From da7ba8a4e8d79200ecead5227b2950b53594bae3 Mon Sep 17 00:00:00 2001
From: Janek Bevendorff <janek@jbev.net>
Date: Wed, 25 Mar 2020 00:24:27 +0100
Subject: [PATCH] Fix macOS 10.15.4 codesigning crash.

The recent macOS security patch renders our codesigning
"fix" of setting the sandbox entitlement to false twice
unusable. This patch adds a full provisioning profile
and adjusts the signing procedure to not include
entitlements for Qt frameworks.

The patch also changes the app and bundle ID, so granted
accessibility privileges have to be granted again after
installing the update.

Fixes #4398
Fixes #4515
---
 CMakeLists.txt                         |  13 +++++----
 release-tool                           |  11 ++++++--
 share/macosx/Info.plist.cmake          |   6 ++--
 share/macosx/embedded.provisionprofile | Bin 0 -> 7610 bytes
 share/macosx/keepassxc.entitlements    |  37 ++++++-------------------
 src/CMakeLists.txt                     |   1 +
 6 files changed, 27 insertions(+), 41 deletions(-)
 create mode 100644 share/macosx/embedded.provisionprofile

diff --git a/CMakeLists.txt b/CMakeLists.txt
index ac4c8a9ac6..8375dff7bb 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -334,12 +334,13 @@ if(MINGW)
     set(PLUGIN_INSTALL_DIR ".")
     set(DATA_INSTALL_DIR "share")
 elseif(APPLE AND WITH_APP_BUNDLE)
-    set(CMAKE_INSTALL_MANDIR "${PROGNAME}.app/Contents/Resources/man")
-    set(CLI_INSTALL_DIR "${PROGNAME}.app/Contents/MacOS")
-    set(PROXY_INSTALL_DIR "${PROGNAME}.app/Contents/MacOS")
-    set(BIN_INSTALL_DIR "${PROGNAME}.app/Contents/MacOS")
-    set(PLUGIN_INSTALL_DIR "${PROGNAME}.app/Contents/PlugIns")
-    set(DATA_INSTALL_DIR "${PROGNAME}.app/Contents/Resources")
+    set(BUNDLE_INSTALL_DIR "${PROGNAME}.app/Contents")
+    set(CMAKE_INSTALL_MANDIR "${BUNDLE_INSTALL_DIR}/Resources/man")
+    set(CLI_INSTALL_DIR "${BUNDLE_INSTALL_DIR}/MacOS")
+    set(PROXY_INSTALL_DIR "${BUNDLE_INSTALL_DIR}/MacOS")
+    set(BIN_INSTALL_DIR "${BUNDLE_INSTALL_DIR}/MacOS")
+    set(PLUGIN_INSTALL_DIR "${BUNDLE_INSTALL_DIR}/PlugIns")
+    set(DATA_INSTALL_DIR "${BUNDLE_INSTALL_DIR}/Resources")
 else()
     include(GNUInstallDirs)
 
diff --git a/release-tool b/release-tool
index 6d217ca9db..26fc7fae84 100755
--- a/release-tool
+++ b/release-tool
@@ -1200,9 +1200,14 @@ appsign() {
                     exitError "Unpacking failed!"
                 fi
 
-                logInfo "Signing app..."
-                xcrun codesign --sign "${key}" --verbose --deep --entitlements \
-                    "${real_src_dir}/share/macosx/keepassxc.entitlements" ./app/KeePassXC.app
+                logInfo "Signing app bundle..."
+                xcrun codesign --sign "${key}" --verbose --deep --options runtime ./app/KeePassXC.app
+
+                # Sign main binary and libraries independently so we can keep using the convenient --deep
+                # option while avoiding adding entitlements recursively
+                logInfo "Signing main binary..."
