentTab
                -- wait for that command to finish before queuing the next one
                delay 0.2
                repeat while busy of currentTab
                    delay 0.1
                end repeat
            end tell
        else
            try
                set codesign_display_result to do shell script "cd " & targetFolder & ";codesign -dvvv " & quotedFile & " 2>&1 | grep -E \"(Authority=Developer ID Application:|adhoc)\""
            on error
                set codesign_display_result to ""
            end try
            if codesign_display_result contains "adhoc" then
                tell application "Terminal"
                    activate
                    do script ("echo " & quotedFile & " is adhoc codesign") in currentTab
                end tell
            else if codesign_display_result contains "My Company Certificate" then
                -- placeholder: replace with your own Developer ID name; expected signers need no report
            else
                tell application "Terminal"
                    activate
                    do script ("echo \"" & machoFile & "\" is codesigned with \"" & codesign_display_result & "\"") in currentTab
                end tell
            end if
        end if
    end repeat
end tell
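The same pass/fail decision as plain sh, as an added example that is not part of the original post: classify_codesign applies the script's string checks to the text codesign prints (on stderr, so callers redirect 2>&1), and check_tree runs the find/file pipeline and codesign on macOS. The sample codesign output at the bottom is constructed, not captured from a real binary.

```shell
#!/bin/sh
# Classify one binary from the text of `codesign -vvv` ($1) and `codesign -dvvv` ($2).
# Prints one word: invalid | adhoc | developer-id | other
classify_codesign() {
    verify_out=$1
    display_out=$2
    # the three verify failures the AppleScript sends to the Terminal for inspection
    case $verify_out in
        *"invalid signature"*|*"code object is not signed at all"*|*"a sealed resource is missing or invalid"*)
            echo invalid
            return 0 ;;
    esac
    # otherwise look at who signed it (Signature=adhoc means no certificate at all)
    case $display_out in
        *adhoc*) echo adhoc ;;
        *"Authority=Developer ID Application:"*) echo developer-id ;;
        *) echo other ;;
    esac
}

# macOS only: list bundles and loose Mach-O files below "$1", then classify each.
# Mach-O files inside a bundle are skipped; verifying the bundle covers them.
check_tree() {
    cd "$1" || return 1
    {
        find . -name '*.framework' -o -name '*.app' -o -name '*.bundle'
        find . -type f -print0 | xargs -0 file | grep -v 'for architecture' \
            | grep 'Mach-O' | cut -d: -f1
    } | sort -u | while IFS= read -r f; do
        case $f in *.framework/*|*.app/*|*.bundle/*) continue ;; esac
        v=$(codesign -vvv "$f" 2>&1)
        d=$(codesign -dvvv "$f" 2>&1)
        printf '%s\t%s\n' "$(classify_codesign "$v" "$d")" "$f"
    done
}

# Constructed sample output for a dry run without codesign:
SAMPLE_VERIFY='Foo.app: valid on disk
Foo.app: satisfies its Designated Requirement'
SAMPLE_DISPLAY='Authority=Developer ID Application: Example Corp (TEAMID0000)
Authority=Developer ID Certification Authority'
classify_codesign "$SAMPLE_VERIFY" "$SAMPLE_DISPLAY"   # prints: developer-id
```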