authorChristian Lohmaier <lohmaier+LibreOffice@googlemail.com>2023-11-02 10:30:34 +0100
committerAndras Timar <andras.timar@collabora.com>2023-12-04 14:52:36 +0100
commit6254b06c3c17f109bfa837c82d09807e093d3c10 (patch)
tree56ee82bf739cbf09650e4f5f7ee5174c463280c9
parent27513676ab639961f03123116d4cab4204096ee4 (diff)
tdf#158038 fix opening pdf files in appstore ver (sandbox issue w/ helper tool)
https://developer.apple.com/documentation/xcode/embedding-a-helper-tool-in-a-sandboxed-app "Adding other entitlements to the tool can cause problems. If the tool immediately crashes with a code signing error when your app runs the tool, check that the tool is signed with just these two entitlements: com.apple.security.app-sandbox and com.apple.security.inherit." This is indeed what happened.. Change-Id: Id03948c03b7d453aae4ca58719f582576e30a16f Reviewed-on: https://gerrit.libreoffice.org/c/core/+/158790 Tested-by: Christian Lohmaier <lohmaier+LibreOffice@googlemail.com> Reviewed-by: Christian Lohmaier <lohmaier+LibreOffice@googlemail.com> (cherry picked from commit 2c3fe12e0ffc59be7c28d9b9908db881adb0f1ea) Reviewed-on: https://gerrit.libreoffice.org/c/core/+/158709 Tested-by: Jenkins Reviewed-by: Michael Stahl <michael.stahl@allotropia.de>
-rwxr-xr-xsolenv/bin/macosx-codesign-app-bundle6
-rw-r--r--sysui/desktop/macosx/sandbox_inherit.entitlements10
2 files changed, 15 insertions, 1 deletions
diff --git a/solenv/bin/macosx-codesign-app-bundle b/solenv/bin/macosx-codesign-app-bundle
index b1b17dbf7393..6f13f4c0c2c3 100755
--- a/solenv/bin/macosx-codesign-app-bundle
+++ b/solenv/bin/macosx-codesign-app-bundle
@@ -25,10 +25,13 @@ done
APP_BUNDLE="$1"
entitlements=
+entitlements_helper=
application_identifier=
if test -n "$ENABLE_MACOSX_SANDBOX"; then
# In a sandboxed build executables need the entitlements
entitlements="--entitlements $BUILDDIR/lo.xcent"
+ # helper utilities must be signed with only the sandbox and inherit entitlements
+ entitlements_helper="--entitlements $SRCDIR/sysui/desktop/macosx/sandbox_inherit.entitlements"
application_identifier=`/usr/libexec/PlistBuddy -c "print com.apple.application-identifier" $BUILDDIR/lo.xcent`
# remove the key from the entitlement - only use it when signing the whole bundle in the final step
/usr/libexec/PlistBuddy -c "delete com.apple.application-identifier" $BUILDDIR/lo.xcent
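Review bot: The comment added above `entitlements_helper` states the rule but not its consequence or source, so a later edit could add a key to the helper entitlements without realising that it breaks the sandboxed build. I would expand it to `# helper tools run from the sandboxed app must carry exactly com.apple.security.app-sandbox and com.apple.security.inherit; any extra entitlement makes them fail at launch with a code signing error (tdf#158038)`. Keeping this explanation in the script rather than in the entitlements file seems preferable, since that file is handed to codesign as is. The `if` block continues outside the hunk.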
@@ -40,6 +43,7 @@ if test -n "$ENABLE_MACOSX_SANDBOX"; then
else
# We then want to sign data files, too, hmm.
entitlements="--entitlements $BUILDDIR/hardened_runtime.xcent"
+ entitlements_helper=$entitlements
other_files="\
-or -name '*.fodt' -or -name 'schema.strings' -or -name 'schema.xml' \
-or -name '*.jar' -or -name 'LICENSE' -or -name 'LICENSE.html' \
@@ -114,7 +118,7 @@ while read file; do
;;
*)
id=`echo ${file#${APP_BUNDLE}/Contents/} | sed -e 's,/,.,g'`
- codesign --force --timestamp --options=runtime --identifier=$MACOSX_BUNDLE_IDENTIFIER.$id --sign "$MACOSX_CODESIGNING_IDENTITY" $entitlements "$file" || exit 1
+ codesign --force --timestamp --options=runtime --identifier=$MACOSX_BUNDLE_IDENTIFIER.$id --sign "$MACOSX_CODESIGNING_IDENTITY" $entitlements_helper "$file" || exit 1
;;
esac
done
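Review bot: The `*)` arm is a catch-all, so in sandboxed builds every file that falls through the earlier arms (not visible in this hunk) is now signed with only the sandbox and inherit entitlements, whether or not it is really a helper started by the main app. `com.apple.security.inherit` is meant for child processes of a sandboxed app, so an executable that reaches this arm but is launched on its own would presumably not run correctly; confirm that only helpers land here. A cheap guard is to display what was actually embedded after signing, for example `codesign -d --entitlements - "$file"`, and compare it against the expected two keys during release verification. The `case` statement and the loop start outside the hunk.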
diff --git a/sysui/desktop/macosx/sandbox_inherit.entitlements b/sysui/desktop/macosx/sandbox_inherit.entitlements
new file mode 100644
index 000000000000..794eada1cad3
--- /dev/null
+++ b/sysui/desktop/macosx/sandbox_inherit.entitlements
@@ -0,0 +1,10 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+ <key>com.apple.security.app-sandbox</key>
+ <true/>
+ <key>com.apple.security.inherit</key>
+ <true/>
+</dict>
+</plist>