399 lines
16 KiB
Perl
399 lines
16 KiB
Perl
|
#!/usr/bin/perl
|
||
|
#############################################################################
|
||
|
##
|
||
|
## Copyright (C) 2011 Nokia Corporation and/or its subsidiary(-ies).
|
||
|
## All rights reserved.
|
||
|
## Contact: Nokia Corporation (qt-info@nokia.com)
|
||
|
##
|
||
|
## This file is part of the S60 port of the Qt Toolkit.
|
||
|
##
|
||
|
## $QT_BEGIN_LICENSE:LGPL$
|
||
|
## No Commercial Usage
|
||
|
## This file contains pre-release code and may not be distributed.
|
||
|
## You may use this file in accordance with the terms and conditions
|
||
|
## contained in the Technology Preview License Agreement accompanying
|
||
|
## this package.
|
||
|
##
|
||
|
## GNU Lesser General Public License Usage
|
||
|
## Alternatively, this file may be used under the terms of the GNU Lesser
|
||
|
## General Public License version 2.1 as published by the Free Software
|
||
|
## Foundation and appearing in the file LICENSE.LGPL included in the
|
||
|
## packaging of this file. Please review the following information to
|
||
|
## ensure the GNU Lesser General Public License version 2.1 requirements
|
||
|
## will be met: http://www.gnu.org/licenses/old-licenses/lgpl-2.1.html.
|
||
|
##
|
||
|
## In addition, as a special exception, Nokia gives you certain additional
|
||
|
## rights. These rights are described in the Nokia Qt LGPL Exception
|
||
|
## version 1.1, included in the file LGPL_EXCEPTION.txt in this package.
|
||
|
##
|
||
|
## If you have questions regarding the use of this file, please contact
|
||
|
## Nokia at qt-info@nokia.com.
|
||
|
##
|
||
|
##
|
||
|
##
|
||
|
##
|
||
|
##
|
||
|
##
|
||
|
##
|
||
|
##
|
||
|
## $QT_END_LICENSE$
|
||
|
##
|
||
|
#############################################################################
|
||
|
|
||
|
#######################################################################
|
||
|
#
|
||
|
# A script for setting binary capabilities based on .pkg file contents.
|
||
|
#
|
||
|
#######################################################################
|
||
|
|
||
|
#
|
||
|
# Note: Please make sure to output all changes done to the pkg file in a print statements
|
||
|
# starting with "Patching: " to ease integration into IDEs!
|
||
|
#
|
||
|
|
||
|
use File::Copy;
|
||
|
use File::Spec;
|
||
|
use File::Path;
|
||
|
|
||
|
sub Usage() {
|
||
|
print("This script can be used to set capabilities of all binaries\n");
|
||
|
print("specified for deployment in a .pkg file.\n");
|
||
|
print("If no capabilities are given, the binaries will be given the\n");
|
||
|
print("capabilities supported by self-signed certificates.\n\n");
|
||
|
print(" *** NOTE: If *_template.pkg file is given and one is using symbian-abld or\n");
|
||
|
print(" symbian-sbsv2 platform, 'target-platform' is REQUIRED. ***\n\n");
|
||
|
print(" *** NOTE2: When patching gcce binaries built with symbian-sbsv2 toolchain,\n");
|
||
|
print(" armv5 must be specified as platform.\n");
|
||
|
print("\nUsage: patch_capabilities.pl [-c|-t tmp_path] pkg_filename [target-platform [capability list]]\n");
