Merge pull request #9298 from nextcloud/bugfix/signing

mgallien · web-flow · commit c9b5fbbf0dda · 2026-01-12T08:47:33.000+01:00
Implement signing for Sparkle Installer and Autoupdate
diff --git a/admin/osx/mac-crafter/Sources/Utils/Signer.swift b/admin/osx/mac-crafter/Sources/Utils/Signer.swift
@@ -159,6 +159,42 @@ enum Signer: Signing {
         await sign(at: location, with: codeSignIdentity, entitlements: nil)
     }
 
+    ///
+    /// Find and sign the Sparkle Installer inside the Sparkle framework.
+    ///
+    /// This needs explicit treatment because codesign does not automatically sign it when signing the upstream framework bundle.
+    ///
+    private static func signSparkleInstaller(in bundle: URL, with codeSignIdentity: String) async {
+        let location = bundle
+            .appendingPathComponent("Contents")
+            .appendingPathComponent("Frameworks")
+            .appendingPathComponent("Sparkle.framework")
+            .appendingPathComponent("Versions")
+            .appendingPathComponent("B")
+            .appendingPathComponent("XPCServices")
+            .appendingPathComponent("Installer")
+            .appendingPathExtension("xpc")
+
+        await sign(at: location, with: codeSignIdentity, entitlements: nil)
+    }
+    
+    ///
+    /// Find and sign the Sparkle autoupdate inside the Sparkle framework.
+    ///
+    /// This needs explicit treatment because codesign does not automatically sign it when signing the upstream framework bundle.
+    ///
+    private static func signSparkleAutoupdate(in bundle: URL, with codeSignIdentity: String) async {
+        let location = bundle
+            .appendingPathComponent("Contents")
+            .appendingPathComponent("Frameworks")
+            .appendingPathComponent("Sparkle.framework")
+            .appendingPathComponent("Versions")
+            .appendingPathComponent("B")
+            .appendingPathComponent("Autoupdate")
+
+        await sign(at: location, with: codeSignIdentity, entitlements: nil)
+    }
+
     ///
     /// Find and sign the Sparkle updater app inside the Sparkle framework.
     ///
@@ -234,6 +270,8 @@ enum Signer: Signing {
         await signQtWebEngineProcessApp(in: location, with: codeSignIdentity)
         await signSparkleDownloader(in: location, with: codeSignIdentity)
         await signSparkleUpdaterApp(in: location, with: codeSignIdentity)
+        await signSparkleInstaller(in: location, with: codeSignIdentity)
+        await signSparkleAutoupdate(in: location, with: codeSignIdentity)
 
         let frameworksInsideMainBundle = try findFrameworks(at: location)
 
