Add option to specify login helper entitlement

electron · May 4, 2020 · 10f714f · 10f714f
1 parent caef6a5
commit 10f714f
Show file tree

Hide file tree

Showing 4 changed files with 31 additions and 1 deletion.
diff --git a/README.md b/README.md
@@ -162,6 +162,12 @@ See [default.entitlements.mas.plist](https://github.com/electron-userland/electr
 Path to child entitlements which inherit the security settings for signing frameworks and bundles of a distribution. *This option only applies when signing with entitlements.*
 See [default.entitlements.mas.inherit.plist](https://github.com/electron-userland/electron-osx-sign/blob/master/default.entitlements.mas.inherit.plist) or [default.entitlements.darwin.inherit.plist](https://github.com/electron-userland/electron-osx-sign/blob/master/default.entitlements.darwin.inherit.plist) with respect to your platform.
 
+`entitlements-loginhelper` - *String*
+
+Path to login helper entitlement file. When using app sandboxing the inherited entitlement should not be used since this is a standalone executable. When not set, uses `entitlements-inherit` option.
+*This option only applies when signing with entitlements.*
+See [default.entitlements.mas.inherit.plist](https://github.com/electron-userland/electron-osx-sign/blob/master/default.entitlements.mas.inherit.plist) or [default.entitlements.darwin.inherit.plist](https://github.com/electron-userland/electron-osx-sign/blob/master/default.entitlements.darwin.inherit.plist) with respect to your platform.
+
 `gatekeeper-assess` - *Boolean*
 
 Flag to enable/disable Gatekeeper assessment after signing the app. Disabling it is useful for signing with self-signed certificates.

diff --git a/bin/electron-osx-sign-usage.txt b/bin/electron-osx-sign-usage.txt
@@ -21,6 +21,10 @@ DESCRIPTION
     Path to child entitlements which inherit the security settings for signing frameworks and bundles of a distribution.
     This option only applies when signing with entitlements.
 
+  --entitlements-loginhelper=file
+    Path to login helper entitlement file. When using app sandboxing the inherited entitlement should not be used since this is a standalone executable. When not set, uses `entitlements-inherit` option.
+    This option only applies when signing with entitlements.
+
   --gatekeeper-assess, --no-gatekeeper-assess
     Flag to enable/disable Gatekeeper assessment after signing the app. Disabling it is useful for signing with self-signed certificates.
     Gatekeeper assessment is enabled by default on ``darwin'' platform.

diff --git a/index.d.ts b/index.d.ts
@@ -10,6 +10,7 @@ declare module "electron-osx-sign" {
     binaries?: string[];
     entitlements?: string;
     'entitlements-inherit'?: string;
+    'entitlements-loginhelper'?: string;
     'gatekeeper-assess'?: boolean;
     hardenedRuntime?: boolean;
     'identity-validation'?: boolean;

diff --git a/sign.js b/sign.js
@@ -206,7 +206,13 @@ function signApplicationAsync (opts) {
             return
           }
           debuglog('Signing... ' + filePath)
-          return execFileAsync('codesign', args.concat('--entitlements', opts['entitlements-inherit'], filePath))
+
+          let entitlementsFile = opts['entitlements-inherit'];
+          if (filePath.includes('Library/LoginItems')) {
+            entitlementsFile = opts['entitlements-loginhelper'];
+          }
+
+          return execFileAsync('codesign', args.concat('--entitlements', entitlementsFile, filePath))
         })
           .then(function () {
             debuglog('Signing... ' + opts.app)
@@ -330,6 +336,12 @@ var signAsync = module.exports.signAsync = function (opts) {
             '* Sandbox entitlements file for enclosing app files is default to:', filePath)
           opts['entitlements-inherit'] = filePath
         }
+        if (!opts['entitlements-loginhelper']) {
+          filePath = path.join(__dirname, 'default.entitlements.mas.inherit.plist')
+          debugwarn('No `entitlements-loginhelper` passed in arguments:', '\n',
+            '* Sandbox entitlements file for login helper is default to:', filePath)
+          opts['entitlements-loginhelper'] = filePath
+        }
       } else {
         // Not necessary to have entitlements for non Mac App Store distribution
         if (!opts.entitlements) {
@@ -350,6 +362,12 @@ var signAsync = module.exports.signAsync = function (opts) {
               '* Sandbox entitlements file for enclosing app files is default to:', filePath)
             opts['entitlements-inherit'] = filePath
           }
+          if (!opts['entitlements-loginhelper']) {
+            filePath = path.join(__dirname, 'default.entitlements.darwin.inherit.plist')
+            debugwarn('No `entitlements-loginhelper` passed in arguments:', '\n',
+              '* Sandbox entitlements file for enclosing app files is default to:', filePath)
+            opts['entitlements-loginhelper'] = filePath
+          }
         }
       }
     })
@@ -387,6 +405,7 @@ var signAsync = module.exports.signAsync = function (opts) {
         '> Platform:', opts.platform, '\n',
         '> Entitlements:', opts.entitlements, '\n',
         '> Child entitlements:', opts['entitlements-inherit'], '\n',
+        '> Login helper entitlement:', opts['entitlements-loginhelper'], '\n',
         '> Additional binaries:', opts.binaries, '\n',
         '> Identity:', opts.identity)
       return signApplicationAsync(opts)