From 2829412e154935aea563862254ea5aa64941210f Mon Sep 17 00:00:00 2001
From: Eike Ziller
Date: Thu, 10 Mar 2022 16:42:48 +0100
Subject: [PATCH] macOS: Fix 'disclaim' in packages not passing on DYLD_... variables
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed executables with hardened runtime need the entitlement com.apple.security.cs.allow-dyld-environment-variables to be able to pass on the DYLD_... variables to subprocesses.

Fixes: QTCREATORBUG-27175
Change-Id: Ibc203487be4d7111fc60b05749cae4e3ad750b3d
Reviewed-by: Tor Arne Vestbø
---
 dist/installer/mac/disclaim.entitlements | 8 +++++++
 scripts/common.py | 29 ++++++++++++++++--------
 2 files changed, 28 insertions(+), 9 deletions(-)
 create mode 100644 dist/installer/mac/disclaim.entitlements

diff --git a/dist/installer/mac/disclaim.entitlements b/dist/installer/mac/disclaim.entitlements
new file mode 100644
index 00000000000..7760cac65c8
--- /dev/null
+++ b/dist/installer/mac/disclaim.entitlements
@@ -0,0 +1,8 @@
+
+
+
+
+ com.apple.security.cs.allow-dyld-environment-variables
+
+
+
diff --git a/scripts/common.py b/scripts/common.py
index a04beb27efc..6851b000e41 100644
--- a/scripts/common.py
+++ b/scripts/common.py
@@ -229,6 +229,16 @@ def codesign_call():
 codesign_call.extend(signing_flags.split())
 return codesign_call
 
+def codesign_executable(path):
+ codesign = codesign_call()
+ if not codesign:
+ return
+ entitlements_path = os.path.join(os.path.dirname(os.path.realpath(__file__)), '..', 'dist',
+ 'installer', 'mac', os.path.basename(path) + '.entitlements')
+ if os.path.exists(entitlements_path):
+ codesign.extend(['--entitlements', entitlements_path])
+ subprocess.check_call(codesign + [path])
+
 def os_walk(path, filter, function):
 for r, _, fs in os.walk(path):
 for f in fs:
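Review bot: The new `dist/installer/mac/disclaim.entitlements` has no comment saying why the hardened runtime is relaxed for this one helper. `com.apple.security.cs.allow-dyld-environment-variables` does more than let `disclaim` forward DYLD_... variables: the signed helper itself then honours them, so the file should record that the grant is deliberate and limited to this key. I would add an XML comment above the key, along the lines of `<!-- disclaim only: needed to pass DYLD_* on to subprocesses (QTCREATORBUG-27175); do not add disable-library-validation here -->`. The plist markup is not visible in this view, so the exact placement is an assumption.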
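Review bot: In `codesign_executable` the entitlements file is picked from `os.path.basename(path)` alone, so any file under the signed tree that happens to be named `disclaim` receives the relaxed entitlement, wherever it sits in the bundle. An explicit table keyed on the path relative to the bundle would make the grant deliberate, e.g. `ENTITLEMENTS = {'<relative/path/to/disclaim>': 'disclaim.entitlements'}` (the key is a placeholder; the real location is not shown here). A log line whenever `--entitlements` is added would also make the grant visible in build logs. The function has no docstring either; `"""Sign path, adding <basename>.entitlements from dist/installer/mac when that file exists; does nothing when codesign_call() returns no command."""` would cover it.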
@@ -237,20 +247,21 @@ def os_walk(path, filter, function):
 function(ff)
 
 def conditional_sign_recursive(path, filter):
- codesign = codesign_call()
- if is_mac_platform() and codesign:
- os_walk(path, filter, lambda fp: subprocess.check_call(codesign + [fp]))
+ if is_mac_platform():
+ os_walk(path, filter, lambda fp: codesign_executable(fp))
 
 def codesign(app_path):
+ codesign = codesign_call()
+ if not codesign or not is_mac_platform():
+ return
 # sign all executables in Resources
 conditional_sign_recursive(os.path.join(app_path, 'Contents', 'Resources'),
 lambda ff: os.access(ff, os.X_OK))
 # sign all libraries in Imports
 conditional_sign_recursive(os.path.join(app_path, 'Contents', 'Imports'),
 lambda ff: ff.endswith('.dylib'))
- codesign = codesign_call()
- if is_mac_platform() and codesign:
- entitlements_path = os.path.join(os.path.dirname(os.path.realpath(__file__)), '..', 'dist',
- 'installer', 'mac', 'entitlements.plist')
- # sign the whole bundle
- subprocess.check_call(codesign + ['--deep', app_path, '--entitlements', entitlements_path])
+
+ # sign the whole bundle
+ entitlements_path = os.path.join(os.path.dirname(os.path.realpath(__file__)), '..', 'dist',
+ 'installer', 'mac', 'entitlements.plist')
+ subprocess.check_call(codesign + ['--deep', app_path, '--entitlements', entitlements_path])
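Review bot: The bundle signature at the end of `codesign()` still passes `--deep` together with the bundle-wide `entitlements.plist`, and `--deep` applies the same signing options to any nested code it re-signs. If an executable that got its own `.entitlements` file from `codesign_executable` sits where codesign treats it as nested code, that per-file grant would be replaced; whether `disclaim` is in such a place is not visible in this hunk. A comment on that call, such as `# --deep re-signs nested code with entitlements.plist; per-executable entitlements only survive outside nested-code locations`, plus a packaging check with `codesign -d --entitlements - <path-to-disclaim>` would pin this down. Separately, `lambda fp: codesign_executable(fp)` in `conditional_sign_recursive` can be written as just `codesign_executable`.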