fix: updating SignOptions typesafety and leverage optionsForFile for entitlements (#7491)

Author: mmaietta

.changeset/old-melons-taste.md

@@ -0,0 +1,5 @@
+---
+"app-builder-lib": patch
+---
+
+fix: updating SignOptions to leverage `optionsForFile` for entitlements

docs/configuration/mac.md

@@ -84,7 +84,7 @@ The top-level [mac](configuration.md#Configuration-mac) key contains set of opti
 <p><code id="MacConfiguration-gatekeeperAssess">gatekeeperAssess</code> = <code>false</code> Boolean - Whether to let @electron/osx-sign validate the signing or not.</p>
 </li>
 <li>
-<p><code id="MacConfiguration-strictVerify">strictVerify</code> = <code>true</code> Array&lt;String&gt; | String | Boolean - Whether to let @electron/osx-sign verify the contents or not.</p>
+<p><code id="MacConfiguration-strictVerify">strictVerify</code> = <code>true</code> Boolean - Whether to let @electron/osx-sign verify the contents or not.</p>
 </li>
 <li>
 <p><code id="MacConfiguration-signIgnore">signIgnore</code> Array&lt;String&gt; | String | “undefined” - Regex or an array of regex’s that signal skipping signing a file.</p>

packages/app-builder-lib/scheme.json

@@ -2776,22 +2776,9 @@
           ]
         },
         "strictVerify": {
-          "anyOf": [
-            {
-              "items": {
-                "type": "string"
-              },
-              "type": "array"
-            },
-            {
-              "type": [
-                "string",
-                "boolean"
-              ]
-            }
-          ],
           "default": true,
-          "description": "Whether to let @electron/osx-sign verify the contents or not."
+          "description": "Whether to let @electron/osx-sign verify the contents or not.",
+          "type": "boolean"
         },
         "target": {
           "anyOf": [
@@ -3414,22 +3401,9 @@
           ]
         },
         "strictVerify": {
-          "anyOf": [
-            {
-              "items": {
-                "type": "string"
-              },
-              "type": "array"
-            },
-            {
-              "type": [
-                "string",
-                "boolean"
-              ]
-            }
-          ],
           "default": true,
-          "description": "Whether to let @electron/osx-sign verify the contents or not."
+          "description": "Whether to let @electron/osx-sign verify the contents or not.",
+          "type": "boolean"
         },
         "target": {
           "anyOf": [

packages/app-builder-lib/src/macPackager.ts

@@ -1,7 +1,7 @@
 import BluebirdPromise from "bluebird-lst"
 import { deepAssign, Arch, AsyncTaskManager, exec, InvalidConfigurationError, log, use, getArchSuffix } from "builder-util"
 import { signAsync } from "@electron/osx-sign"
-import { SignOptions } from "@electron/osx-sign/dist/cjs/types"
+import { PerFileSignOptions, SignOptions } from "@electron/osx-sign/dist/cjs/types"
 import { mkdir, readdir } from "fs/promises"
 import { Lazy } from "lazy-val"
 import * as path from "path"
@@ -268,8 +268,9 @@ export default class MacPackager extends PlatformPackager<MacConfiguration> {
       )
       log.info("Signing addtional user-defined binaries: " + JSON.stringify(binaries, null, 1))
     }
+    const customSignOptions = (isMas ? masOptions : this.platformSpecificBuildOptions) || this.platformSpecificBuildOptions
 