+                xcrun codesign --sign "${key}" --verbose --force --options runtime --entitlements \
+                    "${real_src_dir}/share/macosx/keepassxc.entitlements" ./app/KeePassXC.app/Contents/MacOS/KeePassXC
 
                 if [ 0 -ne $? ]; then
                     cd "${orig_dir}"
diff --git a/share/macosx/Info.plist.cmake b/share/macosx/Info.plist.cmake
index b38ca2844c..53e4897422 100644
--- a/share/macosx/Info.plist.cmake
+++ b/share/macosx/Info.plist.cmake
@@ -15,7 +15,7 @@
   <key>CFBundleIconFile</key>
   <string>keepassxc.icns</string>
   <key>CFBundleIdentifier</key>
-  <string>org.keepassx.keepassxc</string>
+  <string>org.keepassxc.keepassxc</string>
   <key>CFBundleInfoDictionaryVersion</key>
   <string>6.0</string>
   <key>CFBundleName</key>
@@ -25,11 +25,11 @@
   <key>CFBundleShortVersionString</key>
   <string>${KEEPASSXC_VERSION}</string>
   <key>CFBundleSignature</key>
-  <string>KEPX</string>
+  <string>KPXC</string>
   <key>CFBundleVersion</key>
   <string>${KEEPASSXC_VERSION_NUM}</string>
   <key>NSHumanReadableCopyright</key>
-    <string>Copyright 2016-2018 KeePassXC Development Team</string>
+    <string>Copyright 2016-2020 KeePassXC Development Team</string>
     <key>CFBundleDocumentTypes</key>
     <array>
       <dict>
diff --git a/share/macosx/embedded.provisionprofile b/share/macosx/embedded.provisionprofile
new file mode 100644
index 0000000000000000000000000000000000000000..6fb14fd57e8c95ebb3a88fb7e69fe06409223f6e
GIT binary patch
literal 7610
zcmdT}d3;k<_HVjSx<C<Vp+F^+MWwWP*_sqe<-M#g`@Vtb%S-yQCr#44B%shT7J({@
zz{qN$6kI`+osPgz72yZUIxG$f18#sKSOFE7o9-yi%wO}FUq7FIUhci;opbKF_k8d7
zybIM9Z0nUVwoY7ks}ChTxuLdT15{hkm`tJ2v!IM#X+?cgl82-vLABZMb&F9NYO~j+
z)@C=9KN<CUs1bWG<n;R{7Sc<gLaN<|`)y7iF|kmu6Bcs|pRC9%AHi4hbY_)+8t^zn
zVX8`x$WR`&u$V@J0|AenM&s-FRFw?X>Zm{mjV4eOQVSj7a9})*Mv`O+mXIpJ{oaIN
zh^7kq1NLAzCIiZf!3!m}u&of7Y1jUMJD}I*#KRSt8Rc$!tOA%r`3lTyFQ+A%pf?l_
z0%t3vcDo7-g-kqZ;z9a@HmV%+VT3(cPU{fqR^f5tSQyM0wb^}PXQk5~R0Zvo&S;lX
zEEvRkY8NrI92G}W%3<`>M(Yww_`(a?+m!OLaJP3h(5PTQ45%1l6+=uNojIP)9?vSX
