Various cmake build cleanups/refactors

- Added contrib/macos/README.txt with description of the cancer happening here. - Add provisioningprofiles that Apple wants to make things work properly - Made the entitlements files match the provisioningprofiles - Remove configured entitlements files; we *can't* change any of the things here because they are closedly tied to the provisioningprofiles -- which means if someone wants to build their own Lokinet, they have to replace a bunch of crap and change application IDs throughout. This is the hostile-to-open-source Apple way. - Remove unused old lokinet binary, as we're no longer using it on macos - Use a POST_BUILD rather than install to copy things around into the right places - Convert all the configure_file's to consistently use @ONLY - Misc cleanups
3 years ago · 0bb00baacf
parent 5edd045c9b
commit 0bb00baacf
12 changed files with 136 additions and 91 deletions
--- a/contrib/mac.sh
+++ b/contrib/mac.sh
@ -22,7 +22,7 @@ cmake \
      -DFORCE_OXENMQ_SUBMODULE=ON \
      -DSUBMODULE_CHECK=OFF \
      -DWITH_LTO=OFF \
-      -DCMAKE_INSTALL_PREFIX=$(pwd) \
      -DCMAKE_BUILD_TYPE=Release \
-      $@ ..
+      "$@" \
+      ..
 ninja install && ninja sign
--- a/contrib/macos/LokinetExtension.Info.plist.in
+++ b/contrib/macos/LokinetExtension.Info.plist.in
@ -21,7 +21,7 @@
 	  <string>lokinet</string>

 	  <key>CFBundleVersion</key>
-	  <string>${LOKINET_VERSION}</string>
+	  <string>@LOKINET_VERSION@</string>

