Fix macOS 10.15.4 codesigning crash.

The recent macOS security patch renders our codesigning "fix" of setting the sandbox entitlement to false twice unusable. This patch adds a full provisioning profile and adjusts the signing procedure to not include entitlements for Qt frameworks. The patch also changes the app and bundle ID, so granted accessibility privileges have to be granted again after installing the update. Fixes #4398 Fixes #4515
keepassxreboot · Apr 9, 2020 · da7ba8a · da7ba8a
1 parent f8c962b
commit da7ba8a
Show file tree

Hide file tree

Showing 6 changed files with 27 additions and 41 deletions.
diff --git a/CMakeLists.txt b/CMakeLists.txt
@@ -334,12 +334,13 @@ if(MINGW)
     set(PLUGIN_INSTALL_DIR ".")
     set(DATA_INSTALL_DIR "share")
 elseif(APPLE AND WITH_APP_BUNDLE)
-    set(CMAKE_INSTALL_MANDIR "${PROGNAME}.app/Contents/Resources/man")
-    set(CLI_INSTALL_DIR "${PROGNAME}.app/Contents/MacOS")
-    set(PROXY_INSTALL_DIR "${PROGNAME}.app/Contents/MacOS")
-    set(BIN_INSTALL_DIR "${PROGNAME}.app/Contents/MacOS")
-    set(PLUGIN_INSTALL_DIR "${PROGNAME}.app/Contents/PlugIns")
-    set(DATA_INSTALL_DIR "${PROGNAME}.app/Contents/Resources")
+    set(BUNDLE_INSTALL_DIR "${PROGNAME}.app/Contents")
+    set(CMAKE_INSTALL_MANDIR "${BUNDLE_INSTALL_DIR}/Resources/man")
+    set(CLI_INSTALL_DIR "${BUNDLE_INSTALL_DIR}/MacOS")
+    set(PROXY_INSTALL_DIR "${BUNDLE_INSTALL_DIR}/MacOS")
+    set(BIN_INSTALL_DIR "${BUNDLE_INSTALL_DIR}/MacOS")
+    set(PLUGIN_INSTALL_DIR "${BUNDLE_INSTALL_DIR}/PlugIns")
+    set(DATA_INSTALL_DIR "${BUNDLE_INSTALL_DIR}/Resources")
 else()
     include(GNUInstallDirs)
 

diff --git a/release-tool b/release-tool
@@ -1200,9 +1200,14 @@ appsign() {
                     exitError "Unpacking failed!"
                 fi
 
-                logInfo "Signing app..."
-                xcrun codesign --sign "${key}" --verbose --deep --entitlements \
-                    "${real_src_dir}/share/macosx/keepassxc.entitlements" ./app/KeePassXC.app
+                logInfo "Signing app bundle..."
+                xcrun codesign --sign "${key}" --verbose --deep --options runtime ./app/KeePassXC.app
+
+                # Sign main binary and libraries independently so we can keep using the convenient --deep
+                # option while avoiding adding entitlements recursively
+                logInfo "Signing main binary..."
+                xcrun codesign --sign "${key}" --verbose --force --options runtime --entitlements \
+                    "${real_src_dir}/share/macosx/keepassxc.entitlements" ./app/KeePassXC.app/Contents/MacOS/KeePassXC
 
                 if [ 0 -ne $? ]; then
                     cd "${orig_dir}"

diff --git a/share/macosx/Info.plist.cmake b/share/macosx/Info.plist.cmake
@@ -15,7 +15,7 @@
   <key>CFBundleIconFile</key>
   <string>keepassxc.icns</string>
   <key>CFBundleIdentifier</key>
-  <string>org.keepassx.keepassxc</string>
+  <string>org.keepassxc.keepassxc</string>
   <key>CFBundleInfoDictionaryVersion</key>
   <string>6.0</string>
   <key>CFBundleName</key>
@@ -25,11 +25,11 @@
   <key>CFBundleShortVersionString</key>
   <string>${KEEPASSXC_VERSION}</string>
   <key>CFBundleSignature</key>
-  <string>KEPX</string>
+  <string>KPXC</string>
   <key>CFBundleVersion</key>
   <string>${KEEPASSXC_VERSION_NUM}</string>
   <key>NSHumanReadableCopyright</key>
-    <string>Copyright 2016-2018 KeePassXC Development Team</string>
+    <string>Copyright 2016-2020 KeePassXC Development Team</string>
     <key>CFBundleDocumentTypes</key>
     <array>
       <dict>

diff --git a/share/macosx/embedded.provisionprofile b/share/macosx/embedded.provisionprofile
diff --git a/share/macosx/keepassxc.entitlements b/share/macosx/keepassxc.entitlements
@@ -1,33 +1,12 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
 <plist version="1.0">
-	<dict>
-		<key>com.apple.application-identifier</key>
-			<string>org.keepassx.keepassxc</string>
-		<key>com.apple.developer.aps-environment</key>
-			<string>production</string>
-
-		<key>keychain-access-groups</key>
-			<array>
-				<string>org.keepassx.keepassxc</string>
-			</array>
-
-		<!-- Sandbox entitlements stub for future reference.
-		     For whatever reason, we have to set this twice.
-		     Otherwise a signed application crashes on startup -->
-		<key>com.apple.security.app-sandbox</key>
-			<false/>
-		<key>com.apple.security.app-sandbox</key>
-			<false/>
-		<!--key>com.apple.security.network.client</key>
-			<true/>
-		<key>com.apple.security.files.user-selected.read-write</key>
-			<true/>
-		<key>com.apple.security.device.usb</key>
-			<true/>
-		<key>com.apple.security.print</key>
-			<true/>
-		<key>com.apple.security.files.user-selected.read-only</key>
-			<false/-->
-	</dict>
+<dict>
+	<key>com.apple.application-identifier</key>
+	<string>G2S7P7J672.org.keepassxc.keepassxc</string>
+	<key>keychain-access-groups</key>
+	<array>
+		<string>G2S7P7J672.org.keepassxc.keepassxc</string>
+	</array>
+</dict>
 </plist>
diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt
@@ -354,6 +354,7 @@ target_link_libraries(${PROGNAME} keepassx_core)
 set_target_properties(${PROGNAME} PROPERTIES ENABLE_EXPORTS ON)
 
 if(APPLE AND WITH_APP_BUNDLE)
+    install(FILES ${CMAKE_SOURCE_DIR}/share/macosx/embedded.provisionprofile DESTINATION ${BUNDLE_INSTALL_DIR})
     configure_file(${CMAKE_SOURCE_DIR}/share/macosx/Info.plist.cmake ${CMAKE_CURRENT_BINARY_DIR}/Info.plist)
     set_target_properties(${PROGNAME} PROPERTIES
             MACOSX_BUNDLE ON