-
Notifications
You must be signed in to change notification settings - Fork 756
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Entitlement to sign the QtWebEngineProcess with an exception. #2445
Conversation
122cdad
to
53e5c6d
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Great catch! :-)
Sad we have to opt-out from some protection here but of course that's not surprising.
Dropping this link for documentation:
https://developer.apple.com/documentation/bundleresources/entitlements/com_apple_security_cs_disable-executable-page-protection
/rebase |
Fix for #1793: The problem seems to be related enabling hardened runtime. This exception allows the webview to load. Signed-off-by: Camila San <hello@camila.codes>
53e5c6d
to
9c5a51b
Compare
AppImage file: Nextcloud-PR-2445-9c5a51bb07bb2a1a1730bab9144d5d6e674edad5-x86_64.AppImage |
/backport to stable-3.0 |
@@ -16,3 +16,4 @@ configure_file(create_mac.sh.cmake ${CMAKE_CURRENT_BINARY_DIR}/create_mac.sh) | |||
configure_file(macosx.pkgproj.cmake ${CMAKE_CURRENT_BINARY_DIR}/macosx.pkgproj) | |||
configure_file(pre_install.sh.cmake ${CMAKE_CURRENT_BINARY_DIR}/pre_install.sh) | |||
configure_file(post_install.sh.cmake ${CMAKE_CURRENT_BINARY_DIR}/post_install.sh) | |||
configure_file(QtWebEngineProcess.entitlements ${CMAKE_CURRENT_BINARY_DIR}/QtWebEngineProcess.entitlements) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think this line is unneeded, cmake is not doing any processing on that file.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
to be honest I was following what is been done for the other files and this path in the build folder is what is being used in our daily build script and brander to execute the sh files and now to sign the QtWebEngineProcess. Or should I have also called it QtWebEngineProcess.entitlements.cmake? I am not sure I know why that is done with the other files.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
OK, I guess our build script and sh files are a bit limited then. It'd be better if they'd knew about the source dir as well.
As for the other files, if you got something .cmake used with configure_file, it will generate a new file (usually dropping the .cmake extension) in which CMake variables are expanded (@VARIABLE_NAME@
syntax). In this case it's a bit surprising to process a file containing no such variable.
Now looking at the doc, I see there's COPYONLY
option I didn't know about which would have been fitting here. For details: https://cmake.org/cmake/help/latest/command/configure_file.html
Oh well, in that particular case no harm done apart from processing the file while it wasn't needed.
Fix for #1793: The problem seems to be related enabling hardened runtime.
This exception allows the webview to load.