Merge branch 'master' into DRTVWR-543-maint

# Conflicts:
#	autobuild.xml
#	indra/CMakeLists.txt
#	indra/llcommon/CMakeLists.txt
#	indra/newview/CMakeLists.txt
#	indra/newview/llappviewerwin32.h

9 files changed, 94 insertions, 14 deletions

diff --git a/indra/newview/CMakeLists.txt b/indra/newview/CMakeLists.txt
index 7b8af8fc69..b8be4a0682 100644
--- a/indra/newview/CMakeLists.txt
+++ b/indra/newview/CMakeLists.txt
@@ -1909,7 +1909,9 @@ if (WINDOWS)
       add_dependencies(${VIEWER_BINARY_NAME} copy_win_scripts)
     endif (EXISTS ${CMAKE_SOURCE_DIR}/copy_win_scripts)
 
-    add_dependencies(${VIEWER_BINARY_NAME} SLPlugin)
+    add_dependencies(${VIEWER_BINARY_NAME}
+      SLPlugin
+    )
 
     # sets the 'working directory' for debugging from visual studio.
     # Condition for version can be moved to requirements once build agents will be updated (see TOOL-3865)
@@ -2259,7 +2261,7 @@ endif (INSTALL)
 
 # Note that the conventional VIEWER_SYMBOL_FILE is set by ../../build.sh
 if (PACKAGE AND (RELEASE_CRASH_REPORTING OR NON_RELEASE_CRASH_REPORTING) AND VIEWER_SYMBOL_FILE)
-  if (USE_BUGSPLAT)
+  if (BUGSPLAT_DB)
     # BugSplat symbol-file generation
     if (WINDOWS)
       # Just pack up a tarball containing only the .pdb file for the
@@ -2343,7 +2345,7 @@ if (PACKAGE AND (RELEASE_CRASH_REPORTING OR NON_RELEASE_CRASH_REPORTING) AND VIE
     if (LINUX)
       # TBD
     endif (LINUX)
-  endif (USE_BUGSPLAT)
+  endif (BUGSPLAT_DB)
 
   # for both Bugsplat and Breakpad
   add_dependencies(llpackage generate_symbols)
diff --git a/indra/newview/VIEWER_VERSION.txt b/indra/newview/VIEWER_VERSION.txt
index 4c8366c864..f186cd8874 100644
--- a/indra/newview/VIEWER_VERSION.txt
+++ b/indra/newview/VIEWER_VERSION.txt
@@ -1 +1 @@
-6.4.23
+6.4.24
diff --git a/indra/newview/installers/darwin/apple-notarize.sh b/indra/newview/installers/darwin/apple-notarize.sh
new file mode 100755
index 0000000000..466898ecda
--- /dev/null
+++ b/indra/newview/installers/darwin/apple-notarize.sh
@@ -0,0 +1,54 @@
+#!/bin/sh
+if [[ $SKIP_NOTARIZATION == "true" ]]; then
+    echo "Skipping notarization"
+    exit 0
+fi
+
+CONFIG_FILE="$build_secrets_checkout/code-signing-osx/notarize_creds.sh"
+if [ -f "$CONFIG_FILE" ]; then
+    source $CONFIG_FILE
+    app_file="$1"
+    zip_file=${app_file/app/zip}
+    ditto -c -k --keepParent "$app_file" "$zip_file"
+    if [ -f "$zip_file" ]; then
+        res=$(xcrun altool --notarize-app --primary-bundle-id "com.secondlife.viewer" \
+                                   --username $USERNAME \
+                                   --password $PASSWORD \
+                                   --asc-provider $ASC_PROVIDER \
+                                   --file "$zip_file" 2>&1)
+        requestUUID=$(echo $res | awk '/RequestUUID/ { print $NF; }')
+
+        echo "Apple Notarization RequestUUID: $requestUUID"
+
+        if [[ -n $requestUUID ]]; then
+            status="in progress"
+            while [[ "$status" == "in progress" ]]; do
+                sleep 30
+                status=$(xcrun altool --notarization-info "$requestUUID" \
+                                            --username $USERNAME \
+                                            --password $PASSWORD 2>&1 \
+                                | awk -F ': ' '/Status:/ { print $2; }' )
+                echo "$status"
+            done
+            # log results
+            xcrun altool --notarization-info "$requestUUID" \
+                        --username $USERNAME \
+                        --password $PASSWORD
+
+            #remove temporary file
+            rm "$zip_file"
+
+            if [["$status" == "success"]]; then
+                xcrun stapler staple "$app_file"
+            elif [["$status" == "invalid"]]; then
+                echo "Notarization error: failed to process the app file"
+                exit 1
+            fi
+        else
+            echo "Notarization error: couldn't get request UUID"
+            echo $res
+            exit 1
+        fi
+    fi
+fi
+
diff --git a/indra/newview/llappviewer.cpp b/indra/newview/llappviewer.cpp
index fe844cfa57..a4d28f7dc5 100644
--- a/indra/newview/llappviewer.cpp
+++ b/indra/newview/llappviewer.cpp
@@ -2006,7 +2006,9 @@ bool LLAppViewer::cleanup()
 	if (LLConversationLog::instanceExists())
 	{
 		LLConversationLog::instance().cache();
-	}
+    }
+
+    clearSecHandler();
 
 	if (mPurgeCacheOnExit)
 	{
diff --git a/indra/newview/llappviewerwin32.h b/indra/newview/llappviewerwin32.h
index ab52bf15f9..82b6b0c77c 100644
--- a/indra/newview/llappviewerwin32.h
+++ b/indra/newview/llappviewerwin32.h
@@ -51,8 +51,8 @@ protected:
 	bool initHardwareTest() override; // Win32 uses DX9 to test hardware.
 	bool initParseCommandLine(LLCommandLineParser& clp) override;
 