zl+)UVI($-juyCb6=>44oUGr0FO@C|}4Vl22+1n><>rzsQc|vwtXXyC$h~1NjI}d~&
zOd5p19_o_qoJvMH@C&Puqo~mC;_(oXlz>STfe92v4OYZ#D)pFDT#~OgOQe1a>WJV9
zSS^qtYM8X^1YtQZB!cOB0Zfu^jmW^T7^4wfWQd^xj{p@YJh)F2uy{Q#vq=-MGFXJ#
zWPmVHSqw92*mA9zl)z@bL9LeY5juj4k&s1;@GT|@gc&UXGeZcTW!0!aNVkcAWv>SU
zHg$4D&}NfIkW#e?A*~`kp*6ByGM7Lmhuv*sh(pdZ804hbfh*)XJSuky;&L4km%GrY
zG0_K}pbzTmbMX*wT!6_DLc}AyT8ZDQ<2s{mFjqOxjmPwHn_2<+8HzX>RrBE@gisg|
zST0vU8jsCu2w9nk2X`V84G(FX2WC__Y$8v@>hcp>udv!;3=wK?B0g-ll_~LBoUmUL
zm*^C9n5lJ{nR2H)Du~0HcD<qB*%awuQ~Q`-E)WD9R<9w53M2{J)fNy>i`N|G#bHUi
zj9CYJ3_7r;2<n0r2;r`BxSgUh5<<XygfOh+!D=p?80QgE@LK>^VHS2Ipw&X9a%UAc
zXfVW#`qIj<f~?|@0gk}PLEJ@Zjf3fx+w20;O$Ozt-&h*K>~2pHlhnImBipOgFq~C<
zW6+JMz47WOn+OXzs+eD1E%rw+k3fZn4LogFSf%C^Nw`XOkwGOgF=GrH<gJ#)HAb*g
zoQU01Dk3T!I)_k7vzUb(p-B+&LXM~lwOG`UFoIWGU3d|y4igTY(8l19YPzdR993KG
zvNFsscd=<&O#n9Y=mK@fD09$wVFJ}jLqT=Ks^=&wz12#UoF->^oS0J24=OZOo`3^Z
z<FKzRgc0UYKw5>W5Whs|Hewh<AK=;)UK-|*F!8vhRF3+JL{_JREebikG=>4;n5wE`
zWo15*TkiHtkuoVaWJV1DgK#yQR0OKkC?8hCh@XWbEFF&r+aOX!m{BQdMi8}L4B{@3
zyI@kzV~Kc)JW}h0NE}8SPKn<p){sgkH(~`l4(G8Q?YY5rSs74AAKh&+SppV59F-$b
zV$a+7gxZK8S}|4@@$utau}CDr%a{hPBq)JNqmq#8V6eRv2C+ttz?ED9?1DiDx9we&
zRGZ}p1`CC_iG#^hOmWQY*YF9NtW+%1#$&9gO`q5=d;;XF1|ksf8%fMbEg*?X;J>y?
zq(!YvGea$ebv%U2hy4ga1Q9|YMASGB)|hcjtbuU8KO$q=n6}u1b27K(vB6~q?~-JX
z7!fE*Sj}?6s?Y*#37A2i1B{4Roe01YPaG9JfH59aBw?c>VYOY0kY<1*;OW4b3cA&3
z0J1`tnPDJpVBE~m6IO<q0J!2o#TviG$RgT(09a*|BycF6kh6${F$)iY049a;7y|N6
zO_&*Fpx@JmO`tDgaUyh_p%4Ae7cuZt<Z&f@Xn)TT1DN3L!UiWo;$EQ(^d;t$um@R;
zbdS}iiOXEDvTd!@+_tp>Si?hDFez-0zXw)}X$SyaUeEnR%1HrfmbT-x&1Hej2wyEg
zXr!8#!0U%#IG-Q{2rQJsMzh9(BQkr01sPC-*5pyEVG|UHS7Pp{G$3+AsKex?bEHI2
z%O>Nn*A-+NrFaO5$xAUuQ4vEdhIqD8EsYLYxDuU#24aN!Sgv@f2j*zZ+E`SC8xf+~
z=M{L!YK|NdGm4m1MQVXcpr{sC!hEl|)QtHY(ID5w*GXMsXN2Wsi1}s@12Hi~2$K~S
z(&!3(DakPzkWjQ*?6yUta*0+LVM*LL*UF9td}NHNbh=@QAXe%t5^Ff3>Npz;GJRD-
zuSO@qSyCa!)(iDMD+)ORsLEjra6J(>ZgZHUzCb1EEEAXcxn4!sz$dvjrJIOXdUR@M
zl?08jB}G;m#<TmP0l&zkv{?iaOci9f2(b!dFr=8kZ&7*tN`x-vLn1e+^_hy?`iX5v
zK9)F+JBdSPM%!Np2@n7-686}=fRl8e%N^tg$h8T#ks!dMIv7=gS9NfiVrLhb={(fC