|
||
|
print("\nE.g. patch_capabilities.pl myapp_template.pkg release-armv5 \"All -TCB\"\n");
|
||
|
print("\nThe parameter -c can be used to just check if package is compatible with self-signing\n");
|
||
|
print("without actually doing any patching.\n");
|
||
|
print("Explicit capability list cannot be used with -c parameter.\n");
|
||
|
print("\nThe parameter -t can be used to specify a dir under which the temporary files are created.\n");
|
||
|
print("Defaults to 'patch_capabilities_tmp' under the path to pkg file.\n");
|
||
|
exit();
|
||
|
}
|
||
|
|
||
|
sub trim($) {
|
||
|
my $string = shift;
|
||
|
$string =~ s/^\s+//;
|
||
|
$string =~ s/\s+$//;
|
||
|
return $string;
|
||
|
}
|
||
|
|
||
|
my $epocroot = $ENV{EPOCROOT};
|
||
|
my $epocToolsDir = "";
|
||
|
if ($epocroot ne "") {
|
||
|
$epocroot =~ s,\\,/,g;
|
||
|
if ($epocroot =~ m,[^/]$,) {
|
||
|
$epocroot = $epocroot."/";
|
||
|
}
|
||
|
$epocToolsDir = "${epocroot}epoc32/tools/";
|
||
|
}
|
||
|
|
||
|
my $nullDevice = "/dev/null";
|
||
|
$nullDevice = "NUL" if ($^O =~ /MSWin/);
|
||
|
|
||
|
my @capabilitiesToAllow = ("LocalServices", "NetworkServices", "ReadUserData", "UserEnvironment", "WriteUserData", "Location");
|
||
|
my @capabilitiesSpecified = ();
|
||
|
|
||
|
# If arguments were given to the script,
|
||
|
if (@ARGV)
|
||
|
{
|
||
|
# Parse the first given script argument as a ".pkg" file name.
|
||
|
my $pkgFileName = shift(@ARGV);
|
||
|
my $justCheck = "";
|
||
|
my $msgPrefix = "Patching:";
|
||
|
my $tempPatchPath = "";
|
||
|
|
||
|
if ($pkgFileName eq "-c") {
|
||
|
$pkgFileName = shift(@ARGV);
|
||
|
$justCheck = true;
|
||
|
$msgPrefix = "Warning:";
|
||
|
}
|
||
|
|
||
|
if ($pkgFileName eq "-t") {
|
||
|
$tempPatchPath = shift(@ARGV);
|
||
|
$pkgFileName = shift(@ARGV);
|
||
|
}
|
||
|
|
||
|
my ($pkgVolume, $pkgPath, $pkgPlainFileName) = File::Spec->splitpath($pkgFileName);
|
||
|
if ($tempPatchPath eq "") {
|
||
|
$tempPatchPath = File::Spec->catpath($pkgVolume, $pkgPath."patch_capabilities_tmp", "");
|
||
|
}
|
||
|
|
||
|
mkpath($tempPatchPath);
|
||
|
|
||
|
# These variables will only be set for template .pkg files.
|
||
|
my $target;
|
||
|
my $platform;
|
||
|
|
||
|
# Check if using template .pkg and set target/platform variables
|
||
|
if (($pkgFileName =~ m|_template\.pkg$|i) && -r($pkgFileName))
|
||
|
{
|
||
|
my $targetplatform;
|
||
|
my $templateFile;
|
||
|
my $templateContents;
|
||
|
open($templateFile, "< $pkgFileName") or die ("Could not open $pkgFileName");
|
||
|
$templateContents = <$templateFile>;
|
||
|
close($templateFile);
|
||
|
unless (($targetplatform = shift(@ARGV)) || $templateContents !~ /\$\(PLATFORM\)/)
|
||
|
{
|
||
|
Usage();
|
||
|
}
|
||
|
$targetplatform = "-" if (!$targetplatform);
|
||
|
my @tmpvalues = split('-', $targetplatform);
|
||
|
$target = $tmpvalues[0];
|
||
|
$platform = $tmpvalues[1];
|
||
|
|
||
|
# Convert visual target to real target (debug->udeb and release->urel)
|
||
|
$target =~ s/debug/udeb/i;
|
||
|
$target =~ s/release/urel/i;