-    const signOptions: any = {
+    const signOptions: SignOptions = {
       identityValidation: false,
       // https://github.com/electron-userland/electron-builder/issues/1699
       // kext are signed by the chipset manufacturers. You need a special certificate (only available on request) from Apple to be able to sign kext.
@@ -297,27 +298,22 @@ export default class MacPackager extends PlatformPackager<MacConfiguration> {
       identity: identity ? identity.name : undefined,
       type,
       platform: isMas ? "mas" : "darwin",
-      version: this.config.electronVersion,
+      version: this.config.electronVersion || undefined,
       app: appPath,
       keychain: keychainFile || undefined,
       binaries,
-      timestamp: isMas ? masOptions?.timestamp : options.timestamp,
-      requirements: isMas || this.platformSpecificBuildOptions.requirements == null ? undefined : await this.getResource(this.platformSpecificBuildOptions.requirements),
-      // https://github.com/electron-userland/electron-osx-sign/issues/196
-      // will fail on 10.14.5+ because a signed but unnotarized app is also rejected.
-      "gatekeeper-assess": options.gatekeeperAssess === true,
       // https://github.com/electron-userland/electron-builder/issues/1480
       strictVerify: options.strictVerify,
-      hardenedRuntime: isMas ? masOptions && masOptions.hardenedRuntime === true : options.hardenedRuntime !== false,
+      optionsForFile: await this.getOptionsForFile(appPath, isMas, customSignOptions),
+      provisioningProfile: customSignOptions.provisioningProfile || undefined,
     }
 
-    await this.adjustSignOptions(signOptions, masOptions)
     log.info(
       {
         file: log.filePath(appPath),
         identityName: identity.name,
         identityHash: identity.hash,
-        provisioningProfile: signOptions["provisioning-profile"] || "none",
+        provisioningProfile: signOptions.provisioningProfile || "none",
       },
       "signing"
     )
@@ -342,37 +338,58 @@ export default class MacPackager extends PlatformPackager<MacConfiguration> {
     return true
   }
 
-  private async adjustSignOptions(signOptions: any, masOptions: MasConfiguration | null) {
+  private async getOptionsForFile(appPath: string, isMas: boolean, customSignOptions: MacConfiguration) {
     const resourceList = await this.resourceList
-    const customSignOptions = masOptions || this.platformSpecificBuildOptions
-    const entitlementsSuffix = masOptions == null ? "mac" : "mas"
+    const entitlementsSuffix = isMas ? "mas" : "mac"
 
-    let entitlements = customSignOptions.entitlements
-    if (entitlements == null) {
-      const p = `entitlements.${entitlementsSuffix}.plist`
-      if (resourceList.includes(p)) {
-        entitlements = path.join(this.info.buildResourcesDir, p)
-      } else {
-        entitlements = getTemplatePath("entitlements.mac.plist")
+    const getEntitlements = (filePath: string) => {
+      // check if root app, then use main entitlements
+      if (filePath === appPath) {
+        if (customSignOptions.entitlements) {
+          return customSignOptions.entitlements
+        }
+        const p = `entitlements.${entitlementsSuffix}.plist`
+        if (resourceList.includes(p)) {
+          return path.join(this.info.buildResourcesDir, p)
+        } else {
+          return getTemplatePath("entitlements.mac.plist")
+        }
       }
-    }
-    signOptions.entitlements = entitlements
 
-    let entitlementsInherit = customSignOptions.entitlementsInherit
-    if (entitlementsInherit == null) {
+      // It's a login helper...
+      if (filePath.includes("Library/LoginItems")) {
+        return customSignOptions.entitlementsLoginHelper
+      }
+
+      // Only remaining option is that it's inherited entitlements
+      if (customSignOptions.entitlementsInherit) {
+        return customSignOptions.entitlementsInherit
+      }
       const p = `entitlements.${entitlementsSuffix}.inherit.plist`
       if (resourceList.includes(p)) {
-        entitlementsInherit = path.join(this.info.buildResourcesDir, p)
+        return path.join(this.info.buildResourcesDir, p)
       } else {
-        entitlementsInherit = getTemplatePath("entitlements.mac.plist")
+        return getTemplatePath("entitlements.mac.plist")
       }
     }
-    signOptions["entitlements-inherit"] = entitlementsInherit
 
