macOS: Fix 'disclaim' in packages not passing on DYLD_... variables

Signed executables with hardened runtime need the entitlement com.apple.security.cs.allow-dyld-environment-variables to be able to pass on the DYLD_... variables to subprocesses. Fixes: QTCREATORBUG-27175 Change-Id: Ibc203487be4d7111fc60b05749cae4e3ad750b3d Reviewed-by: Tor Arne Vestbø <tor.arne.vestbo@qt.io>
2022-03-10 16:42:48 +01:00
parent 18e57ba886
commit 2829412e15
2 changed files with 28 additions and 9 deletions
--- a/dist/installer/mac/disclaim.entitlements
+++ b/dist/installer/mac/disclaim.entitlements
@@ -0,0 +1,8 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+        <key>com.apple.security.cs.allow-dyld-environment-variables</key>
+        <true/>
+</dict>
+</plist>
--- a/scripts/common.py
+++ b/scripts/common.py
@@ -229,6 +229,16 @@ def codesign_call():
        codesign_call.extend(signing_flags.split())
    return codesign_call

+def codesign_executable(path):
+    codesign = codesign_call()
+    if not codesign:
+        return
+    entitlements_path = os.path.join(os.path.dirname(os.path.realpath(__file__)), '..', 'dist',
+                                     'installer', 'mac', os.path.basename(path) + '.entitlements')
+    if os.path.exists(entitlements_path):
+        codesign.extend(['--entitlements', entitlements_path])
+    subprocess.check_call(codesign + [path])
+
 def os_walk(path, filter, function):
    for r, _, fs in os.walk(path):
        for f in fs:
@@ -237,20 +247,21 @@ def os_walk(path, filter, function):
                function(ff)

 def conditional_sign_recursive(path, filter):
-    codesign = codesign_call()
-    if is_mac_platform() and codesign:
-        os_walk(path, filter, lambda fp: subprocess.check_call(codesign + [fp]))
+    if is_mac_platform():
+        os_walk(path, filter, lambda fp: codesign_executable(fp))

 def codesign(app_path):
+    codesign = codesign_call()
+    if not codesign or not is_mac_platform():
+        return
    # sign all executables in Resources
    conditional_sign_recursive(os.path.join(app_path, 'Contents', 'Resources'),
                               lambda ff: os.access(ff, os.X_OK))
    # sign all libraries in Imports
    conditional_sign_recursive(os.path.join(app_path, 'Contents', 'Imports'),
                               lambda ff: ff.endswith('.dylib'))
-    codesign = codesign_call()
-    if is_mac_platform() and codesign:
-        entitlements_path = os.path.join(os.path.dirname(os.path.realpath(__file__)), '..', 'dist',
-                                         'installer', 'mac', 'entitlements.plist')
-        # sign the whole bundle
-        subprocess.check_call(codesign + ['--deep', app_path, '--entitlements', entitlements_path])
+
+    # sign the whole bundle
+    entitlements_path = os.path.join(os.path.dirname(os.path.realpath(__file__)), '..', 'dist',
+                                     'installer', 'mac', 'entitlements.plist')
+    subprocess.check_call(codesign + ['--deep', app_path, '--entitlements', entitlements_path])