Provide some entitlements on macOS by default

Also, this change configures entitlements for local ad hoc signs on Apple Silicon Fixes #2867 Partial fix of #2887
JetBrains · Apr 4, 2023 · ef2bb46 · ef2bb46
1 parent 51175f7
commit ef2bb46
Show file tree

Hide file tree

Showing 4 changed files with 34 additions and 11 deletions.
diff --git a/...s/compose/src/main/kotlin/org/jetbrains/compose/desktop/application/internal/MacSigner.kt b/...s/compose/src/main/kotlin/org/jetbrains/compose/desktop/application/internal/MacSigner.kt
@@ -38,11 +38,13 @@ internal class NoCertificateSigner(runTool: ExternalToolRunner) : MacSigner(runT
             // Apple Silicon requires binaries to be signed
             // For local builds, ad hoc signatures are OK
             // https://wiki.lazarus.freepascal.org/Code_Signing_for_macOS
-            if (entitlements != null) {
-                runTool.codesign("--sign", "-", "-vvvv", "--entitlements", entitlements.absolutePath, file.absolutePath)
-            } else {
-                runTool.codesign("--sign", "-", "-vvvv", file.absolutePath)
+            val args = arrayListOf("-vvvv", "--sign", "-", "--options", "runtime", "--force")
+            entitlements?.let {
+                args.add("--entitlements")
+                args.add(entitlements.absolutePath)
             }
+            args.add(file.absolutePath)
+            runTool.codesign(*args.toTypedArray())
         }
     }
 

diff --git a/...main/kotlin/org/jetbrains/compose/desktop/application/internal/configureJvmApplication.kt b/...main/kotlin/org/jetbrains/compose/desktop/application/internal/configureJvmApplication.kt
@@ -349,11 +349,16 @@ internal fun JvmApplicationContext.configureCommonNotarizationSettings(
     notarizationTask.nonValidatedNotarizationSettings = app.nativeDistributions.macOS.notarization
 }
 
+private fun <T> TaskProvider<AbstractUnpackDefaultComposeApplicationResourcesTask>.get(
+    fn: AbstractUnpackDefaultComposeApplicationResourcesTask.DefaultResourcesProvider.() -> Provider<T>
+) = flatMap { fn(it.resources) }
+
 internal fun JvmApplicationContext.configurePlatformSettings(
     packageTask: AbstractJPackageTask,
-    unpackDefaultResources: TaskProvider<AbstractUnpackDefaultComposeApplicationResourcesTask>
+    defaultResources: TaskProvider<AbstractUnpackDefaultComposeApplicationResourcesTask>
 ) {
-    packageTask.dependsOn(unpackDefaultResources)
+    packageTask.dependsOn(defaultResources)
+
     when (currentOS) {
         OS.Linux -> {
             app.nativeDistributions.linux.also { linux ->
@@ -364,7 +369,7 @@ internal fun JvmApplicationContext.configurePlatformSettings(
                 packageTask.linuxMenuGroup.set(provider { linux.menuGroup })
                 packageTask.linuxPackageName.set(provider { linux.packageName })
                 packageTask.linuxRpmLicenseType.set(provider { linux.rpmLicenseType })
-                packageTask.iconFile.set(linux.iconFile.orElse(unpackDefaultResources.flatMap { it.resources.linuxIcon }))
+                packageTask.iconFile.set(linux.iconFile.orElse(defaultResources.get { linuxIcon }))
                 packageTask.installationPath.set(linux.installationPath)
             }
         }
@@ -377,7 +382,7 @@ internal fun JvmApplicationContext.configurePlatformSettings(
                 packageTask.winMenu.set(provider { win.menu })
                 packageTask.winMenuGroup.set(provider { win.menuGroup })
                 packageTask.winUpgradeUuid.set(provider { win.upgradeUuid })
-                packageTask.iconFile.set(win.iconFile.orElse(unpackDefaultResources.flatMap { it.resources.windowsIcon }))
+                packageTask.iconFile.set(win.iconFile.orElse(defaultResources.get { windowsIcon }))
                 packageTask.installationPath.set(win.installationPath)
             }
         }
@@ -393,15 +398,16 @@ internal fun JvmApplicationContext.configurePlatformSettings(
                 )
                 packageTask.macAppStore.set(mac.appStore)
                 packageTask.macAppCategory.set(mac.appCategory)
-                packageTask.macEntitlementsFile.set(mac.entitlementsFile)
-                packageTask.macRuntimeEntitlementsFile.set(mac.runtimeEntitlementsFile)
+                val defaultEntitlements = defaultResources.get { defaultEntitlements }
+                packageTask.macEntitlementsFile.set(mac.entitlementsFile.orElse(defaultEntitlements))
+                packageTask.macRuntimeEntitlementsFile.set(mac.runtimeEntitlementsFile.orElse(defaultEntitlements))
                 packageTask.packageBuildVersion.set(packageBuildVersionFor(packageTask.targetFormat))
                 packageTask.nonValidatedMacBundleID.set(provider { mac.bundleID })
                 packageTask.macProvisioningProfile.set(mac.provisioningProfile)
                 packageTask.macRuntimeProvisioningProfile.set(mac.runtimeProvisioningProfile)
                 packageTask.macExtraPlistKeysRawXml.set(provider { mac.infoPlistSettings.extraKeysRawXml })
                 packageTask.nonValidatedMacSigningSettings = app.nativeDistributions.macOS.signing
-                packageTask.iconFile.set(mac.iconFile.orElse(unpackDefaultResources.flatMap { it.resources.macIcon }))
+                packageTask.iconFile.set(mac.iconFile.orElse(defaultResources.get { macIcon }))
                 packageTask.installationPath.set(mac.installationPath)
             }
         }