|
||
|
|
||
|
if (($platform =~ m/^gcce$/i) && ($ENV{SBS_HOME})) {
|
||
|
# Print a informative note in case suspected misuse is detected.
|
||
|
print "\nNote: You must use armv5 as platform when packaging gcce binaries built using symbian-sbsv2 mkspec.\n";
|
||
|
}
|
||
|
}
|
||
|
|
||
|
# If the specified ".pkg" file exists (and can be read),
|
||
|
if (($pkgFileName =~ m|\.pkg$|i) && -r($pkgFileName))
|
||
|
{
|
||
|
print ("\n");
|
||
|
if ($justCheck) {
|
||
|
print ("Checking");
|
||
|
} else {
|
||
|
print ("Patching");
|
||
|
}
|
||
|
print (" package file and relevant binaries...\n");
|
||
|
|
||
|
if (!$justCheck) {
|
||
|
# If there are more arguments given, parse them as capabilities.
|
||
|
if (@ARGV)
|
||
|
{
|
||
|
@capabilitiesSpecified = ();
|
||
|
while (@ARGV)
|
||
|
{
|
||
|
push (@capabilitiesSpecified, pop(@ARGV));
|
||
|
}
|
||
|
}
|
||
|
}
|
||
|
|
||
|
# Start with no binaries listed.
|
||
|
my @binaries = ();
|
||
|
my $binariesDelimeter = "///";
|
||
|
|
||
|
my $tempPkgFileName = $tempPatchPath."/__TEMP__".$pkgPlainFileName;
|
||
|
|
||
|
if (!$justCheck) {
|
||
|
unlink($tempPkgFileName);
|
||
|
open (NEW_PKG, ">>".$tempPkgFileName);
|
||
|
}
|
||
|
open (PKG, "<".$pkgFileName);
|
||
|
|
||
|
my $checkFailed = "";
|
||
|
my $somethingPatched = "";
|
||
|
|
||
|
# Parse each line.
|
||
|
while (<PKG>)
|
||
|
{
|
||
|
my $line = $_;
|
||
|
my $newLine = $line;
|
||
|
|
||
|
# Patch pkg UID if it's in protected range
|
||
|
if ($line =~ m/^\#.*\((0x[0-7][0-9a-fA-F]*)\).*$/)
|
||
|
{
|
||
|
my $oldUID = $1;
|
||
|
print ("$msgPrefix UID $oldUID is not compatible with self-signing!\n");
|
||
|
|
||
|
if ($justCheck) {
|
||
|
$checkFailed = true;
|
||
|
} else {
|
||
|
my $newUID = $oldUID;
|
||
|
$newUID =~ s/0x./0xE/i;
|
||
|
$newLine =~ s/$oldUID/$newUID/;
|
||
|
print ("$msgPrefix Package UID changed to: $newUID.\n");
|
||
|
$somethingPatched = true;
|
||
|
}
|
||
|
}
|
||
|
|
||
|
# If the line specifies a file, parse the source and destination locations.
|
||
|
if ($line =~ m|^ *\"([^\"]+)\"\s*\-\s*\"([^\"]+)\"|)
|
||
|
{
|
||
|
my $sourcePath = $1;
|
||
|
|
||
|
# If the given file is a binary, check the target and binary type (+ the actual filename) from its path.
|
||
|
if ($sourcePath =~ m:\w+(\.dll|\.exe)$:i)
|
||
|
{
|
||
|
# Do preprocessing for template pkg,
|
||
|
# In case of template pkg target and platform variables are set
|
||
|
if(length($target) && length($platform))
|
||
|
{
|
||
|
$sourcePath =~ s/\$\(PLATFORM\)/$platform/gm;
|
||
|
$sourcePath =~ s/\$\(TARGET\)/$target/gm;
|
||
|
}
|
||
|
|
||
|
my ($dummy1, $dummy2, $binaryBaseName) = File::Spec->splitpath($sourcePath);
|
||
|
|
||
|
if ($justCheck) {
|
||
|
push (@binaries, $binaryBaseName.$binariesDelimeter.$sourcePath);
