feat(mac): set hardenedRuntime to true by default, set gatekeeper-ass…

…ess by default to false

Close #3383

packages/app-builder-lib/src/codeSign/macCodeSign.ts

@@ -9,7 +9,6 @@ import { homedir } from "os"
 import * as path from "path"
 import { getTempName } from "temp-file"
 import { isAutoDiscoveryCodeSignIdentity } from "../util/flags"
-import { isMacOsSierra } from "../util/macosVersion"
 import { downloadCertificate } from "./codesign"
 
 export const appleCertificatePrefixes = ["Developer ID Application:", "Developer ID Installer:", "3rd Party Mac Developer Application:", "3rd Party Mac Developer Installer:"]
@@ -186,9 +185,7 @@ async function importCerts(keychainName: string, paths: Array<string>, keyPasswo
 
     // https://stackoverflow.com/questions/39868578/security-codesign-in-sierra-keychain-ignores-access-control-settings-and-ui-p
     // https://github.com/electron-userland/electron-packager/issues/701#issuecomment-322315996
-    if (await isMacOsSierra()) {
-      await exec("security", ["set-key-partition-list", "-S", "apple-tool:,apple:", "-s", "-k", password, keychainName])
-    }
+    await exec("security", ["set-key-partition-list", "-S", "apple-tool:,apple:", "-s", "-k", password, keychainName])
   }
 
   return {

packages/app-builder-lib/src/macPackager.ts

@@ -1,7 +1,7 @@
 import BluebirdPromise from "bluebird-lst"
 import { deepAssign, Arch, AsyncTaskManager, exec, InvalidConfigurationError, log, use } from "builder-util"
 import { signAsync, SignOptions } from "electron-osx-sign"
-import { ensureDir, readdir } from "fs-extra-p"
+import { mkdirs, readdir } from "fs-extra"
 import { Lazy } from "lazy-val"
 import * as path from "path"
 import { copyFile, unlinkIfExists } from "builder-util/out/fs"
@@ -16,6 +16,8 @@ import { chooseNotNull, PlatformPackager } from "./platformPackager"
 import { ArchiveTarget } from "./targets/ArchiveTarget"
 import { PkgTarget, prepareProductBuildArgs } from "./targets/pkg"
 import { createCommonTarget, NoOpTarget } from "./targets/targetFactory"
+import { isMacOsHighSierra } from "./util/macosVersion"
+import { getTemplatePath } from "./util/pathManager"
 
 export default class MacPackager extends PlatformPackager<MacConfiguration> {
   readonly codeSigningInfo = new Lazy<CodeSigningInfo>(() => {
@@ -156,6 +158,10 @@ export default class MacPackager extends PlatformPackager<MacConfiguration> {
       }
     }
 
+    if (!isMacOsHighSierra()) {
+      throw new InvalidConfigurationError("macOS High Sierra 10.13.6 is required to sign")
+    }
+
     const signOptions: any = {
       "identity-validation": false,
       // https://github.com/electron-userland/electron-builder/issues/1699
@@ -175,8 +181,8 @@ export default class MacPackager extends PlatformPackager<MacConfiguration> {
       requirements: isMas || macOptions.requirements == null ? undefined : await this.getResource(macOptions.requirements),
       // https://github.com/electron-userland/electron-osx-sign/issues/196
       // will fail on 10.14.5+ because a signed but unnotarized app is also rejected.
-      "gatekeeper-assess": macOptions.gatekeeperAssess,
-      "hardened-runtime": macOptions.hardenedRuntime,
+      "gatekeeper-assess": macOptions.gatekeeperAssess === true,
+      hardenedRuntime: macOptions.hardenedRuntime !== false,
     }
 
     await this.adjustSignOptions(signOptions, masOptions)
@@ -206,34 +212,32 @@ export default class MacPackager extends PlatformPackager<MacConfiguration> {
 
   private async adjustSignOptions(signOptions: any, masOptions: MasConfiguration | null) {
     const resourceList = await this.resourceList
-    if (resourceList.includes(`entitlements.osx.plist`)) {
-      throw new InvalidConfigurationError("entitlements.osx.plist is deprecated name, please use entitlements.mac.plist")
-    }
-    if (resourceList.includes(`entitlements.osx.inherit.plist`)) {
-      throw new InvalidConfigurationError("entitlements.osx.inherit.plist is deprecated name, please use entitlements.mac.inherit.plist")
-    }
-
     const customSignOptions = masOptions || this.platformSpecificBuildOptions
     const entitlementsSuffix = masOptions == null ? "mac" : "mas"
-    if (customSignOptions.entitlements == null) {
+
+    let entitlements = customSignOptions.entitlements
+    if (entitlements == null) {
       const p = `entitlements.${entitlementsSuffix}.plist`
       if (resourceList.includes(p)) {
-        signOptions.entitlements = path.join(this.info.buildResourcesDir, p)
+        entitlements = path.join(this.info.buildResourcesDir, p)
+      }
+      else {
+        entitlements = getTemplatePath("entitlements.mac.plist")
       }
     }
-    else {
-      signOptions.entitlements = customSignOptions.entitlements
-    }
+    signOptions.entitlements = entitlements
 
