From 32ace9173e8298b270fbf7c883bd327a5d298fce Mon Sep 17 00:00:00 2001 From: Alexey Tsvetkov <654232+AlexeyTsvetkov@users.noreply.github.com> Date: Tue, 4 Apr 2023 18:09:04 +0300 Subject: [PATCH] Provide some entitlements on macOS by default (#2974) Also, this change configures entitlements for local ad hoc signs on Apple Silicon Fixes #2867 Partial fix of #2887 --- .../desktop/application/internal/MacSigner.kt | 8 +++++++- .../internal/configureJvmApplication.kt | 20 ++++++++++++------- ...kDefaultComposeApplicationResourcesTask.kt | 3 +++ .../main/resources/default-entitlements.plist | 12 +++++++++++ 4 files changed, 35 insertions(+), 8 deletions(-) create mode 100644 gradle-plugins/compose/src/main/resources/default-entitlements.plist diff --git a/gradle-plugins/compose/src/main/kotlin/org/jetbrains/compose/desktop/application/internal/MacSigner.kt b/gradle-plugins/compose/src/main/kotlin/org/jetbrains/compose/desktop/application/internal/MacSigner.kt index eb642f5a2a6..778d5436bc9 100644 --- a/gradle-plugins/compose/src/main/kotlin/org/jetbrains/compose/desktop/application/internal/MacSigner.kt +++ b/gradle-plugins/compose/src/main/kotlin/org/jetbrains/compose/desktop/application/internal/MacSigner.kt @@ -38,7 +38,13 @@ internal class NoCertificateSigner(runTool: ExternalToolRunner) : MacSigner(runT // Apple Silicon requires binaries to be signed // For local builds, ad hoc signatures are OK // https://wiki.lazarus.freepascal.org/Code_Signing_for_macOS - runTool.codesign("--sign", "-", "-vvvv", file.absolutePath) + val args = arrayListOf("-vvvv", "--sign", "-", "--options", "runtime", "--force") + entitlements?.let { + args.add("--entitlements") + args.add(entitlements.absolutePath) + } + args.add(file.absolutePath) + runTool.codesign(*args.toTypedArray()) } } 
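Review bot: The new ad hoc `codesign` call in `NoCertificateSigner` adds `--options runtime` and `--force` without saying why, while the existing comment above it only explains the ad hoc identity `-`. A short comment would let the next reader judge the flags, for example `// --options runtime: enable the hardened runtime, which the com.apple.security.cs.* entitlements are exceptions to` and `// --force: replace a signature the file may already carry`. Inside `entitlements?.let { … }` the lambda ignores `it` and reads the outer `entitlements` again; `entitlements?.let { args += listOf("--entitlements", it.absolutePath) }` says the same thing more directly. The enclosing function starts outside the hunk, so where `entitlements` is declared is not visible here.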
diff --git a/gradle-plugins/compose/src/main/kotlin/org/jetbrains/compose/desktop/application/internal/configureJvmApplication.kt b/gradle-plugins/compose/src/main/kotlin/org/jetbrains/compose/desktop/application/internal/configureJvmApplication.kt index 0fa5ae2810b..e248b01fcd5 100644 --- a/gradle-plugins/compose/src/main/kotlin/org/jetbrains/compose/desktop/application/internal/configureJvmApplication.kt +++ b/gradle-plugins/compose/src/main/kotlin/org/jetbrains/compose/desktop/application/internal/configureJvmApplication.kt @@ -349,11 +349,16 @@ internal fun JvmApplicationContext.configureCommonNotarizationSettings( notarizationTask.nonValidatedNotarizationSettings = app.nativeDistributions.macOS.notarization } +private fun TaskProvider.get( + fn: AbstractUnpackDefaultComposeApplicationResourcesTask.DefaultResourcesProvider.() -> Provider +) = flatMap { fn(it.resources) } + internal fun JvmApplicationContext.configurePlatformSettings( packageTask: AbstractJPackageTask, - unpackDefaultResources: TaskProvider + defaultResources: TaskProvider ) { - packageTask.dependsOn(unpackDefaultResources) + packageTask.dependsOn(defaultResources) + when (currentOS) { OS.Linux -> { app.nativeDistributions.linux.also { linux -> @@ -364,7 +369,7 @@ internal fun JvmApplicationContext.configurePlatformSettings( packageTask.linuxMenuGroup.set(provider { linux.menuGroup }) packageTask.linuxPackageName.set(provider { linux.packageName }) packageTask.linuxRpmLicenseType.set(provider { linux.rpmLicenseType }) - packageTask.iconFile.set(linux.iconFile.orElse(unpackDefaultResources.flatMap { it.resources.linuxIcon })) + packageTask.iconFile.set(linux.iconFile.orElse(defaultResources.get { linuxIcon })) packageTask.installationPath.set(linux.installationPath) } } 
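Review bot: The private extension `TaskProvider.get(fn)` added at the top of this hunk shares its name with Gradle's `Provider.get()`, which resolves the value eagerly, whereas this one returns a lazy `flatMap` provider. Call sites such as `defaultResources.get { linuxIcon }` therefore read like an eager lookup at configuration time. A distinct name with an explicit return type would keep the two apart, for example `private fun TaskProvider<…>.resource(fn: …) = flatMap { fn(it.resources) }`; the type arguments are not visible in this rendering of the patch, so they are elided here. `configurePlatformSettings` continues past the end of this hunk.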
@@ -377,7 +382,7 @@ internal fun JvmApplicationContext.configurePlatformSettings( packageTask.winMenu.set(provider { win.menu }) packageTask.winMenuGroup.set(provider { win.menuGroup }) packageTask.winUpgradeUuid.set(provider { win.upgradeUuid }) - packageTask.iconFile.set(win.iconFile.orElse(unpackDefaultResources.flatMap { it.resources.windowsIcon })) + packageTask.iconFile.set(win.iconFile.orElse(defaultResources.get { windowsIcon })) packageTask.installationPath.set(win.installationPath) } } @@ -393,15 +398,16 @@ internal fun JvmApplicationContext.configurePlatformSettings( ) packageTask.macAppStore.set(mac.appStore) packageTask.macAppCategory.set(mac.appCategory) - packageTask.macEntitlementsFile.set(mac.entitlementsFile) - packageTask.macRuntimeEntitlementsFile.set(mac.runtimeEntitlementsFile) + val defaultEntitlements = defaultResources.get { defaultEntitlements } + packageTask.macEntitlementsFile.set(mac.entitlementsFile.orElse(defaultEntitlements)) + packageTask.macRuntimeEntitlementsFile.set(mac.runtimeEntitlementsFile.orElse(defaultEntitlements)) packageTask.packageBuildVersion.set(packageBuildVersionFor(packageTask.targetFormat)) packageTask.nonValidatedMacBundleID.set(provider { mac.bundleID }) packageTask.macProvisioningProfile.set(mac.provisioningProfile) packageTask.macRuntimeProvisioningProfile.set(mac.runtimeProvisioningProfile) packageTask.macExtraPlistKeysRawXml.set(provider { mac.infoPlistSettings.extraKeysRawXml }) packageTask.nonValidatedMacSigningSettings = app.nativeDistributions.macOS.signing - packageTask.iconFile.set(mac.iconFile.orElse(unpackDefaultResources.flatMap { it.resources.macIcon })) + packageTask.iconFile.set(mac.iconFile.orElse(defaultResources.get { macIcon })) packageTask.installationPath.set(mac.installationPath) } } 
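Review bot: In the macOS branch, `mac.entitlementsFile.orElse(defaultEntitlements)` and the matching line for `macRuntimeEntitlementsFile` apply the bundled plist to every macOS package that does not set its own file. Nothing in this hunk limits the fallback to local ad hoc builds, so it also covers builds signed with a real certificate and builds with `mac.appStore` set. The plist added later in this patch requests `com.apple.security.cs.disable-library-validation` and `com.apple.security.cs.allow-unsigned-executable-memory`, which relax hardened-runtime protections, so release artifacts pick them up without any visible opt-in. A comment at the fallback would make that explicit, for example `// Falls back to default-entitlements.plist (JIT, unsigned executable memory, no library validation) when the user sets none; this also applies to signed release builds`. The DSL documentation should also state that setting `entitlementsFile` replaces the default rather than merging with it. Whether the default suits sandboxed App Store builds cannot be judged from this hunk and is worth checking.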
diff --git a/gradle-plugins/compose/src/main/kotlin/org/jetbrains/compose/desktop/tasks/AbstractUnpackDefaultComposeApplicationResourcesTask.kt b/gradle-plugins/compose/src/main/kotlin/org/jetbrains/compose/desktop/tasks/AbstractUnpackDefaultComposeApplicationResourcesTask.kt index 18677f378a5..ac8c0881ea3 100644 --- a/gradle-plugins/compose/src/main/kotlin/org/jetbrains/compose/desktop/tasks/AbstractUnpackDefaultComposeApplicationResourcesTask.kt +++ b/gradle-plugins/compose/src/main/kotlin/org/jetbrains/compose/desktop/tasks/AbstractUnpackDefaultComposeApplicationResourcesTask.kt @@ -17,6 +17,7 @@ import org.jetbrains.compose.internal.utils.clearDirs import org.jetbrains.compose.internal.utils.ioFile private const val DEFAULT_COMPOSE_PROGUARD_RULES_FILE_NAME = "default-compose-desktop-rules.pro" +private const val DEFAULT_ENTITLEMENTS_FILE_NAME = "default-entitlements.plist" abstract class AbstractUnpackDefaultComposeApplicationResourcesTask : AbstractComposeDesktopTask() { internal class DefaultResourcesProvider(resourcesRootDir: Provider) { @@ -24,6 +25,7 @@ abstract class AbstractUnpackDefaultComposeApplicationResourcesTask : AbstractCo val windowsIcon: Provider = resourcesRootDir.map { it.file("default-icon-windows.ico") } val linuxIcon: Provider = resourcesRootDir.map { it.file("default-icon-linux.png") } val defaultComposeProguardRules: Provider = resourcesRootDir.map { it.file(DEFAULT_COMPOSE_PROGUARD_RULES_FILE_NAME) } + val defaultEntitlements: Provider = resourcesRootDir.map { it.file(DEFAULT_ENTITLEMENTS_FILE_NAME) } } @OutputDirectory 
@@ -42,6 +44,7 @@ abstract class AbstractUnpackDefaultComposeApplicationResourcesTask : AbstractCo unpack(iconSourcePath("windows", "ico"), resources.windowsIcon) unpack(iconSourcePath("linux", "png"), resources.linuxIcon) unpack(DEFAULT_COMPOSE_PROGUARD_RULES_FILE_NAME, resources.defaultComposeProguardRules) + unpack(DEFAULT_ENTITLEMENTS_FILE_NAME, resources.defaultEntitlements) } private fun iconSourcePath(platformName: String, iconExt: String): String = diff --git a/gradle-plugins/compose/src/main/resources/default-entitlements.plist b/gradle-plugins/compose/src/main/resources/default-entitlements.plist new file mode 100644 index 00000000000..9e24f8edd75 --- /dev/null +++ b/gradle-plugins/compose/src/main/resources/default-entitlements.plist @@ -0,0 +1,12 @@ + + + + + com.apple.security.cs.allow-jit + + com.apple.security.cs.allow-unsigned-executable-memory + + com.apple.security.cs.disable-library-validation + + + \ No newline at end of file
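Review bot: The new `default-entitlements.plist` lists three hardened-runtime exceptions with no comment saying which component needs each one. `com.apple.security.cs.disable-library-validation` is the broadest, since it lets the process load libraries that are not signed by Apple or by the app's own team, and `allow-unsigned-executable-memory` overlaps with the narrower `allow-jit`; which of them the bundled JVM really requires presumably depends on the JDK version. An XML comment per key, for example `<!-- needed by the JVM JIT compiler -->` above `com.apple.security.cs.allow-jit`, would let users who copy this file as a starting point drop what they do not need. The plist markup is not visible in this rendering, so the key values are assumed to be `true`. The file also ends without a trailing newline.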