z$U`@MDe(u161UwR03<1jcmL|aEgmohhz;(*oW5cV$L*m|F%k4v2fDn=DDR>T84oiy
zwx`;zStsWFu*uju2}()Wj(PvH`E(mdgtaGA6hs5g;2#n)CKs@=VkY!QgzR5Z%x<IY
zq!iHEh%>>UL$JpKXqFR%s&fs>!@=rq4yFSW>n5FDGF?&ZWV781*3(w!wrRJT(Dg7k
zC793drXnDiKAS&SS=m!Vf~V@7Uc1gOb4I#Zs?!&?1EyS2%H}}jw9Zz?w$$rUewU{m
zRJxMR#OO90FXrGJb}@^~<rZU1MrpB?!zyF5uu6I<{Q;(&uxn_qGP+cCnxXfw*tvw|
zw6;>9qM^3$Sg1C&5UNedY)DC_Bq#T#oNsO^^EUK@`gGMZlr&J_SljBI6n$#10m*tT
zeE{@GFVM&wkl9wDP*ERVLLUQ-N_1uoC}{8OX2M|csBm@I;SV~)F?t>}Fd>&RpijG;
z#_tbPc`)?opgwdaAoCmsoyBEwEQ9(mdN!e&r4M%^yQdT5ps{UEWRGlDZuAE|HWFkn
zwTq!sHFi)CBsLVC4<T)?WKZ}Hq^W-}A*hy8*fU;~w4{_;N)D(BDVfQ&6iU)Tu5SGy
z!y5-im5INp|L*G3J7$bo*v!(#k4(pBVx(<qQ~JnlW%pFYxdv09__-F}KFRYHwCm^p
zG-QqO<4w~B-*^3-+aJyCo&VMw=f*OwEyW$0+==ybukLXVUh+lCTa;)2oJJh!`}`7)
z>srRPjl^NK?bQ#b9BnrG2=>fK>AKl9KJNU}MY)P;qfcA*C}!<@@z~2Jhg5BSX5}iT
zLVu^fDZ6e*UY~uJNx_RM@vfrcON*bs@O8_o4;@YKH2z9F7uc0-mXgTAvYoAmFUY>%
zJ3(B({_=>Y?z&vNH{`LOIrin-H-%4p{Pq5M-^BL1Fe3Ne>vu0ZnypX!K3Vqn?}y^|
z7TMoSPN5`G8f(@=HH}aKh<8EX)V$PzFFZCV<MnNWpP6^{%C4V8<_|Qw#_do}Vt4?B
zaz8Z<N&ydOc%oxu>R>2u=D?y)oub8&jC()2Uo4rl{+38SqxV#(Bq1<7^)YBPG_qkt
z!|=L-j>;GhdU{mGL9oe6Ko`_EA)k}5kP5bZ9n`N^W?Oxa+j=EaQj@`6e{k!ArKBV&
zKl$GL{<zk6J+%4X4VcaNI*t9BZ{D*XJF|D58PrUUJ3(B$yWBh8JmvFQl)t>YaV!?x
zyy@_M0W`mHR-YpUqAfqXJhw5tV%`2%g0m-7Y!YNG((PpIUNBhe&Q$c<cBVk(88I_+
zj>1^)o?Je0{oV7o`iv~dl8l-C<gSH_Wb5+#=X;H<antN+j=7iW>Lph$q66P(`nx{q
z^^Low(8dc5o134Q`DF%q`F++}%E1|*UCjJ)!j9cncUhO*OvB;Y!#NWQWJ}had-Kl6
zOTJNFl7BU3S<N@iceXrnj1sTBP*VTXh`Ar!j$WwQxaatSRj<E&bJJb!kfj7POx-l)
zYSrA@EuNh0+~EKvb_0}XY)1)7@^51F-+~9I6k;*h03IM_DS!ti8=ys5NAthp!@tY)
zOABAm7{2h_qaxLnv};pie=5FGy4EPuU!9jf=lmV1r#1b}LMZv`!4<bv8OLY9uf1~T
z=)uaBquh^t+PM4D(6Rf6FIgSWUMHG2`9vOvd8j2veq^BY=*RiN)~EWOobmLE8>3Tp
z>F3Lz>hpt*Ju+9CYc6<i@vWa$uKq-|YoAF)%<sL0dh5_z<EZ|?wkIi2{dV3bIjbh#
zEJ7b2a^T*PtvmaknL6y$p^00^zx`uQ-=sxZn@8l8gin_DIcLp#v$1NCNUPtsi3Y!S
z`<H(N4u9Dw6FfIu=2k6*=d^^aS^Z|gvzc>iHbbVXmQ+T)<GuL>=k1~U#8i7TdOGqd
zbD(_<x%lJa_Drv(!~yn2ev@jwexKakVDQk?{<pbbOGz9<1=Q49N^f8>75pc4oLjgp
zjRMu&0H;CkqF&$#OHZccJ(@s<(C<E)VTsRYI7WkN_IC*<Lp9rm)Vv2y3Mb~n?No4p
zg&oci74QDKL$$`Jm@h^RVBlLD6)?VPuRTOfFu6du{hdnijy>`3qb6(sDrxoDsUa|G
