From e9754efbbe2f6da03b29d42606cb5365e4cd489e Mon Sep 17 00:00:00 2001
From: Janek Bevendorff <janek@jbev.net>
Date: Wed, 25 Mar 2020 00:24:27 +0100
Subject: [PATCH] Fix macOS 10.15.4 codesigning crash.

The recent macOS security patch renders our codesigning
"fix" of setting the sandbox entitlement to false twice
unusable. This patch adds a full provisioning profile
and adjusts the signing procedure to not include
entitlements for Qt frameworks.

The patch also changes the app and bundle ID, so granted
accessibility privileges have to be granted again after
installing the update.

Fixes #4398
Fixes #4515
---
 CMakeLists.txt                         |  13 +++++----
 release-tool                           |  11 ++++++--
 share/macosx/Info.plist.cmake          |   6 ++--
 share/macosx/embedded.provisionprofile | Bin 0 -> 7610 bytes
 share/macosx/keepassxc.entitlements    |  37 ++++++-------------------
 src/CMakeLists.txt                     |   1 +
 6 files changed, 27 insertions(+), 41 deletions(-)
 create mode 100644 share/macosx/embedded.provisionprofile

diff --git a/CMakeLists.txt b/CMakeLists.txt
index ac4c8a9ac..8375dff7b 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -334,12 +334,13 @@ if(MINGW)
     set(PLUGIN_INSTALL_DIR ".")
     set(DATA_INSTALL_DIR "share")
 elseif(APPLE AND WITH_APP_BUNDLE)
-    set(CMAKE_INSTALL_MANDIR "${PROGNAME}.app/Contents/Resources/man")
-    set(CLI_INSTALL_DIR "${PROGNAME}.app/Contents/MacOS")
-    set(PROXY_INSTALL_DIR "${PROGNAME}.app/Contents/MacOS")
-    set(BIN_INSTALL_DIR "${PROGNAME}.app/Contents/MacOS")
-    set(PLUGIN_INSTALL_DIR "${PROGNAME}.app/Contents/PlugIns")
-    set(DATA_INSTALL_DIR "${PROGNAME}.app/Contents/Resources")
+    set(BUNDLE_INSTALL_DIR "${PROGNAME}.app/Contents")
+    set(CMAKE_INSTALL_MANDIR "${BUNDLE_INSTALL_DIR}/Resources/man")
+    set(CLI_INSTALL_DIR "${BUNDLE_INSTALL_DIR}/MacOS")
+    set(PROXY_INSTALL_DIR "${BUNDLE_INSTALL_DIR}/MacOS")
+    set(BIN_INSTALL_DIR "${BUNDLE_INSTALL_DIR}/MacOS")
+    set(PLUGIN_INSTALL_DIR "${BUNDLE_INSTALL_DIR}/PlugIns")
+    set(DATA_INSTALL_DIR "${BUNDLE_INSTALL_DIR}/Resources")
 else()
     include(GNUInstallDirs)
 
diff --git a/release-tool b/release-tool
index 6d217ca9d..26fc7fae8 100755
--- a/release-tool
+++ b/release-tool
@@ -1200,9 +1200,14 @@ appsign() {
                     exitError "Unpacking failed!"
                 fi
 
-                logInfo "Signing app..."
-                xcrun codesign --sign "${key}" --verbose --deep --entitlements \
-                    "${real_src_dir}/share/macosx/keepassxc.entitlements" ./app/KeePassXC.app
+                logInfo "Signing app bundle..."
+                xcrun codesign --sign "${key}" --verbose --deep --options runtime ./app/KeePassXC.app
+
+                # Sign main binary and libraries independently so we can keep using the convenient --deep
+                # option while avoiding adding entitlements recursively
+                logInfo "Signing main binary..."
