From 10f714fb93c44d867470540bbd705562634b1ace Mon Sep 17 00:00:00 2001 From: Jose Pereira Date: Mon, 14 Oct 2019 21:23:20 -0700 Subject: [PATCH 1/4] Add option to specify login helper entitlement --- README.md | 6 ++++++ bin/electron-osx-sign-usage.txt | 4 ++++ index.d.ts | 1 + sign.js | 21 ++++++++++++++++++++- 4 files changed, 31 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 3dafe56..6a4fa14 100644 --- a/README.md +++ b/README.md @@ -162,6 +162,12 @@ See [default.entitlements.mas.plist](https://github.com/electron-userland/electr Path to child entitlements which inherit the security settings for signing frameworks and bundles of a distribution. *This option only applies when signing with entitlements.* See [default.entitlements.mas.inherit.plist](https://github.com/electron-userland/electron-osx-sign/blob/master/default.entitlements.mas.inherit.plist) or [default.entitlements.darwin.inherit.plist](https://github.com/electron-userland/electron-osx-sign/blob/master/default.entitlements.darwin.inherit.plist) with respect to your platform. +`entitlements-loginhelper` - *String* + +Path to login helper entitlement file. When using app sandboxing the inherited entitlement should not be used since this is a standalone executable. When not set, uses `entitlements-inherit` option. +*This option only applies when signing with entitlements.* +See [default.entitlements.mas.inherit.plist](https://github.com/electron-userland/electron-osx-sign/blob/master/default.entitlements.mas.inherit.plist) or [default.entitlements.darwin.inherit.plist](https://github.com/electron-userland/electron-osx-sign/blob/master/default.entitlements.darwin.inherit.plist) with respect to your platform. + `gatekeeper-assess` - *Boolean* Flag to enable/disable Gatekeeper assessment after signing the app. Disabling it is useful for signing with self-signed certificates. diff --git a/bin/electron-osx-sign-usage.txt b/bin/electron-osx-sign-usage.txt index fb47501..58ae61e 100644 
--- a/bin/electron-osx-sign-usage.txt +++ b/bin/electron-osx-sign-usage.txt @@ -21,6 +21,10 @@ DESCRIPTION Path to child entitlements which inherit the security settings for signing frameworks and bundles of a distribution. This option only applies when signing with entitlements. + --entitlements-loginhelper=file + Path to login helper entitlement file. When using app sandboxing the inherited entitlement should not be used since this is a standalone executable. When not set, uses `entitlements-inherit` option. + This option only applies when signing with entitlements. + --gatekeeper-assess, --no-gatekeeper-assess Flag to enable/disable Gatekeeper assessment after signing the app. Disabling it is useful for signing with self-signed certificates. Gatekeeper assessment is enabled by default on ``darwin'' platform. diff --git a/index.d.ts b/index.d.ts index dbb823d..d1b4ce1 100644 --- a/index.d.ts +++ b/index.d.ts @@ -10,6 +10,7 @@ declare module "electron-osx-sign" { binaries?: string[]; entitlements?: string; 'entitlements-inherit'?: string; + 'entitlements-loginhelper'?: string; 'gatekeeper-assess'?: boolean; hardenedRuntime?: boolean; 'identity-validation'?: boolean; diff --git a/sign.js b/sign.js index fe57a56..255d56b 100644 --- a/sign.js +++ b/sign.js @@ -206,7 +206,13 @@ function signApplicationAsync (opts) { return } debuglog('Signing... ' + filePath) - return execFileAsync('codesign', args.concat('--entitlements', opts['entitlements-inherit'], filePath)) + + let entitlementsFile = opts['entitlements-inherit']; + if (filePath.includes('Library/LoginItems')) { + entitlementsFile = opts['entitlements-loginhelper']; + } + + return execFileAsync('codesign', args.concat('--entitlements', entitlementsFile, filePath)) }) .then(function () { debuglog('Signing... ' + opts.app) 
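Review bot: The login-helper entitlements are chosen by `filePath.includes('Library/LoginItems')`, a substring test over the whole path, so any nested bundle, framework or extra binary whose path happens to contain that fragment is signed with `entitlements-loginhelper` instead of `entitlements-inherit` (and after PATCH 4/4 that value is the full app entitlements). Anchoring the test to the app's own login-items directory is tighter and just as cheap: `const loginItemsDir = path.join(opts.app, 'Contents', 'Library', 'LoginItems') + path.sep` followed by `const entitlementsFile = filePath.startsWith(loginItemsDir) ? opts['entitlements-loginhelper'] : opts['entitlements-inherit']`, assuming filePath is an absolute path below opts.app as the surrounding walk suggests (normalize both sides if that is not guaranteed). A one-line comment naming why login items get their own file (standalone executable, cannot use the inherit plist) would also help the next reader. signApplicationAsync's body starts and ends outside the hunk.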
@@ -330,6 +336,12 @@ var signAsync = module.exports.signAsync = function (opts) {
 '* Sandbox entitlements file for enclosing app files is default to:', filePath)
 opts['entitlements-inherit'] = filePath
 }
+ if (!opts['entitlements-loginhelper']) {
+ filePath = path.join(__dirname, 'default.entitlements.mas.inherit.plist')
+ debugwarn('No `entitlements-loginhelper` passed in arguments:', '\n',
+ '* Sandbox entitlements file for login helper is default to:', filePath)
+ opts['entitlements-loginhelper'] = filePath
+ }
 } else {
 // Not necessary to have entitlements for non Mac App Store distribution
 if (!opts.entitlements) {
@@ -350,6 +362,12 @@ var signAsync = module.exports.signAsync = function (opts) {
 '* Sandbox entitlements file for enclosing app files is default to:', filePath)
 opts['entitlements-inherit'] = filePath
 }
+ if (!opts['entitlements-loginhelper']) {
+ filePath = path.join(__dirname, 'default.entitlements.darwin.inherit.plist')
+ debugwarn('No `entitlements-loginhelper` passed in arguments:', '\n',
+ '* Sandbox entitlements file for enclosing app files is default to:', filePath)
+ opts['entitlements-loginhelper'] = filePath
+ }
 }
 }
 })
@@ -387,6 +405,7 @@ var signAsync = module.exports.signAsync = function (opts) {
 '> Platform:', opts.platform, '\n',
 '> Entitlements:', opts.entitlements, '\n',
 '> Child entitlements:', opts['entitlements-inherit'], '\n',
+ '> Login helper entitlement:', opts['entitlements-loginhelper'], '\n',
 '> Additional binaries:', opts.binaries, '\n',
 '> Identity:', opts.identity)
 return signApplicationAsync(opts)
From 1b64c5856287f54436ec5d57051770897e4095a1 Mon Sep 17 00:00:00 2001
From: Zhuo Lu
Date: Mon, 4 May 2020 00:43:09 -0700
Subject: [PATCH 2/4] fix: Use default mas entitlements for login helper

On both darwin and mas

---
 README.md | 5 ++---
 bin/electron-osx-sign-usage.txt | 2 +-
 sign.js | 16 +++++++++-------
 3 files changed, 12 insertions(+), 11 deletions(-)

diff --git a/README.md b/README.md
index 6a4fa14..3bc304f 100644
--- a/README.md +++ b/README.md @@ -164,9 +164,8 @@ See [default.entitlements.mas.inherit.plist](https://github.com/electron-userlan `entitlements-loginhelper` - *String* -Path to login helper entitlement file. When using app sandboxing the inherited entitlement should not be used since this is a standalone executable. When not set, uses `entitlements-inherit` option. -*This option only applies when signing with entitlements.* -See [default.entitlements.mas.inherit.plist](https://github.com/electron-userland/electron-osx-sign/blob/master/default.entitlements.mas.inherit.plist) or [default.entitlements.darwin.inherit.plist](https://github.com/electron-userland/electron-osx-sign/blob/master/default.entitlements.darwin.inherit.plist) with respect to your platform. +Path to login helper entitlement file. When using App Sandbox, the inherited entitlement should not be used since this is a standalone executable. *This option only applies when signing with entitlements.* +Default to [default.entitlements.mas.inherit.plist](https://github.com/electron-userland/electron-osx-sign/blob/master/default.entitlements.mas.inherit.plist). `gatekeeper-assess` - *Boolean* diff --git a/bin/electron-osx-sign-usage.txt b/bin/electron-osx-sign-usage.txt index 58ae61e..1d61018 100644 --- a/bin/electron-osx-sign-usage.txt +++ b/bin/electron-osx-sign-usage.txt @@ -22,7 +22,7 @@ DESCRIPTION This option only applies when signing with entitlements. --entitlements-loginhelper=file - Path to login helper entitlement file. When using app sandboxing the inherited entitlement should not be used since this is a standalone executable. When not set, uses `entitlements-inherit` option. + Path to login helper entitlement file. When using App Sandbox, the inherited entitlement should not be used since this is a standalone executable. This option only applies when signing with entitlements. --gatekeeper-assess, --no-gatekeeper-assess diff --git a/sign.js b/sign.js index 255d56b..9dabee5 100644 
--- a/sign.js
+++ b/sign.js
@@ -333,11 +333,12 @@ var signAsync = module.exports.signAsync = function (opts) {
 if (!opts['entitlements-inherit']) {
 filePath = path.join(__dirname, 'default.entitlements.mas.inherit.plist')
 debugwarn('No `entitlements-inherit` passed in arguments:', '\n',
- '* Sandbox entitlements file for enclosing app files is default to:', filePath)
+ '* Sandbox entitlements file for enclosed app files is default to:', filePath)
 opts['entitlements-inherit'] = filePath
 }
 if (!opts['entitlements-loginhelper']) {
- filePath = path.join(__dirname, 'default.entitlements.mas.inherit.plist')
+ // Default to App Sandbox enabled
+ filePath = path.join(__dirname, 'default.entitlements.mas.plist')
 debugwarn('No `entitlements-loginhelper` passed in arguments:', '\n',
 '* Sandbox entitlements file for login helper is default to:', filePath)
 opts['entitlements-loginhelper'] = filePath
@@ -348,24 +349,25 @@ var signAsync = module.exports.signAsync = function (opts) {
 debugwarn('No `entitlements` passed in arguments:', '\n',
 '* Provide `entitlements` to specify entitlements file for codesign.')
 } else {
- // If entitlements is provided as a flag, fallback to default
+ // If entitlements is provided as a boolean flag, fallback to default
 if (opts.entitlements === true) {
 filePath = path.join(__dirname, 'default.entitlements.darwin.plist')
 debugwarn('`entitlements` not specified in arguments:', '\n',
 '* Provide `entitlements` to specify entitlements file for codesign.', '\n',
- '* Sandbox entitlements file for enclosing app files is default to:', filePath)
+ '* Entitlements file is default to:', filePath)
 opts.entitlements = filePath
 }
 if (!opts['entitlements-inherit']) {
 filePath = path.join(__dirname, 'default.entitlements.darwin.inherit.plist')
 debugwarn('No `entitlements-inherit` passed in arguments:', '\n',
- '* Sandbox entitlements file for enclosing app files is default to:', filePath)
+ '* Entitlements file for enclosed app files is default to:', filePath)
 opts['entitlements-inherit'] = filePath
 }
 if (!opts['entitlements-loginhelper']) {
- filePath = path.join(__dirname, 'default.entitlements.darwin.inherit.plist')
+ // Default to App Sandbox enabled
+ filePath = path.join(__dirname, 'default.entitlements.mas.plist')
 debugwarn('No `entitlements-loginhelper` passed in arguments:', '\n',
- '* Sandbox entitlements file for enclosing app files is default to:', filePath)
+ '* Entitlements file for login helper is default to:', filePath)
 opts['entitlements-loginhelper'] = filePath
 }
 }
From 51ecaee03614815f827b3bae30ab4313befad34f Mon Sep 17 00:00:00 2001
From: Zhuo Lu
Date: Mon, 4 May 2020 00:47:19 -0700
Subject: [PATCH 3/4] fix: Style

---
 sign.js | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/sign.js b/sign.js
index 9dabee5..5eee7e9 100644
--- a/sign.js
+++ b/sign.js
@@ -207,9 +207,9 @@ function signApplicationAsync (opts) { } debuglog('Signing... ' + filePath) - let entitlementsFile = opts['entitlements-inherit']; + let entitlementsFile = opts['entitlements-inherit'] if (filePath.includes('Library/LoginItems')) { - entitlementsFile = opts['entitlements-loginhelper']; + entitlementsFile = opts['entitlements-loginhelper'] } return execFileAsync('codesign', args.concat('--entitlements', entitlementsFile, filePath)) From ef288c319b871fcca3988b4ce9246ce9266b524a Mon Sep 17 00:00:00 2001 From: Zhuo Lu Date: Mon, 8 Jun 2020 02:19:10 -0700 Subject: [PATCH 4/4] Update login helper entitlements default value --- README.md | 2 +- sign.js | 32 +++++++++++++++++--------------- 2 files changed, 18 insertions(+), 16 deletions(-) diff --git a/README.md b/README.md index 3bc304f..d8c2c30 100644 --- a/README.md +++ b/README.md @@ -165,7 +165,7 @@ See [default.entitlements.mas.inherit.plist](https://github.com/electron-userlan `entitlements-loginhelper` - *String* Path to login helper entitlement file. When using App Sandbox, the inherited entitlement should not be used since this is a standalone executable. *This option only applies when signing with entitlements.* -Default to [default.entitlements.mas.inherit.plist](https://github.com/electron-userland/electron-osx-sign/blob/master/default.entitlements.mas.inherit.plist). +Default to the same entitlements file used for signing the app bundle. `gatekeeper-assess` - *Boolean* diff --git a/sign.js b/sign.js index 5eee7e9..cf0c626 100644 --- a/sign.js +++ b/sign.js 
@@ -336,13 +336,7 @@ var signAsync = module.exports.signAsync = function (opts) {
 '* Sandbox entitlements file for enclosed app files is default to:', filePath)
 opts['entitlements-inherit'] = filePath
 }
- if (!opts['entitlements-loginhelper']) {
- // Default to App Sandbox enabled
- filePath = path.join(__dirname, 'default.entitlements.mas.plist')
- debugwarn('No `entitlements-loginhelper` passed in arguments:', '\n',
- '* Sandbox entitlements file for login helper is default to:', filePath)
- opts['entitlements-loginhelper'] = filePath
- }
+ // The default value for opts['entitlements-file'] will be processed later
 } else {
 // Not necessary to have entitlements for non Mac App Store distribution
 if (!opts.entitlements) {
@@ -363,13 +357,7 @@ var signAsync = module.exports.signAsync = function (opts) {
 '* Entitlements file for enclosed app files is default to:', filePath)
 opts['entitlements-inherit'] = filePath
 }
- if (!opts['entitlements-loginhelper']) {
- // Default to App Sandbox enabled
- filePath = path.join(__dirname, 'default.entitlements.mas.plist')
- debugwarn('No `entitlements-loginhelper` passed in arguments:', '\n',
- '* Entitlements file for login helper is default to:', filePath)
- opts['entitlements-loginhelper'] = filePath
- }
+ // The default value for opts['entitlements-file'] will be processed later
 }
 }
 })
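Review bot: The replacement comment in both hunks of this section names an option that does not exist, `opts['entitlements-file']`; the value whose defaulting is being deferred is `opts['entitlements-loginhelper']`, so a maintainer following the comment would look for a key nothing reads. Suggest `// The default for opts['entitlements-loginhelper'] is assigned after preAutoEntitlements has run` in the mas branch here and the same text in the darwin branch at @@ -363,13 +357,7 @@. signAsync's body starts and ends outside both hunks.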
@@ -397,6 +385,20 @@ var signAsync = module.exports.signAsync = function (opts) {
 }
 }
 
+ // preAutoEntitlements may update opts.entitlements,
+ // so we wait after it's done before giving opts['entitlements-loginhelper'] its default value
+ preSignOperations.push(function (opts) {
+ if (opts.entitlements) {
+ if (!opts['entitlements-loginhelper']) {
+ // Default to App Sandbox enabled
+ const filePath = opts.entitlements
+ debugwarn('No `entitlements-loginhelper` passed in arguments:', '\n',
+ '* Entitlements file for login helper is default to:', filePath)
+ opts['entitlements-loginhelper'] = filePath
+ }
+ }
+ })
+
 return Promise.mapSeries(preSignOperations, function (preSignOperation) {
 return preSignOperation(opts)
 })
@@ -407,7 +409,7 @@ var signAsync = module.exports.signAsync = function (opts) {
 '> Platform:', opts.platform, '\n',
 '> Entitlements:', opts.entitlements, '\n',
 '> Child entitlements:', opts['entitlements-inherit'], '\n',
- '> Login helper entitlement:', opts['entitlements-loginhelper'], '\n',
+ '> Login helper entitlements:', opts['entitlements-loginhelper'], '\n',
 '> Additional binaries:', opts.binaries, '\n',
 '> Identity:', opts.identity)
 return signApplicationAsync(opts)
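Review bot: Defaulting `entitlements-loginhelper` to `opts.entitlements` signs the login helper with the complete entitlement set of the main app, which is broader than a standalone helper normally needs; when a user supplies app-specific entitlements (keychain access groups, app groups, hardware access) those are silently extended to the helper as well. That is a workable default, but the comment `// Default to App Sandbox enabled` undersells it; suggest `// Default to the app's own entitlements file: the helper is a standalone executable and cannot use the inherit plist, but it then receives every entitlement of the app, so pass entitlements-loginhelper to narrow it`, plus a sentence in README's `entitlements-loginhelper` entry recommending a dedicated minimal file. The nested `if (opts.entitlements) { if (!opts['entitlements-loginhelper']) {` can collapse to `if (opts.entitlements && !opts['entitlements-loginhelper']) {`, and the leading comment reads better as "so we wait until it's done". signAsync's body starts and ends outside the hunk.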