|
||
|
} else {
|
||
|
# Copy original files over to patching dir
|
||
|
# Patching dir will be flat to make it cleanable with QMAKE_CLEAN, so path
|
||
|
# will be collapsed into the file name to avoid name collisions in the rare
|
||
|
# case where custom pkg rules are used to install files with same names from
|
||
|
# different directories (probably using platform checks to choose only one of them.)
|
||
|
my $patchedSourcePath = $sourcePath;
|
||
|
$patchedSourcePath =~ s/[\/\\:]/_/g;
|
||
|
$patchedSourcePath = "$tempPatchPath/$patchedSourcePath";
|
||
|
$newLine =~ s/^.*(\.dll|\.exe)(.*)(\.dll|\.exe)/\"$patchedSourcePath$2$3/i;
|
||
|
|
||
|
copy($sourcePath, $patchedSourcePath) or die "$sourcePath cannot be copied for patching.";
|
||
|
push (@binaries, $binaryBaseName.$binariesDelimeter.$patchedSourcePath);
|
||
|
}
|
||
|
}
|
||
|
}
|
||
|
|
||
|
print NEW_PKG $newLine;
|
||
|
|
||
|
chomp ($line);
|
||
|
}
|
||
|
|
||
|
close (PKG);
|
||
|
if (!$justCheck) {
|
||
|
close (NEW_PKG);
|
||
|
|
||
|
unlink($pkgFileName);
|
||
|
rename($tempPkgFileName, $pkgFileName);
|
||
|
}
|
||
|
print ("\n");
|
||
|
|
||
|
my $baseCommandToExecute = "${epocToolsDir}elftran -vid 0x0 -capability \"%s\" ";
|
||
|
|
||
|
# Actually set the capabilities of the listed binaries.
|
||
|
foreach my $binariesItem(@binaries)
|
||
|
{
|
||
|
$binariesItem =~ m|^(.*)$binariesDelimeter(.*)$|;
|
||
|
my $binaryBaseName = $1;
|
||
|
my $binaryPath = $2;
|
||
|
|
||
|
# Create the command line for setting the capabilities.
|
||
|
my $commandToExecute = $baseCommandToExecute;
|
||
|
my $executeNeeded = "";
|
||
|
if (@capabilitiesSpecified)
|
||
|
{
|
||
|
$commandToExecute = sprintf($baseCommandToExecute, join(" ", @capabilitiesSpecified));
|
||
|
$executeNeeded = true;
|
||
|
my $capString = join(" ", @capabilitiesSpecified);
|
||
|
print ("$msgPrefix Patching the the Vendor ID to 0 and the capabilities used to: \"$capString\" in \"$binaryBaseName\".\n");
|
||
|
} else {
|
||
|
# Test which capabilities are present and then restrict them to the allowed set.
|
||
|
# This avoid raising the capabilities of apps that already have none.
|
||
|
my $dllCaps;
|
||
|
open($dllCaps, "${epocToolsDir}elftran -dump s $binaryPath |") or die ("ERROR: Could not execute elftran");
|
||
|
my $capsFound = 0;
|
||
|
my $originalVid;
|
||
|
my @capabilitiesToSet;
|
||
|
my $capabilitiesToAllow = join(" ", @capabilitiesToAllow);
|
||
|
my @capabilitiesToDrop;
|
||
|
while (<$dllCaps>) {
|
||
|
if (/^Secure ID: ([0-7][0-9a-fA-F]*)$/) {
|
||
|
my $exeSid = $1;
|
||
|
if ($binaryBaseName =~ /\.exe$/) {
|
||
|
# Installer refuses to install protected executables in a self signed package, so abort if one is detected.
|
||
|
# We can't simply just patch the executable SID, as any registration resources executable uses will be linked to it via SID.
