adding signature-flags

README.md

@@ -173,10 +173,6 @@ Default to `true`.
 Flag to enable the Mojave hardened runtime when signing the app.  Disabled by default, requires Xcode >= 10 and
 macOS >= 10.13.6.
 
-`restrict` - *Boolean*
-
-Restrict dyld loading. See doc about this [code signature flag](https://developer.apple.com/documentation/security/seccodesignatureflags/kseccodesignaturerestrict?language=objc) for more details. Disabled by default.
-
 `identity` - *String*
 
 Name of certificate to use when signing.
@@ -226,6 +222,13 @@ Specify the criteria that you recommend to be used to evaluate the code signatur
 See more info from https://developer.apple.com/library/mac/documentation/Security/Conceptual/CodeSigningGuide/RequirementLang/RequirementLang.html
 Default to `undefined`.
 
+`restrict` - *Boolean*
+
+*** To be deprecated, see `signature-flags` *** Restrict dyld loading. See doc about this [code signature flag](https://developer.apple.com/documentation/security/seccodesignatureflags/kseccodesignaturerestrict?language=objc) for more details. Disabled by default.
+
+`signature-flags` - *String*
+comma separated string for [code signature flag](https://developer.apple.com/documentation/security/seccodesignatureflags?language=objc). Default is `underfined`
+
 `strict-verify` - *Boolean|String|Array.<String>*
 
 Flag to enable/disable `--strict` flag when verifying the signed application bundle.

bin/electron-osx-sign-usage.txt

@@ -29,9 +29,6 @@ DESCRIPTION
     Flag to enable the Mojave hardened runtime when signing the app.  Disabled by default, requires Xcode >= 10 and macOS
     >= 10.13.6.
 
-  --restrict
-    Flag to enable restrict mode. Disabled by default.
-
   --help
     Flag to display all commands.
 
@@ -66,6 +63,12 @@ DESCRIPTION
   --requirements=requirements
     Specify the criteria that you recommend to be used to evaluate the code signature.
 
+  --restrict
+    Flag to enable restrict mode. Disabled by default. (this will be deprecated soon, see --sign-flags)
+
+  --signature-flags=flags
+    code signature flags. Default to none
+
   --strict-verify, --strict-verify=options, --no-strict-verify
     Flag to enable/disable ``--strict'' flag when verifying the signed application bundle.
     Each component should be separated in ``options'' with comma (``,'').

bin/electron-osx-sign.js

@@ -3,6 +3,9 @@
 var fs = require('fs')
 var path = require('path')
 var args = require('minimist')(process.argv.slice(2), {
+  'string': [
+    'signature-flags'
+  ],
   'boolean': [
     'help',
     'pre-auto-entitlements',

sign.js

@@ -158,23 +158,33 @@ function signApplicationAsync (opts) {
       } else {
         args.push('--timestamp')
       }
-      const optionsArguments = []
+      var optionsArguments = []
 
-      if (opts.hardenedRuntime || opts['hardened-runtime']) {
+      if (opts['signature-flags']) {
+        var flags = opts['signature-flags'].split(',').map(function (flag) { return flag.trim() })
+        flags.forEach(element => {
+          optionsArguments.push(element)
+        })
+      }
+
+      if (opts.hardenedRuntime || opts['hardened-runtime' || optionsArguments.includes('runtime')]) {
         // Hardened runtime since darwin 17.7.0 --> macOS 10.13.6
         if (compareVersion(osRelease, '17.7.0') >= 0) {
           optionsArguments.push('runtime')
         } else {
+          // Remove runtime if passed in with --signature-flags
           debuglog('Not enabling hardened runtime, current macOS version too low, requires 10.13.6 and higher')
+          optionsArguments = optionsArguments.filter(function (element, index) { return element !== 'runtime' })
         }
       }
 
       if (opts['restrict']) {
         optionsArguments.push('restrict')
+        debugwarn('this flag is to be deprecated, consider using --signature-flags=restrict')
       }
 
       if (optionsArguments.length) {
-        args.push('--options', optionsArguments.join(','))
+        args.push('--options', [...new Set(optionsArguments)].join(','))
       }
 
       var promise