Fix code signature on macOS

We build packages with extra debug info, but sign the application before
removing the debug info for the release package.
We have to codesign (potentially again) between copying and packaging.

Task-number: QTCREATORBUG-20370
Change-Id: I5549ca5045eb995e5a61794473c2d0180b778711
Reviewed-by: Tim Jenssen <tim.jenssen@qt.io>

scripts/common.py

@@ -177,3 +177,13 @@ def is_debug(path, filenames):
 def is_not_debug(path, filenames):
     files = [fn for fn in filenames if os.path.isfile(os.path.join(path, fn))]
     return [fn for fn in files if not is_debug_file(os.path.join(path, fn))]
+
+def codesign(app_path):
+    signing_identity = os.environ.get('SIGNING_IDENTITY')
+    if is_mac_platform() and signing_identity:
+        codesign_call = ['codesign', '--force', '--deep', '-s', signing_identity, '-v']
+        signing_flags = os.environ.get('SIGNING_FLAGS')
+        if signing_flags:
+            codesign_call.extend(signing_flags.split())
+        codesign_call.append(app_path)
+        subprocess.check_call(codesign_call)

scripts/createDistPackage.py

@@ -33,7 +33,8 @@ import tempfile
 import common
 
 def parse_arguments():
-    parser = argparse.ArgumentParser(description="Create Qt Creator package, filtering out debug information files.")
+    parser = argparse.ArgumentParser(description="Create Qt Creator package, filtering out debug information files.",
+        epilog="To sign the contents before packaging on macOS, set the SIGNING_IDENTITY and optionally the SIGNING_FLAGS environment variables.")
     parser.add_argument('--7z', help='path to 7z binary',
         default='7z.exe' if common.is_windows_platform() else '7z',
         metavar='<7z_binary>', dest='sevenzip')
@@ -52,6 +53,10 @@ def main():
     try:
         common.copytree(arguments.source_directory, tempdir, symlinks=True,
             ignore=(common.is_not_debug if arguments.debug else common.is_debug))
+        # on macOS we might have to codesign (again) to account for removed debug info
+        if not arguments.debug:
+            common.codesign(tempdir)
+        # package
         zip_source = os.path.join(tempdir, '*') if arguments.exclude_toplevel else tempdir
         subprocess.check_call([arguments.sevenzip, 'a', '-mx9',
             arguments.target_archive, zip_source])

scripts/makedmg.py

@@ -34,7 +34,8 @@ import time
 import common
 
 def parse_arguments():
-    parser = argparse.ArgumentParser(description='Create Qt Creator disk image, filtering out debug information files.')
+    parser = argparse.ArgumentParser(description='Create Qt Creator disk image, filtering out debug information files.',
+        epilog="To sign the contents before packaging on macOS, set the SIGNING_IDENTITY and optionally the SIGNING_FLAGS environment variables.")
     parser.add_argument('target_diskimage', help='output .dmg file to create')
     parser.add_argument('dmg_volumename', help='volume name to use for the disk image')
     parser.add_argument('source_directory', help='directory with the Qt Creator sources')
@@ -47,6 +48,9 @@ def main():
     tempdir = os.path.join(tempdir_base, os.path.basename(arguments.binary_directory))
     try:
         common.copytree(arguments.binary_directory, tempdir, symlinks=True, ignore=common.is_debug)
+        if common.is_mac_platform():
+            app_path = [app for app in os.listdir(tempdir) if app.endswith('.app')][0]
+            common.codesign(os.path.join(tempdir, app_path))
         os.symlink('/Applications', os.path.join(tempdir, 'Applications'))
         shutil.copy(os.path.join(arguments.source_directory, 'LICENSE.GPL3-EXCEPT'), tempdir)
         dmg_cmd = ['hdiutil', 'create', '-srcfolder', tempdir, '-volname', arguments.dmg_volumename,