-	bool beingDebugged() override;
-	bool restoreErrorTrap() override;
+	virtual bool beingDebugged();
+	virtual bool restoreErrorTrap();
 
 	bool sendURLToOtherInstance(const std::string& url) override;
 
diff --git a/indra/newview/llsecapi.cpp b/indra/newview/llsecapi.cpp
index b9259cb18d..aba8ca5a4a 100644
--- a/indra/newview/llsecapi.cpp
+++ b/indra/newview/llsecapi.cpp
@@ -75,6 +75,12 @@ void initializeSecHandler()
 	}
 
 }
+
+void clearSecHandler()
+{
+    gSecAPIHandler = NULL;
+    gHandlerMap.clear();
+}
 // start using a given security api handler.  If the string is empty
 // the default is used
 LLPointer<LLSecAPIHandler> getSecHandler(const std::string& handler_type)
diff --git a/indra/newview/llsecapi.h b/indra/newview/llsecapi.h
index 1e6f2154bc..410737b27f 100644
--- a/indra/newview/llsecapi.h
+++ b/indra/newview/llsecapi.h
@@ -533,6 +533,8 @@ public:
 };
 
 void initializeSecHandler();
+
+void clearSecHandler();
 				
 // retrieve a security api depending on the api type
 LLPointer<LLSecAPIHandler> getSecHandler(const std::string& handler_type);
diff --git a/indra/newview/slplugin.entitlements b/indra/newview/slplugin.entitlements
new file mode 100644
index 0000000000..a1c430a57a
--- /dev/null
+++ b/indra/newview/slplugin.entitlements
@@ -0,0 +1,8 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+	<key>com.apple.security.cs.allow-unsigned-executable-memory</key>
+	<true/>
+</dict>
+</plist>
diff --git a/indra/newview/viewer_manifest.py b/indra/newview/viewer_manifest.py
index 43dcc6fffe..b932f43141 100755
--- a/indra/newview/viewer_manifest.py
+++ b/indra/newview/viewer_manifest.py
@@ -1297,14 +1297,19 @@ class DarwinManifest(ViewerManifest):
                     signed=False
                     sign_attempts=3
                     sign_retry_wait=15
+                    libvlc_path = app_in_dmg + "/Contents/Resources/llplugin/media_plugin_libvlc.dylib"
+                    cef_path = app_in_dmg + "/Contents/Resources/llplugin/media_plugin_cef.dylib"
+                    slplugin_path = app_in_dmg + "/Contents/Resources/SLPlugin.app/Contents/MacOS/SLPlugin"
+                    greenlet_path = app_in_dmg + "/Contents/Resources/updater/greenlet/_greenlet.so"
                     while (not signed) and (sign_attempts > 0):
                         try:
-                            sign_attempts-=1;
-                            self.run_command(
-                                # Note: See blurb above about names of keychains
-                               ['codesign', '--verbose', '--deep', '--force',
-                                '--keychain', viewer_keychain, '--sign', identity,
-                                app_in_dmg])
+                            sign_attempts-=1
+                            # Note: See blurb above about names of keychains
+                            self.run_command(['codesign', '--force', '--timestamp','--keychain', viewer_keychain, '--sign', identity, libvlc_path])
+                            self.run_command(['codesign', '--force', '--timestamp', '--keychain', viewer_keychain, '--sign', identity, cef_path])
+                            self.run_command(['codesign', '--force', '--timestamp', '--keychain', viewer_keychain, '--sign', identity, greenlet_path])
+                            self.run_command(['codesign', '--verbose', '--deep', '--force', '--entitlements', self.src_path_of("slplugin.entitlements"), '--options', 'runtime', '--keychain', viewer_keychain, '--sign', identity, slplugin_path])
+                            self.run_command(['codesign', '--verbose', '--deep', '--force', '--options', 'runtime', '--keychain', viewer_keychain, '--sign', identity, app_in_dmg])
                             signed=True # if no exception was raised, the codesign worked
                         except ManifestError as err:
                             if sign_attempts:
@@ -1315,6 +1320,7 @@ class DarwinManifest(ViewerManifest):
                                 print >> sys.stderr, "Maximum codesign attempts exceeded; giving up"
                                 raise
                     self.run_command(['spctl', '-a', '-texec', '-vvvv', app_in_dmg])
+                    self.run_command([self.src_path_of("installers/darwin/apple-notarize.sh"), app_in_dmg])
 
         finally:
             # Unmount the image even if exceptions from any of the above 
@@ -1367,7 +1373,7 @@ class LinuxManifest(ViewerManifest):
         with self.prefix(dst="bin"):
             self.path("secondlife-bin","do-not-directly-run-secondlife-bin")
             self.path("../linux_crash_logger/linux-crash-logger","linux-crash-logger.bin")
-            self.path2basename("../llplugin/slplugin", "SLPlugin") 
+            self.path2basename("../llplugin/slplugin", "SLPlugin")
             #this copies over the python wrapper script, associated utilities and required libraries, see SL-321, SL-322 and SL-323
             with self.prefix(src="../viewer_components/manager", dst=""):
                 self.path("*.py")