From f6eb3f9b79816a6467228dad7a254d308cfcec5e Mon Sep 17 00:00:00 2001
From: Claudio Cambra
Date: Wed, 20 Nov 2024 16:10:27 +0800
Subject: [PATCH 1/3] Also escape codesign call with saving entitlements
Signed-off-by: Claudio Cambra
---
 admin/osx/mac-crafter/Sources/Utils/Codesign.swift | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/admin/osx/mac-crafter/Sources/Utils/Codesign.swift b/admin/osx/mac-crafter/Sources/Utils/Codesign.swift
index 4df74d68f308a..62ec0e2d81f69 100644
--- a/admin/osx/mac-crafter/Sources/Utils/Codesign.swift
+++ b/admin/osx/mac-crafter/Sources/Utils/Codesign.swift
@@ -57,7 +57,7 @@ func recursivelyCodesign(path: String, identity: String) throws {
 }
 func saveCodesignEntitlements(target: String, path: String) throws {
- let command = "codesign -d --entitlements \(path) --xml \(target)"
+ let command = "codesign -d --entitlements \"\(path)\" --xml \"\(target)\""
 guard shell(command) == 0 else {
 throw CodeSigningError.failedToCodeSign("Failed to save entitlements for \(target).")
 }
From 7c171b8e2042546ce48c5db11677801224448bea Mon Sep 17 00:00:00 2001
From: Claudio Cambra
Date: Wed, 20 Nov 2024 16:33:36 +0800
Subject: [PATCH 2/3] Also add options to recursive codesign function
Signed-off-by: Claudio Cambra
---
 admin/osx/mac-crafter/Sources/Utils/Codesign.swift | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)
diff --git a/admin/osx/mac-crafter/Sources/Utils/Codesign.swift b/admin/osx/mac-crafter/Sources/Utils/Codesign.swift
index 62ec0e2d81f69..47614874c2b64 100644
--- a/admin/osx/mac-crafter/Sources/Utils/Codesign.swift
+++ b/admin/osx/mac-crafter/Sources/Utils/Codesign.swift
@@ -14,6 +14,8 @@ import Foundation
+fileprivate let defaultCodesignOptions = "--timestamp --force --preserve-metadata=entitlements --verbose=4 --options runtime --deep"
+
 enum CodeSigningError: Error {
 case failedToCodeSign(String)
 }
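Review bot: Wrapping `\(path)` and `\(target)` in double quotes in `saveCodesignEntitlements` (PATCH 1/3) copes with spaces but is not escaping: inside double quotes a shell still expands `$`, backticks and `\`, and an embedded `"` ends the argument, so a path containing any of these yields a different command than intended. The `shell` helper is not on this page, so this assumes it hands the string to a shell. `codesign` in PATCH 2/3 builds its command the same way for `identity` and `path`. Running `/usr/bin/codesign` through `Process` with an argument array (`["-d", "--entitlements", path, "--xml", target]`) removes the need for quoting; failing that, single-quote each value and replace every embedded `'` with `'\''`.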
@@ -30,11 +32,7 @@ func isAppExtension(_ path: String) -> Bool {
 path.hasSuffix(".appex")
 }
-func codesign(
- identity: String,
- path: String,
- options: String = "--timestamp --force --preserve-metadata=entitlements --verbose=4 --options runtime --deep"
-) throws {
+func codesign(identity: String, path: String, options: String = defaultCodesignOptions) throws {
 print("Code-signing \(path)...")
 let command = "codesign -s \"\(identity)\" \(options) \"\(path)\""
 guard shell(command) == 0 else {
@@ -42,7 +40,11 @@ func codesign(
 }
 }
-func recursivelyCodesign(path: String, identity: String) throws {
+func recursivelyCodesign(
+ path: String,
+ identity: String,
+ options: String = defaultCodesignOptions
+) throws {
 let fm = FileManager.default
 guard let pathEnumerator = fm.enumerator(atPath: path) else {
 throw AppBundleSigningError.couldNotEnumerate(
From f5d91953bf628a26c6a3f556fcafe05cd5b17c75 Mon Sep 17 00:00:00 2001
From: Claudio Cambra
Date: Wed, 20 Nov 2024 16:34:09 +0800
Subject: [PATCH 3/3] Use recursive codesign instead of broken wildcard path for sparkle Autoupdate app
Broken when we starting escaping paths in codesign arguments
Signed-off-by: Claudio Cambra
---
 admin/osx/mac-crafter/Sources/Utils/Codesign.swift | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/admin/osx/mac-crafter/Sources/Utils/Codesign.swift b/admin/osx/mac-crafter/Sources/Utils/Codesign.swift
index 47614874c2b64..902b858670609 100644
--- a/admin/osx/mac-crafter/Sources/Utils/Codesign.swift
+++ b/admin/osx/mac-crafter/Sources/Utils/Codesign.swift
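Review bot: The new `options` parameter of `recursivelyCodesign` (third hunk of PATCH 2/3) appears never to be used, because the diffstat's 8 insertions and 6 deletions are all accounted for by the constant and the two signature changes shown, leaving no line in the function body that forwards it. If that is right, whatever signing call the body makes still runs with `defaultCodesignOptions`, so the PATCH 3/3 call that deliberately drops `--preserve-metadata=entitlements` for Sparkle's Autoupdate.app would be signed with that flag anyway. The body lies outside the hunk and should be checked; the fix is to pass the value through at the inner call, e.g. `try codesign(identity: identity, path: <file path>, options: options)`.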
@@ -94,9 +94,9 @@ func codesignClientAppBundle(
 print("Code-signing Sparkle autoupdater app (without entitlements)...")
 let sparkleFrameworkPath = "\(frameworksPath)/Sparkle.framework"
- try codesign(identity: codeSignIdentity,
- path: "\(sparkleFrameworkPath)/Resources/Autoupdate.app/Contents/MacOS/*",
- options: "--timestamp --force --verbose=4 --options runtime --deep")
+ try recursivelyCodesign(path: "\(sparkleFrameworkPath)/Resources/Autoupdate.app",
+ identity: codeSignIdentity,
+ options: "--timestamp --force --verbose=4 --options runtime --deep")
 print("Re-codesigning Sparkle library...")
 try codesign(identity: codeSignIdentity, path: "\(sparkleFrameworkPath)/Sparkle")
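Review bot: The `options:` literal passed to `recursivelyCodesign` repeats `defaultCodesignOptions` with `--preserve-metadata=entitlements` removed, and only the preceding print message hints at why. A named constant beside the default, or a comment such as `// Autoupdate.app must not inherit the client's entitlements, so no --preserve-metadata here`, would keep the two lists from drifting apart unnoticed. Whether `recursivelyCodesign` signs the same executables the old `Contents/MacOS/*` glob covered depends on its file filter, which is outside this hunk, as is the rest of `codesignClientAppBundle`.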