+                xcrun codesign --sign "${key}" --verbose --force --options runtime --entitlements \
+                    "${real_src_dir}/share/macosx/keepassxc.entitlements" ./app/KeePassXC.app/Contents/MacOS/KeePassXC
 
                 if [ 0 -ne $? ]; then
                     cd "${orig_dir}"
diff --git a/share/macosx/Info.plist.cmake b/share/macosx/Info.plist.cmake
index b38ca2844..53e489742 100644
--- a/share/macosx/Info.plist.cmake
+++ b/share/macosx/Info.plist.cmake
@@ -15,7 +15,7 @@
   <key>CFBundleIconFile</key>
   <string>keepassxc.icns</string>
   <key>CFBundleIdentifier</key>
-  <string>org.keepassx.keepassxc</string>
+  <string>org.keepassxc.keepassxc</string>
   <key>CFBundleInfoDictionaryVersion</key>
   <string>6.0</string>
   <key>CFBundleName</key>
@@ -25,11 +25,11 @@
   <key>CFBundleShortVersionString</key>
   <string>${KEEPASSXC_VERSION}</string>
   <key>CFBundleSignature</key>
-  <string>KEPX</string>
+  <string>KPXC</string>
   <key>CFBundleVersion</key>
   <string>${KEEPASSXC_VERSION_NUM}</string>
   <key>NSHumanReadableCopyright</key>
-    <string>Copyright 2016-2018 KeePassXC Development Team</string>
+    <string>Copyright 2016-2020 KeePassXC Development Team</string>
     <key>CFBundleDocumentTypes</key>
     <array>
       <dict>
diff --git a/share/macosx/embedded.provisionprofile b/share/macosx/embedded.provisionprofile
new file mode 100644
index 0000000000000000000000000000000000000000..6fb14fd57e8c95ebb3a88fb7e69fe06409223f6e
GIT binary patch
literal 7610
zcmdT}d3;k<_HVjSx<C<Vp+F^+MWwWP*_sqe<-M#g`@Vtb%S-yQCr#44B%shT7J({@
zz{qN$6kI`+osPgz72yZUIxG$f18#sKSOFE7o9-yi%wO}FUq7FIUhci;opbKF_k8d7
zybIM9Z0nUVwoY7ks}ChTxuLdT15{hkm`tJ2v!IM#X+?cgl82-vLABZMb&F9NYO~j+
z)@C=9KN<CUs1bWG<n;R{7Sc<gLaN<|`)y7iF|kmu6Bcs|pRC9%AHi4hbY_)+8t^zn
zVX8`x$WR`&u$V@J0|AenM&s-FRFw?X>Zm{mjV4eOQVSj7a9})*Mv`O+mXIpJ{oaIN
zh^7kq1NLAzCIiZf!3!m}u&of7Y1jUMJD}I*#KRSt8Rc$!tOA%r`3lTyFQ+A%pf?l_
z0%t3vcDo7-g-kqZ;z9a@HmV%+VT3(cPU{fqR^f5tSQyM0wb^}PXQk5~R0Zvo&S;lX
zEEvRkY8NrI92G}W%3<`>M(Yww_`(a?+m!OLaJP3h(5PTQ45%1l6+=uNojIP)9?vSX