-    if (customSignOptions.entitlementsInherit == null) {
+    let entitlementsInherit = customSignOptions.entitlementsInherit
+    if (entitlementsInherit == null) {
       const p = `entitlements.${entitlementsSuffix}.inherit.plist`
       if (resourceList.includes(p)) {
-        signOptions["entitlements-inherit"] = path.join(this.info.buildResourcesDir, p)
+        entitlementsInherit = path.join(this.info.buildResourcesDir, p)
+      }
+      else {
+        entitlementsInherit = getTemplatePath("entitlements.mac.plist")
       }
     }
-    else {
-      signOptions["entitlements-inherit"] = customSignOptions.entitlementsInherit
-    }
+    signOptions["entitlements-inherit"] = entitlementsInherit
 
     if (customSignOptions.provisioningProfile != null) {
       signOptions["provisioning-profile"] = customSignOptions.provisioningProfile
@@ -248,7 +252,7 @@ export default class MacPackager extends PlatformPackager<MacConfiguration> {
   //noinspection JSMethodCanBeStatic
   protected async doFlat(appPath: string, outFile: string, identity: Identity, keychain: string | null | undefined): Promise<any> {
     // productbuild doesn't created directory for out file
-    await ensureDir(path.dirname(outFile))
+    await mkdirs(path.dirname(outFile))
 
     const args = prepareProductBuildArgs(identity, keychain)
     args.push("--component", appPath, "/Applications")

packages/app-builder-lib/src/options/macOptions.ts

@@ -113,7 +113,7 @@ export interface MacConfiguration extends PlatformSpecificBuildOptions {
 
   /**
    * Whether your app has to be signed with hardened runtime.
-   * @default false
+   * @default true
    */
   readonly hardenedRuntime?: boolean
 

packages/app-builder-lib/src/util/macosVersion.ts

@@ -1,7 +1,8 @@
-import { readFile } from "fs-extra-p"
+import { readFile } from "fs-extra"
 import { Lazy } from "lazy-val"
 import * as semver from "semver"
 import { log } from "builder-util/out/log"
+import { release as osRelease } from "os"
 
 const macOsVersion = new Lazy<string>(async () => {
   const file = await readFile("/System/Library/CoreServices/SystemVersion.plist", "utf8")
@@ -21,8 +22,9 @@ async function isOsVersionGreaterThanOrEqualTo(input: string) {
   return semver.gte(await macOsVersion.value, clean(input))
 }
 
-export function getMacOsVersion() {
-  return macOsVersion.value
+export function isMacOsHighSierra(): boolean {
+  // 17.7.0 === 10.13.6
+  return process.platform === "darwin" && semver.gte(osRelease(), "17.7.0")
 }
 
 export async function isMacOsSierra() {

packages/app-builder-lib/src/winPackager.ts

@@ -3,7 +3,7 @@ import { Arch, asArray, InvalidConfigurationError, log, use } from "builder-util
 import { parseDn } from "builder-util-runtime"
 import { CopyFileTransformer, FileTransformer, walk } from "builder-util/out/fs"
 import { createHash } from "crypto"
-import { readdir } from "fs-extra-p"
+import { readdir } from "fs-extra"
 import isCI from "is-ci"
 import { Lazy } from "lazy-val"
 import * as path from "path"

packages/app-builder-lib/templates/entitlements.mac.plist

@@ -0,0 +1,8 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+  <dict>
+    <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
+    <true/>
+  </dict>
+</plist>

packages/dmg-builder/src/dmg.ts

@@ -64,7 +64,7 @@ export class DmgTarget extends Target {
       await packager.packagerOptions.effectiveOptionComputed({licenseData})
     }
 
-    if (this.options.sign) {
+    if (this.options.sign === true) {
       await this.signDmg(artifactPath)
     }
 

test/out/__snapshots__/BuildTest.js.snap

@@ -305,6 +305,23 @@ Object {
             "bl.js": Object {
               "size": 6400,
             },
+            "node_modules": Object {
+              "files": Object {
+                "safe-buffer": Object {
+                  "files": Object {
+                    "LICENSE": Object {
+                      "size": 1081,
+                    },
+                    "index.js": Object {
+                      "size": 1585,
+                    },
+                    "package.json": Object {
+                      "size": 500,
+                    },
+                  },
+                },
+              },
+            },
             "package.json": Object {
               "size": 741,
             },
@@ -1565,6 +1582,23 @@ Object {
             "index.js": Object {
               "size": 6884,
             },
+            "node_modules": Object {
+              "files": Object {
+                "safe-buffer": Object {
+                  "files": Object {
+                    "LICENSE": Object {
+                      "size": 1081,
+                    },
+                    "index.js": Object {
+                      "size": 1585,
+                    },
+                    "package.json": Object {
+                      "size": 500,
+                    },
+                  },
+                },
+              },
+            },
             "package.json": Object {
               "size": 542,
             },