feat(mac): add loginhelper entitlement option (#5023)

* Initial commit

Port of changes from electron/osx-sign#210, plus changes to macPackager

* Update logic in sign.js

packages/app-builder-lib/electron-osx-sign/index.d.ts

@@ -9,6 +9,7 @@ interface SignOptions extends BaseSignOptions {
   binaries?: string[];
   entitlements?: string;
   'entitlements-inherit'?: string;
+  'entitlements-loginhelper'?: string;
   'gatekeeper-assess'?: boolean;
   hardenedRuntime?: boolean;
   'identity-validation'?: boolean;

packages/app-builder-lib/electron-osx-sign/sign.js

@@ -206,7 +206,12 @@ function signApplicationAsync (opts) {
             continue
           }
           debuglog('Signing... ' + filePath)
-          await execFileAsync('codesign', args.concat('--entitlements', opts['entitlements-inherit'], filePath))
+          let entitlementsFile = opts['entitlements-inherit']
+          if (filePath.includes('Library/LoginItems')) {
+            entitlementsFile = opts['entitlements-loginhelper']
+          }
+
+          await execFileAsync('codesign', args.concat('--entitlements', entitlementsFile, filePath))
         }
         debuglog('Signing... ' + opts.app)
         await execFileAsync('codesign', args.concat('--entitlements', opts.entitlements, opts.app))
@@ -335,6 +340,12 @@ const signAsync = module.exports.signAsync = function (opts) {
           }
         }
       }
+      if (!opts['entitlements-loginhelper']) {
+        filePath = opts.entitlements
+        debugwarn('No `entitlements-loginhelper` passed in arguments:', '\n',
+          '* Sandbox entitlements file for login helper is default to:', filePath)
+        opts['entitlements-loginhelper'] = filePath
+      }
     })
     .then(async function () {
       // Pre-sign operations

packages/app-builder-lib/scheme.json

@@ -1982,6 +1982,13 @@
             "string"
           ]
         },
+        "entitlementsLoginHelper": {
+          "desciption": "Path to login helper entitlement file. When using App Sandbox, the the `com.apple.security.inherit` key that is normally in the inheritted entitlements cannot be inherited since the login helper is a standalone executable. Defaults to the value provided for `entitlements`.\n\nThis option only applies when signing with `entitlements` provided.",
+          "type": [
+            "null",
+            "string"
+          ]
+        },
         "extendInfo": {
           "description": "The extra entries for `Info.plist`."
         },
@@ -2522,6 +2529,13 @@
             "string"
           ]
         },
+        "entitlementsLoginHelper": {
+          "desciption": "Path to login helper entitlement file. When using App Sandbox, the the `com.apple.security.inherit` key that is normally in the inheritted entitlements cannot be inherited since the login helper is a standalone executable. Defaults to the value provided for `entitlements`.\n\nThis option only applies when signing with `entitlements` provided.",
+          "type": [
+            "null",
+            "string"
+          ]
+        },
         "extendInfo": {
           "description": "The extra entries for `Info.plist`."
         },
@@ -6102,4 +6116,4 @@
     }
   },
   "type": "object"
-}
+}

packages/app-builder-lib/src/macPackager.ts

@@ -252,6 +252,7 @@ export default class MacPackager extends PlatformPackager<MacConfiguration> {
     if (customSignOptions.provisioningProfile != null) {
       signOptions["provisioning-profile"] = customSignOptions.provisioningProfile
     }
+    signOptions['entitlements-loginhelper'] = customSignOptions.entitlementsLoginHelper
   }
 
   //noinspection JSMethodCanBeStatic

packages/app-builder-lib/src/options/macOptions.ts

@@ -43,6 +43,8 @@ export interface MacConfiguration extends PlatformSpecificBuildOptions {
    */
   readonly entitlementsInherit?: string | null
 
+  readonly entitlementsLoginHelper?: string | null
+
   /**
    * The path to the provisioning profile to use when signing, absolute or relative to the app root.
    */