zl+)UVI($-juyCb6=>44oUGr0FO@C|}4Vl22+1n><>rzsQc|vwtXXyC$h~1NjI}d~&
zOd5p19_o_qoJvMH@C&Puqo~mC;_(oXlz>STfe92v4OYZ#D)pFDT#~OgOQe1a>WJV9
zSS^qtYM8X^1YtQZB!cOB0Zfu^jmW^T7^4wfWQd^xj{p@YJh)F2uy{Q#vq=-MGFXJ#
zWPmVHSqw92*mA9zl)z@bL9LeY5juj4k&s1;@GT|@gc&UXGeZcTW!0!aNVkcAWv>SU
zHg$4D&}NfIkW#e?A*~`kp*6ByGM7Lmhuv*sh(pdZ804hbfh*)XJSuky;&L4km%GrY
zG0_K}pbzTmbMX*wT!6_DLc}AyT8ZDQ<2s{mFjqOxjmPwHn_2<+8HzX>RrBE@gisg|
zST0vU8jsCu2w9nk2X`V84G(FX2WC__Y$8v@>hcp>udv!;3=wK?B0g-ll_~LBoUmUL
zm*^C9n5lJ{nR2H)Du~0HcD<qB*%awuQ~Q`-E)WD9R<9w53M2{J)fNy>i`N|G#bHUi
zj9CYJ3_7r;2<n0r2;r`BxSgUh5<<XygfOh+!D=p?80QgE@LK>^VHS2Ipw&X9a%UAc
zXfVW#`qIj<f~?|@0gk}PLEJ@Zjf3fx+w20;O$Ozt-&h*K>~2pHlhnImBipOgFq~C<
zW6+JMz47WOn+OXzs+eD1E%rw+k3fZn4LogFSf%C^Nw`XOkwGOgF=GrH<gJ#)HAb*g
zoQU01Dk3T!I)_k7vzUb(p-B+&LXM~lwOG`UFoIWGU3d|y4igTY(8l19YPzdR993KG
zvNFsscd=<&O#n9Y=mK@fD09$wVFJ}jLqT=Ks^=&wz12#UoF->^oS0J24=OZOo`3^Z
z<FKzRgc0UYKw5>W5Whs|Hewh<AK=;)UK-|*F!8vhRF3+JL{_JREebikG=>4;n5wE`
zWo15*TkiHtkuoVaWJV1DgK#yQR0OKkC?8hCh@XWbEFF&r+aOX!m{BQdMi8}L4B{@3
zyI@kzV~Kc)JW}h0NE}8SPKn<p){sgkH(~`l4(G8Q?YY5rSs74AAKh&+SppV59F-$b
zV$a+7gxZK8S}|4@@$utau}CDr%a{hPBq)JNqmq#8V6eRv2C+ttz?ED9?1DiDx9we&
zRGZ}p1`CC_iG#^hOmWQY*YF9NtW+%1#$&9gO`q5=d;;XF1|ksf8%fMbEg*?X;J>y?
zq(!YvGea$ebv%U2hy4ga1Q9|YMASGB)|hcjtbuU8KO$q=n6}u1b27K(vB6~q?~-JX
z7!fE*Sj}?6s?Y*#37A2i1B{4Roe01YPaG9JfH59aBw?c>VYOY0kY<1*;OW4b3cA&3
z0J1`tnPDJpVBE~m6IO<q0J!2o#TviG$RgT(09a*|BycF6kh6${F$)iY049a;7y|N6
zO_&*Fpx@JmO`tDgaUyh_p%4Ae7cuZt<Z&f@Xn)TT1DN3L!UiWo;$EQ(^d;t$um@R;
zbdS}iiOXEDvTd!@+_tp>Si?hDFez-0zXw)}X$SyaUeEnR%1HrfmbT-x&1Hej2wyEg
zXr!8#!0U%#IG-Q{2rQJsMzh9(BQkr01sPC-*5pyEVG|UHS7Pp{G$3+AsKex?bEHI2
z%O>Nn*A-+NrFaO5$xAUuQ4vEdhIqD8EsYLYxDuU#24aN!Sgv@f2j*zZ+E`SC8xf+~
z=M{L!YK|NdGm4m1MQVXcpr{sC!hEl|)QtHY(ID5w*GXMsXN2Wsi1}s@12Hi~2$K~S
z(&!3(DakPzkWjQ*?6yUta*0+LVM*LL*UF9td}NHNbh=@QAXe%t5^Ff3>Npz;GJRD-
zuSO@qSyCa!)(iDMD+)ORsLEjra6J(>ZgZHUzCb1EEEAXcxn4!sz$dvjrJIOXdUR@M
zl?08jB}G;m#<TmP0l&zkv{?iaOci9f2(b!dFr=8kZ&7*tN`x-vLn1e+^_hy?`iX5v
zK9)F+JBdSPM%!Np2@n7-686}=fRl8e%N^tg$h8T#ks!dMIv7=gS9NfiVrLhb={(fC