 	  <key>ITSAppUsesNonExemptEncryption</key>
 	  <false/>
--- a/contrib/macos/README.txt
+++ b/contrib/macos/README.txt
@ -0,0 +1,23 @@
+This directory contains the magical incantations and random voodoo symbols needed to coax an Apple
+build.  There's no reason builds have to be this stupid, except that Apple wants to funnel everyone
+into the no-CI, no-help, undocumented, non-toy-apps-need-not-apply modern Apple culture.
+
+This is disgusting.
+
+
+
+
+These two files, in particular, are the very worst manifestations of this Apple cancer: they are
+required for proper permissions to run on macOS, are undocumented, and can only be regenerated
+through the entirely closed source Apple Developer backend:
+
+    lokinet.provisionprofile
+    lokinet-extension.provisionprofile
+
+This is actively hostile to open source development, but that is nothing new for Apple.
+
+If you are reading this to try to build Lokinet for yourself for an Apple operating system and
+simultaneously care about open source, privacy, or freedom then you, my friend, are a walking
+contradiction: you are trying to get Lokinet to work on a platform that actively despises open
+source, privacy, and freedom.  Even Windows is a better choice in all of these categories than
+Apple.
--- a/contrib/macos/lokinet-extension.entitlements.plist
+++ b/contrib/macos/lokinet-extension.entitlements.plist
@ -0,0 +1,32 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+	<dict>
+
+		<key>com.apple.developer.networking.networkextension</key>
+		<array>
+				<string>packet-tunnel-provider-systemextension</string>
+				<string>app-proxy-provider-systemextension</string>
+				<string>content-filter-provider-systemextension</string>
+				<string>dns-proxy-systemextension</string>
+				<string>dns-settings</string>
+		</array>
+
+		<key>com.apple.developer.networking.vpn.api</key>
+		<array>
+				<string>allow-vpn</string>
+		</array>
+
+		<key>com.apple.application-identifier</key>
+		<string>SUQ8J2PCT7.com.loki-project.lokinet.network-extension</string>
+
+		<key>keychain-access-groups</key>
+		<array>
+				<string>SUQ8J2PCT7.*</string>
+		</array>
+
+		<key>com.apple.developer.team-identifier</key>
+		<string>SUQ8J2PCT7</string>
+
+	</dict>
+</plist>
--- a/contrib/macos/lokinet-extension.entitlements.plist.in
+++ b/contrib/macos/lokinet-extension.entitlements.plist.in
@ -1,25 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
-<plist version="1.0">
-  <dict>
-    <key>com.apple.developer.networking.networkextension</key>
-    <array>
-      <string>packet-tunnel-provider</string>
-    </array>
-    <!--
-    <key>com.apple.developer.networking.vpn.api</key>
-    <array>
-      <string>allow-vpn</string>
-    </array>
-    <key>com.apple.security.app-sandbox</key>
-    <true/>
-    
-    <key>com.apple.security.application-groups</key>
-    <array>
-      <string>${CODESIGN_TEAM_ID}.com.loki-project.lokinet.network-extension</string>
-    </array>
-    -->
-    <key>com.apple.security.network.client</key>
-    <true/>
-  </dict>
-</plist>
--- a/contrib/macos/lokinet-extension.provisionprofile
+++ b/contrib/macos/lokinet-extension.provisionprofile
--- a/contrib/macos/lokinet.entitlements.plist
+++ b/contrib/macos/lokinet.entitlements.plist
@ -0,0 +1,32 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+	<dict>
+
+		<key>com.apple.developer.networking.networkextension</key>
+		<array>
+				<string>packet-tunnel-provider-systemextension</string>
+				<string>app-proxy-provider-systemextension</string>
+				<string>content-filter-provider-systemextension</string>
+				<string>dns-proxy-systemextension</string>
+				<string>dns-settings</string>
+		</array>
+
+		<key>com.apple.developer.networking.vpn.api</key>
+		<array>
+				<string>allow-vpn</string>
+		</array>
+
+		<key>com.apple.application-identifier</key>
+		<string>SUQ8J2PCT7.com.loki-project.lokinet</string>
+
+		<key>keychain-access-groups</key>
+		<array>
+				<string>SUQ8J2PCT7.*</string>
+		</array>
+
+		<key>com.apple.developer.team-identifier</key>
+		<string>SUQ8J2PCT7</string>
+
+	</dict>
+</plist>
--- a/contrib/macos/lokinet.entitlements.plist.in
+++ b/contrib/macos/lokinet.entitlements.plist.in
@ -1,24 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
-<plist version="1.0">
-  <dict>
-    <key>com.apple.developer.networking.networkextension</key>
-    <array>
-      <string>packet-tunnel-provider</string>
-    </array>
-    <!--
-    <key>com.apple.developer.networking.vpn.api</key>
-    <array>
-      <string>allow-vpn</string>
-    </array>
-    <key>com.apple.security.app-sandbox</key>
-    <true/>
-    <key>com.apple.security.application-groups</key>
-    <array>
-      <string>${CODESIGN_TEAM_ID}.com.loki-project.lokinet</string>
-    </array>
-    -->
-    <key>com.apple.security.network.client</key>
-    <true/>
-  </dict>
-</plist>
--- a/contrib/macos/lokinet.provisionprofile
+++ b/contrib/macos/lokinet.provisionprofile
--- a/contrib/macos/sign.sh.in
+++ b/contrib/macos/sign.sh.in
@ -1,6 +1,10 @@
 #!/usr/bin/env bash
 set -e
-codesign --verbose=4 --force -s "${CODESIGN_KEY}" --entitlements "${NETEXT_ENTITLEMENTS}" --deep --timestamp --options=runtime "${SIGN_TARGET}/Contents/Frameworks/lokinet-extension.framework" 
-for file in "${SIGN_TARGET}/Contents/MacOS/Lokinet" "${SIGN_TARGET}" ; do
-    codesign --verbose=4 --force -s "${CODESIGN_KEY}" --entitlements "${LOKINET_ENTITLEMENTS}" --deep --timestamp --options=runtime "$file" 
+codesign --verbose=4 --force -s "@CODESIGN_KEY@" \
+  --entitlements "@PROJECT_SOURCE_DIR@/contrib/macos/lokinet-extension.entitlements.plist" \
+  --deep --strict --timestamp --options=runtime "@SIGN_TARGET@/Contents/Frameworks/lokinet-extension.framework"
+for file in "@SIGN_TARGET@/Contents/MacOS/lokinet" "@SIGN_TARGET@" ; do
+    codesign --verbose=4 --force -s "@CODESIGN_KEY@" \
+      --entitlements "@PROJECT_SOURCE_DIR@/contrib/macos/lokinet.entitlements.plist" \
+      --deep --strict --timestamp --options=runtime "$file"
 done
--- a/daemon/CMakeLists.txt
+++ b/daemon/CMakeLists.txt
@ -4,8 +4,6 @@ if(APPLE)
  configure_file(${CMAKE_CURRENT_SOURCE_DIR}/Lokinet.modulemap.in ${CMAKE_CURRENT_BINARY_DIR}/swift/LokinetExtension/module.modulemap ESCAPE_QUOTES @ONLY)
  target_include_directories(lokinet PUBLIC ${CMAKE_CURRENT_BINARY_DIR}/swift)
  target_link_libraries(lokinet PUBLIC lokinet-extension)
-  add_executable(lokinet-old lokinet.cpp)
-  enable_lto(lokinet-old)
 else()
  add_executable(lokinet lokinet.cpp)
  add_executable(lokinet-vpn lokinet-vpn.cpp)
@ -42,10 +40,9 @@ if(NOT APPLE)
  endif()
 endif()

