Fix macOS 10.15.4 codesigning crash.

The recent macOS security patch renders our codesigning "fix" of setting the sandbox entitlement to false twice unusable. This patch adds a full provisioning profile and adjusts the signing procedure to not include entitlements for Qt frameworks. The patch also changes the app and bundle ID, so granted accessibility privileges have to be granted again after installing the update. Fixes #4398 Fixes #4515
2025-02-22 23:49:58 -05:00 · 2020-03-25 00:24:27 +01:00 · 2020-03-25 00:24:27 +01:00 · e9754efbbe
commit e9754efbbe
parent f8c962bd25
6 changed files with 27 additions and 41 deletions
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@ -334,12 +334,13 @@ if(MINGW)
    set(PLUGIN_INSTALL_DIR ".")
    set(DATA_INSTALL_DIR "share")
 elseif(APPLE AND WITH_APP_BUNDLE)
-    set(CMAKE_INSTALL_MANDIR "${PROGNAME}.app/Contents/Resources/man")
-    set(CLI_INSTALL_DIR "${PROGNAME}.app/Contents/MacOS")
-    set(PROXY_INSTALL_DIR "${PROGNAME}.app/Contents/MacOS")
-    set(BIN_INSTALL_DIR "${PROGNAME}.app/Contents/MacOS")
-    set(PLUGIN_INSTALL_DIR "${PROGNAME}.app/Contents/PlugIns")
-    set(DATA_INSTALL_DIR "${PROGNAME}.app/Contents/Resources")
+    set(BUNDLE_INSTALL_DIR "${PROGNAME}.app/Contents")
+    set(CMAKE_INSTALL_MANDIR "${BUNDLE_INSTALL_DIR}/Resources/man")
+    set(CLI_INSTALL_DIR "${BUNDLE_INSTALL_DIR}/MacOS")
+    set(PROXY_INSTALL_DIR "${BUNDLE_INSTALL_DIR}/MacOS")
+    set(BIN_INSTALL_DIR "${BUNDLE_INSTALL_DIR}/MacOS")
+    set(PLUGIN_INSTALL_DIR "${BUNDLE_INSTALL_DIR}/PlugIns")
+    set(DATA_INSTALL_DIR "${BUNDLE_INSTALL_DIR}/Resources")
 else()
    include(GNUInstallDirs)

--- a/11
+++ b/11
@ -1200,9 +1200,14 @@ appsign() {
                    exitError "Unpacking failed!"
                fi

-                logInfo "Signing app..."
-                xcrun codesign --sign "${key}" --verbose --deep --entitlements \
-                    "${real_src_dir}/share/macosx/keepassxc.entitlements" ./app/KeePassXC.app
+                logInfo "Signing app bundle..."
+                xcrun codesign --sign "${key}" --verbose --deep --options runtime ./app/KeePassXC.app
+
+                # Sign main binary and libraries independently so we can keep using the convenient --deep
+                # option while avoiding adding entitlements recursively
+                logInfo "Signing main binary..."
+                xcrun codesign --sign "${key}" --verbose --force --options runtime --entitlements \
+                    "${real_src_dir}/share/macosx/keepassxc.entitlements" ./app/KeePassXC.app/Contents/MacOS/KeePassXC

                if [ 0 -ne $? ]; then
                    cd "${orig_dir}"
--- a/share/macosx/Info.plist.cmake
+++ b/share/macosx/Info.plist.cmake
@ -15,7 +15,7 @@
  <key>CFBundleIconFile</key>
  <string>keepassxc.icns</string>
  <key>CFBundleIdentifier</key>
-  <string>org.keepassx.keepassxc</string>
+  <string>org.keepassxc.keepassxc</string>
  <key>CFBundleInfoDictionaryVersion</key>
  <string>6.0</string>
  <key>CFBundleName</key>
@ -25,11 +25,11 @@
  <key>CFBundleShortVersionString</key>
  <string>${KEEPASSXC_VERSION}</string>
  <key>CFBundleSignature</key>
-  <string>KEPX</string>
+  <string>KPXC</string>
  <key>CFBundleVersion</key>
  <string>${KEEPASSXC_VERSION_NUM}</string>
  <key>NSHumanReadableCopyright</key>
-    <string>Copyright 2016-2018 KeePassXC Development Team</string>
+    <string>Copyright 2016-2020 KeePassXC Development Team</string>
    <key>CFBundleDocumentTypes</key>
    <array>
      <dict>
--- a/share/macosx/embedded.provisionprofile
+++ b/share/macosx/embedded.provisionprofile
--- a/share/macosx/keepassxc.entitlements
+++ b/share/macosx/keepassxc.entitlements
@ -3,31 +3,10 @@
 <plist version="1.0">
 <dict>
 	<key>com.apple.application-identifier</key>
-			<string>org.keepassx.keepassxc</string>
-		<key>com.apple.developer.aps-environment</key>
-			<string>production</string>
-
+	<string>G2S7P7J672.org.keepassxc.keepassxc</string>
 	<key>keychain-access-groups</key>
 	<array>
-				<string>org.keepassx.keepassxc</string>
+		<string>G2S7P7J672.org.keepassxc.keepassxc</string>
 	</array>
-
-		<!-- Sandbox entitlements stub for future reference.
-		     For whatever reason, we have to set this twice.
-		     Otherwise a signed application crashes on startup -->
-		<key>com.apple.security.app-sandbox</key>
-			<false/>
-		<key>com.apple.security.app-sandbox</key>
-			<false/>
-		<!--key>com.apple.security.network.client</key>
-			<true/>
-		<key>com.apple.security.files.user-selected.read-write</key>
-			<true/>
-		<key>com.apple.security.device.usb</key>
-			<true/>
-		<key>com.apple.security.print</key>
-			<true/>
-		<key>com.apple.security.files.user-selected.read-only</key>
-			<false/-->
 </dict>
 </plist>
--- a/src/CMakeLists.txt
+++ b/src/CMakeLists.txt
@ -354,6 +354,7 @@ target_link_libraries(${PROGNAME} keepassx_core)
 set_target_properties(${PROGNAME} PROPERTIES ENABLE_EXPORTS ON)

 if(APPLE AND WITH_APP_BUNDLE)
+    install(FILES ${CMAKE_SOURCE_DIR}/share/macosx/embedded.provisionprofile DESTINATION ${BUNDLE_INSTALL_DIR})
    configure_file(${CMAKE_SOURCE_DIR}/share/macosx/Info.plist.cmake ${CMAKE_CURRENT_BINARY_DIR}/Info.plist)
    set_target_properties(${PROGNAME} PROPERTIES
            MACOSX_BUNDLE ON