feat: enable restrict mode (#198)

* enable restrict mode * fix style * code review feedback
2019-07-25 17:05:13 -07:00 · 2019-07-25 17:05:13 -07:00 · 39b6fe448a
--- a/README.md
+++ b/README.md
@ -173,6 +173,10 @@ Default to `true`.
 Flag to enable the Mojave hardened runtime when signing the app.  Disabled by default, requires Xcode >= 10 and
 macOS >= 10.13.6.

+`restrict` - *Boolean*
+
+Restrict dyld loading. See doc about this [code signature flag](https://developer.apple.com/documentation/security/seccodesignatureflags/kseccodesignaturerestrict?language=objc) for more details. Disabled by default.
+
 `identity` - *String*

 Name of certificate to use when signing.
--- a/bin/electron-osx-sign-usage.txt
+++ b/bin/electron-osx-sign-usage.txt
@ -29,6 +29,9 @@ DESCRIPTION
    Flag to enable the Mojave hardened runtime when signing the app.  Disabled by default, requires Xcode >= 10 and macOS
    >= 10.13.6.

+  --restrict
+    Flag to enable restrict mode. Disabled by default.
+
  --help
    Flag to display all commands.

--- a/bin/electron-osx-sign.js
+++ b/bin/electron-osx-sign.js
@ -8,7 +8,8 @@ var args = require('minimist')(process.argv.slice(2), {
    'pre-auto-entitlements',
    'pre-embed-provisioning-profile',
    'gatekeeper-assess',
-    'hardened-runtime'
+    'hardened-runtime',
+    'restrict'
  ],
  'default': {
    'pre-auto-entitlements': true,
--- a/sign.js
+++ b/sign.js
@ -156,15 +156,25 @@ function signApplicationAsync (opts) {
      if (opts.timestamp) {
        args.push('--timestamp=' + opts.timestamp)
      }
+      const optionsArguments = []
+
      if (opts.hardenedRuntime || opts['hardened-runtime']) {
        // 17.7.0 === 10.13.6
        if (compareVersion(osRelease, '17.7.0') >= 0) {
-          args.push('--options', 'runtime')
+          optionsArguments.push('runtime')
        } else {
          debuglog('Not enabling hardened runtime, current macOS version too low, requires 10.13.6 and higher')
        }
      }

+      if (opts['restrict']) {
+        optionsArguments.push('restrict')
+      }
+
+      if (optionsArguments.length) {
+        args.push('--options', optionsArguments.join(','))
+      }
+
      var promise
      if (opts.entitlements) {
        // Sign with entitlements