z$U`@MDe(u161UwR03<1jcmL|aEgmohhz;(*oW5cV$L*m|F%k4v2fDn=DDR>T84oiy
zwx`;zStsWFu*uju2}()Wj(PvH`E(mdgtaGA6hs5g;2#n)CKs@=VkY!QgzR5Z%x<IY
zq!iHEh%>>UL$JpKXqFR%s&fs>!@=rq4yFSW>n5FDGF?&ZWV781*3(w!wrRJT(Dg7k
zC793drXnDiKAS&SS=m!Vf~V@7Uc1gOb4I#Zs?!&?1EyS2%H}}jw9Zz?w$$rUewU{m
zRJxMR#OO90FXrGJb}@^~<rZU1MrpB?!zyF5uu6I<{Q;(&uxn_qGP+cCnxXfw*tvw|
zw6;>9qM^3$Sg1C&5UNedY)DC_Bq#T#oNsO^^EUK@`gGMZlr&J_SljBI6n$#10m*tT
zeE{@GFVM&wkl9wDP*ERVLLUQ-N_1uoC}{8OX2M|csBm@I;SV~)F?t>}Fd>&RpijG;
z#_tbPc`)?opgwdaAoCmsoyBEwEQ9(mdN!e&r4M%^yQdT5ps{UEWRGlDZuAE|HWFkn
zwTq!sHFi)CBsLVC4<T)?WKZ}Hq^W-}A*hy8*fU;~w4{_;N)D(BDVfQ&6iU)Tu5SGy
z!y5-im5INp|L*G3J7$bo*v!(#k4(pBVx(<qQ~JnlW%pFYxdv09__-F}KFRYHwCm^p
zG-QqO<4w~B-*^3-+aJyCo&VMw=f*OwEyW$0+==ybukLXVUh+lCTa;)2oJJh!`}`7)
z>srRPjl^NK?bQ#b9BnrG2=>fK>AKl9KJNU}MY)P;qfcA*C}!<@@z~2Jhg5BSX5}iT
zLVu^fDZ6e*UY~uJNx_RM@vfrcON*bs@O8_o4;@YKH2z9F7uc0-mXgTAvYoAmFUY>%
zJ3(B({_=>Y?z&vNH{`LOIrin-H-%4p{Pq5M-^BL1Fe3Ne>vu0ZnypX!K3Vqn?}y^|
z7TMoSPN5`G8f(@=HH}aKh<8EX)V$PzFFZCV<MnNWpP6^{%C4V8<_|Qw#_do}Vt4?B
zaz8Z<N&ydOc%oxu>R>2u=D?y)oub8&jC()2Uo4rl{+38SqxV#(Bq1<7^)YBPG_qkt
z!|=L-j>;GhdU{mGL9oe6Ko`_EA)k}5kP5bZ9n`N^W?Oxa+j=EaQj@`6e{k!ArKBV&
zKl$GL{<zk6J+%4X4VcaNI*t9BZ{D*XJF|D58PrUUJ3(B$yWBh8JmvFQl)t>YaV!?x
zyy@_M0W`mHR-YpUqAfqXJhw5tV%`2%g0m-7Y!YNG((PpIUNBhe&Q$c<cBVk(88I_+
zj>1^)o?Je0{oV7o`iv~dl8l-C<gSH_Wb5+#=X;H<antN+j=7iW>Lph$q66P(`nx{q
z^^Low(8dc5o134Q`DF%q`F++}%E1|*UCjJ)!j9cncUhO*OvB;Y!#NWQWJ}had-Kl6
zOTJNFl7BU3S<N@iceXrnj1sTBP*VTXh`Ar!j$WwQxaatSRj<E&bJJb!kfj7POx-l)
zYSrA@EuNh0+~EKvb_0}XY)1)7@^51F-+~9I6k;*h03IM_DS!ti8=ys5NAthp!@tY)
zOABAm7{2h_qaxLnv};pie=5FGy4EPuU!9jf=lmV1r#1b}LMZv`!4<bv8OLY9uf1~T
z=)uaBquh^t+PM4D(6Rf6FIgSWUMHG2`9vOvd8j2veq^BY=*RiN)~EWOobmLE8>3Tp
z>F3Lz>hpt*Ju+9CYc6<i@vWa$uKq-|YoAF)%<sL0dh5_z<EZ|?wkIi2{dV3bIjbh#
zEJ7b2a^T*PtvmaknL6y$p^00^zx`uQ-=sxZn@8l8gin_DIcLp#v$1NCNUPtsi3Y!S
z`<H(N4u9Dw6FfIu=2k6*=d^^aS^Z|gvzc>iHbbVXmQ+T)<GuL>=k1~U#8i7TdOGqd
zbD(_<x%lJa_Drv(!~yn2ev@jwexKakVDQk?{<pbbOGz9<1=Q49N^f8>75pc4oLjgp
zjRMu&0H;CkqF&$#OHZccJ(@s<(C<E)VTsRYI7WkN_IC*<Lp9rm)Vv2y3Mb~n?No4p
zg&oci74QDKL$$`Jm@h^RVBlLD6)?VPuRTOfFu6du{hdnijy>`3qb6(sDrxoDsUa|G
