feat: Added support for overriding ‘preAutoEntitlements’ for electron/osx-sign

[taozhou-glean]

We recently upgraded from v22 to v24, and start getting Not available for testing in testflight, after comparing the entitlements, it looks like the issue is due to auto entitlements from osx-sign, after disabling it locally the issue is resolved.

Also this should address #7579

default should be true as osx-sign is checking for false with ===: https://github.com/electron/osx-sign/blob/cd9e8f1146610fb0f1bb0d88a5219b208594e5b1/src/sign.ts#L211

[changeset-bot]

🦋 Changeset detected

Latest commit: 2263e6e

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 8 packages

Name	Type
app-builder-lib	Minor
dmg-builder	Minor
electron-builder-squirrel-windows	Minor
electron-builder	Minor
electron-forge-maker-appimage	Minor
electron-forge-maker-nsis-web	Minor
electron-forge-maker-nsis	Minor
electron-forge-maker-snap	Minor

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

[netlify]

✅ Deploy Preview for car-park-attendant-cleat-11576 ready!

Name	Link
🔨 Latest commit	2263e6e
🔍 Latest deploy log	https://app.netlify.com/sites/car-park-attendant-cleat-11576/deploys/64a3dc0d620cab00080ee5f3
😎 Deploy Preview	https://deploy-preview-7642--car-park-attendant-cleat-11576.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify site configuration.

[mmaietta]

@taozhou-glean I'm checking this again as I'm not sure about the purpose of preAutoEntitlements being true. Should it always be false for mas builds? Wondering if false should be the default value.

[taozhou-glean]

@taozhou-glean I'm checking this again as I'm not sure about the purpose of preAutoEntitlements being true. Should it always be false for mas builds? Wondering if false should be the default value.

Honestly I did not dig too deep on what auto entitlement does for mas, but it default to true from osx-sign (which is existing behavior as well), and I do know one attribute it added and required for mas is the ElectronTeamId: https://www.electronjs.org/docs/latest/tutorial/mac-app-store-submission-guide#extra-steps-without-electron-osx-sign, so if disable preAutoEntitlements, then ElectronTeamId should be provided through extendInfo.

[pushkin-]

I'm trying to follow along, but am confused. Is the current thought that preAutoEntitlements should be disabled for apps we want to upload to to the app store, but we don't exactly know why? From experimentation, keeping it enabled causes TestFlight to fail the verification step, but if I disable it, it goes through. But I don't know if I should keep it disabled since it seems to work, or figure out how to make it work with auto entitlements being enabled.

[taozhou-glean]

From experimentation, keeping it enabled causes TestFlight to fail the verification step, but if I disable it, it goes through.

this is exactly what happened to me before and what triggered me to send out this change. My assumption and also after comparing the final entitlements between two builds are, the autoentitlement adds the team id to every file but essentially it should just add it to the app file only. So to me it seems something with the osx-sign package, but did not have time to dig deeper, and also we want to have more granular control over entitlement, so disabling auto entitlement just fits us better. But feel free to dig deeper and propose some fix to the osx-sign ;)