Add option to specify login helper entitlement

2019-10-14 21:23:20 -07:00 · 2019-10-14 21:23:20 -07:00 · 10f714fb93
--- a/README.md
+++ b/README.md
@ -162,6 +162,12 @@ See [default.entitlements.mas.plist](https://github.com/electron-userland/electr
 Path to child entitlements which inherit the security settings for signing frameworks and bundles of a distribution. *This option only applies when signing with entitlements.*
 See [default.entitlements.mas.inherit.plist](https://github.com/electron-userland/electron-osx-sign/blob/master/default.entitlements.mas.inherit.plist) or [default.entitlements.darwin.inherit.plist](https://github.com/electron-userland/electron-osx-sign/blob/master/default.entitlements.darwin.inherit.plist) with respect to your platform.

+`entitlements-loginhelper` - *String*
+
+Path to login helper entitlement file. When using app sandboxing the inherited entitlement should not be used since this is a standalone executable. When not set, uses `entitlements-inherit` option.
+*This option only applies when signing with entitlements.*
+See [default.entitlements.mas.inherit.plist](https://github.com/electron-userland/electron-osx-sign/blob/master/default.entitlements.mas.inherit.plist) or [default.entitlements.darwin.inherit.plist](https://github.com/electron-userland/electron-osx-sign/blob/master/default.entitlements.darwin.inherit.plist) with respect to your platform.
+
 `gatekeeper-assess` - *Boolean*

 Flag to enable/disable Gatekeeper assessment after signing the app. Disabling it is useful for signing with self-signed certificates.
--- a/bin/electron-osx-sign-usage.txt
+++ b/bin/electron-osx-sign-usage.txt
@ -21,6 +21,10 @@ DESCRIPTION
    Path to child entitlements which inherit the security settings for signing frameworks and bundles of a distribution.
    This option only applies when signing with entitlements.

+  --entitlements-loginhelper=file
+    Path to login helper entitlement file. When using app sandboxing the inherited entitlement should not be used since this is a standalone executable. When not set, uses `entitlements-inherit` option.
+    This option only applies when signing with entitlements.
+
  --gatekeeper-assess, --no-gatekeeper-assess
    Flag to enable/disable Gatekeeper assessment after signing the app. Disabling it is useful for signing with self-signed certificates.
    Gatekeeper assessment is enabled by default on ``darwin'' platform.
--- a/index.d.ts
+++ b/index.d.ts
@ -10,6 +10,7 @@ declare module "electron-osx-sign" {
    binaries?: string[];
    entitlements?: string;
    'entitlements-inherit'?: string;
+    'entitlements-loginhelper'?: string;
    'gatekeeper-assess'?: boolean;
    hardenedRuntime?: boolean;
    'identity-validation'?: boolean;
--- a/sign.js
+++ b/sign.js
@ -206,7 +206,13 @@ function signApplicationAsync (opts) {
            return
          }
          debuglog('Signing... ' + filePath)
-          return execFileAsync('codesign', args.concat('--entitlements', opts['entitlements-inherit'], filePath))
+
+          let entitlementsFile = opts['entitlements-inherit'];
+          if (filePath.includes('Library/LoginItems')) {
+            entitlementsFile = opts['entitlements-loginhelper'];
+          }
+
+          return execFileAsync('codesign', args.concat('--entitlements', entitlementsFile, filePath))
        })
          .then(function () {
            debuglog('Signing... ' + opts.app)
@ -330,6 +336,12 @@ var signAsync = module.exports.signAsync = function (opts) {
            '* Sandbox entitlements file for enclosing app files is default to:', filePath)
          opts['entitlements-inherit'] = filePath
        }
+        if (!opts['entitlements-loginhelper']) {
+          filePath = path.join(__dirname, 'default.entitlements.mas.inherit.plist')
+          debugwarn('No `entitlements-loginhelper` passed in arguments:', '\n',
+            '* Sandbox entitlements file for login helper is default to:', filePath)
+          opts['entitlements-loginhelper'] = filePath
+        }
      } else {
        // Not necessary to have entitlements for non Mac App Store distribution
        if (!opts.entitlements) {
@ -350,6 +362,12 @@ var signAsync = module.exports.signAsync = function (opts) {
              '* Sandbox entitlements file for enclosing app files is default to:', filePath)
            opts['entitlements-inherit'] = filePath
          }
+          if (!opts['entitlements-loginhelper']) {
+            filePath = path.join(__dirname, 'default.entitlements.darwin.inherit.plist')
+            debugwarn('No `entitlements-loginhelper` passed in arguments:', '\n',
+              '* Sandbox entitlements file for enclosing app files is default to:', filePath)
+            opts['entitlements-loginhelper'] = filePath
+          }
        }
      }
    })
@ -387,6 +405,7 @@ var signAsync = module.exports.signAsync = function (opts) {
        '> Platform:', opts.platform, '\n',
        '> Entitlements:', opts.entitlements, '\n',
        '> Child entitlements:', opts['entitlements-inherit'], '\n',
+        '> Login helper entitlement:', opts['entitlements-loginhelper'], '\n',
        '> Additional binaries:', opts.binaries, '\n',
        '> Identity:', opts.identity)
      return signApplicationAsync(opts)