From 284c112686b3aa569c4017156d5b254066e5660c Mon Sep 17 00:00:00 2001 From: Keeyou Date: Tue, 16 Jan 2024 14:23:35 +0800 Subject: [PATCH 1/2] mac: enable notarization --- CMakeLists.txt | 10 ----- .../{yass.entitlements => entitlements.plist} | 6 ++- tools/build.go | 38 +++++++++++-------- 3 files changed, 26 insertions(+), 28 deletions(-) rename src/mac/{yass.entitlements => entitlements.plist} (63%) diff --git a/CMakeLists.txt b/CMakeLists.txt index 492ec6243..52d50c2e6 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -318,7 +318,6 @@ set(CMAKE_EXPORT_COMPILE_COMMANDS 1) option(CLI "Build with cli." ON) option(SERVER "Build with server." ON) option(GUI "Build against GUI." OFF) -option(GUI_SANDBOX "Build against GUI sandbox (MAC Only)." OFF) option(BUILD_TESTS "Build with test." OFF) option(BUILD_BENCHMARKS "Build with benchmark." OFF) option(OPTIMIZED_PROTOC "Force protobuf compiler to be built with optimization" OFF) @@ -3767,10 +3766,6 @@ if (GUI) list(APPEND SRC_FILES ${_CRASHPAD_BINARY}) endif() - if (GUI_SANDBOX) - list(APPEND SRC_FILES - src/mac/yass.entitlements) - endif() list(APPEND SRC_FILES src/mac/yass.icns) @@ -4102,11 +4097,6 @@ if (GUI) #XCODE_ATTRIBUTE_CODE_SIGN_INJECT_BASE_ENTITLEMENTS "NO" #XCODE_ATTRIBUTE_ASSETCATALOG_COMPILER_APPICON_NAME ${ASSET_CATALOG_ASSETS} ) - if (GUI_SANDBOX) - set_target_properties(${APP_NAME} PROPERTIES - XCODE_ATTRIBUTE_CODE_SIGN_ENTITLEMENTS ${CMAKE_CURRENT_SOURCE_DIR}/src/mac/yass.entitlements - ) - endif() elseif(GUI_FLAVOUR STREQUAL "ios") if(NOT ${CMAKE_GENERATOR} MATCHES "^Xcode.*") # Compile the storyboard file with the ibtool. diff --git a/src/mac/yass.entitlements b/src/mac/entitlements.plist similarity index 63% rename from src/mac/yass.entitlements rename to src/mac/entitlements.plist index 6c1a2dd14..6fd3137f5 100644 --- a/src/mac/yass.entitlements +++ b/src/mac/entitlements.plist 
@@ -2,9 +2,11 @@ - com.apple.security.app-sandbox + com.apple.security.cs.allow-jit - com.apple.security.files.user-selected.read-only + com.apple.security.cs.allow-unsigned-executable-memory + + com.apple.security.cs.disable-library-validation com.apple.security.network.server diff --git a/tools/build.go b/tools/build.go index 70a5dd477..72e56721d 100644 --- a/tools/build.go +++ b/tools/build.go @@ -55,6 +55,7 @@ var clangTidyExecutablePathFlag string var macosxVersionMinFlag string var macosxUniversalBuildFlag bool +var macosxKeychainPathFlag string var macosxCodeSignIdentityFlag string var iosVersionMinFlag string @@ -165,6 +166,7 @@ func InitFlag() { flag.StringVar(&macosxVersionMinFlag, "macosx-version-min", getEnv("MACOSX_DEPLOYMENT_TARGET", "10.14"), "Set Mac OS X deployment target, such as 10.15") flag.BoolVar(&macosxUniversalBuildFlag, "macosx-universal-build", getEnvBool("ENABLE_OSX_UNIVERSAL_BUILD", false), "Enable Mac OS X Universal Build") + flag.StringVar(&macosxKeychainPathFlag, "macosx-keychain-path", getEnv("KEYCHAIN_PATH", ""), "During signing, only search for the signing identity in the keychain file specified") flag.StringVar(&macosxCodeSignIdentityFlag, "macosx-codesign-identity", getEnv("CODESIGN_IDENTITY", "-"), "Set Mac OS X CodeSign Identity") flag.StringVar(&iosVersionMinFlag, "ios-version-min", getEnv("MACOSX_DEPLOYMENT_TARGET", "13.0"), "Set iOS deployment target, such as 13.0") 
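Review bot: The three keys added here — `com.apple.security.cs.allow-jit`, `com.apple.security.cs.allow-unsigned-executable-memory` and `com.apple.security.cs.disable-library-validation` — each carve an exception out of the hardened runtime that the `--options=runtime` signing in tools/build.go turns on, and `disable-library-validation` in particular lets the process load libraries that are not signed by the same team, so the file should record which component needs each exception; an XML comment above each key of the form `<!-- required by COMPONENT for REASON -->` (placeholders) would do, and any key with no taker should be dropped. The same hunk removes `com.apple.security.app-sandbox` and `com.apple.security.files.user-selected.read-only`, i.e. the App Sandbox opt-in that the deleted GUI_SANDBOX option wired up, which is a separate behaviour change worth a sentence in the commit message. The plist element tags are not visible in this rendering, so this reads only the key names.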
@@ -1540,33 +1542,37 @@ func postStateCodeSign() { if cmakeBuildTypeFlag != "Release" || (systemNameFlag != "darwin" && systemNameFlag != "ios") { return } - // reference https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues?language=objc // Hardened runtime is available in the Capabilities pane of Xcode 10 or later - // // code sign crashpad_handler as well if any hasCrashpad := true crashpadPath := filepath.Join(getAppName(), "Contents", "Resources", "crashpad_handler") if _, err := os.Stat(crashpadPath); errors.Is(err, os.ErrNotExist) { hasCrashpad = false } - // FIXME crashpad require more entitlements as below - // see https://github.com/electron-userland/electron-builder/issues/3989 - // com.apple.security.cs.allow-dyld-environment-variables - // com.apple.security.files.user-selected.read-write - // com.apple.security.network.client - // com.apple.security.network.server + codesignCmd := []string{ + "codesign", "-s", macosxCodeSignIdentityFlag, + "--deep", "--force", "--options=runtime", "--timestamp", + "--entitlements=" + filepath.Join(projectDir, "src", "mac", "entitlements.plist"), + } + if (macosxKeychainPathFlag != "") { + codesignCmd = append(codesignCmd, "--keychain", macosxKeychainPathFlag) + } + if hasCrashpad { - cmdRun([]string{"codesign", "--timestamp=none", "--preserve-metadata=entitlements", "--force", "--deep", "--sign", macosxCodeSignIdentityFlag, crashpadPath}, true) - cmdRun([]string{"codesign", "-dv", "--deep", "--strict", "--verbose=4", - crashpadPath}, true) - cmdRun([]string{"codesign", "-d", "--entitlements", ":-", crashpadPath}, true) + codesignCmd := append(codesignCmd, crashpadPath) + cmdRun(codesignCmd, true) } - cmdRun([]string{"codesign", "--timestamp=none", "--preserve-metadata=entitlements", "--options=runtime", "--force", "--deep", - "--sign", macosxCodeSignIdentityFlag, getAppName()}, true) - cmdRun([]string{"codesign", "-dv", "--deep", 
"--strict", "--verbose=4", - getAppName()}, true) + + codesignCmd = append(codesignCmd, getAppName()) + cmdRun(codesignCmd, true) + cmdRun([]string{"codesign", "-dv", "--deep", "--strict", "--verbose=4", getAppName()}, true) cmdRun([]string{"codesign", "-d", "--entitlements", ":-", getAppName()}, true) + + if hasCrashpad { + cmdRun([]string{"codesign", "-d", "--entitlements", ":-", crashpadPath}, true) + } + cmdRun([]string{"spctl", "-a", "-vvv", "--type", "install", getAppName()}, false) } // Main returns the file name excluding extension. From 48e8f196fc6bc922a38128115094dfcbe320d4c6 Mon Sep 17 00:00:00 2001 From: Keeyou Date: Tue, 16 Jan 2024 14:40:20 +0800 Subject: [PATCH 2/2] gh actions: use secrets to sign mac bundle --- .github/workflows/releases-macos.yml | 31 ++++++++++++++++++++++++++++ 1 file changed, 31 insertions(+) diff --git a/.github/workflows/releases-macos.yml b/.github/workflows/releases-macos.yml index 0e37d5b93..f536c43d3 100644 --- a/.github/workflows/releases-macos.yml +++ b/.github/workflows/releases-macos.yml 
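Review bot: `codesignCmd := append(codesignCmd, crashpadPath)` inside `if hasCrashpad` declares a new variable that shadows the outer `codesignCmd`, and when `--keychain` was appended just before, `append` may reuse the spare capacity of the same backing array, so the later `codesignCmd = append(codesignCmd, getAppName())` overwrites the slot the crashpad command used; it is harmless only because the inner slice is consumed first, so make the temporary explicit with `cmdRun(append(codesignCmd, crashpadPath), true)` and drop the shadowing declaration. The app signature uses `--deep` together with a single `--entitlements` file, which re-signs nested code such as crashpad_handler with every hardened-runtime exception the app claims; Apple's signing guidance discourages `--deep` for distribution builds in favour of signing nested code individually, which this function already does for crashpad_handler, so consider dropping `--deep` from the app command or giving the helper a narrower entitlements file. `if (macosxKeychainPathFlag != "") {` carries parentheses gofmt would remove; write `if macosxKeychainPathFlag != "" {`. The crashpad_handler `-dv --strict` verification was removed and only the entitlements dump remains, which appears unintentional. postStateCodeSign's signature lies outside the hunk.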
@@ -110,9 +110,40 @@ jobs:
 shell: bash
 run: |
 WITH_CPU=${{ matrix.arch }} ./scripts/build-crashpad.sh
+ - name: Install the Apple certificate
+ if: ${{ github.event_name == 'release' }}
+ env:
+ BUILD_CERTIFICATE_BASE64: ${{ secrets.BUILD_CERTIFICATE_BASE64 }}
+ P12_PASSWORD: ${{ secrets.P12_PASSWORD }}
+ KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }}
+ run: |
+ # create variables
+ CERTIFICATE_PATH=$RUNNER_TEMP/build_certificate.p12
+ KEYCHAIN_PATH=$RUNNER_TEMP/app-signing.keychain-db
+
+ # import certificate and provisioning profile from secrets
+ echo -n "$BUILD_CERTIFICATE_BASE64" | base64 --decode -o $CERTIFICATE_PATH
+
+ # create temporary keychain
+ security create-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
+ security set-keychain-settings -lut 21600 $KEYCHAIN_PATH
+ security unlock-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
+
+ # import certificate to keychain
+ security import $CERTIFICATE_PATH -P "$P12_PASSWORD" -A -t cert -f pkcs12 -k $KEYCHAIN_PATH
+ security list-keychain -d user -s $KEYCHAIN_PATH
+
+ echo "CODESIGN_IDENTITY=Developer ID Application" >> $GITHUB_ENV
+ echo "KEYCHAIN_PATH=$KEYCHAIN_PATH" >> $GITHUB_ENV
 - name: Build
 run: |
 ./tools/build --arch ${{ matrix.arch }} -build-benchmark -build-test
+ - name: Clean up keychain and provisioning profile
+ if: ${{ always() }}
+ run: |
+ if [ ! -z $KEYCHAIN_PATH ]; then
+ security delete-keychain $KEYCHAIN_PATH
+ fi
 - name: Run tests
 if: ${{ matrix.arch == 'x64' }}
 run: |
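Review bot: The cleanup step's `if [ ! -z $KEYCHAIN_PATH ]; then` leaves the variable unquoted, so on non-release runs, where the install step is skipped and the variable is unset, it only avoids the `delete-keychain` call by the accident of how `[ ! -z ]` parses; write it as `if [ -n "$KEYCHAIN_PATH" ]; then` and quote `"$KEYCHAIN_PATH"` in the `security delete-keychain` call as well. The `security import` line is not followed by `security set-key-partition-list -S apple-tool:,apple: -k "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"`, which recent macOS versions appear to require before codesign can use the imported key non-interactively — worth confirming on the runner image, since the later Build step depends on it. The comments and the cleanup step name mention a provisioning profile that the step never imports; drop that wording, and since the cleanup deletes only the keychain, consider removing `$RUNNER_TEMP/build_certificate.p12` there too so the decoded certificate does not outlive the keychain on the runner.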