-    if (customSignOptions.provisioningProfile != null) {
-      signOptions["provisioning-profile"] = customSignOptions.provisioningProfile
+    const requirements = isMas || this.platformSpecificBuildOptions.requirements == null ? undefined : await this.getResource(this.platformSpecificBuildOptions.requirements)
+
+    // harden by default for mac builds. Only harden mas builds if explicitly true (backward compatibility)
+    const hardenedRuntime = isMas ? customSignOptions.hardenedRuntime === true : customSignOptions.hardenedRuntime !== false
+
+    const optionsForFile: (filePath: string) => PerFileSignOptions = filePath => {
+      const entitlements = getEntitlements(filePath)
+      const args = {
+        entitlements: entitlements || undefined,
+        hardenedRuntime: hardenedRuntime || undefined,
+        timestamp: customSignOptions.timestamp || undefined,
+        requirements: requirements || undefined,
+      }
+      log.debug({ file: log.filePath(filePath), ...args }, "selecting signing options")
+      return args
     }
-    signOptions["entitlements-loginhelper"] = customSignOptions.entitlementsLoginHelper
+    return optionsForFile
   }
 
   //noinspection JSMethodCanBeStatic
@@ -485,12 +502,12 @@ export default class MacPackager extends PlatformPackager<MacConfiguration> {
     if (!appleIdPassword) {
       throw new InvalidConfigurationError(`APPLE_APP_SPECIFIC_PASSWORD env var needs to be set`)
     }
-    const options = this.generateOptions(appPath, appleId, appleIdPassword)
+    const options = this.generateNotarizeOptions(appPath, appleId, appleIdPassword)
     await notarize(options)
     log.info(null, "notarization successful")
   }
 
-  private generateOptions(appPath: string, appleId: string, appleIdPassword: string): NotarizeOptions {
+  private generateNotarizeOptions(appPath: string, appleId: string, appleIdPassword: string): NotarizeOptions {
     const baseOptions = { appPath, appleId, appleIdPassword }
     const options = this.platformSpecificBuildOptions.notarize
     if (typeof options === "boolean") {

packages/app-builder-lib/src/options/macOptions.ts

@@ -167,7 +167,7 @@ export interface MacConfiguration extends PlatformSpecificBuildOptions {
    * Whether to let @electron/osx-sign verify the contents or not.
    * @default true
    */
-  readonly strictVerify?: Array<string> | string | boolean
+  readonly strictVerify?: boolean
 
   /**
    * Regex or an array of regex's that signal skipping signing a file.

test/fixtures/test-app-one/build/entitlements.mac.inherit.plist

@@ -0,0 +1,8 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+  <dict>
+    <key>com.apple.security.inherit</key>
+    <true/>
+  </dict>
+</plist>

test/fixtures/test-app-one/build/entitlements.mac.login.plist

@@ -0,0 +1,8 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+  <dict>
+    <key>com.apple.security.inherit</key>
+    <true/>
+  </dict>
+</plist>

test/fixtures/test-app-one/build/entitlements.mac.plist

@@ -0,0 +1,14 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+  <dict>
+    <!-- https://github.com/electron/electron-notarize#prerequisites -->
+    <key>com.apple.security.cs.allow-jit</key>
+    <true/>
+    <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
+    <true/>
+    <!-- https://github.com/electron-userland/electron-builder/issues/3940 -->
+    <key>com.apple.security.cs.disable-library-validation</key>
+    <true/>
+  </dict>
+</plist>

test/src/PublishManagerTest.ts

@@ -1,4 +1,4 @@
-import { createTargets, Platform } from "electron-builder"
+import { Arch, createTargets, Platform } from "electron-builder"
 import { outputFile } from "fs-extra"
 import * as path from "path"
 import { GithubOptions, GenericServerOptions, SpacesOptions, KeygenOptions } from "builder-util-runtime"
@@ -39,7 +39,7 @@ function keygenPublisher(): KeygenOptions {
 test.ifNotWindows.ifDevOrLinuxCi(
   "generic, github and spaces",
   app({
-    targets: Platform.MAC.createTarget("zip"),
+    targets: Platform.MAC.createTarget("zip", Arch.x64),
     config: {
       generateUpdatesFilesForAllChannels: true,
       mac: {
@@ -67,7 +67,7 @@ test.ifMac(
   "mac artifactName ",
   app(
     {
-      targets: Platform.MAC.createTarget("zip"),
+      targets: Platform.MAC.createTarget("zip", Arch.x64),
       config: {
         // tslint:disable-next-line:no-invalid-template-strings
         artifactName: "${productName}_${version}_${os}.${ext}",

