diff --git a/README.md b/README.md
index 9e2d0e9..1362e73 100644
--- a/README.md
+++ b/README.md
@@ -173,10 +173,6 @@ Default to `true`.
 Flag to enable the Mojave hardened runtime when signing the app. Disabled by default, requires Xcode >= 10 and macOS >= 10.13.6.
-`restrict` - *Boolean*
-
-Restrict dyld loading. See doc about this [code signature flag](https://developer.apple.com/documentation/security/seccodesignatureflags/kseccodesignaturerestrict?language=objc) for more details. Disabled by default.
-
 `identity` - *String* Name of certificate to use when signing.
@@ -226,6 +222,13 @@ Specify the criteria that you recommend to be used to evaluate the code signatur
 See more info from https://developer.apple.com/library/mac/documentation/Security/Conceptual/CodeSigningGuide/RequirementLang/RequirementLang.html Default to `undefined`.
+`restrict` - *Boolean*
+
+*** To be deprecated, see `signature-flags` *** Restrict dyld loading. See doc about this [code signature flag](https://developer.apple.com/documentation/security/seccodesignatureflags/kseccodesignaturerestrict?language=objc) for more details. Disabled by default.
+
+`signature-flags` - *String* comma separated string for [code signature flag](https://developer.apple.com/documentation/security/seccodesignatureflags?language=objc). Default is `underfined`
+
 `strict-verify` - *Boolean|String|Array.* Flag to enable/disable `--strict` flag when verifying the signed application bundle.
diff --git a/bin/electron-osx-sign-usage.txt b/bin/electron-osx-sign-usage.txt
index 9854e66..b5c87e1 100644
--- a/bin/electron-osx-sign-usage.txt
+++ b/bin/electron-osx-sign-usage.txt
@@ -29,9 +29,6 @@ DESCRIPTION
 Flag to enable the Mojave hardened runtime when signing the app. Disabled by default, requires Xcode >= 10 and macOS >= 10.13.6.
- --restrict
- Flag to enable restrict mode. Disabled by default.
-
 --help Flag to display all commands.
@@ -66,6 +63,12 @@ DESCRIPTION
 --requirements=requirements Specify the criteria that you recommend to be used to evaluate the code signature.
+ --restrict Flag to enable restrict mode. Disabled by default. (this will be deprecated soon, see --sign-flags)
+
+ --signature-flags=flags code signature flags. Default to none
+
 --strict-verify, --strict-verify=options, --no-strict-verify Flag to enable/disable ``--strict'' flag when verifying the signed application bundle. Each component should be separated in ``options'' with comma (``,'').
diff --git a/bin/electron-osx-sign.js b/bin/electron-osx-sign.js
index ba68df8..a8c9847 100755
--- a/bin/electron-osx-sign.js
+++ b/bin/electron-osx-sign.js
@@ -3,6 +3,9 @@
 var fs = require('fs')
 var path = require('path')
 var args = require('minimist')(process.argv.slice(2), {
+ 'string': [
+ 'signature-flags'
+ ],
 'boolean': [
 'help',
 'pre-auto-entitlements',
diff --git a/sign.js b/sign.js
index f29ef68..c7b8e58 100644
--- a/sign.js
+++ b/sign.js
@@ -158,23 +158,33 @@ function signApplicationAsync (opts) {
 } else {
 args.push('--timestamp')
 }
- const optionsArguments = []
+ var optionsArguments = []
- if (opts.hardenedRuntime || opts['hardened-runtime']) {
+ if (opts['signature-flags']) {
+ var flags = opts['signature-flags'].split(',').map(function (flag) { return flag.trim() })
+ flags.forEach(element => {
+ optionsArguments.push(element)
+ })
+ }
+
+ if (opts.hardenedRuntime || opts['hardened-runtime' || optionsArguments.includes('runtime')]) {
 // Hardened runtime since darwin 17.7.0 --> macOS 10.13.6
 if (compareVersion(osRelease, '17.7.0') >= 0) {
 optionsArguments.push('runtime')
 } else {
+ // Remove runtime if passed in with --signature-flags
 debuglog('Not enabling hardened runtime, current macOS version too low, requires 10.13.6 and higher')
+ optionsArguments = optionsArguments.filter(function (element, index) { return element !== 'runtime' })
 }
 }
 if (opts['restrict']) {
 optionsArguments.push('restrict')
+ debugwarn('this flag is to be deprecated, consider using --signature-flags=restrict')
 }
 if (optionsArguments.length) {
- args.push('--options', optionsArguments.join(','))
+ args.push('--options', [...new Set(optionsArguments)].join(','))
 }
 var promise
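Review bot: The new hardened-runtime condition has the `||` inside the property brackets, `opts['hardened-runtime' || optionsArguments.includes('runtime')]`, so `'hardened-runtime' || …` short-circuits to the string `'hardened-runtime'` and the `includes('runtime')` check is never evaluated; a `--signature-flags=runtime` request without `--hardened-runtime` therefore bypasses the version check and the added filter, and `runtime` still reaches the `--options` value on a macOS below 10.13.6. It should read `if (opts.hardenedRuntime || opts['hardened-runtime'] || optionsArguments.includes('runtime')) {`. The split of `opts['signature-flags']` also keeps empty entries produced by stray commas (`'restrict,'` yields `''`), which then lands in the `--options` value; `.map(function (flag) { return flag.trim() }).filter(Boolean)` would drop them. `const optionsArguments` was changed to `var` so the filter branch can reassign it; `let` would keep the block scoping the original had, and the unused `index` parameter in the filter callback can go. signApplicationAsync begins and ends outside this hunk.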