From 3be25045715b3743463b3b7910f19021cccfbbf2 Mon Sep 17 00:00:00 2001
From: Jack Armstrong
Date: Wed, 27 May 2020 17:42:29 -0700
Subject: [PATCH 1/2] Initial commit

Port of changes from https://github.com/electron/electron-osx-sign/pull/210, plus changes to macPackager
---
 .../app-builder-lib/electron-osx-sign/index.d.ts | 1 +
 .../app-builder-lib/electron-osx-sign/sign.js | 13 ++++++++++++-
 packages/app-builder-lib/scheme.json | 16 +++++++++++++++-
 packages/app-builder-lib/src/macPackager.ts | 1 +
 .../app-builder-lib/src/options/macOptions.ts | 2 ++
 5 files changed, 31 insertions(+), 2 deletions(-)

diff --git a/packages/app-builder-lib/electron-osx-sign/index.d.ts b/packages/app-builder-lib/electron-osx-sign/index.d.ts
index 49e853de768..9988c64f681 100644
--- a/packages/app-builder-lib/electron-osx-sign/index.d.ts
+++ b/packages/app-builder-lib/electron-osx-sign/index.d.ts
@@ -9,6 +9,7 @@ interface SignOptions extends BaseSignOptions {
 binaries?: string[];
 entitlements?: string;
 'entitlements-inherit'?: string;
+ 'entitlements-loginhelper'?: string;
 'gatekeeper-assess'?: boolean;
 hardenedRuntime?: boolean;
 'identity-validation'?: boolean;
diff --git a/packages/app-builder-lib/electron-osx-sign/sign.js b/packages/app-builder-lib/electron-osx-sign/sign.js
index 87da4e57c77..9e9a989aa32 100644
--- a/packages/app-builder-lib/electron-osx-sign/sign.js
+++ b/packages/app-builder-lib/electron-osx-sign/sign.js
@@ -206,7 +206,12 @@ function signApplicationAsync (opts) {
 continue
 }
 debuglog('Signing... ' + filePath)
- await execFileAsync('codesign', args.concat('--entitlements', opts['entitlements-inherit'], filePath))
+ let entitlementsFile = opts['entitlements-inherit']
+ if (filePath.includes('Library/LoginItems')) {
+ entitlementsFile = opts['entitlements-loginhelper']
+ }
+
+ return execFileAsync('codesign', args.concat('--entitlements', entitlementsFile, filePath))
 }
 debuglog('Signing... ' + opts.app)
 await execFileAsync('codesign', args.concat('--entitlements', opts.entitlements, opts.app))
@@ -335,6 +340,12 @@ const signAsync = module.exports.signAsync = function (opts) {
 }
 }
 }
+ if (!opts['entitlements-loginhelper']) {
+ filePath = opts.entitlements
+ debugwarn('No `entitlements-loginhelper` passed in arguments:', '\n',
+ '* Sandbox entitlements file for login helper is default to:', filePath)
+ opts['entitlements-loginhelper'] = filePath
+ }
 })
 .then(async function () {
 // Pre-sign operations
diff --git a/packages/app-builder-lib/scheme.json b/packages/app-builder-lib/scheme.json
index 6741837d37e..e30971023ef 100644
--- a/packages/app-builder-lib/scheme.json
+++ b/packages/app-builder-lib/scheme.json
@@ -1982,6 +1982,13 @@
 "string"
 ]
 },
+ "entitlementsLoginHelper": {
+ "desciption": "Path to login helper entitlement file. When using App Sandbox, the the `com.apple.security.inherit` key that is normally in the inheritted entitlements cannot be inherited since the login helper is a standalone executable. Defaults to the value provided for `entitlements`.\n\nThis option only applies when signing with `entitlements` provided.",
+ "type": [
+ "null",
+ "string"
+ ]
+ },
 "extendInfo": {
 "description": "The extra entries for `Info.plist`."
 },
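Review bot: The choice of `opts['entitlements-loginhelper']` hangs on `filePath.includes('Library/LoginItems')`, a plain substring test, so any nested binary whose path merely contains that text (for example inside a bundled framework or resource tree) would be signed with the login-helper entitlements instead of the inherit set. Matching the bundle-relative directory is tighter: `if (filePath.includes('/Contents/Library/LoginItems/')) {`. Because the file picked here decides what the signed executable is allowed to do, a short comment above the `if` saying why login items need their own file (they are standalone executables, so `com.apple.security.inherit` from the inherit file does not apply to them, as the schema text in this commit explains) would help the next reader. The loop and signApplicationAsync continue outside the hunk.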
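Review bot: The fallback in the added `if (!opts['entitlements-loginhelper'])` block hands the main application's entitlements file to the login helper, which is a wider grant than the `entitlements-inherit` file those binaries were signed with before this change, and the debugwarn only names the path, so a user reading the log will not notice the widening; something like `'* Login helper will be signed with the same entitlements as the main app:', filePath` says what actually happens. The phrase "is default to" also reads oddly and "defaults to" would match the rest of the message. `filePath` is assigned here without a declaration, so this relies on a `let filePath` earlier in the same `.then` callback, which starts before the hunk and is worth confirming.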
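Review bot: The new `entitlementsLoginHelper` entry spells its key `"desciption"`, so JSON-schema consumers (editor hints, generated option docs) will show no text for this option at all; it needs to be `"description": "Path to login helper entitlement file. …"`. The same misspelled key appears again in the hunk at `@@ -2522,6 +2529,13 @@`, and the text itself carries two typos, `the the` and `inheritted`. If this file is generated from the TypeScript option docs, the fix belongs in `macOptions.ts` and should be regenerated here rather than edited by hand.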
@@ -2522,6 +2529,13 @@
 "string"
 ]
 },
+ "entitlementsLoginHelper": {
+ "desciption": "Path to login helper entitlement file. When using App Sandbox, the the `com.apple.security.inherit` key that is normally in the inheritted entitlements cannot be inherited since the login helper is a standalone executable. Defaults to the value provided for `entitlements`.\n\nThis option only applies when signing with `entitlements` provided.",
+ "type": [
+ "null",
+ "string"
+ ]
+ },
 "extendInfo": {
 "description": "The extra entries for `Info.plist`."
 },
@@ -6084,4 +6098,4 @@
 }
 },
 "type": "object"
-}
\ No newline at end of file
+}
diff --git a/packages/app-builder-lib/src/macPackager.ts b/packages/app-builder-lib/src/macPackager.ts
index d88851fd7ba..2b37e58f943 100644
--- a/packages/app-builder-lib/src/macPackager.ts
+++ b/packages/app-builder-lib/src/macPackager.ts
@@ -252,6 +252,7 @@ export default class MacPackager extends PlatformPackager {
 if (customSignOptions.provisioningProfile != null) {
 signOptions["provisioning-profile"] = customSignOptions.provisioningProfile
 }
+ signOptions['entitlements-loginhelper'] = customSignOptions.entitlementsLoginHelper
 }
 //noinspection JSMethodCanBeStatic
diff --git a/packages/app-builder-lib/src/options/macOptions.ts b/packages/app-builder-lib/src/options/macOptions.ts
index e09edf2c9e2..428b4a9b430 100644
--- a/packages/app-builder-lib/src/options/macOptions.ts
+++ b/packages/app-builder-lib/src/options/macOptions.ts
@@ -43,6 +43,8 @@ export interface MacConfiguration extends PlatformSpecificBuildOptions {
 */
 readonly entitlementsInherit?: string | null
+ readonly entitlementsLoginHelper?: string | null
+
 /**
 * The path to the provisioning profile to use when signing, absolute or relative to the app root.
 */

From 3996e513b48d66a4a6617545a6976c0c26820b62 Mon Sep 17 00:00:00 2001
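Review bot: The added line passes `customSignOptions.entitlementsLoginHelper` to the signer unconditionally and verbatim, whereas the sibling `provisioningProfile` line directly above guards with `!= null`, and the other entitlement options in this file are documented as resolvable relative to the app root; a relative login-helper path would go straight to codesign unless it is resolved the same way somewhere above this hunk (the method starts and ends outside it), which is worth checking. Guarding like the neighbour keeps the `null`/`undefined` handling in one place: `if (customSignOptions.entitlementsLoginHelper != null) { signOptions["entitlements-loginhelper"] = customSignOptions.entitlementsLoginHelper }`. The single-quoted key also differs from the double-quoted `"provisioning-profile"` on the preceding line.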
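Review bot: `entitlementsLoginHelper` is the only property in this hunk without a JSDoc block, while `entitlementsInherit` above and the provisioning-profile property below each carry one, so users reading the typed configuration get no hint of what the option does or when it applies. The description this commit adds to scheme.json belongs here as a `/** … */` block: the path to the login helper entitlement file, why `com.apple.security.inherit` cannot be used for a standalone executable, that it defaults to `entitlements`, and that it only applies when `entitlements` is provided, with the `the the` and `inheritted` typos fixed. Saying whether the path is absolute or relative to the app root, as the neighbouring comment does, would remove a real ambiguity for the caller.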
From: Jack Armstrong
Date: Mon, 1 Jun 2020 12:05:43 -0700
Subject: [PATCH 2/2] Update logic in sign.js

---
 packages/app-builder-lib/electron-osx-sign/sign.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/packages/app-builder-lib/electron-osx-sign/sign.js b/packages/app-builder-lib/electron-osx-sign/sign.js
index 9e9a989aa32..adedad3ef85 100644
--- a/packages/app-builder-lib/electron-osx-sign/sign.js
+++ b/packages/app-builder-lib/electron-osx-sign/sign.js
@@ -211,7 +211,7 @@ function signApplicationAsync (opts) {
 entitlementsFile = opts['entitlements-loginhelper']
 }
- return execFileAsync('codesign', args.concat('--entitlements', entitlementsFile, filePath))
+ await execFileAsync('codesign', args.concat('--entitlements', entitlementsFile, filePath))
 }
 debuglog('Signing... ' + opts.app)
 await execFileAsync('codesign', args.concat('--entitlements', opts.entitlements, opts.app))