Remove get-task-allow entitlement when code-signing app extensions

Signed-off-by: Claudio Cambra <claudio.cambra@nextcloud.com>
2024-11-26 06:55:59 +03:00 · 2024-09-11 21:55:52 +08:00 · 2024-09-11 21:55:52 +08:00 · be7e3e7c19
commit be7e3e7c19
parent 355f5f9237
1 changed files with 22 additions and 0 deletions
--- a/admin/osx/mac-crafter/Sources/Utils/Codesign.swift
+++ b/admin/osx/mac-crafter/Sources/Utils/Codesign.swift
@ -86,4 +86,26 @@ func codesignClientAppBundle(

    print("Re-codesigning Sparkle library...")
    try codesign(identity: codeSignIdentity, path: "\(sparkleFrameworkPath)/Sparkle")
+
+    print("Code-signing app extensions (removing get-task-allow entitlements)...")
+    let fm = FileManager.default
+    let appExtensionPaths =
+        try fm.contentsOfDirectory(atPath: "\(clientContentsDir)/PlugIns").filter(isAppExtension)
+    for appExtension in appExtensionPaths {
+        let appExtensionPath = "\(clientContentsDir)/PlugIns/\(appExtension)"
+        let tmpEntitlementXmlPath =
+            fm.temporaryDirectory.appendingPathComponent(UUID().uuidString).path.appending(".xml")
+        try saveCodesignEntitlements(target: appExtensionPath, path: tmpEntitlementXmlPath)
+        // Strip the get-task-allow entitlement from the XML entitlements file
+        let xmlEntitlements = try String(contentsOfFile: tmpEntitlementXmlPath)
+        let entitlementKeyValuePair = "<key>com.apple.security.get-task-allow</key><true/>"
+        let strippedEntitlements =
+            xmlEntitlements.replacingOccurrences(of: entitlementKeyValuePair, with: "")
+        try strippedEntitlements.write(toFile: tmpEntitlementXmlPath,
+                                       atomically: true,
+                                       encoding: .utf8)
+        try codesign(identity: codeSignIdentity,
+                     path: appExtensionPath,
+                     options: "--timestamp --force --verbose=4 --options runtime --entitlements \(tmpEntitlementXmlPath)")
+    }
 }