test/src/mac/dmgTest.ts

@@ -1,4 +1,4 @@
-import { exec } from "builder-util"
+import { Arch, exec } from "builder-util"
 import { copyFile } from "builder-util/out/fs"
 import { attachAndExecute, getDmgTemplatePath } from "dmg-builder/out/dmgUtil"
 import { Platform } from "electron-builder"
@@ -8,7 +8,8 @@ import * as fs from "fs/promises"
 import { assertThat } from "../helpers/fileAssert"
 import { app, assertPack, copyTestAsset } from "../helpers/packTester"
 
-const dmgTarget = Platform.MAC.createTarget("dmg")
+const dmgTarget = Platform.MAC.createTarget("dmg", Arch.x64)
+const defaultTarget = Platform.MAC.createTarget(undefined, Arch.x64)
 
 test.ifMac(
   "dmg",
@@ -79,7 +80,7 @@ test.ifMac("custom background - new way", () => {
   return assertPack(
     "test-app-one",
     {
-      targets: Platform.MAC.createTarget(),
+      targets: defaultTarget,
       config: {
         publish: null,
         mac: {
@@ -116,7 +117,7 @@ test.ifAll.ifMac("retina background as 2 png", () => {
   return assertPack(
     "test-app-one",
     {
-      targets: Platform.MAC.createTarget(),
+      targets: defaultTarget,
       config: {
         publish: null,
       },
@@ -149,7 +150,7 @@ test.ifAll.ifMac("retina background as 2 png", () => {
 
 test.skip.ifMac.ifAll("no Applications link", () => {
   return assertPack("test-app-one", {
-    targets: Platform.MAC.createTarget(),
+    targets: defaultTarget,
     config: {
       publish: null,
       productName: "NoApplicationsLink",
@@ -258,7 +259,7 @@ test.ifAll.ifMac(
 
 test.ifAll.ifMac("disable dmg icon (light), bundleVersion", () => {
   return assertPack("test-app-one", {
-    targets: Platform.MAC.createTarget(),
+    targets: defaultTarget,
     config: {
       publish: null,
       dmg: {

test/src/mac/macArchiveTest.ts

@@ -1,4 +1,4 @@
-import { exec } from "builder-util"
+import { Arch, exec } from "builder-util"
 import { parseXml } from "builder-util-runtime"
 import { Platform } from "electron-builder"
 import { outputFile } from "fs-extra"
@@ -22,7 +22,7 @@ test.ifAll.ifMac(
   "empty installLocation",
   app(
     {
-      targets: Platform.MAC.createTarget("pkg"),
+      targets: Platform.MAC.createTarget("pkg", Arch.x64),
       config: {
         pkg: {
           installLocation: "",
@@ -42,7 +42,7 @@ test.ifAll.ifMac(
   "extraDistFiles",
   app(
     {
-      targets: Platform.MAC.createTarget("zip"),
+      targets: Platform.MAC.createTarget("zip", Arch.x64),
       config: {
         mac: {
           extraDistFiles: "extra.txt",
@@ -62,7 +62,7 @@ test.ifAll.ifMac(
   "pkg extended configuration",
   app(
     {
-      targets: Platform.MAC.createTarget("pkg"),
+      targets: Platform.MAC.createTarget("pkg", Arch.x64),
       config: {
         pkg: {
           isRelocatable: false,
@@ -110,7 +110,7 @@ test.ifAll.ifMac(
   "pkg scripts",
   app(
     {
-      targets: Platform.MAC.createTarget("pkg"),
+      targets: Platform.MAC.createTarget("pkg", Arch.x64),
     },
     {
       signed: false,