From 601f23a1031d5fd2219121375f0ed4caaa1dbbf3 Mon Sep 17 00:00:00 2001
From: Yee Cheng Chin
Date: Tue, 22 Jul 2025 18:24:58 -0700
Subject: [PATCH] Add make target to sign with ad-hoc signature with correct entitlements
By default, building MacVim locally will sign with an ad-hoc signature with no entitlements. Release builds are then signed with the `macvim-signed` target which signs MacVim with a valid signature and embed the entitlments. This new target allows us to sign MacVim to have similar entitlements and behaviors as a release build without needing an Apple Developer signature. There are currently two possible use cases for this: 1. Package managers like Homebrew can use this to build MacVim to get the correct hardened runtime entitlements. 2. Reproducible builds (#1506) can use this to generate a reproducible artifact. Proper release builds are not reproducible since there's no way for a proper digital signature to be reproduced, but we can strip and re-sign with an ad-hoc signature reproducibly using this target for a decent compromise. Related: #1585
---
 src/MacVim/scripts/sign-developer-id | 33 ++++++++++++++++++----------
 src/Makefile | 5 ++++-
 2 files changed, 25 insertions(+), 13 deletions(-)
diff --git a/src/MacVim/scripts/sign-developer-id b/src/MacVim/scripts/sign-developer-id
index 59cabea185..0e7a517403 100755
--- a/src/MacVim/scripts/sign-developer-id
+++ b/src/MacVim/scripts/sign-developer-id
@@ -2,24 +2,33 @@
 # Utility script to sign MacVim with a valid Developer ID with hardened runtime
 # along with a provided entitlments file. This script requires a Developer ID
-# cert already installed on the computer.
+# cert already installed on the computer, unless only making adhoc signatures.
 # Use the following to verify:
 # codesign -d --verbose=4 --entitlements -
 if [[ $# == 0 || $# == 1 ]]; then
- echo "Usage: sign-developer-id "
+ echo "Usage: sign-developer-id [--adhoc] "
 exit -1
 fi
 set -e
+signature_identity="Developer ID Application"
+
+if [[ "$1" == "--adhoc" ]]; then
+ # Create an adhoc signature. This is useful for local testing, but cannot
+ # generate a valid signed app that you could distribute to other people.
+ signature_identity="-"
+ shift
+fi
+
 macvim_path=$1
 entitlements=$2
 if [[ "$macvim_path" =~ dmg ]]; then
 set -x
- codesign -f -s "Developer ID Application" -o runtime --timestamp "$macvim_path"
+ codesign -f -s "$signature_identity" -o runtime --timestamp "$macvim_path"
 else
 # Sign bottom-up to make sure everything is signed in order.
 # Note: Not using --deep because it's been deprecated since macOS 13, and
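Review bot: The `$# == 0 || $# == 1` usage check runs before the new `--adhoc` branch shifts the flag away, so `sign-developer-id --adhoc MacVim.app` passes the check with `$#` equal to 2 and leaves `entitlements` empty; because the later `--entitlements $entitlements` is unquoted, codesign then receives the Vim binary path as its entitlements file and the app path argument disappears. Move the usage block below the `shift` and test the count directly, `if [[ $# -lt 2 ]]; then`, and quote the variable as `--entitlements "$entitlements"` on the two signing lines in the next hunk so an empty value fails loudly instead of shifting arguments. The ad-hoc identity `-` is still passed `--timestamp`, which for a real identity contacts Apple's timestamp service; I believe codesign skips it for ad-hoc signatures, but since the commit message names Homebrew and reproducible builds as the use cases, having the adhoc branch set a `timestamp_opt="--timestamp=none"` variable that replaces the literal `--timestamp` on each codesign line would make the no-network behaviour explicit rather than relied upon.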
@@ -27,21 +36,21 @@ else
 # explicit and sign everything in order to be clear what we are doing.
 if [ -d "$macvim_path/Contents/Frameworks/Sparkle.framework/Versions/A" ]; then
 (set -x
- codesign -f -s "Developer ID Application" -o runtime --timestamp "$macvim_path/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/Autoupdate.app/Contents/MacOS/fileop"
- codesign -f -s "Developer ID Application" -o runtime --timestamp "$macvim_path/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/Autoupdate.app")
+ codesign -f -s "$signature_identity" -o runtime --timestamp "$macvim_path/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/Autoupdate.app/Contents/MacOS/fileop"
+ codesign -f -s "$signature_identity" -o runtime --timestamp "$macvim_path/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/Autoupdate.app")
 fi
 if [ -d $macvim_path/Contents/Frameworks/Sparkle.framework/Versions/B ]; then
 (set -x
- codesign -f -s "Developer ID Application" -o runtime --timestamp "$macvim_path/Contents/Frameworks/Sparkle.framework/Versions/B/Autoupdate"
- codesign -f -s "Developer ID Application" -o runtime --timestamp "$macvim_path/Contents/Frameworks/Sparkle.framework/Versions/B/Updater.app")
+ codesign -f -s "$signature_identity" -o runtime --timestamp "$macvim_path/Contents/Frameworks/Sparkle.framework/Versions/B/Autoupdate"
+ codesign -f -s "$signature_identity" -o runtime --timestamp "$macvim_path/Contents/Frameworks/Sparkle.framework/Versions/B/Updater.app")
 fi
 if [ -d $macvim_path/Contents/Frameworks/Sparkle.framework ]; then
 (set -x
- codesign -f -s "Developer ID Application" -o runtime --timestamp "$macvim_path/Contents/Frameworks/Sparkle.framework")
+ codesign -f -s "$signature_identity" -o runtime --timestamp "$macvim_path/Contents/Frameworks/Sparkle.framework")
 fi
 set -x
- codesign -f -s "Developer ID Application" -o runtime --timestamp "$macvim_path/Contents/Library/QuickLook/QLStephen.qlgenerator/Contents/MacOS/QLStephen"
- codesign -f -s "Developer ID Application" -o runtime --timestamp --entitlements $entitlements "$macvim_path/Contents/bin/xxd"
- codesign -f -s "Developer ID Application" -o runtime --timestamp --entitlements $entitlements "$macvim_path/Contents/MacOS/Vim"
- codesign -f -s "Developer ID Application" -o runtime --timestamp --entitlements $entitlements "$macvim_path"
+ codesign -f -s "$signature_identity" -o runtime --timestamp "$macvim_path/Contents/Library/QuickLook/QLStephen.qlgenerator/Contents/MacOS/QLStephen"
+ codesign -f -s "$signature_identity" -o runtime --timestamp "$macvim_path/Contents/bin/xxd"
+ codesign -f -s "$signature_identity" -o runtime --timestamp --entitlements $entitlements "$macvim_path/Contents/MacOS/Vim"
+ codesign -f -s "$signature_identity" -o runtime --timestamp --entitlements $entitlements "$macvim_path"
 fi
diff --git a/src/Makefile b/src/Makefile
index e6f8e35f89..f04b1b4ffb 100644
--- a/src/Makefile
+++ b/src/Makefile
@@ -3773,7 +3773,7 @@ Makefile:
 ##############################################################################
 ### MacVim GUI
-.PHONY: macvim macvim-dmg macvim-dmg-legacy macvimclean macvim-signed macvim-dmg-release macvim-dmg-release-legacy macvim-install-runtime macvim-xcodeproj-compat
+.PHONY: macvim macvim-dmg macvim-dmg-legacy macvimclean macvim-signed macvim-signed-adhoc macvim-dmg-release macvim-dmg-release-legacy macvim-install-runtime macvim-xcodeproj-compat
 RUNTIME_FOLDER_LIST = MacVim/auto/runtime_folder_list.xcfilelist
@@ -3803,6 +3803,9 @@ macvim-tests:
 macvim-signed:
 	MacVim/scripts/sign-developer-id $(RELEASEDIR)/MacVim.app $(ENTITLEMENTS)
+macvim-signed-adhoc:
+	MacVim/scripts/sign-developer-id --adhoc $(RELEASEDIR)/MacVim.app $(ENTITLEMENTS)
+
 macvim-dmg-legacy: DMGFILESYSTEM = HFS+
 macvim-dmg-legacy: DMGFORMAT = UDZO
 macvim-dmg-legacy: macvim-dmg