z!@w7`us!GnFZgU!-0!nF+fF2^zmi%VvX6VfP{0q~O&9}`UG@`aY9NT=VZetHI>YVM
zw&XXd*#=)zN|(usqua05ulVdHx#C9T7zru&4S#;t^Fx<S6mf36zGBi#<4$Z|(Es%N
zKZaI(cg&V^D5hkcUR!Y|df$B@{pz!2v*u~3$GI(=_bgXty6+eLYTl5RF@4Y^!y}J|
zk8htha)PMwq<_@KD@V5nKF<+cc<kU0-srWjwhkKf+Go!dvJZ|vc_!zS`^4H&BOkf7
z=B@dmnrA*7Iyr;3=-u0V@%3l8t8-f?jv=UXnXX%XYCk!DrIB_=>zZuai!;ev<I~3(
zuAI#o(f91GP`+~OnbH~iX6w&vShkaa{Brta)#~TgXtodi%ge~9{$oGNDcB}oITb%3
zojFML#@v%<Fa7#yMmp!6>go|tZ5j+9?1>JNQ$1z!&+*2S@AM2+76AVLS%Q&ZMx_v)
z!G$0?i^cpMGtz*syyHM7q^4w#mSZ?osim5zUA!55z)dtNonZ56orDjxy9nF^+$r%%
z8z^a`cp#PjHL3X`x7;}QVy13n-p;b%md_`T;tYRs_A6g!Wqr8m=I5rBNpH{k+5g(C
zs+m<ww}fQZWz^H_d(D5P|G}3woZT@d<J%qmbkq^86CYb=-O(6Z2)#J{m%5h^-;*y~
zGwYc86XQ$Y?v&HYRb$3o{&UOX;z<`)RbIRmI{dBr=ox2Ozq?1sZ?}&9Xm*T&Hy!<2
ztI5A~WWlA=&im|?B-=YF*Zsy}U%bkjxouj8ZQR-q>fWDBKV5L=X>`l}bB)I+_va43
zuyjhrQvM}qVElux&QmXY9SfSK?``DX`1Y%UQ{^0nF!K!l{ag7rG}J|-c3mDn^{-Pe
zuIF3c=qso|&+$JWv|A~Q`v0EvC1*`1)SUp4`V@My6FDf9R3=1+Xq|0{Qa7@LkofUX
zpa&yKG(nX_lC~gJ)`J(lw0uBrPE8I`7Q0PZb#3hcWQQ~WWhZd1jTa?DNe_^shtjB8
z%CJsg902^w0smPK0OQ@?f?f9iPq1Tm#u>o-6A!%-=|)UD)>(o)crvBW1SeDbB@b>(
z&H60|1jx_^qSG3eEGbCyFL37_TO=8uGp`Arlrs9K=D!|%Pia_RuVB8w&pJg}3}?>U
zbmFCRZ`RJg`O)8Kr9YvAcdhxpwJ`WRWsg{S<@kzMZs$-AH1;2`I{SnE^%I+#UzoXg
z{%GktriB^lHCxH7arZB#{JP1p`obfOqFNpO?2xfPk98c+YEo>f*>~uLQRydlEiyUy
zt{e3^WK+uQi%ai0Z!P=3&A<G}`(+Oj(l_mNKf2}eaqR`>BLf%CUyv3nCO6#BV&93H
zR~}a0KEwP%?O5{|vuN7%;`NSasz-gk_$is9#nJm8PLp!yjmEO2%}351*m&&hi~R-|
zPyI0c%QNYDdvE1W!apErYx9rOYm?uAYLnN4%dZ5H|6c{m<lbHI-hDyWQ1clyxT~Vg
zNTGLT1Gv?rK*PF6(&#y$?1Uh|FzHM>8(bwpBfCda>7Z_r4WEA^V-Mrk$Hh%Qi(iFx
zf%<V7&=cK4Ec!5LNRP|GH9hJHP#Qv-ZqXdN0OCQJy?VFbFs7t~joJA-IXO9LCODzG
z+muOAdi#}Q`h)$C_dLje2|$OET568(Stm36x@!62U+T`JzFPI;!9LQD^3jPuRF*8y
zzloyLW-R*C&GS_){VG}xw6?Zft(z2U-Pg2{BWO(?e2l=g<fKJ)dS>-@dcRZaUT=7M
zwfXYJ=f0W4T>nkphx@X27k{+)1!2X^hQH;aIpuqF*Izrfp<?B*Lz+r>SY33*>PYKd
ze46^ho6^5dIJ&p`t0jlOq9r{R`Nys`E&H>t4IQc()n|lsillYr#RbgIepoVHT0Ezr
z-%}S(j97j)bN~IcXXmIKi^lAIynN@W_jg=BaxdwAEWg=xq3YtAgHrT}a?at$y_c6O
j5wdrkzJ^@(J*VjOw|tH)z4rw5)6>$`>F4_P;;#HBoXtvq

literal 0
HcmV?d00001

