From 06b32b5e8955c95203882ff7ae7f08ae84764a26 Mon Sep 17 00:00:00 2001
From: Quang Lam
Date: Fri, 18 Aug 2023 15:47:30 -0400
Subject: [PATCH] fix: only apply `preAutoEntitlements` to top-level app bundle (#292)
---
 src/sign.ts | 46 +++++++++++++++++++++++++---------------------
 1 file changed, 25 insertions(+), 21 deletions(-)
diff --git a/src/sign.ts b/src/sign.ts
index 9464715..b00c819 100644
--- a/src/sign.ts
+++ b/src/sign.ts
@@ -208,27 +208,31 @@ async function signApplication (opts: ValidatedSignOptions, identity: Identity)
 defaultOptionsForFile(filePath, opts.platform)
 );

- if (opts.preAutoEntitlements === false) {
- debugWarn('Pre-sign operation disabled for entitlements automation.');
- } else {
- debugLog(
- 'Pre-sign operation enabled for entitlements automation with versions >= `1.1.1`:',
- '\n',
- '* Disable by setting `pre-auto-entitlements` to `false`.'
- );
- if (!opts.version || compareVersion(opts.version, '1.1.1') >= 0) {
- // Enable Mac App Store sandboxing without using temporary-exception, introduced in Electron v1.1.1. Relates to electron#5601
- const newEntitlements = await preAutoEntitlements(opts, perFileOptions, {
- identity,
- provisioningProfile: opts.provisioningProfile
- ? await getProvisioningProfile(opts.provisioningProfile, opts.keychain)
- : undefined
- });
-
- // preAutoEntitlements may provide us new entitlements, if so we update our options
- // and ensure that entitlements-loginhelper has a correct default value
- if (newEntitlements) {
- perFileOptions.entitlements = newEntitlements;
+ // preAutoEntitlements should only be applied to the top level app bundle.
+ // Applying it other files will cause the app to crash and be rejected by Apple.
+ if (!filePath.includes('.app/')) {
+ if (opts.preAutoEntitlements === false) {
+ debugWarn('Pre-sign operation disabled for entitlements automation.');
+ } else {
+ debugLog(
+ 'Pre-sign operation enabled for entitlements automation with versions >= `1.1.1`:',
+ '\n',
+ '* Disable by setting `pre-auto-entitlements` to `false`.'
+ );
+ if (!opts.version || compareVersion(opts.version, '1.1.1') >= 0) {
+ // Enable Mac App Store sandboxing without using temporary-exception, introduced in Electron v1.1.1. Relates to electron#5601
+ const newEntitlements = await preAutoEntitlements(opts, perFileOptions, {
+ identity,
+ provisioningProfile: opts.provisioningProfile
+ ? await getProvisioningProfile(opts.provisioningProfile, opts.keychain)
+ : undefined
+ });
+
+ // preAutoEntitlements may provide us new entitlements, if so we update our options
+ // and ensure that entitlements-loginhelper has a correct default value
+ if (newEntitlements) {
+ perFileOptions.entitlements = newEntitlements;
+ }
 }
 }
 }
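Review bot: The `!filePath.includes('.app/')` guard picks out the top-level bundle by substring, so the result depends on where the app sits on disk: if `filePath` is absolute and a parent directory name ends in `.app`, or the bundle path arrives with a trailing slash, the top-level bundle is treated as nested and entitlements automation is skipped without any log line. Because this step is what fills in the Mac App Store sandboxing entitlements, a silent skip changes the signed app's sandbox configuration and is worth ruling out. An exact comparison would be sturdier, e.g. `if (path.resolve(filePath) === path.resolve(opts.app)) {`, assuming `opts.app` holds the bundle being signed and `path` is already imported in this file (neither is visible in the hunk); a `debugLog` in the skipped branch would also make the decision auditable. The new comment reads "Applying it other files" where "Applying it to other files" is presumably meant. `signApplication` starts and ends outside this hunk, so how `filePath` is produced cannot be confirmed from here.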