diff --git a/...g/jetbrains/compose/desktop/tasks/AbstractUnpackDefaultComposeApplicationResourcesTask.kt b/...g/jetbrains/compose/desktop/tasks/AbstractUnpackDefaultComposeApplicationResourcesTask.kt
@@ -17,13 +17,15 @@ import org.jetbrains.compose.internal.utils.clearDirs
 import org.jetbrains.compose.internal.utils.ioFile
 
 private const val DEFAULT_COMPOSE_PROGUARD_RULES_FILE_NAME = "default-compose-desktop-rules.pro"
+private const val DEFAULT_ENTITLEMENTS_FILE_NAME = "default-entitlements.plist"
 
 abstract class AbstractUnpackDefaultComposeApplicationResourcesTask : AbstractComposeDesktopTask() {
     internal class DefaultResourcesProvider(resourcesRootDir: Provider<Directory>) {
         val macIcon: Provider<RegularFile> = resourcesRootDir.map { it.file("default-icon-mac.icns") }
         val windowsIcon: Provider<RegularFile> = resourcesRootDir.map { it.file("default-icon-windows.ico") }
         val linuxIcon: Provider<RegularFile> = resourcesRootDir.map { it.file("default-icon-linux.png") }
         val defaultComposeProguardRules: Provider<RegularFile> = resourcesRootDir.map { it.file(DEFAULT_COMPOSE_PROGUARD_RULES_FILE_NAME) }
+        val defaultEntitlements: Provider<RegularFile> = resourcesRootDir.map { it.file(DEFAULT_ENTITLEMENTS_FILE_NAME) }
     }
 
     @OutputDirectory
@@ -42,6 +44,7 @@ abstract class AbstractUnpackDefaultComposeApplicationResourcesTask : AbstractCo
         unpack(iconSourcePath("windows", "ico"), resources.windowsIcon)
         unpack(iconSourcePath("linux", "png"), resources.linuxIcon)
         unpack(DEFAULT_COMPOSE_PROGUARD_RULES_FILE_NAME, resources.defaultComposeProguardRules)
+        unpack(DEFAULT_ENTITLEMENTS_FILE_NAME, resources.defaultEntitlements)
     }
 
     private fun iconSourcePath(platformName: String, iconExt: String): String =

diff --git a/gradle-plugins/compose/src/main/resources/default-entitlements.plist b/gradle-plugins/compose/src/main/resources/default-entitlements.plist
@@ -0,0 +1,12 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+    <dict>
+        <key>com.apple.security.cs.allow-jit</key>
+        <true/>
+        <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
+        <true/>
+        <key>com.apple.security.cs.disable-library-validation</key>
+        <true/>
+    </dict>
+</plist>