|
||
|
print ("$msgPrefix Executable with SID in the protected range (0x$exeSid) detected: \"$binaryBaseName\". A self-signed sis with protected executables is not supported.\n\n");
|
||
|
$checkFailed = true;
|
||
|
}
|
||
|
}
|
||
|
if (/^Vendor ID: ([0-9a-fA-F]*)$/) {
|
||
|
$originalVid = "$1";
|
||
|
}
|
||
|
if (!$capsFound) {
|
||
|
$capsFound = 1 if (/Capabilities:/);
|
||
|
} else {
|
||
|
$_ = trim($_);
|
||
|
if ($capabilitiesToAllow =~ /$_/) {
|
||
|
push(@capabilitiesToSet, $_);
|
||
|
if (Location =~ /$_/i) {
|
||
|
print ("$msgPrefix \"Location\" capability detected for binary: \"$binaryBaseName\". This capability is not self-signable for S60 3rd edition feature pack 1 devices, so installing this package on those devices will most likely not work.\n\n");
|
||
|
}
|
||
|
} else {
|
||
|
push(@capabilitiesToDrop, $_);
|
||
|
}
|
||
|
}
|
||
|
}
|
||
|
close($dllCaps);
|
||
|
if ($originalVid !~ "00000000") {
|
||
|
print ("$msgPrefix Non-zero vendor ID (0x$originalVid) is incompatible with self-signed packages in \"$binaryBaseName\"");
|
||
|
if ($justCheck) {
|
||
|
print (".\n\n");
|
||
|
$checkFailed = true;
|
||
|
} else {
|
||
|
print (", setting it to zero.\n\n");
|
||
|
$executeNeeded = true;
|
||
|
}
|
||
|
}
|
||
|
if ($#capabilitiesToDrop) {
|
||
|
my $capsToDropStr = join("\", \"", @capabilitiesToDrop);
|
||
|
$capsToDropStr =~ s/\", \"$//;
|
||
|
|
||
|
if ($justCheck) {
|
||
|
print ("$msgPrefix The following capabilities used in \"$binaryBaseName\" are not compatible with a self-signed package: \"$capsToDropStr\".\n\n");
|
||
|
$checkFailed = true;
|
||
|
} else {
|
||
|
if ($binaryBaseName =~ /\.exe$/) {
|
||
|
# While libraries often have capabilities they do not themselves need just to enable them to be loaded by wider variety of processes,
|
||
|
# executables are more likely to need every capability they have been assigned or they won't function correctly.
|
||
|
print ("$msgPrefix Executable with capabilities incompatible with self-signing detected: \"$binaryBaseName\". (Incompatible capabilities: \"$capsToDropStr\".) Reducing capabilities is only supported for libraries.\n");
|
||
|
$checkFailed = true;
|
||
|
} else {
|
||
|
print ("$msgPrefix The following capabilities used in \"$binaryBaseName\" are not compatible with a self-signed package and will be removed: \"$capsToDropStr\".\n");
|
||
|
$executeNeeded = true;
|
||
|
}
|
||
|
}
|
||
|
}
|
||
|
$commandToExecute = sprintf($baseCommandToExecute, join(" ", @capabilitiesToSet));
|
||
|
}
|
||
|
$commandToExecute .= $binaryPath;
|
||
|
|
||
|
if ($executeNeeded) {
|
||
|
# Actually execute the elftran command to set the capabilities.
|
||
|
print ("\n");
|
||
|
system ("$commandToExecute > $nullDevice");
|
||
|
$somethingPatched = true;
|
||
|
}
|
||
|
}
|
||
|
|
||
|
if ($checkFailed) {
|
||
|
print ("\n");
|
||
|
if ($justCheck) {
|
||
|
print ("$msgPrefix The package is not compatible with self-signing.\n");
|
||
|
} else {
|
||
|
print ("$msgPrefix Unable to patch the package for self-singing.\n");
|
||
|
}
|
||
|
print ("Use a proper developer certificate for signing this package.\n\n");
|
||
|
exit(1);
|
||
|
}
|
||
|
|
||
|
if ($justCheck) {
|
||
|
print ("Package is compatible with self-signing.\n");
|
||
|
} else {
|
||
|
if ($somethingPatched) {
|
||
|
print ("NOTE: A patched package may not work as expected due to reduced capabilities and other modifications,\n");
|
||
|
print (" so it should not be used for any kind of Symbian signing or distribution!\n");
|
||
|
print (" Use a proper certificate to avoid the need to patch the package.\n");
|
||
|
} else {
|
||
|
print ("No patching was required!\n");
|
||
|
}
|
||
|
}
|
||
|
print ("\n");
|
||
|
} else {
|
||
|
Usage();
|
||
|
}
|
||
|
}
|
||
|
else
|
||
|
{
|
||
|
Usage();
|
||
|
}
|