mac: enable notarization

.github/workflows/releases-macos.yml

@@ -110,9 +110,40 @@ jobs:
         shell: bash
         run: |
           WITH_CPU=${{ matrix.arch }} ./scripts/build-crashpad.sh
+      - name: Install the Apple certificate
+        if: ${{ github.event_name == 'release' }}
+        env:
+          BUILD_CERTIFICATE_BASE64: ${{ secrets.BUILD_CERTIFICATE_BASE64 }}
+          P12_PASSWORD: ${{ secrets.P12_PASSWORD }}
+          KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }}
+        run: |
+          # create variables
+          CERTIFICATE_PATH=$RUNNER_TEMP/build_certificate.p12
+          KEYCHAIN_PATH=$RUNNER_TEMP/app-signing.keychain-db
+
+          # import certificate and provisioning profile from secrets
+          echo -n "$BUILD_CERTIFICATE_BASE64" | base64 --decode -o $CERTIFICATE_PATH
+
+          # create temporary keychain
+          security create-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
+          security set-keychain-settings -lut 21600 $KEYCHAIN_PATH
+          security unlock-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
+
+          # import certificate to keychain
+          security import $CERTIFICATE_PATH -P "$P12_PASSWORD" -A -t cert -f pkcs12 -k $KEYCHAIN_PATH
+          security list-keychain -d user -s $KEYCHAIN_PATH
+
+          echo "CODESIGN_IDENTITY=Developer ID Application" >> $GITHUB_ENV
+          echo "KEYCHAIN_PATH=$KEYCHAIN_PATH" >> $GITHUB_ENV
       - name: Build
         run: |
           ./tools/build --arch ${{ matrix.arch }} -build-benchmark -build-test
+      - name: Clean up keychain and provisioning profile
+        if: ${{ always() }}
+        run: |
+          if [ ! -z $KEYCHAIN_PATH ]; then
+            security delete-keychain $KEYCHAIN_PATH
+          fi
       - name: Run tests
         if: ${{ matrix.arch == 'x64' }}
         run: |

CMakeLists.txt

@@ -318,7 +318,6 @@ set(CMAKE_EXPORT_COMPILE_COMMANDS 1)
 option(CLI "Build with cli." ON)
 option(SERVER "Build with server." ON)
 option(GUI "Build against GUI." OFF)
-option(GUI_SANDBOX "Build against GUI sandbox (MAC Only)." OFF)
 option(BUILD_TESTS "Build with test." OFF)
 option(BUILD_BENCHMARKS "Build with benchmark." OFF)
 option(OPTIMIZED_PROTOC "Force protobuf compiler to be built with optimization" OFF)
@@ -3767,10 +3766,6 @@ if (GUI)
           list(APPEND SRC_FILES
             ${_CRASHPAD_BINARY})
         endif()
-        if (GUI_SANDBOX)
-          list(APPEND SRC_FILES
-            src/mac/yass.entitlements)
-        endif()
         list(APPEND SRC_FILES
           src/mac/yass.icns)
 
@@ -4102,11 +4097,6 @@ if (GUI)
           #XCODE_ATTRIBUTE_CODE_SIGN_INJECT_BASE_ENTITLEMENTS "NO"
           #XCODE_ATTRIBUTE_ASSETCATALOG_COMPILER_APPICON_NAME ${ASSET_CATALOG_ASSETS}
           )
-        if (GUI_SANDBOX)
-          set_target_properties(${APP_NAME} PROPERTIES
-              XCODE_ATTRIBUTE_CODE_SIGN_ENTITLEMENTS ${CMAKE_CURRENT_SOURCE_DIR}/src/mac/yass.entitlements
-          )
-        endif()
     elseif(GUI_FLAVOUR STREQUAL "ios")
         if(NOT ${CMAKE_GENERATOR} MATCHES "^Xcode.*")
           # Compile the storyboard file with the ibtool.

