diff options
| author | Dominik Schmidt <dev@dominik-schmidt.de> | 2019-01-28 16:20:43 +0300 |
|---|---|---|
| committer | Markus Goetz <markus@woboq.com> | 2019-02-05 11:48:30 +0300 |
| commit | 3f38484470efea40b007f1caa71fea01edb09655 (patch) | |
| tree | 8a08e1f4cfbe50721c7d24e944b2b579b0d4711e /admin | |
| parent | 6b7ac286e1bfbd42997e0063db8c5aaf99a27e18 (diff) | |
Enable runtime hardening for macOS builds
Diffstat (limited to 'admin')
| -rwxr-xr-x | admin/osx/sign_app.sh | 6 |
1 files changed, 3 insertions, 3 deletions
diff --git a/admin/osx/sign_app.sh b/admin/osx/sign_app.sh index e495fe105..57e29cc95 100755 --- a/admin/osx/sign_app.sh +++ b/admin/osx/sign_app.sh @@ -6,14 +6,14 @@ src_app="$1" identity="$2" team_identifier="$3" -codesign -s "$identity" --force --preserve-metadata=entitlements --verbose=4 --deep "$src_app" +codesign -s "$identity" --force --preserve-metadata=entitlements --verbose=4 --options runtime --deep "$src_app" # Verify the signature codesign -dv $src_app -codesign --verify -v $src_app +codesign --verify -v --strict $src_app spctl -a -t exec -vv $src_app # Validate that the key used for signing the binary matches the expected TeamIdentifier # needed to pass the SocketApi through the sandbox codesign -dv $src_app 2>&1 | grep "TeamIdentifier=$team_identifier" -exit $?
\ No newline at end of file +exit $? |