feat: Add option to specify login helper entitlements file

README.md

@@ -162,6 +162,11 @@ See [default.entitlements.mas.plist](https://github.com/electron-userland/electr
 Path to child entitlements which inherit the security settings for signing frameworks and bundles of a distribution. *This option only applies when signing with entitlements.*
 See [default.entitlements.mas.inherit.plist](https://github.com/electron-userland/electron-osx-sign/blob/master/default.entitlements.mas.inherit.plist) or [default.entitlements.darwin.inherit.plist](https://github.com/electron-userland/electron-osx-sign/blob/master/default.entitlements.darwin.inherit.plist) with respect to your platform.
 
+`entitlements-loginhelper` - *String*
+
+Path to login helper entitlement file. When using App Sandbox, the inherited entitlement should not be used since this is a standalone executable. *This option only applies when signing with entitlements.*
+Default to the same entitlements file used for signing the app bundle.
+
 `gatekeeper-assess` - *Boolean*
 
 Flag to enable/disable Gatekeeper assessment after signing the app. Disabling it is useful for signing with self-signed certificates.

bin/electron-osx-sign-usage.txt

@@ -21,6 +21,10 @@ DESCRIPTION
     Path to child entitlements which inherit the security settings for signing frameworks and bundles of a distribution.
     This option only applies when signing with entitlements.
 
+  --entitlements-loginhelper=file
+    Path to login helper entitlement file. When using App Sandbox, the inherited entitlement should not be used since this is a standalone executable.
+    This option only applies when signing with entitlements.
+
   --gatekeeper-assess, --no-gatekeeper-assess
     Flag to enable/disable Gatekeeper assessment after signing the app. Disabling it is useful for signing with self-signed certificates.
     Gatekeeper assessment is enabled by default on ``darwin'' platform.

index.d.ts

@@ -10,6 +10,7 @@ declare module "electron-osx-sign" {
     binaries?: string[];
     entitlements?: string;
     'entitlements-inherit'?: string;
+    'entitlements-loginhelper'?: string;
     'gatekeeper-assess'?: boolean;
     hardenedRuntime?: boolean;
     'identity-validation'?: boolean;

sign.js

@@ -206,7 +206,13 @@ function signApplicationAsync (opts) {
             return
           }
           debuglog('Signing... ' + filePath)
-          return execFileAsync('codesign', args.concat('--entitlements', opts['entitlements-inherit'], filePath))
+
+          let entitlementsFile = opts['entitlements-inherit']
+          if (filePath.includes('Library/LoginItems')) {
+            entitlementsFile = opts['entitlements-loginhelper']
+          }
+
+          return execFileAsync('codesign', args.concat('--entitlements', entitlementsFile, filePath))
         })
           .then(function () {
             debuglog('Signing... ' + opts.app)
@@ -327,29 +333,31 @@ var signAsync = module.exports.signAsync = function (opts) {
         if (!opts['entitlements-inherit']) {
           filePath = path.join(__dirname, 'default.entitlements.mas.inherit.plist')
           debugwarn('No `entitlements-inherit` passed in arguments:', '\n',
-            '* Sandbox entitlements file for enclosing app files is default to:', filePath)
+            '* Sandbox entitlements file for enclosed app files is default to:', filePath)
           opts['entitlements-inherit'] = filePath
         }
+        // The default value for opts['entitlements-file'] will be processed later
       } else {
         // Not necessary to have entitlements for non Mac App Store distribution
         if (!opts.entitlements) {
           debugwarn('No `entitlements` passed in arguments:', '\n',
             '* Provide `entitlements` to specify entitlements file for codesign.')
         } else {
-          // If entitlements is provided as a flag, fallback to default
+          // If entitlements is provided as a boolean flag, fallback to default
           if (opts.entitlements === true) {
             filePath = path.join(__dirname, 'default.entitlements.darwin.plist')
             debugwarn('`entitlements` not specified in arguments:', '\n',
               '* Provide `entitlements` to specify entitlements file for codesign.', '\n',
-              '* Sandbox entitlements file for enclosing app files is default to:', filePath)
+              '* Entitlements file is default to:', filePath)
             opts.entitlements = filePath
           }
           if (!opts['entitlements-inherit']) {
             filePath = path.join(__dirname, 'default.entitlements.darwin.inherit.plist')
             debugwarn('No `entitlements-inherit` passed in arguments:', '\n',
-              '* Sandbox entitlements file for enclosing app files is default to:', filePath)
+              '* Entitlements file for enclosed app files is default to:', filePath)
             opts['entitlements-inherit'] = filePath
           }
+          // The default value for opts['entitlements-file'] will be processed later
         }
       }
     })
@@ -377,6 +385,20 @@ var signAsync = module.exports.signAsync = function (opts) {
         }
       }
 
+      // preAutoEntitlements may update opts.entitlements,
+      // so we wait after it's done before giving opts['entitlements-loginhelper'] its default value
+      preSignOperations.push(function (opts) {
+        if (opts.entitlements) {
+          if (!opts['entitlements-loginhelper']) {
+            // Default to App Sandbox enabled
+            const filePath = opts.entitlements
+            debugwarn('No `entitlements-loginhelper` passed in arguments:', '\n',
+              '* Entitlements file for login helper is default to:', filePath)
+            opts['entitlements-loginhelper'] = filePath
+          }
+        }
+      })
+
       return Promise.mapSeries(preSignOperations, function (preSignOperation) {
         return preSignOperation(opts)
       })
@@ -387,6 +409,7 @@ var signAsync = module.exports.signAsync = function (opts) {
         '> Platform:', opts.platform, '\n',
         '> Entitlements:', opts.entitlements, '\n',
         '> Child entitlements:', opts['entitlements-inherit'], '\n',
+        '> Login helper entitlements:', opts['entitlements-loginhelper'], '\n',
         '> Additional binaries:', opts.binaries, '\n',
         '> Identity:', opts.identity)
       return signApplicationAsync(opts)