src/mac/yass.entitlements → src/mac/entitlements.plist

@@ -2,9 +2,11 @@
 <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
 <plist version="1.0">
 <dict>
-    <key>com.apple.security.app-sandbox</key>
+    <key>com.apple.security.cs.allow-jit</key>
     <true/>
-    <key>com.apple.security.files.user-selected.read-only</key>
+    <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
+    <true/>
+    <key>com.apple.security.cs.disable-library-validation</key>
     <true/>
     <key>com.apple.security.network.server</key>
     <true/>

tools/build.go

@@ -55,6 +55,7 @@ var clangTidyExecutablePathFlag string
 
 var macosxVersionMinFlag string
 var macosxUniversalBuildFlag bool
+var macosxKeychainPathFlag string
 var macosxCodeSignIdentityFlag string
 
 var iosVersionMinFlag string
@@ -165,6 +166,7 @@ func InitFlag() {
 
 	flag.StringVar(&macosxVersionMinFlag, "macosx-version-min", getEnv("MACOSX_DEPLOYMENT_TARGET", "10.14"), "Set Mac OS X deployment target, such as 10.15")
 	flag.BoolVar(&macosxUniversalBuildFlag, "macosx-universal-build", getEnvBool("ENABLE_OSX_UNIVERSAL_BUILD", false), "Enable Mac OS X Universal Build")
+	flag.StringVar(&macosxKeychainPathFlag, "macosx-keychain-path", getEnv("KEYCHAIN_PATH", ""), "During signing, only search for the signing identity in the keychain file specified")
 	flag.StringVar(&macosxCodeSignIdentityFlag, "macosx-codesign-identity", getEnv("CODESIGN_IDENTITY", "-"), "Set Mac OS X CodeSign Identity")
 
 	flag.StringVar(&iosVersionMinFlag, "ios-version-min", getEnv("MACOSX_DEPLOYMENT_TARGET", "13.0"), "Set iOS deployment target, such as 13.0")
@@ -1540,33 +1542,37 @@ func postStateCodeSign() {
 	if cmakeBuildTypeFlag != "Release" || (systemNameFlag != "darwin" && systemNameFlag != "ios") {
 		return
 	}
-
 	// reference https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues?language=objc
 	// Hardened runtime is available in the Capabilities pane of Xcode 10 or later
-	//
 	// code sign crashpad_handler as well if any
 	hasCrashpad := true
 	crashpadPath := filepath.Join(getAppName(), "Contents", "Resources", "crashpad_handler")
 	if _, err := os.Stat(crashpadPath); errors.Is(err, os.ErrNotExist) {
 		hasCrashpad = false
 	}
-	// FIXME crashpad require more entitlements as below
-	// see https://github.com/electron-userland/electron-builder/issues/3989
-	//    <key>com.apple.security.cs.allow-dyld-environment-variables</key><true/>
-	//    <key>com.apple.security.files.user-selected.read-write</key><true/>
-	//    <key>com.apple.security.network.client</key><true/>
-	//    <key>com.apple.security.network.server</key><true/>
+	codesignCmd := []string{
+		"codesign", "-s", macosxCodeSignIdentityFlag,
+		"--deep", "--force", "--options=runtime", "--timestamp",
+		"--entitlements=" + filepath.Join(projectDir, "src", "mac", "entitlements.plist"),
+	}
+	if (macosxKeychainPathFlag != "") {
+		codesignCmd = append(codesignCmd, "--keychain", macosxKeychainPathFlag)
+	}
+
 	if hasCrashpad {
-		cmdRun([]string{"codesign", "--timestamp=none", "--preserve-metadata=entitlements", "--force", "--deep", "--sign", macosxCodeSignIdentityFlag, crashpadPath}, true)
-		cmdRun([]string{"codesign", "-dv", "--deep", "--strict", "--verbose=4",
-			crashpadPath}, true)
-		cmdRun([]string{"codesign", "-d", "--entitlements", ":-", crashpadPath}, true)
+		codesignCmd := append(codesignCmd, crashpadPath)
+		cmdRun(codesignCmd, true)
 	}
-	cmdRun([]string{"codesign", "--timestamp=none", "--preserve-metadata=entitlements", "--options=runtime", "--force", "--deep",
-		"--sign", macosxCodeSignIdentityFlag, getAppName()}, true)
-	cmdRun([]string{"codesign", "-dv", "--deep", "--strict", "--verbose=4",
-		getAppName()}, true)
+
+	codesignCmd = append(codesignCmd, getAppName())
+	cmdRun(codesignCmd, true)
+	cmdRun([]string{"codesign", "-dv", "--deep", "--strict", "--verbose=4", getAppName()}, true)
 	cmdRun([]string{"codesign", "-d", "--entitlements", ":-", getAppName()}, true)
+
+	if hasCrashpad {
+		cmdRun([]string{"codesign", "-d", "--entitlements", ":-", crashpadPath}, true)
+	}
+	cmdRun([]string{"spctl", "-a", "-vvv", "--type", "install", getAppName()}, false)
 }
 
 // Main returns the file name excluding extension.