From 0794d7fb9040e3ecf599202c27c191215a795f37 Mon Sep 17 00:00:00 2001
From: Micah Lee <micah@micahflee.com>
Date: Sun, 25 Nov 2018 15:52:36 -0800
Subject: [PATCH] Split entitlements files into child and parent, and try using
 them both

---
 install/build_osx.sh                                   |  5 ++++-
 install/macos_sandbox/child.plist                      | 10 ++++++++++
 .../parent.plist}                                      |  4 ++--
 3 files changed, 16 insertions(+), 3 deletions(-)
 create mode 100644 install/macos_sandbox/child.plist
 rename install/{OnionShare.entitlements => macos_sandbox/parent.plist} (100%)

diff --git a/install/build_osx.sh b/install/build_osx.sh
index ad096139..010e3edb 100755
--- a/install/build_osx.sh
+++ b/install/build_osx.sh
@@ -23,9 +23,12 @@ if [ "$1" = "--release" ]; then
   PKG_PATH="$ROOT/dist/OnionShare.pkg"
   IDENTITY_NAME_APPLICATION="Developer ID Application: Micah Lee"
   IDENTITY_NAME_INSTALLER="Developer ID Installer: Micah Lee"
+  ENTITLEMENTS_CHILD_PATH="$ROOT/install/macos_sandbox/child.plist"
+  ENTITLEMENTS_PARENT_PATH="$ROOT/install/macos_sandbox/parent.plist"
 
   echo "Codesigning the app bundle"
-  codesign --deep -s "$IDENTITY_NAME_APPLICATION" "$APP_PATH" --entitlements "$ROOT/install/OnionShare.entitlements"
+  codesign --deep -s "$IDENTITY_NAME_APPLICATION" -f --entitlements "$ENTITLEMENTS_CHILD_PATH" "$APP_PATH"
+  codesign -s "$IDENTITY_NAME_APPLICATION" -f --entitlements "$ENTITLEMENTS_PARENT_PATH" "$APP_PATH"
 
   echo "Creating an installer"
   productbuild --sign "$IDENTITY_NAME_INSTALLER" --component "$APP_PATH" /Applications "$PKG_PATH"
diff --git a/install/macos_sandbox/child.plist b/install/macos_sandbox/child.plist
new file mode 100644
index 00000000..06d88f66
--- /dev/null
+++ b/install/macos_sandbox/child.plist
@@ -0,0 +1,10 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+	<key>com.apple.security.app-sandbox</key>
+	<true/>
+	<key>com.apple.security.inherit</key>
+  <true/>
+</dict>
+</plist>
diff --git a/install/OnionShare.entitlements b/install/macos_sandbox/parent.plist
similarity index 100%
rename from install/OnionShare.entitlements
rename to install/macos_sandbox/parent.plist
index fa6a9141..ceecd30a 100644
--- a/install/OnionShare.entitlements
+++ b/install/macos_sandbox/parent.plist
@@ -4,10 +4,10 @@
 <dict>
 	<key>com.apple.security.app-sandbox</key>
 	<true/>
-	<key>com.apple.security.files.user-selected.read-only</key>
-	<true/>
 	<key>com.apple.security.network.client</key>
 	<true/>
+	<key>com.apple.security.files.user-selected.read-only</key>
+	<true/>
 	<key>com.apple.security.temporary-exception.files.home-relative-path.read-write</key>
 	<array>
     <string>/OnionShare</string>