-if(APPLE)
-  set(exetargets lokinet-old lokinet)
-else()
-  set(exetargets lokinet lokinet-vpn lokinet-bootstrap)
+set(exetargets lokinet)
+if(NOT APPLE)
+  list(APPEND exetargets lokinet-vpn lokinet-bootstrap)
 endif()

 foreach(exe ${exetargets})
@ -65,7 +62,7 @@ foreach(exe ${exetargets})
  add_log_tag(${exe})
  if(should_install)
    if(APPLE)
-      install(TARGETS ${exe} BUNDLE DESTINATION "${CMAKE_BINARY_DIR}" COMPONENT lokinet)
+      install(TARGETS ${exe} BUNDLE DESTINATION "${PROJECT_BINARY_DIR}" COMPONENT lokinet)
    else()
      install(TARGETS ${exe} RUNTIME DESTINATION bin COMPONENT lokinet)
    endif()
@ -73,48 +70,50 @@ foreach(exe ${exetargets})
 endforeach()

 if(APPLE)
-#  add_custom_command(TARGET lokinet
-#    POST_BUILD
-#    COMMAND ${CMAKE_COMMAND} -E echo "setting rpath"
-#    COMMAND ${CMAKE_INSTALL_NAME_TOOL} -add_rpath "@executable_path/../Frameworks/" $<TARGET_FILE:lokinet>
-#    )
+
+  set(CODESIGN_KEY "" CACHE STRING "codesign the macos app using this key identity")
+
  add_custom_target(icons ALL
    COMMAND ${PROJECT_SOURCE_DIR}/contrib/macos/mk-icns.sh ${PROJECT_SOURCE_DIR}/contrib/lokinet.svg ${CMAKE_CURRENT_BINARY_DIR}/lokinet.icns
    DEPENDS ${PROJECT_SOURCE_DIR}/contrib/lokinet.svg ${PROJECT_SOURCE_DIR}/contrib/macos/mk-icns.sh)
  add_dependencies(lokinet icons lokinet-extension)
-  install(TARGETS lokinet-extension FRAMEWORK DESTINATION "${CMAKE_CURRENT_BINARY_DIR}/Lokinet.app/Contents/Frameworks" COMPONENT lokinet)
+  add_custom_command(TARGET lokinet
+    POST_BUILD
+    COMMAND ${CMAKE_COMMAND} -E echo "setting rpath"
+    COMMAND ${CMAKE_COMMAND} -E echo ${CMAKE_INSTALL_NAME_TOOL} -add_rpath "@executable_path/../Frameworks/" $<TARGET_FILE:lokinet>
+    COMMAND ${CMAKE_INSTALL_NAME_TOOL} -add_rpath "@executable_path/../Frameworks/" $<TARGET_FILE:lokinet>
+    COMMAND mkdir -p $<TARGET_BUNDLE_DIR:lokinet>/Contents/Frameworks
+    COMMAND cp -au $<TARGET_BUNDLE_DIR:lokinet-extension> $<TARGET_BUNDLE_DIR:lokinet>/Contents/Frameworks/
+    COMMAND ${CMAKE_COMMAND} -E copy_if_different ${PROJECT_SOURCE_DIR}/contrib/macos/lokinet.provisionprofile
+        $<TARGET_BUNDLE_DIR:lokinet>/Contents/embedded.provisionprofile
+    )
+
  set_target_properties(lokinet
    PROPERTIES
    MACOSX_BUNDLE TRUE
    MACOSX_BUNDLE_INFO_STRING "Lokinet IP Packet Onion Router"
    MACOSX_BUNDLE_BUNDLE_NAME "Lokinet"
    MACOSX_BUNDLE_BUNDLE_VERSION "${LOKINET_VERSION}"
-    MACOSX_BUNDLE_LONG_VERSION_STRING "${lokinet_VERSION}.$lokinet_VERSION_MINOR}"
+    MACOSX_BUNDLE_LONG_VERSION_STRING "${lokinet_VERSION}"
    MACOSX_BUNDLE_SHORT_VERSION_STRING "${lokinet_VERSION_MAJOR}.${lokinet_VERSION_MINOR}"
    MACOSX_BUNDLE_GUI_IDENTIFIER "com.loki-project.lokinet"
-    MACOSX_BUNDLE_INFO_PLIST "${CMAKE_SOURCE_DIR}/contrib/macos/Info.plist"
+    MACOSX_BUNDLE_INFO_PLIST "${PROJECT_SOURCE_DIR}/contrib/macos/Info.plist"
    MACOSX_BUNDLE_ICON_FILE "${CMAKE_CURRENT_BINARY_DIR}/lokinet.icns"
-    MACOSX_BUNDLE_COPYRIGHT "© 2021, The Loki Project")
-  option(CODESIGN_KEY "codesign all the shit with this key" OFF)
-  if (CODESIGN_KEY AND CODESIGN_TEAM_ID)
+    MACOSX_BUNDLE_COPYRIGHT "© 2021, The Oxen Project")
+  if (CODESIGN_KEY)
    message(STATUS "codesigning with ${CODESIGN_KEY}")
-    set(SIGN_TARGET "${CMAKE_CURRENT_BINARY_DIR}/Lokinet.app")    
-    configure_file("${CMAKE_SOURCE_DIR}/contrib/macos/lokinet.entitlements.plist.in"
-      "${CMAKE_BINARY_DIR}/lokinet.entitlements.plist")    
-    configure_file("${CMAKE_SOURCE_DIR}/contrib/macos/lokinet-extension.entitlements.plist.in"
-      "${CMAKE_BINARY_DIR}/lokinet-extension.entitlements.plist")
-    set(LOKINET_ENTITLEMENTS "${CMAKE_BINARY_DIR}/lokinet.entitlements.plist")
-    set(NETEXT_ENTITLEMENTS "${CMAKE_BINARY_DIR}/lokinet-extension.entitlements.plist")
+    set(SIGN_TARGET "${CMAKE_CURRENT_BINARY_DIR}/lokinet.app")
    configure_file(
      "${PROJECT_SOURCE_DIR}/contrib/macos/sign.sh.in"
-      "${CMAKE_BINARY_DIR}/sign.sh")
+      "${PROJECT_BINARY_DIR}/sign.sh"
+      @ONLY)
    add_custom_target(
      sign
-      DEPENDS "${CMAKE_BINARY_DIR}/sign.sh" lokinet lokinet-extension
-      COMMAND "${CMAKE_BINARY_DIR}/sign.sh"
+      DEPENDS "${PROJECT_BINARY_DIR}/sign.sh" lokinet lokinet-extension
+      COMMAND "${PROJECT_BINARY_DIR}/sign.sh"
      )
  else()
-    message(STATUS "will not codesign")
+    message(WARNING "Not codesigning: CODESIGN_KEY is not set")
  endif()
 endif()

