feat: Add option to specify login helper entitlements file #210
Conversation
|
I can confirm this is an issue if you are trying to get a MAS app to start at login. @oNaiPs the fix you propose works (I am currently applying it with electron-osx-sign+0.4.15.patch.zip I think you have some linting issues (semicolons etc) from looking at the circleci failing build. |
|
I'll can get this merged if the checks are passing 😸 Also I think it may be better to default the login helper entitlements to the |
|
@sethlu correct, the login helper should only have the sandbox entitlement to work correctly. If we add inherit (or anything else) - it breaks. With that in mind, I am wondering whether it is overkill to provide a custom plist for login helper entitlements to fix this. Instead we could just change |
|
@greenimpala I agree that it may be a better approach to default to I've pushed some changes to this branch following this approach. |
sign.js
Outdated
| opts['entitlements-inherit'] = filePath | ||
| } | ||
| if (!opts['entitlements-loginhelper']) { | ||
| // Default to App Sandbox enabled | ||
| filePath = path.join(__dirname, 'default.entitlements.mas.plist') |
There was a problem hiding this comment.
Should we keep current behavior here and sign non-mas builds with the empty default.entitlements.darwin.inherit.plist? We know this is currently working and I wouldn't like to assume adding sandbox will be harmless.
There was a problem hiding this comment.
That's a good point 🤔
Since the apps that are not going to be shipped on the Mac App Store can still be sandboxed, we may need to take into consideration too if app sandbox is enabled for the Electron app and then selectively apply sandbox for the login helper by default too?
If users aren't enabling app sandbox on their Electron apps for distribution outside the Mac App Store we can fallback to empty entitlements?
There was a problem hiding this comment.
Isn't that then up to the user to provide a custom entitlements-loginhelper? If they are sandboxing their app then they must have already passed entitlements or entitlements-inherit and be familiar with the custom plist API.
[Edit] Or at this point sign with opts.entitlements. Which would either be a custom plist or the empty default.entitlements.darwin.plist.
There was a problem hiding this comment.
That sounds like a good idea 👌
So it'll either be the same entitlements to sign the app bundle or a specifically specified entitlements for the login helper.
|
Hey @sethlu, if I understand this thread correctly the only change before this is ready to merge is Do you know approximately when you can make that change? I'm eager to have launching on startup work for the Mac store, and also pipe this functionality through to electron-builder as well. |
Port of changes from electron/osx-sign#210, plus changes to macPackager
|
@greenimpala @jack-arms Sorry about the delay! I've pushed some changes to delay assigning the default value for If you have some time to give it a try that'll be awesome 🙌 |
|
@sethlu Tried the branch and the behavior is working as expected:
Perhaps one more addition — if |
|
@greenimpala can you double check if you're running the latest from this branch? For MAS the following is the current expected behavior:
I think your last paragraph is similar to what we discussed in #210 (comment)? |
|
Tested again ( Without any entitlements it signed with the auto-modified |
|
@greenimpala great, I’m merging this now! Will publish a new release on npm tomorrow 😀 |
sethlu
changed the title
|
@greenimpala Release 0.4.17 is available now 🚀 |
|
Great job @sethlu! 🎉 |
* Initial commit Port of changes from electron/osx-sign#210, plus changes to macPackager * Update logic in sign.js
When signing the electron app for App Store, the Login Helper is signed child inherited entitlements. Since the Login Helper is a standalone executable, it crashes on because it shouldn't have the
com.apple.security.inherit.This PR adds an option to specify a custom entitlement file for the login helper.