Fix macOS 10.15.4 codesigning crash.

The recent macOS security patch renders our codesigning "fix" of setting the sandbox entitlement to false twice unusable. This patch adds a full provisioning profile and adjusts the signing procedure to not include entitlements for Qt frameworks. The patch also changes the app and bundle ID, so granted accessibility privileges have to be granted again after installing the update. Fixes #4398 Fixes #4515
2025-02-23 07:59:54 -05:00 · 2020-03-25 00:24:27 +01:00 · 2020-03-25 00:24:27 +01:00 · e9754efbbe
commit e9754efbbe
parent f8c962bd25
6 changed files with 27 additions and 41 deletions
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@ -334,12 +334,13 @@ if(MINGW)
    set(PLUGIN_INSTALL_DIR ".")
    set(DATA_INSTALL_DIR "share")
 elseif(APPLE AND WITH_APP_BUNDLE)
-    set(CMAKE_INSTALL_MANDIR "${PROGNAME}.app/Contents/Resources/man")
+    set(BUNDLE_INSTALL_DIR "${PROGNAME}.app/Contents")
-    set(CLI_INSTALL_DIR "${PROGNAME}.app/Contents/MacOS")
+    set(CMAKE_INSTALL_MANDIR "${BUNDLE_INSTALL_DIR}/Resources/man")
-    set(PROXY_INSTALL_DIR "${PROGNAME}.app/Contents/MacOS")
+    set(CLI_INSTALL_DIR "${BUNDLE_INSTALL_DIR}/MacOS")
-    set(BIN_INSTALL_DIR "${PROGNAME}.app/Contents/MacOS")
+    set(PROXY_INSTALL_DIR "${BUNDLE_INSTALL_DIR}/MacOS")
-    set(PLUGIN_INSTALL_DIR "${PROGNAME}.app/Contents/PlugIns")
+    set(BIN_INSTALL_DIR "${BUNDLE_INSTALL_DIR}/MacOS")
-    set(DATA_INSTALL_DIR "${PROGNAME}.app/Contents/Resources")
+    set(PLUGIN_INSTALL_DIR "${BUNDLE_INSTALL_DIR}/PlugIns")
    set(DATA_INSTALL_DIR "${BUNDLE_INSTALL_DIR}/Resources")
 else()
    include(GNUInstallDirs)
--- a/11
+++ b/11
@ -1200,9 +1200,14 @@ appsign() {
                    exitError "Unpacking failed!"
                fi
-                logInfo "Signing app..."
+                logInfo "Signing app bundle..."
-                xcrun codesign --sign "${key}" --verbose --deep --entitlements \
+                xcrun codesign --sign "${key}" --verbose --deep --options runtime ./app/KeePassXC.app
-                    "${real_src_dir}/share/macosx/keepassxc.entitlements" ./app/KeePassXC.app
+
                # Sign main binary and libraries independently so we can keep using the convenient --deep
                # option while avoiding adding entitlements recursively
                logInfo "Signing main binary..."
                xcrun codesign --sign "${key}" --verbose --force --options runtime --entitlements \
                    "${real_src_dir}/share/macosx/keepassxc.entitlements" ./app/KeePassXC.app/Contents/MacOS/KeePassXC
                if [ 0 -ne $? ]; then
                    cd "${orig_dir}"
--- a/share/macosx/Info.plist.cmake
+++ b/share/macosx/Info.plist.cmake
@ -15,7 +15,7 @@
  <key>CFBundleIconFile</key>
  <string>keepassxc.icns</string>
  <key>CFBundleIdentifier</key>
-  <string>org.keepassx.keepassxc</string>
+  <string>org.keepassxc.keepassxc</string>
  <key>CFBundleInfoDictionaryVersion</key>
  <string>6.0</string>
  <key>CFBundleName</key>
@ -25,11 +25,11 @@
  <key>CFBundleShortVersionString</key>
  <string>${KEEPASSXC_VERSION}</string>
  <key>CFBundleSignature</key>
-  <string>KEPX</string>
+  <string>KPXC</string>
  <key>CFBundleVersion</key>
  <string>${KEEPASSXC_VERSION_NUM}</string>
  <key>NSHumanReadableCopyright</key>
-    <string>Copyright 2016-2018 KeePassXC Development Team</string>
+    <string>Copyright 2016-2020 KeePassXC Development Team</string>
    <key>CFBundleDocumentTypes</key>
    <array>
      <dict>
--- a/share/macosx/embedded.provisionprofile
+++ b/share/macosx/embedded.provisionprofile
--- a/share/macosx/keepassxc.entitlements
+++ b/share/macosx/keepassxc.entitlements
@ -1,33 +1,12 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
 <plist version="1.0">
-	<dict>
+<dict>
 	<key>com.apple.application-identifier</key>
-			<string>org.keepassx.keepassxc</string>
+	<string>G2S7P7J672.org.keepassxc.keepassxc</string>
 		<key>com.apple.developer.aps-environment</key>
 			<string>production</string>
 	<key>keychain-access-groups</key>
 	<array>
-				<string>org.keepassx.keepassxc</string>
+		<string>G2S7P7J672.org.keepassxc.keepassxc</string>
 	</array>
-
+</dict>
 		<!-- Sandbox entitlements stub for future reference.
 		     For whatever reason, we have to set this twice.
 		     Otherwise a signed application crashes on startup -->
 		<key>com.apple.security.app-sandbox</key>
 			<false/>
 		<key>com.apple.security.app-sandbox</key>
 			<false/>
 		<!--key>com.apple.security.network.client</key>
 			<true/>
 		<key>com.apple.security.files.user-selected.read-write</key>
 			<true/>
 		<key>com.apple.security.device.usb</key>
 			<true/>
 		<key>com.apple.security.print</key>
 			<true/>
 		<key>com.apple.security.files.user-selected.read-only</key>
 			<false/-->
 	</dict>
 </plist>
--- a/src/CMakeLists.txt
+++ b/src/CMakeLists.txt
@ -354,6 +354,7 @@ target_link_libraries(${PROGNAME} keepassx_core)
 set_target_properties(${PROGNAME} PROPERTIES ENABLE_EXPORTS ON)
 if(APPLE AND WITH_APP_BUNDLE)
    install(FILES ${CMAKE_SOURCE_DIR}/share/macosx/embedded.provisionprofile DESTINATION ${BUNDLE_INSTALL_DIR})
    configure_file(${CMAKE_SOURCE_DIR}/share/macosx/Info.plist.cmake ${CMAKE_CURRENT_BINARY_DIR}/Info.plist)
    set_target_properties(${PROGNAME} PROPERTIES
            MACOSX_BUNDLE ON