--- a/llarp/CMakeLists.txt
+++ b/llarp/CMakeLists.txt
@ -272,19 +272,16 @@ if(APPLE)
  # god made apple so that man may suffer
  find_library(NETEXT NetworkExtension REQUIRED)
  find_library(COREFOUNDATION CoreFoundation REQUIRED)
-  
+
  add_library(lokinet-extension SHARED
-    framework.mm
-    ${CMAKE_SOURCE_DIR}/include/lokinet-extension.hpp)
-  target_include_directories(lokinet-extension PUBLIC
-    ${CMAKE_CURRENT_SOURCE_DIR})
+    framework.mm)
  target_link_libraries(lokinet-extension PUBLIC
    liblokinet
    ${COREFOUNDATION}
    ${NETEXT})

-  configure_file(${CMAKE_SOURCE_DIR}/contrib/macos/LokinetExtension.Info.plist.in
-    ${CMAKE_CURRENT_BINARY_DIR}/LokinetExtension.Info.plist)
+  configure_file(${PROJECT_SOURCE_DIR}/contrib/macos/LokinetExtension.Info.plist.in
+    ${CMAKE_CURRENT_BINARY_DIR}/LokinetExtension.Info.plist @ONLY)
  
  set_target_properties(lokinet-extension PROPERTIES
    FRAMEWORK TRUE
@ -296,6 +293,13 @@ if(APPLE)
    # "compatibility version" in semantic format in Mach-O binary file
    SOVERSION ${lokinet_VERSION}
    PUBLIC_HEADER ${CMAKE_SOURCE_DIR}/include/lokinet-extension.hpp)
+
+  add_custom_command(TARGET lokinet-extension
+    POST_BUILD
+    COMMAND ${CMAKE_COMMAND} -E copy_if_different ${PROJECT_SOURCE_DIR}/contrib/macos/lokinet-extension.provisionprofile
+    $<TARGET_BUNDLE_DIR:lokinet-extension>/Versions/Current/embedded.provisionprofile
+    )
+
  
 endif()