feedc0de/qt-creator
1
0
Fork 0
forked from qt-creator/qt-creator
Code Pull Requests Activity

macOS: Fix 'disclaim' in packages not passing on DYLD_... variables

Browse Source 
Signed executables with hardened runtime need the entitlement
com.apple.security.cs.allow-dyld-environment-variables
to be able to pass on the DYLD_... variables to subprocesses.

Fixes: QTCREATORBUG-27175
Change-Id: Ibc203487be4d7111fc60b05749cae4e3ad750b3d
Reviewed-by: Tor Arne Vestbø <tor.arne.vestbo@qt.io>
This commit is contained in:
Eike Ziller
2022-03-10 16:42:48 +01:00
parent 18e57ba886
commit 2829412e15
2 changed files with 28 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
dist/installer/mac/disclaim.entitlements vendored Normal file
View File

@@ -0,0 +1,8 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>com.apple.security.cs.allow-dyld-environment-variables</key>
<true/>
</dict>
</plist>

23
scripts/common.py
View File

@@ -229,6 +229,16 @@ def codesign_call():
codesign_call.extend(signing_flags.split()) codesign_call.extend(signing_flags.split())
return codesign_call return codesign_call
def codesign_executable(path):
codesign = codesign_call()
if not codesign:
return
entitlements_path = os.path.join(os.path.dirname(os.path.realpath(__file__)), '..', 'dist',
'installer', 'mac', os.path.basename(path) + '.entitlements')
if os.path.exists(entitlements_path):
codesign.extend(['--entitlements', entitlements_path])
subprocess.check_call(codesign + [path])
def os_walk(path, filter, function): def os_walk(path, filter, function):
for r, _, fs in os.walk(path): for r, _, fs in os.walk(path):
for f in fs: for f in fs:
@@ -237,20 +247,21 @@ def os_walk(path, filter, function):
function(ff) function(ff)
def conditional_sign_recursive(path, filter): def conditional_sign_recursive(path, filter):
codesign = codesign_call() if is_mac_platform():
if is_mac_platform() and codesign: os_walk(path, filter, lambda fp: codesign_executable(fp))
os_walk(path, filter, lambda fp: subprocess.check_call(codesign + [fp]))
def codesign(app_path): def codesign(app_path):
codesign = codesign_call()
if not codesign or not is_mac_platform():
return
# sign all executables in Resources # sign all executables in Resources
conditional_sign_recursive(os.path.join(app_path, 'Contents', 'Resources'), conditional_sign_recursive(os.path.join(app_path, 'Contents', 'Resources'),
lambda ff: os.access(ff, os.X_OK)) lambda ff: os.access(ff, os.X_OK))
# sign all libraries in Imports # sign all libraries in Imports
conditional_sign_recursive(os.path.join(app_path, 'Contents', 'Imports'), conditional_sign_recursive(os.path.join(app_path, 'Contents', 'Imports'),
lambda ff: ff.endswith('.dylib')) lambda ff: ff.endswith('.dylib'))
codesign = codesign_call()
if is_mac_platform() and codesign: # sign the whole bundle
entitlements_path = os.path.join(os.path.dirname(os.path.realpath(__file__)), '..', 'dist', entitlements_path = os.path.join(os.path.dirname(os.path.realpath(__file__)), '..', 'dist',
'installer', 'mac', 'entitlements.plist') 'installer', 'mac', 'entitlements.plist')
# sign the whole bundle
subprocess.check_call(codesign + ['--deep', app_path, '--entitlements', entitlements_path]) subprocess.check_call(codesign + ['--deep', app_path, '--entitlements', entitlements_path])