Merge from 5.x: PR #18789

Fixes #18776
spyder-ide · Jul 22, 2022 · 1e75383 · 1e75383
2 parents a69783a + 519567e
commit 1e75383
Show file tree

Hide file tree

Showing 3 changed files with 19 additions and 4 deletions.
diff --git a/.github/workflows/installer-macos.yml b/.github/workflows/installer-macos.yml
@@ -91,7 +91,7 @@ jobs:
           pil=$(${pythonLocation} -c "import PIL, os; print(os.path.dirname(PIL.__file__))")
           rm -v ${DISTDIR}/Spyder.app/Contents/Frameworks/liblzma.5.dylib
           cp -v ${pil}/.dylibs/liblzma.5.dylib ${DISTDIR}/Spyder.app/Contents/Frameworks/
-          ./codesign.sh -a "${DISTDIR}/Spyder.app"
+          ./codesign.sh "${DISTDIR}/Spyder.app"
       - name: Test Application Bundle
         run: ./test_app.sh -t 60 -d 10 ${DISTDIR}
       - name: Build Disk Image

diff --git a/installers/macOS/codesign.sh b/installers/macOS/codesign.sh
@@ -10,13 +10,15 @@ Required:
 
 Options:
   -h          Display this help
+  -u          Unsign code
 
 EOF
 }
 
-while getopts ":h" option; do
+while getopts ":hu" option; do
     case $option in
         (h) help; exit ;;
+        (u) unsign=0 ;;
     esac
 done
 shift $(($OPTIND - 1))
@@ -31,12 +33,17 @@ log(){
 
 # Resolve full path; works for both .app and .dmg
 FILE=$(cd $(dirname $1) && pwd -P)/$(basename $1)
+qt_ent_file=$(cd $(dirname $BASH_SOURCE) && pwd -P)/qt_webengine.xml
 
 # --- Get certificate id
 CNAME=$(security find-identity -p codesigning -v | pcregrep -o1 "\(([0-9A-Z]+)\)")
 log "Certificate ID: $CNAME"
 
-csopts=("--force" "--verify" "--verbose" "--timestamp" "--sign" "$CNAME")
+if [[ -n "${unsign}" ]]; then
+    csopts=("--remove-signature")
+else
+    csopts=("--force" "--verify" "--verbose" "--timestamp" "--sign" "$CNAME")
+fi
 
 # --- Helper functions
 code-sign(){
@@ -70,7 +77,7 @@ if [[ "$FILE" = *".app" ]]; then
     for fwk in "$pydir"/PyQt5/Qt5/lib/*.framework; do
         if [[ "$fwk" = *"QtWebEngineCore"* ]]; then
             subapp="$fwk/Helpers/QtWebEngineProcess.app"
-            code-sign ${csopts[@]} -o runtime "$subapp"
+            code-sign ${csopts[@]} -o runtime --entitlements $qt_ent_file "$subapp"
         fi
         sign-dir "$fwk" -type f -perm +111 -not -path *QtWebEngineProcess.app*
         code-sign ${csopts[@]} "$fwk"

diff --git a/installers/macOS/qt_webengine.xml b/installers/macOS/qt_webengine.xml
@@ -0,0 +1,8 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+    <key>com.apple.security.cs.disable-executable-page-protection</key>
+    <true/>
+</dict>
+</plist>