From 4d6ed77a4a423929899356ec1896bcd97e40acff Mon Sep 17 00:00:00 2001 From: Frank Morgner Date: Mon, 19 Oct 2020 18:17:23 +0200 Subject: [PATCH] Prepare macOS binaries for Notarization - update code signing credentials, thanks to Tim Wilbrink - split up large files into 50 MB chunks for Nightly to avoid Github's file size limit - codesign tools/libs with hardened runtime and entitlements - avoid relocation of app bundles on installation - sign installer for distribution --- .github/add_signing_key.sh | 15 +++++-- .github/push_artifacts.sh | 11 ++++- .github/remove_signing_key.sh | 2 +- .github/secrets.tar.enc | Bin 7184 -> 15376 bytes .travis.yml | 3 +- MacOSX/OpenSC_Uninstaller.entitlements | 10 +++++ MacOSX/build-package.in | 57 ++++++++++++++++--------- MacOSX/target.plist | 18 ++++++++ MacOSX/target_startup.plist | 5 +++ MacOSX/target_token.plist | 27 ++++++++++++ MacOSX/target_tokend.plist | 5 +++ 11 files changed, 126 insertions(+), 27 deletions(-) create mode 100644 MacOSX/OpenSC_Uninstaller.entitlements create mode 100644 MacOSX/target.plist create mode 100644 MacOSX/target_startup.plist create mode 100644 MacOSX/target_token.plist create mode 100644 MacOSX/target_tokend.plist diff --git a/.github/add_signing_key.sh b/.github/add_signing_key.sh index 689e2cad..d2c494a2 100755 --- a/.github/add_signing_key.sh +++ b/.github/add_signing_key.sh 
@@ -18,9 +18,18 @@ security set-keychain-settings -t 3600 -u $KEY_CHAIN # Add certificates to keychain and allow codesign to access them curl -L https://developer.apple.com/certificationauthority/AppleWWDRCA.cer > AppleWWDRCA.cer -security import AppleWWDRCA.cer -k ~/Library/Keychains/$KEY_CHAIN -T /usr/bin/codesign -security import certificate.cer -k ~/Library/Keychains/$KEY_CHAIN -T /usr/bin/codesign -security import certificate.p12 -k ~/Library/Keychains/$KEY_CHAIN -P $KEY_PASSWORD -T /usr/bin/codesign +security import AppleWWDRCA.cer \ + -k ~/Library/Keychains/$KEY_CHAIN \ + -T /usr/bin/codesign -T /usr/bin/productsign +security import DeveloperIDApplication.cer \ + -k ~/Library/Keychains/$KEY_CHAIN \ + -T /usr/bin/codesign -T /usr/bin/productsign +security import DeveloperIDInstaller.cer \ + -k ~/Library/Keychains/$KEY_CHAIN \ + -T /usr/bin/codesign -T /usr/bin/productsign +security import key.p12 \ + -k ~/Library/Keychains/$KEY_CHAIN -P $KEY_PASSWORD \ + -T /usr/bin/codesign -T /usr/bin/productsign security unlock-keychain -p travis $KEY_CHAIN # https://docs.travis-ci.com/user/common-build-problems/#mac-macos-sierra-1012-code-signing-errors diff --git a/.github/push_artifacts.sh b/.github/push_artifacts.sh index 4b7f5d9a..5c62ce47 100755 --- a/.github/push_artifacts.sh +++ b/.github/push_artifacts.sh @@ -13,8 +13,15 @@ for file in ${BUILDPATH}/win32/Output/OpenSC*.exe ${BUILDPATH}/opensc*.tar.gz ${ do if [ -f ${file} ] then - cp ${file} . - git add `basename ${file}` + # github only allows a maximum file size of 50MB + MAX_MB_FILESIZE=50 + if [ $(du -m "$file" | cut -f 1) -ge $MAX_MB_FILESIZE ] + then + split -b ${MAX_MB_FILESIZE}m ${file} `basename ${file}`. + else + cp ${file} . + fi + git add `basename ${file}`* fi done diff --git a/.github/remove_signing_key.sh b/.github/remove_signing_key.sh index 218471c5..2ebac512 100755 --- a/.github/remove_signing_key.sh +++ b/.github/remove_signing_key.sh 
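Review bot: In the `security import key.p12` command of the add_signing_key.sh hunk, `$KEY_PASSWORD` and `$KEY_CHAIN` are expanded unquoted, so a passphrase containing whitespace or glob characters is split or expanded before `security` receives it. Quote both, e.g. `-k ~/Library/Keychains/"$KEY_CHAIN" -P "$KEY_PASSWORD" \`. The passphrase is also passed as an argument; if this script enables `set -x` the way remove_signing_key.sh does (the top of this script is outside the hunk, so that is an assumption), the expanded value is written to the build log unless the CI masks it, and tracing should be switched off around this command. The script starts and ends outside the hunk.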
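Review bot: In the push_artifacts.sh hunk the chunk size given to `split -b` is the same 50 MB that the `-ge` test treats as too large, so every full chunk is itself a file the script would consider over the limit; a smaller chunk such as `split -b $((MAX_MB_FILESIZE - 1))m "${file}" "$(basename "${file}")."` keeps the two consistent. `${file}` is quoted in the `du` call but not in `split`, `cp` or `git add`, and the trailing `*` on `git add` also stages any other file in the directory that shares the prefix. Because downloaders now have to concatenate the pieces, publishing a checksum of the original file next to the chunks would let them verify the reassembled artifact. The enclosing `for` loop starts outside the hunk.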
@@ -4,5 +4,5 @@ set -ex -o xtrace pushd .github/ security delete-keychain mac-build.keychain -rm -f certificate.cer certificate.p12 +rm -f DeveloperIDApplication.cer DeveloperIDInstaller.cer key.p12 popd 
diff --git a/.github/secrets.tar.enc b/.github/secrets.tar.enc index ea2adfa66fac2e438691d2e361cb883957347de9..09e8b80ebc9eab519f472b4296e7489cd6e204cd 100644 GIT binary patch literal 15376 zcmV+rJnzFD)t#&n+2KnPNClH;UV!SwUV zuvudQjS@c}Kyz~NH*z@Rgmp{UFdHt64i$>1$tpR?n@EmhYlAXOF!? zS<@8Kb*n8d=ZIxc9aa@cT1|Cjd(L0J4~hCw)mu4s-aD<-Ji(NM^4U=qFX9wqoH}oY zu1wxe8gC=InflrSV%t~XpwmpU;;pW)(<2reQ^1_7)<0eg-!zK#dBbmQ^qxo~37XvW z$k>dJfD@_*B@g#M3Tt; zQi;cGSi7iX#;qal_JW(-I_J{&j>n#>1SBsJsVBZ3V2#XmikN188+bAvC$^*9P8@HO zY{`ZM?<{Y(&e_hj!QrMgbw?p=PUHF#K752o-MM*F076QCKmQP)PDAv%Z~)F^|2D2M z6lY?^n{|EoD?wT*fH@0_nCUYaQRZu9pH5(T;OH+xeKd*Tf}{${ygSypKSxq%TtR}> zFeJ+8!guq)@Npu0-KW8*;Wk1ij7t#(5)v+Kj=(Nk~$3KLQQWJUnqemp+A|;p;@<86grvWo0$>?(@h0-M(_R zQ{SHQvDM0ODdC};jh|^c8+W}{()dQYA$-TdirLHue<$NeePq}D7${|Njvbh%DRQ6v zqz{tKz`a64`{5D{nAyCHxkordMhOoA)8P{<0OcO#A#D)imJ#uoSm}ovN-qxi+5393QL6Wx`)l;dDEGrqx+Wzh{fwMe znv?v1v;(@nuWO<1Ga0U59S3NP1J;L>eMS1!jx$ZN5IdM9sQf%ka+7eEsr0N{J$~s- zobXjzUz=-MH+w_z5GjvAO^<$fl_rkyDNg_+`rZ;WGYL4ErvTff6W2=edLNs5UTKkP zn-;FrS{1Q&iAf{Jd~GR;heS6i{&)bRiPolvOZm8$XxBW_wEA8$!$Lm@=S)e6%$8!E z&e~-Kd-G%oz{}Ne&Z&$F%9C`XYPe5_N=l2rNK<;2^Nbp4kZdigmXWQiw|XNa z_*&~B8bD@wLF6*IWCb=U0jc9n_cuAhN+DbQ0?KQ{>(eT$j4SQcWRO_|-=JIr5*p^( zQ8!>JeytmcS6QdZmlo)p2J%oJF)M;h@Z*FdjxWV-MK~ZiHGmuLciM+*?rLGAcXi9A zl06jz45WXo$B?P6G&mc9diDlJC;Vim8}10DZ7Ih&~RRk_G}5qNiHSkd6VD zyLR}Mpg*yQL3q}jPlqK%@f~$`#pDzyl7i z>miQ@G2c#gjc-f*>mY~vZ!A{{H?BUZ!!FKCdQuNuPoVEeTgC2}68RII6cuyAHVqAm z%c1gFMc1B|{_AMXS9_lA44sHp4h3z{SuKkute8q3>#T{K%+WJyw+FzAY(EktShF@H zKKpkDmukjfz_wQ>sS!)mHZXYauSY{AH1QF8iPH^w+_@qnDv5=Qj8(^hHs6Gnb6`p6 zFN#IJG?Hg0#n6p84LcF|^fexKN8|b?bVGI>nOA)K(&KAP^czE;F z6em?Z7Y(?v#TL~;%Y~GSC#hEHU*QY9B|f#+d)KiRzorY_-kN705p4!VzAL%bMDa3* z_!0|@=*e%OA&S7OJd-~VW7Xa!o;c7-zAgFJ-ui>b5_Ec2q^t>c|2RUtSQhV}Wy75K zh9i<1p-S#?Zk4tkN?{MBrR_1Vh^jF`%0r+aYZbodxi{>^Q)@`B24N_ot6x#>C)5J&<=h6XwMgo}c< zPdpe}!W=*)JjzEEbbR7V#QZ!Gs|{A9dxP3%hs&$?_w!-`_rX;w%kYVkuhOV&L?ytY z5XuvaN592qW&l(o+xAibKIzefaST$NT_4T#oB))ugm~b^cSQ_`QE#JSjofG=Z?Jx$ 
zN+cZ}A1i<^lLAdW$puWKQAQcr2`&p*Bm4w-nv*X+=~=*uA{36=cI%EYP@t{={k?V@ zA=z+26pvRK^h7^0i;Zq7HEgq0mh+o7u(4pdk@1`e#g`3w+U6xl z*C8paoUVRbB4WoXD*KTJwmOFUAvm*fzUQ*vUGiQ=RsIE7_)CCsEDpbFmtTaYmAdiN zYb(@ah@S2*!^34LWDQD(KN}Ygh|)*8R_7;@MDr~{lH~HE25J=M{n<8Ip$&qrjh|UbLTR$uT>!m$js86WuX7<55v%L4Z&(t3z*H? zx~=rVz~aJ!z(9hYrI=xac2?Py{nglY$b<|&QBewfzoJIKsUIrB>FYzfjOK8XNh3X% zMzT!pGO%f?9_08?fgyazCS`1N9hofXSpY5RsP1L?N21AuO_k0!`HOq{U_Ku$&^kfg zA|Z?^>mmX>BGZ94;JC&?&umWohvOQ8_xFXP_A;800lcuqJ4^e$H8=+ndr#MOO(+bp z6j595Lh{w}0AvrL$^C?c(hhIQ!YSAm?uQPani}GC)n7vSwjYG49&@!3Y96;*@L$PN z$S(L&ZcURADuHovzIekMuNC#G%+`j3tju3~wSsQ8ZON0DZTP{p_KcFn?CMh# zUKpK#S`njvpnR{jw!69WdpPQixiHb!@+*URtQ_Qqs?dC95wEn-a;}0kyJ%y?vFh&l zCB2Zu_MEpTUxBSF)dpg*rc%@d0)MWlr^f~B1(0}c;Z@lvPIUOcIsuWil}gzjABk|C zXBFqV!Qj-eUR`zcJF1odSFW+1y6-9?Z}sv5lLZjj$+S0Cf2lNq-(F9>Ki(L&y3kc? zPBA@t0_qtf%26h?fr9j)h|ueaZr?PMWVWRbzr;#8V1+!kP0{lq;iDd%c&C4UKRB- zj!|%=F_uXWe-H*GgMeFD9q_RPD-JIZ5aj}-E7j6)#B#)e4l?G6r_M{lDa?+2dU*{Q z(no${kD!MX;}H`Hy1GpRnBW7x$LzSR_BQ0x^Im@5r*I}IvOD^ObwgnOlsvS2(nCjDRpO)v<+Y?`@nQlsb>L5YQuue4th^p%JX-cI> zx6);AaQpTFFD2~^{VeB{D)~p!Td|C68M>(PLAO7t^Z_>^`}jpf?#@ktdYt?K=n=Dk@)- zXmn@59ee#c*(XIvfb^#>=jlpt@>_h|_ap6e9bl64_GEIf%9zkrq7MTx-6Hh$d;knevGimtExUf}D70GtVh6gV^oY3HxfzZ~)^NChJGDIymF;z#-a+06pz zXra?XiX<0@cj~I!!5bm}gS*PnfRfI+8^?Zz6P5gt<)GUYhJ5d3S{-7R2nhGnkktGB zbAn%vj;`O;F4_Zq=6p*o)OtL?@ddL%ImbKoGyM{Ca>{z0f7OqKmbe;nBt zH;z{7uM>xWuXCCik8`L9_43lrrj5X}9fRy&qpKXDuEk7Qp4jiJUxz<%!_ z>zNOYTr8wJzIjW0~(v8Ivd@sMz!L?Z}Y_^?e7K=?+>;WHZ*97ynSOMi!}Xd{3-&2Vmu!aaFtaB z)?I`-v?|ZA1=?_Z!LYm3J)o4(y0tKta;KF;Cjp!-4riVkee-c63Wy{q9VFTif+EiA&0K^t*`h zmxQ@RCvJtLj1tGAGu!n~ zwuC!o?%QV0=Bn$qvuz-kDtG(bLt9!|vOSh^F$I2QR{j%Ub^ZAtYn zV?ME+TA3zZ){+)OjTk70o+Mo0`rzT}<;V*N|7NrFFzOeuMcnr5O=GNk#`n{Ci!{qa z28c#{li)aypWu9#-i|gZnkGE6%B8X_XAhCe=aavaOlBvo5N;y&T#?@O^ku{mbIKvx zJ*bn97zyWKd4jcew*QB&+d{QgVaico9Xh?>ypbZ96Ze_Fm*Hh-7?JX!g(=mF)002( z>t$r!UT2mbE0X`Y)bK;Mv`iRUExFkq{kwXIZ&`aLltfO5HgjVa1zaW;moEX|a>eUe zL=-iTlsyQ5jl4B?&6}TRxV1%;Xs3`VQB=6vPIEQsoVp<@FGth;b 
z+ZiFsX1M6xyyNP_34eQd=m0GeG0zu?=pJ9pgWTOE6!-#si7@QIAQi~A{*HY7@&7l{ z@e;o9t4-uzL`4%66N*rVQ#IViP@`m$QHi}trPf=~Ilfm9=nsglrAPu&M^iz~c*-SK zVeU!5m){jNUN}oLZ_y=_n=CEq#DBYO1o-OlCXOK)8S4+93aysuiIUPgq^JHOIl;X<(#(lB6{$5zANB=1v`*gG^TW@bt^RR zNUqHU8VO3a9bbY04;~w;v6WNl>20|-EQw9bonr2RH61zM;5p2Ady2yN-*S{ zX$&JxK=EGg$l&DV@M=rQMdc1Lq}9(r1(wSWfs*j9EGx*{%NEt$b+y$ZHG8l}F<7T2 zxjz7UrwQWIp=H68M$$q_ZcQ+l%q`*|Y;v&~68t@)1*wSiso^L49Vo3PsOgg`@1zqH z+rX+%joweG)Gsu0RS15igyh0dxxXw$dQ5@|Xj9fEIl6;HEpNKhyjSQ^rj(EA3QZhH z7RXMo&|P71+b)*52$?9J4>~RW*sqiBsk0>3d`Zng@Gl`Bfl_EpZXoqFGN5{O-Y^?O z@4!qajnMs8a>aC~X*AV@V$7yG-J@~t0J*j$&0wyD=Os1~xZZMfM^iN-1L&{Z){001 zbpC>q0+0PjNUG2&IX~A1&Y|Bf9oDM&uCD~W1=3*@Y$1U_A(oFwjEG1<5J+gGc6%g_ z@Q|_(R*o!tmPBoytPnLNUI?|%v@_^#NKUa3Yo0$K7(M>-+Kz-vPH14zO%!vlcZ4pE zp)lf)VrV2NP+Tl63>9Q?J5a1m*-!M$ZHny7f4eu<`1f_t(!I?Jl(cjAF8ba}B z;Aa2@zbYJeqwtCJKi=#p&gy+bluKvrtK`VpSkIxn9fI<0NIO?5Fj$HUk==+rAmcv# z<6IwCs?IVpN-r}da>PJn4N%bmDe=-ONVPW>(`oOxc=@OvU#I!KCTPhDc((Va>6-Tm z{TvZA$w83`?|L$UVs58FVK$;1Aju%dWg8$Bv%v{s9O`|wp%`oc=a#-E)Gsx6E%|ozcW&^| zGVjW8$VmrY{f9l;cRry|BZ(5s?$6ya_S2hh*rm(#@s2|$0uC?K!z-1Ub*K|0M)2&; z*N28VJO_=AxS3YwczW=0)7mYwzbnKt{kO7f(OHNeJaV71LqlR<1lvPsXVmYXQ&Mti zD5=OdT;E}Q2U71h?^A8z8LI_D@A8Kz@!h^dHjU2*=K4Y0xYo%)kI_mG;&FUVE&-OH zXyn8?Eq|l{8>5RRq`C0=^ihucLpJI$08a+R+9|(~#HS{MB7wAE6xDsF*{o;mB1=}> z850N;03T~qg6*XuI)@<_$gHTM4rvuV4!f)mj+*z_(oBQB?0SNMyo|ba4vqXp+hfyY zPO93K2KG5Nog_U2BRm;z6Frt^qeFW<^Ne9p8-Rq00S=7?wk??#V=;8L){}ZTq>VYC z^f{jhA`E63{f%ay$lcC^*~;@bs{N69)%U=NFy-4=RQIeUR(I2hBxH6`%XC$*r{%gV>wC8^6jTkj5$E% z0s0m(h!Vc0t-2i08Gg_eVKt5cY!R!o(iHRh23%eEbM6gO7a6ELMTJIQlwP);Go`O{ zr|g@CkRnfrSYl6`Jy7+mJTSRvlGwt^V`&tdDz;{b8sA-seKJj2>{y_Ioe+H2jAY$D z5*-U~^`&|eP>|Sb0BlEV@H|C!aKW)Xvlbw>TcvCzitTeeQR`mfiz!V0U0#^XJZpLqvK>!q_I-s+nNX*|TJnG9ZLy8ofscBxd`mKr;gQF?t-FTHqse zvgGBKFB;u!CGA+4^O(h?1UTD*uB#~dT4R$(^ z$cvXeH_T%^W=20J*vm2s^`Ioy}{j`s6|e=n}@uuS*h0WEbUtqheg| zyWlu}cJ>E3Vvb9(FR6k-+0Q1Io@suHm*~3mZBp&Oy} z9em&m^$O>FYOI_-9>g2SWE_)`3ySSJgMW4M@1jdcH;WAna9v}LWn)}dqt#ZSc56`s 
zT8)CHv|z5*jzd=;I@%rBHDBUzN~CFTcd~G*6c=pVm01B+R;$bLhg}3{5wRe{A`>L@ z6qOk88F1N=(SpdV>f^1!alJ5HeVI4E%5>c}ID>lsnGkgtUgLO%B4yS6bOA?95zg3G zf(-}b1L)?-XR71}_i9E+ac4U0d727(`w@DREH7o@^DNF9s3}GhyMvQAoe!!U8847U ziFNX^=oMtm*M6O(yj>*zhP&ac2>+N==Q8QDLfnG4lbyjUj$w7}jHlupjoyq(6D@N@ zAyN8w-1=8KYhw(leAdv0@O6Kryaw>TJZS<@k3$eZ&==!O&M$jmc81Q8tJgM&8DF{=W?~g3}8B1}%iAGlk9JN_@Sc z=B|;E5iRdwWtg0gyxjQ{{U(y*<_D|{{_4m?#k7rj9P`?OkRu}im-J5iVr)10W0@wY zclbC(_Jv&RC{b^RSS1kwKFt#3FW6Z7^t?8F@9y7V&7P*|9mSFH&}wMizk77{Uz{ywSYWfgB+`{! z%$s1~C00=sMuV~l+bMPr=y=bW@868W=jo4Wx&21Le{M0LjVjUn=jp?M16q7FLt@bS zd@RDrfrHLNJ(I5L4+v?~9%P5?9aGzl1=D(9p~_C?CLsfEoX(a-*7~_htQx(yh~KMg7dJrieYP8 zb$y2RWI;i`VS}5gu3O7g^iOHdXR^j5`X_`P#-~uQk|FsS{ZWG1ALfKz9uM=cr?SJmz`=?v?7y9B8 zpj$r$Y8kUJMcgxz8|`=?fZ{EwQd0;xK{x%Ya71In)T#}}dnrgO9O}wKEiZR+G7f3~ zRWJrwtiNdueQR$ReH?`?ejA;)gA&=B!Q0iU&gKnP-P8P1LZQM!C3lfp;J*+-6m@Oz zN5nF_U^HqKq8ddRJM!joT}h{gR^qi@L0|k=`pY7Gi4FS6J-(_><4MneOCKzIlrRRM zH54YWQk+_-i68}3M^b`fP+8ddv%ooS34gF^ICS;YR(Wa?OG3|4k!p>v z*K+8=XaQ4si?}w&6uuB=Y1tN%d3o)8^p^o`%A1k}bQbbK@_^wo#W1{vh|{&-SB7t$ zM$eEHSh&m^!V#&=-lg;j(1i%{BI{axbvYj}E`_p5EE3KPzC)u)wfqdQ!xn>rHs`nF zX>aY%&>hX~MlUL}ha!A0ni!9-ArzvdI%kA*Wi4DZj!Ab|R<~~h&}<5h4!^y99@qkz zr_%NjFtyuI#}#V|W>0PPu*E!T`n*~8;vHHF!J32e!QVh0_7=+j`7M>(1kgFT z`9KS{ME#Wpm?~dQxVMgRq?)ZT_U;RIR{>%>WL!S6_m=#9!?($L->0mT*CsWkN;5_8 zooq=14HaXrYa#j5{}#Q|m38)zIB3ax_+>9&6wf+FAp&3o`#|AXT=Z|&x-h0Tebzyg zS_p|FKv+L_^<@qF+|@x|>DH^VS+~$hJ*6iv|G3vYPEo}wKcc~!ke=YNu(=3cz#+3NBQZk66P3!CG??Mi zT!?HoGEP8y=m$Eg@_kl_8;=a1wNH(ZKNtBc6IK3;t5qqyYhH9lmI=$O<)SM&s#Yf% zpzPxDQnc72l1`(LYz7IV$sg&o{c_xY&Wbn|--*ht*kQ_h036!cP^&Yd2v)>OYH*B@#Nv}Wi*GtMo zL47{TY#zzFmC0rO4VS{AIA)>d41m_%kYZ($Z2j*c73wmYfO*bVJ1{!^jH-0*C<>){ z5ZQeZH7>68B8)Y^=bV#iRw-dwWeqCDzOk`1A!dJ@A2`Hz*D4sW7aYeGT*}4>8v5jy zDvrc6=dlAC#be7l*`|-EnOu;ASac&a2_S5FAU*u}4EdMu3uDgU{pIY^hkJtdTRGzS z7@{8*gIQG|#`+WY+gNFYvY|MfY(4BiD~yHCC%2x~I}TFb@vH1m=L#8Wu5o+@sESZ> zA6W4YEA^pi=O3F8;vQnBXu6wcm>P?V7q_KKzazC0K>PK>X*2=t~PU@OP-u zmmN%2=uLwpfILnJt;gz<)aHc&+uvFt1>uVMBNlKl6r#eWJC4XNE*8hGAN_IaS7#3q 
zcuf)_v<)AyY5MQ?-be8qs)LR7k;2vd;)s>+pLE(}-n6*}@>}2+_bZp7knrb`Ny`g< zTcJ<1ABRDr5+CTQuDqt=v;u4ugM2PdMsS|-C8-IbNy_>FAQ`q{WOvBaNxbk4N6;)d zl-t}sX@1TmEH^(a%r1u1DB-=2`?p4$g8uSRh3ASu+93Pjz1%9T_swIf3ObN1Jwk! zm#`lcEpWhDR*{Uzhd3a}jNO2YFZ@$3aK!fXfYwI=K$9liu2G+eRJ&!BJ26};!QL(oQ__ zf>@w*;}$lTSx1^jo^_lE-x%^+?V-@$R0C^)l#jGF_9{#fad1bm#M*j+dKC-Tb|&$T z82J!v%=q-P!P285%aWA5FNZZd0VrzSyJie!prXX; z*8XLs3V7DK_j{v!1WNa8{w%ElaIWHIDp*9%y&6%OuI<}wtJkLHAd%e=_((MDm6)2y ztlmkxm0Umg!T4yb0^niD~J+Etf*JgdJ<+9|PsQ{QdwrY*Vq_r>nMq9`w?m&rrsM$X#wQ& zWM7pN#u++w^?z}xw;PJfQp2^K(qv=3s1H{FrHyz{>>l7@AU+gwrP7rfj#X|lC7 zBO0pg>kr%RqM5v<3I=^VsC@e*4^d7{%MIPD{N*!fT*^#ARG6+FL;>ssSshWF`gH!h zv2eSb9g2~yaSkl{@c2-U1bNxc)jZa&Y@wC0aAiI1FQ>=vMpKQJ07rxSJCqpInL8KT zgvL<9YSRT)T86r{`0v;jltBoQt@$px07{G6I96Pq(Wnw5T*fjlL=Vts6Wj9KChnAD zddU@`r7s_THXdb=ax`TW(nmvOiA`-BAp~UJi6^aO0n#h%yC>b;Y)|HXgA*|+?MEIO zd$7zb_NVy{zA6*R4P$3t9ji9ifl7Lqj)t zG!EnTFl-##7xBJi(jTUw#Kvb7s!LM6!dJ#}-w~XXpHHd)(P7-l^U6{VPHLhWoOpA( zD&7%M70IhNZA|lb8qHI$js{K~ueZ0MJJUXX9qa{H2stvE9bD6s1FeDnCR&+u#WeKua z(@MTK4CR)_H+!+5b_j4iD;6}cr~{l42>;EDy3PRI#LrFfx~fF44^6+$*|Zu3H@=`M zSSKEUu#dDX)v|l#xIE|EyHTDwaY)QYS*)5AhN84wBo!hP;b@&vphp=k$==;;1w;7u zR)9y4mQF)Xmd=6V9U2e>#!*?()jP32o!v10FirYcFolN-5^>N|OUiSq+=Wk+a-B=| zgI6hVC~86`t0zFX7Ks3EOR73|N}_tFh$}z#yeHe2KO4Dfz7|N`i|v%31>=B<(|9`Q zwONC=Mz$V%7emrvxP+$VQQm$&GVj4e#gp+lih9~4D^lkf*#Ablh$f-9i0@-|=8 ztkd;cs9&E(>N^n~RN(~S?vYCQkj>G8Zw2}D?u$bKAfE28AVJC7d+DZeMQZT^5UEzeVdNPsx-A3e;cZ%fc5emKM2 z2?aGUTgm$WTtG6Az|d&CAt%a*(?uSpk?-=aaU0hfgSnyY2d2D5l#TlIze-BwuA1O; zIY5y|_>5|ewXtm&%lIjwhwBS3rAo&JUOP6OUq}M31}0hgT|wJ^EE@kVA!RwrKly-_ z1l>k+Q6|?F5+}rdM8A*MYpfmL4)MRnv<>zAY$EN{75x;V{{C??8WRuYO02)-=$|~8 zUGxA_etr;Qh-(?yR-%GLJ@!)@veyBKlV8tH54iem|D-wLQ^!bBlb!s=npyYpwN3UV zTRtb44>nGDtTF6~e=L~+MO<<3U06ZGErm$hCp>>xc^xcAzflnd6|P%0oPH^XoivKw zzOtLNZ%rgHu*ZS+QcgJqiAJn%mIIo9Fu}?+UbEY#uR zM=@t(cDA&Zg$-qw-=wdQbY5j6)4U$~Gl12^(d*s-@Xj~Rz&U1!X&F#=h=dE+%6Sl_ zwf9e!{4&Z0R&P7aQaTV;GO$M0k}fR!`IW|=Zg&Mmx>+$0zzFiPepm`vtL~|E;Jn8_>3-nU*oB;m1MsV$yofIS@CKF;n3* 
zud&Y@JwJu4&FYE-z3-Ni?O}1T6_RjxHMYpzTM2X|ovdK%Y#mb z&UZeW`lYs_mGXUNa~3YZQp&ZgoRfT|@HbxDoueB<49)M&hz z#L)WLw1_(BH`a!J8s*rym*RkwCUq(W!9mGL9Mazr5gLD=r2)E84eN!>V8OpDvBXzo zYeXi{hPHdhX16pQtmzj7va=$M59918LjBC}QVub@LA;2qpWFJP9%^C&^=lB&;9)nD zWypG1BrL@yu$Zq@ngfh!e%d-6O&ZrTC2&w(ZgAWwLkpJuH#>i0wxr&&;T9$A_*q=; zlf=?*xLeb}5DV=w4qj5xaaSBw(5kd_4wl5`5w0)y<|>@O4`<DZQ9BU)+qzAPYLu6zB_k63nZq*F{*V})+_0g7hgG=q%aq}T=+n^ z%*-vm`J-XCX#))7UJUQSu_$V+aA6-d%Mqo^%Du;;`yjrY?0_IA5{%UA^Mc-KVbd>l%GG3_xA}5 zqdTe7ORP>F2lnSC3(oYGg5OEx9(nam|Ty{dmhAx zXbnl`HOXX$FfW_4B>8z`ZnF2$by8YM{*2HPtqm9yKOnIx>)ih*WeMOXDm~2HKl28E zQRJIP^-yQ8K=f;Hse0;2jVUL56Gi!)wXK9>O4dH(hk@qN`nzKUA@mN5+i8l9DCbJc z39-T1r81VI1j(88-6-B$>(0GJ9qEMaWSVT!K1v`*uDlEYyXDEok{s!G&s zLQ!h6k%E%UiKY{(C z1VVe`2U+x2z)IKNKqXfzPclJzo>+OQB!0R#Y`q6MQxQwirZY-WEBKbW8^_|XYbR*D zWnPo5sWJ$MZo3W7UG4xp>tZA3!L!#3b+USf;u?cDY@3Li;>hx0@+#(KhJIooYAM5o zMW$$za>}I$qgJXf#g9R?z!}n`QGsrcAM2L*rDf49+?!{^V$pnyuzOkdqf>{_37OUD zo=FB<-jbRMe~hpwthea75ij$}-d*#mKOsn>nR>NAr>7y8Bm~}K?XZl(v%Exe zk|nq-E=DowccRfej>mLvk>#x_YF{GR`V*}p)I+jddbp`jo1?su zwaQA={z~L0vTk0*P!F{^hU3i`t*jjdA^^h7cH5ZYVxbf3ltaf;Zc*7fzi}Ry#fKKE z(JhWqpP>W0=Lp+$Mb5s|u&s$LsVMSw_Jqg-bsz&e{JH2I}uM$h_lOaWD$*iv{ z+Dk}rqPRS9&3e~jU*pBdC>1Uh6Q@5k?0iW=C)89hS9^s0?_ti~R)7rd7?^lmb#>We zWJ2h60)Kw)>14BCJFEO2#!Z`&Ym)7yf6Q((Yd#4njjpQal6WgznXolE!J<+DW(w~$ z_B4_4f{Nd(Jff+Us3bQ4OCYCKJy;x6B!$ub}g z`Q*2}8Pin;dC6wi;vtY{AK;nHO7r`oCQBz@3`(_;kgsb)wsvM=w|Q*fZF9bsFusH9 z7E0qj+m|}3#WKp|NaTj8Ew;Uk^;r`NVJYX%#Q%TXJ26R6N;a;w z;nY^i57{CdO^gpk+0p^ zUYNti)CDkGZgdz4$K4*8%AIk6h$!4EJk?pQyMq0Ra!0v}EahbK*<2ThpojQ|jZ#?qGJIm*CvFi25YIsXskJvW&wS3A4w~zNBEunSPefv6V&?XR6*e-rROUOQ zIK)P3Ypt8I={lzg1tbPZ6jwG%?RSy%6Y0f&p5l*4?ybjkOUH6#^q1!afsNBID^*&0 uzRRf=3|OwL)EeNs{eqRRi80cgt!(VAMYVX&Nt_w=AGT})y6-FnWdsJ8e7gYv literal 7184 zcmV+r9Pi_9+L*qof5~q_MEa)xA&#TAWWr7S>_3g+@FBE~FZ>gSi9O#U2B%8^WTCUP zJaF9$AABwrJ#R)uIwM`1WojFv%X0PsafMi3vZp+&3HEyugWxZxoSEhX!@b-8Nj6L} z9hed`tZ9ENrC2*!5M>&G)S&6!O8@G_BHLzCCG2x8h2y;l&Z|MLu 
z^XVqtb_ixMJbv77T{yeH4!$UmGv+z3yztFR#m)XWn1>o{0hXQ!c&s8SNWrVu!tTjQ z6W8=d(P`kfRdi5R%R*J8c4B@#Z(D;n0EQ)IYnMHw&~gesP@iG*#(MQmN=|JX%dAIO z52}6;j%fx!iSj=muUOz5r-R(8KOgoIU3To5C_@2PLFv>kY~>wqsPGPHH+?4y`wE^6 z9*C8alSPjQ@RMP2Y%;z33)#qx@C{Qd%F~K1i3+DYAy%pv4oq<$P-H1DgqPe(?DpWl zAv(o&8 z%jLI*be4(`*1Az_1 z7G^AuT-fC9=EU@7(uz7bT3NsCr$np4X88x==G4p|P-aUk6i6XR8-wqW1>o;y+Bq;_0a)uyWHRp4G1iS&RrTa3?5NYiid&2~%8DqzC zls@(jpki(~OUd95#Ns~ErHizuPUNU-BiQ1aS~3mx%Vs3^k!S{Xx5$y zIJ0$#;luvIn@Zu`f0qLnKl$-lAZoM7?IHihV+$O*HFbzEUknaE5^c0w6*w(UKuyE0 z&;+pbqtXVzc%*_ZnB27pmuUuhDRh-oh+x=Ak7gs|8!>!&a)WI&^_$o!Y4!_tr(FXU z@IODo3N7Sajd?Qz=h=&Ut*h~;bHyp-?-o!lQ&k7(B?fA9m+T>qAx)4Mf2y|LdIWo0kv9o(c2v3Z-aq_<-f zM3v&QGEuC%SRL)!Q7Ipu^H`_Rvw0OO+C|PsYc)!MFeY>|w}LU^B?lo%Kf_fEcoY!V zqa0`*Tr&c*nixGgH_Z%4>iSU}%=RzdRl-+N`S_}9%<{;ul#Jz*<^e5~{3KS#7c)KW z(y4^+)Oge&Ku(fdRHDzynWLHb+Gz$p*Qg zaOvr{I)60gP=x}HYvdP}`6HfdFbB;DGRC{xR+|K^Vs)h1nS3=HRn()(9v(@h3?&IW zL2u59w_Yd%t$fw`I$RcFFU;=+G@$7?y=*+r zR(jEuvw^+|x0ECZt1pPoGQTNglF}`>=Vr>WKySC2x<{LeeKVhusJ9CuwV<+S`!FNb zSeI0o<>_WixR5L`q5k#-upmjajez9XRT64x)RJX_xCL;~GfkQqkHq7&J4i?Sm*5Oc zT5l=Ev(mVPc%*~dj_GTlzgC2t5E5nUsyJzS9+9oUhJ7sU&lPa4+S=1ZO-a0MR^JZM z{6Ma30upasCqZ98Td{=?x4`cZ!5w^;nq1r98(DQb&!7opdlX&w_qlwFZ-chh-(A_zke7d_gPD&;Kjjft<*c?_G6A0O7 zVzAcY+@_X(*N9$fwo?Nnf#7iKn!Wr-^Ajm-S4;1Nq4_c*r@)=$&OA$5L~?(#?f#D2aC4 ztJec=1SUff%7$t`BX-%&#AU50+DwCU;&x>sDSN9%|6RTca)2M+CBw41EE)7~pI`_% z;vdchAlZo57S|xcCqGY%&_!rW@Z2MQasH*>Dl$+FM)Q?J7gI&7$1z|Qhvj~}?mBGC zNxOxsVYz-~k2}(e#2xL-H|8o)&xkQ6TuMlA^V+gjXqrqcpU$4c@n;EeV$ zOe<0Jkw?KDJ83~YOtf0xuc$d$3AceGv2Y#|NmDV=49qX`&MQCJ?tw&bdC_h~6iZm9 zG)UpngQ?M_xvAUH1-Bw*(p?(2g@dgTcBv@+t!|XETr75gDjpW<+4#xo;#d5I`UfPM zndgLk?Bb(9&7P?^{aqltnlQJnug30CFP5Wyh|z7DBhIRZ^-M}R?JUTcE{t4FnJ2QW zek<1`gYV)Ucs)|ARzeh8oZG;&v6so})$tX5b4}>14&!>Kt@GVgqu|)9i9E#M9KMSG z@p*E(^@r^Be;Ay9gKu^jPY~R_3b>7I3p~rAHeKpE5C9KCaSnU}2)xEk!lHDnDqKCv zYI;AlHegP^JDOGSS58p99s~7(z1@M7=z2{&_vCW$ixq+6ng1YbHPuJ%NJ%GIxavnFYdV(y?<_&mHKsi)yEbC_!yk!hXmGwhjXwi?#6!c$j+Y 
z9mx}K8EDs9W=7g-!2d-v*M(P+)b1KIzl?3xKo?e7Hem&tmL6vXEF@tn$_-o9*+%N? z5~FnCO|KsGYRAFsuAwPp#7KL;+A=!O5-w#MHW3k$ch9)d3pzNZ2s(f15eE#>1JTET z1D^eInFkagikb?2K=^bM)NbHgkM?fueCAlHcOJ&GHa9chxK9GbtH$c}83(8Bzn&H8 z@%z^SO0{6vmjkv|S7)HMa>?-37Itbh8?i}Coh#M~i*F&~t)&R#Jdc`EtIk872U3EH zVVO)Vn}#!|P@@v(A}Equo|3?gBODp=mp0+H86g+IyVzJlTO{Kw{AWDGXiLnG>R#W+ z44V;iHNOc9c9|3nMFI`G6W|~+Den5i45yRR-nw0RiE4iaJ!gzR6)X`?#GH;3;{;zGy^1qmPcbPIWUE zA#!6Z&v|rV*8V?(kYcYRnZ$N~Y%$t(s6cC&IuvR84v$ovjOL-nt|o%Iz5FT5q^~nA zbd!KyW>K5d^XZeloCjfVsB3R6z}7E6d^zqK%v2=amCR1kl;rrI<{)_wlxksfb?^e| zqTE!@t%)YKSMoOH21PZt<<=XZ@L|KcfQ4Lau?^_o^6)T6pIsw7P{(Pk{eWAmC;5Zg z6%P?bGOt5E(uCeh?w#dwT;8~Mt-);jR_VA7*IUE7xmmR$RimcgfVQQDYhNdg$7JxP zl)bmyR+^{5H&&4ti6tfES($0A@#kB%x1vBi=&W#;;g!l(J0!-6i+U3cg71JMe3Z3d z#q~VOHBzp;@wocE%!1D-)Czsth;?q*x3ZK%0Cm=Phl#rK{)=v&8ZM#t%~CoHv*D|H zFlSS}%boja#j&_`hhIxY+k{WN0ERz|DeV)(8q3&`62O*X0p-BmV8G#krvdpImMH}0M4U=mX}Kd1`O9~`0dvB}_rgySFzOoSN~0LZTHLFMEPy6p{ATn6;fp0Z-_eU}QL2WO6bFDhZzS570z zVQJg(YVc(&Uf!m5kxEGwkWN$(ZO4pazrKX1|B^St9NX8?pys6#epQPq*x?T2m!;iy zs#w2-n;bwi%Y&I^3qoS;nZXew&bBbWQd--9#!T{_75$r}r#2n*LY+Pq+{Efrk6PF} zy-8s~RCp8W+}$ZrNM7~X@a7`E+DojxV~37dwZH@_Sr?sK&fC1uFd><%n!K2gCz-#x zUOwguJhy%!sS#*z9^J`x0jP$hzMbk9bCF>rYMcAeD-bKKmDNJ1L3I{dXVjp88OTz0yAWI-gBAquFK1io+?KNavAIM7D`h%L^(fS?WGCT4^#25lqs}4 zGl)c?d_#BsIq}lEn-|MYch=han>VwpFlRYY0<2?2RVti;4WMQ)4=|EY*Znd) z59k~HlOM!s$6+*(2d+uMNKI;vhb)5{B7^h}qFB$ne&?-u016g?2(S2u z#p=>0vZxq!GdLG`mG0;k&+X|tJN48z{=tP9mu?j}Kq%R7>Q@zC<;hMqhWwymGxy)% z8}uRDF43Tu%b;cW39;k$Yq4MeB|n>l)~7%Fg64YiHCWK8b4>#pfCUK2sZAz&{No-+ zIcuemzsaYTkDdSK*N~V!-NqXj~5>FE;mDZ$-&0VeoZIwkFsO|vLl*HhYy+JC?f*^(% zS4T`yNTrKZ-_%zi!yOP4S*6Z)y=mVSp|sc;Td(gdzgH0U!6leii=XRWwawJ0#(#s0 zC0ZRPo&>c&wTN_INy5ON9oW?3d_nH!lX`4SwGulcpDwapMO~)u9hFCAKfG*DhD5ad z5GSFRM-TBB*aDb6ZPm3#d-rSm1|GrUs~$N2>GY*%X&axolExEGPn_o0Kii_HW{T)z zg;Wp|&ffF3-&X(Mub8{TWqtyQ$TY?Xg@I3#EY%?Mh4@v6m?D#BroQ#@(qHyfIWoi~ z*Gu4p$6~H*-Q;qxrl1Pm_cMJ*kc5*?qKe2TKZin3e+%1)Vcln12oC2s^gM|pmB60S z;pC>8oHMpW>3s*m?tMOj6FuN1xr 
zoq3SX`ir)txEFy)c~hMC2(QJ9)^M|~3|mbEMm~pyKe62Q2vce}_OC)mYv6KCLu6M; zZUPQBf!yc@jX<$_;-XZjd8yX1(<;6-j^qdcWBK`!Ja%>z9o{uBMN%qz+705f*}r_M zSTO$2y_q7-qialjCdLdQA~@Jtm&>aP!}x{S=57T~q~;h2aHYaACkkur3p~G_fRVII z^;;S|3NQvl2hmU;VJyKNvDB~y1W~*IAs??B80T;14n(sH;2I)H^tHW2PMqSP@;RV8 zMuS3T;UsS}oLM>KT&uk41zZPfHkLupQREk1@LkB*@30}BBNCEWs=`V~RU(nj)h#aq zyy8kzUC85W9_B=j{B~DU7@?7AFV-dHac=C_bu#*n{Sc{~T)=lmZh)g8Oo4Co@@3*K zgtx}yrrh{FtRo6+HoW~QpiUqRdBi7}x*q|AeueF|VK`39ExJnwLi4nm5JY)RD@zwy zddI;*(6PRkwTrL&AbzYLRv_bh1)ha)4qAEY1k=hL0ZH}-9h7YJ4n|-Wb81Qe{HFn$ z*-`nZB}8`C1Klxr|9sH+jx6yRu#-{>_pf=uv0rG_perrTp@_R9nfBSaqMTUO|6C>MM_BVQmc0LvE# zwxW9(RozY1*+PGQ82O;SVj5#1AxFMW=XkdPWmI{sAHQUHI!Yq|XmX(jyaaYRb?}KL zW_EYqb)9yORy0v9?jY)ZOuOkJ&pU2HY)300Vr~ogk5Kl5=TxIz&jy3UF#Z{(&@}93 zqKh0p1278!>;a}NqC_V?OIO0<`<|cpO~PEBD@GuE9Fw$BDr$r9)2^2)wkpuwy$A-7 zI3a*QPFwgF5oes0FQmuN0D5N8K#+^?lRka>PDis1feS(vu~5BRF&+FsU@PaJA@@wq zF|mkiU6`EJ8R)9uuR%t69%nX5<&KmV?3`wp3q)#4!6f03@(7X=sO zF10vl?u0=eb7q+CmMRn1l*be@mfJ{HQDy#)7PiP4er5UkBM>9EeYjVb?CAQmkw>&h zWI32X_UkdG=xvs=>5rN$NaMA9Uk_c-_|!IoHw(27)UqN2G&=42?daSynN`N0JP%40 zco0}Tedi->I_IXk5E9zxaw7DW4A8;Xq$6NWb~n6$q-}-s7`IiH)o!aFvLi!q&+e09 zqw`gj%y{I(rs8nZw=N~uQ4w#(c`6`_ZyOzW*Zo?rG(+sb4@py>07W05`CjFZoV<)JU?UGbfD-qNQ~?++tF z{ZCcklJO7Ey^`wh!&nz3ew;60m%J#S%b{7bi3Sk^v~UqEt1otJg}GPALlt$0cC{i4 z;(Y%Sn%AqiGzFQj-dk*2g1Vb&XItCl&#f56G6kDROh6g`1zvx&Zs*+E%2{}}qAWN4 zM0(Og4q@c0zN`|N{j!!wd zw*JT@0!v1bT8Vjf&FS(R1TGe1HE3cC2gihkJ4lktdPZDg?Yy$Yh!GWIKqXm@TuISU z%YahlEaYjEY=LN{|C-&ReQAq>vtT9+g{ zqjj~sTANh1hLlBhP@Xbf2wq3u?>7u$r|rYj?(7DtR0!VrA58iPfqXQiS&Ru!m1$pw zjcVIg%#kS1>uJ!Da~-}#l$>3GAqu&FOUeneXP#EYX@PF*1ldwTYG4es_tYO%MQAw( z{Th$FYQxr{l8dst3}Uud{`l=LVlmcGS%BEQpB~02BrU;G%&lshIFG`-7W^?Km5;oT2;IZ zi@d1Y;UvIu1p}#kX}nNHzsIOs5DSgJ%Uyhn2K!w#!YKXA0I`MiDRJcmw3n{@;={t@ zmOds3C_>jz$XF=Ne%y(+P9eEPK}8*|n}lC$@!uKfTup;)asQDTlxb^ma0pz-6L*A4 z;m2c0j6%!}Ac74|pb`E*!`yFyOQQqx$>@7xH*dMqp2Dx6uOj(`ieBObdt>H&YoJdJ z%&;~fkq5HqP$6>43~&SAWnZl%t_NA4IGrW(3?h_eCY*S7{h+YY>rM(8LcBZbAC9H~ 
z+cWD?0P5YwvKtTW9Uo#!Y)rzKJAUe(4s)_LUjE;f+l5#-K6P&OuEyc=tsV49UZ0Et z$i`5=_H{dyw7=f+0Ddfpxg?R6T`x%Z2iaoCx1FDh84eP7+Zpmfo1~-(RaimUMSHrW zcZ*hU|R+kcmTh(r6{yFo~=GD&m@Mk_88;Fr%Gy2i$1y>d0ue97$_t~M`S S?IxVO9V8eP)sn=d;AE$8efMSn diff --git a/.travis.yml b/.travis.yml index 40805750..5fc078e0 100644 --- a/.travis.yml +++ b/.travis.yml @@ -75,11 +75,10 @@ before_install: brew update; brew uninstall libtool; brew install libtool; - brew install gengetopt help2man cmocka ccache; + brew install gengetopt help2man cmocka ccache git-lfs; export PATH="/usr/local/opt/ccache/libexec:$PATH"; openssl aes-256-cbc -K $encrypted_3b9f0b9d36d1_key -iv $encrypted_3b9f0b9d36d1_iv -in .github/secrets.tar.enc -out .github/secrets.tar -d; .github/add_signing_key.sh; - export OTHER_CODE_SIGN_FLAGS=--timestamp CODE_SIGN_INJECT_BASE_ENTITLEMENTS=NO CODE_SIGN_STYLE=Manual; git clone https://github.com/frankmorgner/OpenSCToken.git; fi - if [ "${DO_SIMULATION}" = "javacard" ]; then diff --git a/MacOSX/OpenSC_Uninstaller.entitlements b/MacOSX/OpenSC_Uninstaller.entitlements new file mode 100644 index 00000000..548ce436 --- /dev/null +++ b/MacOSX/OpenSC_Uninstaller.entitlements @@ -0,0 +1,10 @@ + + + + + com.apple.security.app-sandbox + + com.apple.security.automation.apple-events + + + diff --git a/MacOSX/build-package.in b/MacOSX/build-package.in index c729dd8b..ed6125d1 100755 --- a/MacOSX/build-package.in +++ b/MacOSX/build-package.in 
@@ -19,13 +19,6 @@ SDK_PATH=$(xcrun --sdk macosx --show-sdk-path) # Set SDK path export CFLAGS="$CFLAGS -isysroot $SDK_PATH -arch x86_64" -# xcodebuild doesn't read the environment variables -# transform them into parameters -P1="${CODE_SIGN_IDENTITY:+CODE_SIGN_IDENTITY=${CODE_SIGN_IDENTITY}}" -P2="${OTHER_CODE_SIGN_FLAGS:+OTHER_CODE_SIGN_FLAGS=${OTHER_CODE_SIGN_FLAGS}}" -P3="${CODE_SIGN_INJECT_BASE_ENTITLEMENTS:+CODE_SIGN_INJECT_BASE_ENTITLEMENTS=${CODE_SIGN_INJECT_BASE_ENTITLEMENTS}}" -P4="${CODE_SIGN_STYLE:+CODE_SIGN_STYLE=${CODE_SIGN_STYLE}}" - export SED=/usr/bin/sed PREFIX=/Library/OpenSC export PKG_CONFIG_PATH=$PKG_CONFIG_PATH:/usr/lib/pkgconfig 
@@ -97,13 +90,17 @@ fi if ! test -e NotificationProxy; then git clone http://github.com/frankmorgner/NotificationProxy.git fi -if test -n "${CODE_SIGN_IDENTITY}"; then - xcodebuild -target NotificationProxy -configuration Release -project NotificationProxy/NotificationProxy.xcodeproj install DSTROOT=$BUILDPATH/target/Library/OpenSC/ "$P1" "$P2" "$P3" "$P4" +if test -n "${CODE_SIGN_IDENTITY}" -a -n "${DEVELOPMENT_TEAM}"; then + xcodebuild -target NotificationProxy -configuration Release -project NotificationProxy/NotificationProxy.xcodeproj install DSTROOT=$BUILDPATH/target/Library/OpenSC/ \ + CODE_SIGN_IDENTITY="${CODE_SIGN_IDENTITY}" DEVELOPMENT_TEAM="${DEVELOPMENT_TEAM}" OTHER_CODE_SIGN_FLAGS="--timestamp --options=runtime" CODE_SIGN_INJECT_BASE_ENTITLEMENTS=NO CODE_SIGN_STYLE=Manual else xcodebuild -target NotificationProxy -configuration Release -project NotificationProxy/NotificationProxy.xcodeproj install DSTROOT=$BUILDPATH/target/Library/OpenSC/ fi mkdir -p "$BUILDPATH/target/Applications/Utilities" osacompile -o "$BUILDPATH/target/Applications/Utilities/OpenSC Notify.app" "MacOSX/OpenSC_Notify.applescript" +if test -n "${CODE_SIGN_IDENTITY}"; then + codesign --force --sign "${CODE_SIGN_IDENTITY}" --entitlements MacOSX/OpenSC_Uninstaller.entitlements --deep --timestamp --options runtime "$BUILDPATH/target/Applications/Utilities/OpenSC Notify.app" +fi # Build OpenSC.tokend when XCode version < 10 
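Review bot: When `CODE_SIGN_IDENTITY` is set but `DEVELOPMENT_TEAM` is empty, the new `test -n ... -a -n ...` condition silently takes the unsigned `xcodebuild` branch, while the `codesign` steps added further down still run on `CODE_SIGN_IDENTITY` alone, so the build can yield a package in which NotificationProxy is unsigned and the rest is signed. Fail early instead, before the first `xcodebuild`: `if test -n "${CODE_SIGN_IDENTITY}" && test -z "${DEVELOPMENT_TEAM}"; then echo "DEVELOPMENT_TEAM is required when CODE_SIGN_IDENTITY is set" >&2; exit 1; fi`. The same condition is repeated in the OpenSC.tokend and OpenSCToken hunks (`@@ -117,8 +114,9 @@`, `@@ -150,7 +148,7 @@`), where the fallback is an unsigned tokend or the dummy token package. The `-a` operator of `test` is also marked obsolescent by POSIX; chaining two `test` calls with `&&` is the portable form.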
@@ -117,8 +114,9 @@ if (( $(xcodebuild -version | sed -En 's/Xcode[[:space:]]+([0-9]+)(\.[0-9]*)*/\1 test -L OpenSC.tokend/build/opensc-src || ln -sf ${BUILDPATH}/src OpenSC.tokend/build/opensc-src # Build and copy OpenSC.tokend - if test -n "${CODE_SIGN_IDENTITY}"; then - xcodebuild -target OpenSC -configuration Deployment -project OpenSC.tokend/Tokend.xcodeproj install DSTROOT=${BUILDPATH}/target_tokend "$P1" $P2 "$P3" "$P4" + if test -n "${CODE_SIGN_IDENTITY}" -a -n "${DEVELOPMENT_TEAM}"; then + xcodebuild -target OpenSC -configuration Deployment -project OpenSC.tokend/Tokend.xcodeproj install DSTROOT=${BUILDPATH}/target_tokend \ + CODE_SIGN_IDENTITY="${CODE_SIGN_IDENTITY}" DEVELOPMENT_TEAM="${DEVELOPMENT_TEAM}" OTHER_CODE_SIGN_FLAGS="--timestamp --options=runtime" CODE_SIGN_INJECT_BASE_ENTITLEMENTS=NO CODE_SIGN_STYLE=Manual else xcodebuild -target OpenSC -configuration Deployment -project OpenSC.tokend/Tokend.xcodeproj install DSTROOT=${BUILDPATH}/target_tokend fi @@ -150,7 +148,7 @@ cp src/tools/pkcs11-register.plist ${BUILDPATH}/target_startup/Library/LaunchAge cp src/tools/opensc-notify.plist ${BUILDPATH}/target_startup/Library/LaunchAgents # Build OpenSCToken if possible -if test -e OpenSCToken -a -n "${CODE_SIGN_IDENTITY}"; then +if test -e OpenSCToken -a -n "${CODE_SIGN_IDENTITY}" -a -n "${DEVELOPMENT_TEAM}"; then cd OpenSCToken # make sure OpenSCToken builds with the same dependencies as before if ! test -e OpenSC; then 
@@ -172,26 +170,44 @@ if test -e OpenSCToken -a -n "${CODE_SIGN_IDENTITY}"; then BP=${BUILDPATH} . ./bootstrap BUILDPATH=${BP} - xcodebuild -target OpenSCTokenApp -configuration Debug -project OpenSCTokenApp.xcodeproj install DSTROOT=${BUILDPATH}/target_token "$P1" "$P2" "$P3" "$P4" - mkdir ${BUILDPATH}/target_token/Applications/Utilities - mv ${BUILDPATH}/target_token/Applications/OpenSCTokenApp.app ${BUILDPATH}/target_token/Applications/Utilities + xcodebuild -target OpenSCTokenApp -configuration Debug -project OpenSCTokenApp.xcodeproj install DSTROOT=${BUILDPATH}/target_token \ + CODE_SIGN_IDENTITY="${CODE_SIGN_IDENTITY}" DEVELOPMENT_TEAM="${DEVELOPMENT_TEAM}" OTHER_CODE_SIGN_FLAGS="--timestamp --options=runtime" CODE_SIGN_INJECT_BASE_ENTITLEMENTS=NO CODE_SIGN_STYLE=Manual cd .. else # if no OpenSCToken is checked out, then we create a dummy package mkdir -p ${BUILDPATH}/target_token fi +if test -n "${CODE_SIGN_IDENTITY}"; then + for d in ${BUILDPATH}/target/Library/OpenSC/bin ${BUILDPATH}/target/Library/OpenSC/lib + do + # find executable files and run codesign on them + find ${d} -type f -perm +111 -print -exec \ + codesign --force --sign "${CODE_SIGN_IDENTITY}" --entitlements MacOSX/OpenSC_Uninstaller.entitlements --deep --timestamp --options runtime {} \; + done +fi + + # Build package -pkgbuild --root ${BUILDPATH}/target --scripts MacOSX/scripts --identifier org.opensc-project.mac --version @PACKAGE_VERSION@ --install-location / OpenSC.pkg -pkgbuild --root ${BUILDPATH}/target_tokend --identifier org.opensc-project.tokend --version @PACKAGE_VERSION@ --install-location / OpenSC-tokend.pkg -pkgbuild --root ${BUILDPATH}/target_token --identifier org.opensc-project.mac.opensctoken --version @PACKAGE_VERSION@ --install-location / OpenSCToken.pkg -pkgbuild --root ${BUILDPATH}/target_startup --identifier org.opensc-project.startup --version @PACKAGE_VERSION@ --install-location / OpenSC-startup.pkg +pkgbuild --root ${BUILDPATH}/target --component-plist 
MacOSX/target.plist --scripts MacOSX/scripts --identifier org.opensc-project.mac --version @PACKAGE_VERSION@ --install-location / OpenSC.pkg +pkgbuild --root ${BUILDPATH}/target_tokend --component-plist MacOSX/target_tokend.plist --identifier org.opensc-project.tokend --version @PACKAGE_VERSION@ --install-location / OpenSC-tokend.pkg +pkgbuild --root ${BUILDPATH}/target_token --component-plist MacOSX/target_token.plist --identifier org.opensc-project.mac.opensctoken --version @PACKAGE_VERSION@ --install-location / OpenSCToken.pkg +pkgbuild --root ${BUILDPATH}/target_startup --component-plist MacOSX/target_startup.plist --identifier org.opensc-project.startup --version @PACKAGE_VERSION@ --install-location / OpenSC-startup.pkg # Build product productbuild --distribution MacOSX/Distribution.xml --package-path . --resources MacOSX/resources "${imagedir}/OpenSC @PACKAGE_VERSION@.pkg" +# Sign installer +if test -n "${INSTALLER_SIGN_IDENTITY}"; then + productsign --sign "${INSTALLER_SIGN_IDENTITY}" "${imagedir}/OpenSC @PACKAGE_VERSION@.pkg" "${BUILDPATH}/OpenSC @PACKAGE_VERSION@.pkg" + mv "${BUILDPATH}/OpenSC @PACKAGE_VERSION@.pkg" "${imagedir}/OpenSC @PACKAGE_VERSION@.pkg" +fi + # Build "Uninstaller" osacompile -o "${imagedir}/OpenSC Uninstaller.app" "MacOSX/OpenSC_Uninstaller.applescript" +if test -n "${CODE_SIGN_IDENTITY}"; then + codesign --force --sign "${CODE_SIGN_IDENTITY}" --entitlements MacOSX/OpenSC_Uninstaller.entitlements --deep --timestamp --options runtime "${imagedir}/OpenSC Uninstaller.app" +fi # Create .dmg rm -f OpenSC-@PACKAGE_VERSION@.dmg 
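Review bot: The `find ... -exec codesign` loop signs every executable under `bin` and `lib` with `MacOSX/OpenSC_Uninstaller.entitlements` and `--deep`, so command-line tools and libraries receive the entitlements written for the uninstaller applet (the file added in this commit lists `com.apple.security.app-sandbox` and `com.apple.security.automation.apple-events`; their values are not readable on this page). With the hardened runtime each binary should carry only the entitlements it needs, and Apple's signing guidance advises against `--deep` when signing; if the tools do not need Apple Events, `codesign --force --sign "${CODE_SIGN_IDENTITY}" --timestamp --options runtime {} \;` or a separate minimal entitlements file would be the least-privilege form. The same entitlements file and `--deep` are applied to `OpenSC Notify.app` in the `@@ -97,13 +90,17 @@` hunk. In addition, `find -exec ... \;` does not propagate a failing `codesign` and the `productsign` result is not checked, so a `codesign --verify --strict` pass over the signed files and `pkgutil --check-signature` on the final package would catch an unsigned artifact before it is uploaded.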
@@ -205,3 +221,6 @@ do fi done rm -rf ${imagedir} + +#if [ "$TRAVIS_EVENT_TYPE" != "pull_request" ]; then xcrun altool --notarize-app --file $(pwd)/vorteil_darwin-x86.dmg --username $OSX_NOTARIZE_USERNAME --primary-bundle-id com.vorteil.cli -p $OSX_NOTARIZE_PW -- >> /dev/null; fi; +#if [ "$TRAVIS_EVENT_TYPE" != "pull_request" ]; then for ((i=1;i<=30;i+=1)); do xcrun stapler staple $(pwd)/vorteil_darwin-x86.dmg >> /dev/null; if [ $? = 65 ]; then echo "Waiting for notarization to complete..." && sleep 10; fi; done; fi; diff --git a/MacOSX/target.plist b/MacOSX/target.plist new file mode 100644 index 00000000..ef1b4b82 --- /dev/null +++ b/MacOSX/target.plist @@ -0,0 +1,18 @@ + + + + + + BundleHasStrictIdentifier + + BundleIsRelocatable + + BundleIsVersionChecked + + BundleOverwriteAction + upgrade + RootRelativeBundlePath + Library/OpenSC/Applications/NotificationProxy.app + + + diff --git a/MacOSX/target_startup.plist b/MacOSX/target_startup.plist new file mode 100644 index 00000000..5dd5da85 --- /dev/null +++ b/MacOSX/target_startup.plist @@ -0,0 +1,5 @@ + + + + + diff --git a/MacOSX/target_token.plist b/MacOSX/target_token.plist new file mode 100644 index 00000000..2c2aa16f --- /dev/null +++ b/MacOSX/target_token.plist @@ -0,0 +1,27 @@ + + + + + + BundleHasStrictIdentifier + + BundleIsRelocatable + + BundleIsVersionChecked + + BundleOverwriteAction + upgrade + ChildBundles + + + BundleOverwriteAction + + RootRelativeBundlePath + Applications/Utilities/OpenSCTokenApp.app/Contents/PlugIns/OpenSCToken.appex + + + RootRelativeBundlePath + Applications/Utilities/OpenSCTokenApp.app + + + diff --git a/MacOSX/target_tokend.plist b/MacOSX/target_tokend.plist new file mode 100644 index 00000000..5dd5da85 --- /dev/null +++ b/MacOSX/target_tokend.plist @@ -0,0 +1,5 @@ + + + + +
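Review bot: The two commented-out notarization lines appended after `rm -rf ${imagedir}` in build-package.in refer to another product (`vorteil_darwin-x86.dmg`, `com.vorteil.cli`) and do nothing here, so they read as a pasted placeholder, not as a description of how OpenSC is notarized; a short comment such as `# TODO: notarize and staple OpenSC-@PACKAGE_VERSION@.dmg in CI` would say the same without the foreign identifiers. If the lines are later enabled as written, `-p $OSX_NOTARIZE_PW` puts the password on the command line; altool accepts `-p @env:OSX_NOTARIZE_PW` or a `@keychain:` reference, which keeps it out of the process list and shell traces. The stapling loop also discards all output, never leaves the loop on success and reports no final failure, so a rejected notarization would go unnoticed.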