diff --git a/share/macosx/keepassxc.entitlements b/share/macosx/keepassxc.entitlements
index 2645a2031c..7126b7ac5b 100644
--- a/share/macosx/keepassxc.entitlements
+++ b/share/macosx/keepassxc.entitlements
@@ -1,33 +1,12 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
 <plist version="1.0">
-	<dict>
-		<key>com.apple.application-identifier</key>
-			<string>org.keepassx.keepassxc</string>
-		<key>com.apple.developer.aps-environment</key>
-			<string>production</string>
-
-		<key>keychain-access-groups</key>
-			<array>
-				<string>org.keepassx.keepassxc</string>
-			</array>
-
-		<!-- Sandbox entitlements stub for future reference.
-		     For whatever reason, we have to set this twice.
-		     Otherwise a signed application crashes on startup -->
-		<key>com.apple.security.app-sandbox</key>
-			<false/>
-		<key>com.apple.security.app-sandbox</key>
-			<false/>
-		<!--key>com.apple.security.network.client</key>
-			<true/>
-		<key>com.apple.security.files.user-selected.read-write</key>
-			<true/>
-		<key>com.apple.security.device.usb</key>
-			<true/>
-		<key>com.apple.security.print</key>
-			<true/>
-		<key>com.apple.security.files.user-selected.read-only</key>
-			<false/-->
-	</dict>
+<dict>
+	<key>com.apple.application-identifier</key>
+	<string>G2S7P7J672.org.keepassxc.keepassxc</string>
+	<key>keychain-access-groups</key>
+	<array>
+		<string>G2S7P7J672.org.keepassxc.keepassxc</string>
+	</array>
+</dict>
 </plist>
diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt
index af9b9bb586..1982a3c4c4 100644
--- a/src/CMakeLists.txt
+++ b/src/CMakeLists.txt
@@ -354,6 +354,7 @@ target_link_libraries(${PROGNAME} keepassx_core)
 set_target_properties(${PROGNAME} PROPERTIES ENABLE_EXPORTS ON)
 
 if(APPLE AND WITH_APP_BUNDLE)
+    install(FILES ${CMAKE_SOURCE_DIR}/share/macosx/embedded.provisionprofile DESTINATION ${BUNDLE_INSTALL_DIR})
     configure_file(${CMAKE_SOURCE_DIR}/share/macosx/Info.plist.cmake ${CMAKE_CURRENT_BINARY_DIR}/Info.plist)
     set_target_properties(${PROGNAME} PROPERTIES
             MACOSX_BUNDLE ON