diff --git a/packages/app-builder-lib/electron-osx-sign/index.d.ts b/packages/app-builder-lib/electron-osx-sign/index.d.ts
index 49e853de768..9988c64f681 100644
--- a/packages/app-builder-lib/electron-osx-sign/index.d.ts
+++ b/packages/app-builder-lib/electron-osx-sign/index.d.ts
@@ -9,6 +9,7 @@ interface SignOptions extends BaseSignOptions {
 binaries?: string[];
 entitlements?: string;
 'entitlements-inherit'?: string;
+ 'entitlements-loginhelper'?: string;
 'gatekeeper-assess'?: boolean;
 hardenedRuntime?: boolean;
 'identity-validation'?: boolean;
diff --git a/packages/app-builder-lib/electron-osx-sign/sign.js b/packages/app-builder-lib/electron-osx-sign/sign.js
index 87da4e57c77..adedad3ef85 100644
--- a/packages/app-builder-lib/electron-osx-sign/sign.js
+++ b/packages/app-builder-lib/electron-osx-sign/sign.js
@@ -206,7 +206,12 @@ function signApplicationAsync (opts) {
 continue
 }
 debuglog('Signing... ' + filePath)
- await execFileAsync('codesign', args.concat('--entitlements', opts['entitlements-inherit'], filePath))
+ let entitlementsFile = opts['entitlements-inherit']
+ if (filePath.includes('Library/LoginItems')) {
+ entitlementsFile = opts['entitlements-loginhelper']
+ }
+
+ await execFileAsync('codesign', args.concat('--entitlements', entitlementsFile, filePath))
 }
 debuglog('Signing... ' + opts.app)
 await execFileAsync('codesign', args.concat('--entitlements', opts.entitlements, opts.app))
@@ -335,6 +340,12 @@ const signAsync = module.exports.signAsync = function (opts) {
 }
 }
 }
+ if (!opts['entitlements-loginhelper']) {
+ filePath = opts.entitlements
+ debugwarn('No `entitlements-loginhelper` passed in arguments:', '\n',
+ '* Sandbox entitlements file for login helper is default to:', filePath)
+ opts['entitlements-loginhelper'] = filePath
+ }
 })
 .then(async function () {
 // Pre-sign operations
diff --git a/packages/app-builder-lib/scheme.json b/packages/app-builder-lib/scheme.json
index 6741837d37e..e30971023ef 100644
--- a/packages/app-builder-lib/scheme.json
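Review bot: The `filePath.includes('Library/LoginItems')` test in the signing loop matches that substring anywhere in the path, so the entitlements file chosen for a binary depends on where the build directory lives and not only on the bundle layout. If the walked paths are absolute (the loop head is outside the hunk), a build under a directory whose path contains `Library/LoginItems` would sign every nested binary with the login-helper entitlements, which default to the main app's set. Anchoring the check to the bundle avoids that, for example `if (path.relative(opts.app, filePath).startsWith('Contents/Library/LoginItems/')) {`, assuming `path` is already required in this file. The branch also covers every file nested inside the helper bundle, which deserves a one-line comment if that is intended.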
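Review bot: The fallback added to `signAsync` signs the login helper with the main app's `opts.entitlements`, so the helper receives every entitlement the app holds rather than the smaller set a standalone helper needs. The warning should say so directly, for example `'* Login helper will be signed with the main app entitlements:', filePath`, so the widening is visible in the build log. `filePath` is assigned here without a declaration in the hunk; it is presumably declared earlier in the callback, which starts outside the hunk. If `opts.entitlements` can be unset at this point, `entitlements-loginhelper` stays undefined and is later passed to codesign as an argument in `signApplicationAsync`, so that case is worth confirming.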
+++ b/packages/app-builder-lib/scheme.json @@ -1982,6 +1982,13 @@ "string" ] }, + "entitlementsLoginHelper": { + "desciption": "Path to login helper entitlement file. When using App Sandbox, the the `com.apple.security.inherit` key that is normally in the inheritted entitlements cannot be inherited since the login helper is a standalone executable. Defaults to the value provided for `entitlements`.\n\nThis option only applies when signing with `entitlements` provided.", + "type": [ + "null", + "string" + ] + }, "extendInfo": { "description": "The extra entries for `Info.plist`." }, @@ -2522,6 +2529,13 @@ "string" ] }, + "entitlementsLoginHelper": { + "desciption": "Path to login helper entitlement file. When using App Sandbox, the the `com.apple.security.inherit` key that is normally in the inheritted entitlements cannot be inherited since the login helper is a standalone executable. Defaults to the value provided for `entitlements`.\n\nThis option only applies when signing with `entitlements` provided.", + "type": [ + "null", + "string" + ] + }, "extendInfo": { "description": "The extra entries for `Info.plist`." }, @@ -6084,4 +6098,4 @@ } }, "type": "object" -} \ No newline at end of file +} diff --git a/packages/app-builder-lib/src/macPackager.ts b/packages/app-builder-lib/src/macPackager.ts index d88851fd7ba..2b37e58f943 100644 --- a/packages/app-builder-lib/src/macPackager.ts +++ b/packages/app-builder-lib/src/macPackager.ts @@ -252,6 +252,7 @@ export default class MacPackager extends PlatformPackager { if (customSignOptions.provisioningProfile != null) { signOptions["provisioning-profile"] = customSignOptions.provisioningProfile } + signOptions['entitlements-loginhelper'] = customSignOptions.entitlementsLoginHelper } //noinspection JSMethodCanBeStatic diff --git a/packages/app-builder-lib/src/options/macOptions.ts b/packages/app-builder-lib/src/options/macOptions.ts index e09edf2c9e2..428b4a9b430 100644 --- a/packages/app-builder-lib/src/options/macOptions.ts 
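Review bot: The new `entitlementsLoginHelper` property is documented under the key `"desciption"`, which is not a JSON Schema keyword, so validators and editors will show no help text for this option; it should read `"description"`. The same misspelling is repeated in the second hunk of this file (at -2522). The text also contains a doubled "the the" and the spelling "inheritted". If this schema is generated from the TypeScript option types, the correction belongs in a doc comment on the property in `macOptions.ts` rather than in this file.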
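Review bot: `signOptions['entitlements-loginhelper']` is assigned unconditionally in macPackager.ts, while the `provisioning-profile` assignment just above it is guarded by `!= null`, so a `null` or missing config value is written into the sign options. The fallback in sign.js treats falsy values as unset, so this works, but a matching guard keeps the two options consistent: `if (customSignOptions.entitlementsLoginHelper != null) {`. The new line also uses single quotes where the neighbouring assignment uses double quotes. The enclosing method starts outside the hunk.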
+++ b/packages/app-builder-lib/src/options/macOptions.ts @@ -43,6 +43,8 @@ export interface MacConfiguration extends PlatformSpecificBuildOptions { */ readonly entitlementsInherit?: string | null + readonly entitlementsLoginHelper?: string | null + /** * The path to the provisioning profile to use when signing, absolute or relative to the app root. */
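Review bot: `entitlementsLoginHelper` is added to `MacConfiguration` without a doc comment, while the options around it each carry one. Since the fallback signs the helper with the main app's entitlements, the default should be stated where users read the option, for example `/** Path to the login helper entitlements file. Defaults to the value provided for entitlements. */`. A second sentence explaining that a sandboxed login helper is a standalone executable and cannot use the `com.apple.security.inherit` key would carry over the rationale given in scheme.json. The interface body starts and ends outside the hunk.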