From bba30fe5a668ed5aba9bfd5f75b65dbdcd587fcf Mon Sep 17 00:00:00 2001
From: Clifton Hensley <chensley@slack-corp.com>
Date: Tue, 19 Mar 2024 11:12:04 -0500
Subject: [PATCH] Adding support for specifying per-file requirements as a
 string

---
 README.md   | 2 +-
 src/sign.ts | 6 +++++-
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/README.md b/README.md
index 68167e4..ffb8788 100644
--- a/README.md
+++ b/README.md
@@ -72,7 +72,7 @@ object this function returns can include any of the following optional keys.
 |-------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------|
 | `entitlements`    | String specifying the path to an `entitlements.plist` file. Will default to built-in entitlements files. Can also be an array of entitlement keys that osx-sign will write to an entitlements file for you.                               | `'path/to/entitlements'`                                        |
 | `hardenedRuntime` | Boolean flag to enable the Hardened Runtime when signing the app. Enabled by default.                                                                                                                                                     | `false`                                                         |
-| `requirements`    | String specifying a path to a text file with [requirements](https://developer.apple.com/library/mac/documentation/Security/Conceptual/CodeSigningGuide/RequirementLang/RequirementLang.html) that you recommend to be used to evaluate the code signature.       | `'path/to/requirements.rqset'` |
+| `requirements`    | Either a string beginning with `=` which specifies in plain text the [signing requirements](https://developer.apple.com/library/mac/documentation/Security/Conceptual/CodeSigningGuide/RequirementLang/RequirementLang.html) that you recommend to be used to evaluate the code signature, or a string specifying a path to a text or properly encoded `.rqset` file which contains those requirements.       | `=designated => identifier com.github.Electron`<br> or <br> `'path/to/requirements.rqset'` |
 | `signatureFlags`  | List of [code signature flags](https://developer.apple.com/documentation/security/seccodesignatureflags?language=objc). Accepts an array of strings or a comma-separated string.                                                          | `['kSecCodeSignatureRestrict']`                                 |
 | `timestamp`       | String specifying the URL of the timestamp authority server. Defaults to the server provided by Apple. Please note that this default server may not support signatures not furnished by Apple. Disable the timestamp service with `none`. | `'https://different.timeserver'`                                |
 
diff --git a/src/sign.ts b/src/sign.ts
index b00c819..06a3b84 100644
--- a/src/sign.ts
+++ b/src/sign.ts
@@ -242,7 +242,11 @@ async function signApplication (opts: ValidatedSignOptions, identity: Identity)
     const perFileArgs = [...args];
 
     if (perFileOptions.requirements) {
-      perFileArgs.push('--requirements', perFileOptions.requirements);
+      if (perFileOptions.requirements.charAt(0) === '=') {
+        perFileArgs.push(`-r${perFileOptions.requirements}`);
+      } else {
+        perFileArgs.push('--requirements', perFileOptions.requirements);
+      }
     }
     if (perFileOptions.timestamp) {
       perFileArgs.push('--timestamp=' + perFileOptions.timestamp);