solenv/bin/macosx-codesign-app-bundle | 6 +++++- sysui/desktop/macosx/sandbox_inherit.entitlements | 10 ++++++++++ 2 files changed, 15 insertions(+), 1 deletion(-)
New commits: commit 99ce6ffc2a9a672bc3df32419e5e6d7b09e5ea08 Author: Christian Lohmaier <[email protected]> AuthorDate: Thu Nov 2 10:30:34 2023 +0100 Commit: Christian Lohmaier <[email protected]> CommitDate: Fri Nov 3 17:52:44 2023 +0100 tdf#158038 fix opening pdf files in appstore ver (sandbox issue w/ helper tool) https://developer.apple.com/documentation/xcode/embedding-a-helper-tool-in-a-sandboxed-app "Adding other entitlements to the tool can cause problems. If the tool immediately crashes with a code signing error when your app runs the tool, check that the tool is signed with just these two entitlements: com.apple.security.app-sandbox and com.apple.security.inherit." This is indeed what happened.. Change-Id: Id03948c03b7d453aae4ca58719f582576e30a16f Reviewed-on: https://gerrit.libreoffice.org/c/core/+/158790 Tested-by: Christian Lohmaier <[email protected]> Reviewed-by: Christian Lohmaier <[email protected]> (cherry picked from commit 2c3fe12e0ffc59be7c28d9b9908db881adb0f1ea) Reviewed-on: https://gerrit.libreoffice.org/c/core/+/158709 Tested-by: Jenkins Reviewed-by: Michael Stahl <[email protected]>
diff --git a/solenv/bin/macosx-codesign-app-bundle b/solenv/bin/macosx-codesign-app-bundle
index b1b17dbf7393..6f13f4c0c2c3 100755
--- a/solenv/bin/macosx-codesign-app-bundle
+++ b/solenv/bin/macosx-codesign-app-bundle
@@ -25,10 +25,13 @@ done
 APP_BUNDLE="$1"
 entitlements=
+entitlements_helper=
 application_identifier=
 if test -n "$ENABLE_MACOSX_SANDBOX"; then
 # In a sandboxed build executables need the entitlements
 entitlements="--entitlements $BUILDDIR/lo.xcent"
+ # helper utilities must be signed with only the sandbox and inherit entitlements
+ entitlements_helper="--entitlements $SRCDIR/sysui/desktop/macosx/sandbox_inherit.entitlements"
 application_identifier=`/usr/libexec/PlistBuddy -c "print com.apple.application-identifier" $BUILDDIR/lo.xcent`
 # remove the key from the entitlement - only use it when signing the whole bundle in the final step
 /usr/libexec/PlistBuddy -c "delete com.apple.application-identifier" $BUILDDIR/lo.xcent
@@ -40,6 +43,7 @@ if test -n "$ENABLE_MACOSX_SANDBOX"; then
 else
 # We then want to sign data files, too, hmm.
 entitlements="--entitlements $BUILDDIR/hardened_runtime.xcent"
+ entitlements_helper=$entitlements
 other_files="\
 -or -name '*.fodt' -or -name 'schema.strings' -or -name 'schema.xml' \
 -or -name '*.jar' -or -name 'LICENSE' -or -name 'LICENSE.html' \
@@ -114,7 +118,7 @@ while read file; do
 ;;
 *)
 id=`echo ${file#${APP_BUNDLE}/Contents/} | sed -e 's,/,.,g'`
- codesign --force --timestamp --options=runtime --identifier=$MACOSX_BUNDLE_IDENTIFIER.$id --sign "$MACOSX_CODESIGNING_IDENTITY" $entitlements "$file" || exit 1
+ codesign --force --timestamp --options=runtime --identifier=$MACOSX_BUNDLE_IDENTIFIER.$id --sign "$MACOSX_CODESIGNING_IDENTITY" $entitlements_helper "$file" || exit 1
 ;;
 esac
 done
diff --git a/sysui/desktop/macosx/sandbox_inherit.entitlements b/sysui/desktop/macosx/sandbox_inherit.entitlements
new file mode 100644
index 000000000000..794eada1cad3
--- /dev/null
+++ b/sysui/desktop/macosx/sandbox_inherit.entitlements
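Review bot: In the `@@ -25,10 +25,13 @@` hunk of solenv/bin/macosx-codesign-app-bundle, the sandbox branch now builds the helper entitlements path from `$SRCDIR`, and nothing visible here checks that the variable is set or that the file exists. The environment check that precedes this hunk is outside it, so SRCDIR may or may not be covered there; if it is empty, the path degrades to `/sysui/desktop/macosx/sandbox_inherit.entitlements` and the problem only shows up later as a codesign failure inside the signing loop. A guard directly after the assignment would fail early with a clear message: `test -r "$SRCDIR/sysui/desktop/macosx/sandbox_inherit.entitlements" || { echo "sandbox_inherit.entitlements not found under \$SRCDIR" >&2; exit 1; }`. The if-block continues past the end of the hunk.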
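Review bot: In the `@@ -114,7 +118,7 @@` hunk, the changed `codesign` call sits in the catch-all `*)` arm, so in a sandboxed build every file that reaches this arm is now signed with only app-sandbox and inherit, not only the helper tool the commit message refers to. The earlier case arms are outside the hunk, so which executables end up here cannot be confirmed from this view; presumably anything that is started directly rather than spawned by the sandboxed app has to be matched before `*)`. I would state that above the call, e.g. `# files reaching this arm are only ever spawned by the sandboxed app, so they get app-sandbox + inherit and nothing else`. Separately, `$entitlements_helper` is expanded unquoted so that the option and its path split into two words, which breaks if the source path contains whitespace; if the script runs under bash, holding the option and the quoted path in an array and expanding it as `"${entitlements_helper[@]}"` avoids that.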
@@ -0,0 +1,10 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+ <key>com.apple.security.app-sandbox</key>
+ <true/>
+ <key>com.apple.security.inherit</key>
+ <true/>
+</dict>
+</plist>
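Review bot: The new sandbox_inherit.entitlements file carries no comment saying that its two keys are the complete allowed set, so a later edit could add an entitlement and bring back the crash described in the commit message. I would add an XML comment before `<dict>`, for example `<!-- For helper tools embedded in the sandboxed app: keep exactly app-sandbox and inherit; extra entitlements make the tool fail with a code signing error (tdf#158038) -->`. A post-signing check that prints the embedded entitlements of a signed helper, `codesign -d --entitlements - "$file"`, would also confirm that the intended set was applied.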