z!@w7`us!GnFZgU!-0!nF+fF2^zmi%VvX6VfP{0q~O&9}`UG@`aY9NT=VZetHI>YVM
zw&XXd*#=)zN|(usqua05ulVdHx#C9T7zru&4S#;t^Fx<S6mf36zGBi#<4$Z|(Es%N
zKZaI(cg&V^D5hkcUR!Y|df$B@{pz!2v*u~3$GI(=_bgXty6+eLYTl5RF@4Y^!y}J|
zk8htha)PMwq<_@KD@V5nKF<+cc<kU0-srWjwhkKf+Go!dvJZ|vc_!zS`^4H&BOkf7
z=B@dmnrA*7Iyr;3=-u0V@%3l8t8-f?jv=UXnXX%XYCk!DrIB_=>zZuai!;ev<I~3(
zuAI#o(f91GP`+~OnbH~iX6w&vShkaa{Brta)#~TgXtodi%ge~9{$oGNDcB}oITb%3
zojFML#@v%<Fa7#yMmp!6>go|tZ5j+9?1>JNQ$1z!&+*2S@AM2+76AVLS%Q&ZMx_v)
z!G$0?i^cpMGtz*syyHM7q^4w#mSZ?osim5zUA!55z)dtNonZ56orDjxy9nF^+$r%%
z8z^a`cp#PjHL3X`x7;}QVy13n-p;b%md_`T;tYRs_A6g!Wqr8m=I5rBNpH{k+5g(C
zs+m<ww}fQZWz^H_d(D5P|G}3woZT@d<J%qmbkq^86CYb=-O(6Z2)#J{m%5h^-;*y~
zGwYc86XQ$Y?v&HYRb$3o{&UOX;z<`)RbIRmI{dBr=ox2Ozq?1sZ?}&9Xm*T&Hy!<2
ztI5A~WWlA=&im|?B-=YF*Zsy}U%bkjxouj8ZQR-q>fWDBKV5L=X>`l}bB)I+_va43
zuyjhrQvM}qVElux&QmXY9SfSK?``DX`1Y%UQ{^0nF!K!l{ag7rG}J|-c3mDn^{-Pe
zuIF3c=qso|&+$JWv|A~Q`v0EvC1*`1)SUp4`V@My6FDf9R3=1+Xq|0{Qa7@LkofUX
zpa&yKG(nX_lC~gJ)`J(lw0uBrPE8I`7Q0PZb#3hcWQQ~WWhZd1jTa?DNe_^shtjB8
z%CJsg902^w0smPK0OQ@?f?f9iPq1Tm#u>o-6A!%-=|)UD)>(o)crvBW1SeDbB@b>(
z&H60|1jx_^qSG3eEGbCyFL37_TO=8uGp`Arlrs9K=D!|%Pia_RuVB8w&pJg}3}?>U
zbmFCRZ`RJg`O)8Kr9YvAcdhxpwJ`WRWsg{S<@kzMZs$-AH1;2`I{SnE^%I+#UzoXg
z{%GktriB^lHCxH7arZB#{JP1p`obfOqFNpO?2xfPk98c+YEo>f*>~uLQRydlEiyUy
zt{e3^WK+uQi%ai0Z!P=3&A<G}`(+Oj(l_mNKf2}eaqR`>BLf%CUyv3nCO6#BV&93H
zR~}a0KEwP%?O5{|vuN7%;`NSasz-gk_$is9#nJm8PLp!yjmEO2%}351*m&&hi~R-|
zPyI0c%QNYDdvE1W!apErYx9rOYm?uAYLnN4%dZ5H|6c{m<lbHI-hDyWQ1clyxT~Vg
zNTGLT1Gv?rK*PF6(&#y$?1Uh|FzHM>8(bwpBfCda>7Z_r4WEA^V-Mrk$Hh%Qi(iFx
zf%<V7&=cK4Ec!5LNRP|GH9hJHP#Qv-ZqXdN0OCQJy?VFbFs7t~joJA-IXO9LCODzG
z+muOAdi#}Q`h)$C_dLje2|$OET568(Stm36x@!62U+T`JzFPI;!9LQD^3jPuRF*8y
zzloyLW-R*C&GS_){VG}xw6?Zft(z2U-Pg2{BWO(?e2l=g<fKJ)dS>-@dcRZaUT=7M
zwfXYJ=f0W4T>nkphx@X27k{+)1!2X^hQH;aIpuqF*Izrfp<?B*Lz+r>SY33*>PYKd
ze46^ho6^5dIJ&p`t0jlOq9r{R`Nys`E&H>t4IQc()n|lsillYr#RbgIepoVHT0Ezr
z-%}S(j97j)bN~IcXXmIKi^lAIynN@W_jg=BaxdwAEWg=xq3YtAgHrT}a?at$y_c6O
j5wdrkzJ^@(J*VjOw|tH)z4rw5)6>$`>F4_P;;#HBoXtvq

literal 0
HcmV?d00001

