From be7e3e7c19967d42dc3aba6ff7e150c07881fa27 Mon Sep 17 00:00:00 2001
From: Claudio Cambra
Date: Wed, 11 Sep 2024 21:55:52 +0800
Subject: [PATCH] Remove get-task-allow entitlement when code-signing app extensions
Signed-off-by: Claudio Cambra
---
 .../mac-crafter/Sources/Utils/Codesign.swift | 22 +++++++++++++++++++
 1 file changed, 22 insertions(+)
diff --git a/admin/osx/mac-crafter/Sources/Utils/Codesign.swift b/admin/osx/mac-crafter/Sources/Utils/Codesign.swift
index 61dfe1237..c4c985b65 100644
--- a/admin/osx/mac-crafter/Sources/Utils/Codesign.swift
+++ b/admin/osx/mac-crafter/Sources/Utils/Codesign.swift
@@ -86,4 +86,26 @@ func codesignClientAppBundle(
 print("Re-codesigning Sparkle library...")
 try codesign(identity: codeSignIdentity, path: "\(sparkleFrameworkPath)/Sparkle")
+
+ print("Code-signing app extensions (removing get-task-allow entitlements)...")
+ let fm = FileManager.default
+ let appExtensionPaths =
+ try fm.contentsOfDirectory(atPath: "\(clientContentsDir)/PlugIns").filter(isAppExtension)
+ for appExtension in appExtensionPaths {
+ let appExtensionPath = "\(clientContentsDir)/PlugIns/\(appExtension)"
+ let tmpEntitlementXmlPath =
+ fm.temporaryDirectory.appendingPathComponent(UUID().uuidString).path.appending(".xml")
+ try saveCodesignEntitlements(target: appExtensionPath, path: tmpEntitlementXmlPath)
+ // Strip the get-task-allow entitlement from the XML entitlements file
+ let xmlEntitlements = try String(contentsOfFile: tmpEntitlementXmlPath)
+ let entitlementKeyValuePair = "com.apple.security.get-task-allow"
+ let strippedEntitlements =
+ xmlEntitlements.replacingOccurrences(of: entitlementKeyValuePair, with: "")
+ try strippedEntitlements.write(toFile: tmpEntitlementXmlPath,
+ atomically: true,
+ encoding: .utf8)
+ try codesign(identity: codeSignIdentity,
+ path: appExtensionPath,
+ options: "--timestamp --force --verbose=4 --options runtime --entitlements \(tmpEntitlementXmlPath)")
+ }
 }
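Review bot: The strip on the new `let strippedEntitlements = xmlEntitlements.replacingOccurrences(of: entitlementKeyValuePair, with: "")` line removes only the key's name, not the entitlement: the extracted plist keeps `<key></key>` followed by its `<true/>` value, so the file passed to `--entitlements` carries an empty-string key set to true rather than no get-task-allow entry, and whether codesign accepts or rejects that depends on its plist validation. Parsing the file with PropertyListSerialization, calling `removeValue(forKey:)` and serializing it back removes the entry cleanly and also makes the intent explicit (the name `entitlementKeyValuePair` holds only a key). The temporary entitlements file is never removed; a `defer { try? fm.removeItem(atPath: tmpEntitlementXmlPath) }` right after it is created would avoid leaving a copy of each extension's entitlements in the temp directory. I cannot see `saveCodesignEntitlements` or the file's error type from this hunk, so a non-dictionary plist is defaulted to empty below rather than thrown; surfacing it through the existing error path would be better. `codesignClientAppBundle` starts before the hunk; its closing brace is the hunk's last line.
```swift
try saveCodesignEntitlements(target: appExtensionPath, path: tmpEntitlementXmlPath)
// Parse the plist and drop the entry itself, so no empty <key></key><true/> pair is left behind
let tmpEntitlementUrl = URL(fileURLWithPath: tmpEntitlementXmlPath)
var entitlements =
    try PropertyListSerialization.propertyList(from: Data(contentsOf: tmpEntitlementUrl), format: nil) as? [String: Any] ?? [:]
entitlements.removeValue(forKey: "com.apple.security.get-task-allow")
let strippedEntitlements =
    try PropertyListSerialization.data(fromPropertyList: entitlements, format: .xml, options: 0)
try strippedEntitlements.write(to: tmpEntitlementUrl, options: .atomic)
// … unchanged: codesign call with --entitlements tmpEntitlementXmlPath …
```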