From f3f458da8527969a251599054060c8f638375d5a Mon Sep 17 00:00:00 2001
From: Micah Lee
Date: Sun, 21 Apr 2019 19:13:48 -0700
Subject: macOS package hardening (#967) When making a macOS release, add a timestamp to signature
---
 install/build_osx.sh | 21 ++++++++++++++++++---
 1 file changed, 18 insertions(+), 3 deletions(-)
diff --git a/install/build_osx.sh b/install/build_osx.sh
index 010e3edb..40e1fe90 100755
--- a/install/build_osx.sh
+++ b/install/build_osx.sh
@@ -27,11 +27,26 @@ if [ "$1" = "--release" ]; then
 ENTITLEMENTS_PARENT_PATH="$ROOT/install/macos_sandbox/parent.plist"
 echo "Codesigning the app bundle"
- codesign --deep -s "$IDENTITY_NAME_APPLICATION" -f --entitlements "$ENTITLEMENTS_CHILD_PATH" "$APP_PATH"
- codesign -s "$IDENTITY_NAME_APPLICATION" -f --entitlements "$ENTITLEMENTS_PARENT_PATH" "$APP_PATH"
+ codesign \
+ --deep \
+ -s "$IDENTITY_NAME_APPLICATION" \
+ --force \
+ --entitlements "$ENTITLEMENTS_CHILD_PATH" \
+ --timestamp \
+ "$APP_PATH"
+ codesign \
+ -s "$IDENTITY_NAME_APPLICATION" \
+ --force \
+ --entitlements "$ENTITLEMENTS_PARENT_PATH" \
+ --timestamp \
+ "$APP_PATH"
 echo "Creating an installer"
- productbuild --sign "$IDENTITY_NAME_INSTALLER" --component "$APP_PATH" /Applications "$PKG_PATH"
+ productbuild \
+ --sign "$IDENTITY_NAME_INSTALLER" \
+ --component "$APP_PATH" /Applications \
+ --timestamp \
+ "$PKG_PATH"
 echo "Cleaning up"
 rm -rf "$APP_PATH"
-- cgit v1.2.3-54-g00ecf
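Review bot: Nothing in the hunk checks that the two `codesign` calls or `productbuild` succeeded before `rm -rf "$APP_PATH"` runs, and the added `--timestamp` makes each of them depend on reaching a timestamp service, so a failed signing step becomes more likely. Whether `set -e` is in effect is not visible here (the `if [ "$1" = "--release" ]` block starts above the hunk and continues below it); if it is not, a release installer could be built from an unsigned or partly signed bundle. I would gate the release on verification: `codesign --verify --deep --strict "$APP_PATH" || exit 1` after the second `codesign`, and `pkgutil --check-signature "$PKG_PATH" || exit 1` after `productbuild`.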