diff --git a/share/macosx/keepassxc.entitlements b/share/macosx/keepassxc.entitlements
index 2645a2031..7126b7ac5 100644
--- a/share/macosx/keepassxc.entitlements
+++ b/share/macosx/keepassxc.entitlements
@@ -1,33 +1,12 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
 <plist version="1.0">
-	<dict>
-		<key>com.apple.application-identifier</key>
-			<string>org.keepassx.keepassxc</string>
-		<key>com.apple.developer.aps-environment</key>
-			<string>production</string>
-
-		<key>keychain-access-groups</key>
-			<array>
-				<string>org.keepassx.keepassxc</string>
-			</array>
-
-		<!-- Sandbox entitlements stub for future reference.
-		     For whatever reason, we have to set this twice.
-		     Otherwise a signed application crashes on startup -->
-		<key>com.apple.security.app-sandbox</key>
-			<false/>
-		<key>com.apple.security.app-sandbox</key>
-			<false/>
-		<!--key>com.apple.security.network.client</key>
-			<true/>
-		<key>com.apple.security.files.user-selected.read-write</key>
-			<true/>
-		<key>com.apple.security.device.usb</key>
-			<true/>
-		<key>com.apple.security.print</key>
-			<true/>
-		<key>com.apple.security.files.user-selected.read-only</key>
-			<false/-->
-	</dict>
+<dict>
+	<key>com.apple.application-identifier</key>
+	<string>G2S7P7J672.org.keepassxc.keepassxc</string>
+	<key>keychain-access-groups</key>
+	<array>
+		<string>G2S7P7J672.org.keepassxc.keepassxc</string>
+	</array>
+</dict>
 </plist>
diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt
index af9b9bb58..1982a3c4c 100644
--- a/src/CMakeLists.txt
+++ b/src/CMakeLists.txt
@@ -354,6 +354,7 @@ target_link_libraries(${PROGNAME} keepassx_core)
 set_target_properties(${PROGNAME} PROPERTIES ENABLE_EXPORTS ON)
 
 if(APPLE AND WITH_APP_BUNDLE)
+    install(FILES ${CMAKE_SOURCE_DIR}/share/macosx/embedded.provisionprofile DESTINATION ${BUNDLE_INSTALL_DIR})
     configure_file(${CMAKE_SOURCE_DIR}/share/macosx/Info.plist.cmake ${CMAKE_CURRENT_BINARY_DIR}/Info.plist)
     set_target_properties(${PROGNAME} PROPERTIES
             MACOSX_BUNDLE ON