solenv/bin/macosx-codesign-app-bundle             |    6 +++++-
 sysui/desktop/macosx/sandbox_inherit.entitlements |   10 ++++++++++
 2 files changed, 15 insertions(+), 1 deletion(-)

New commits:
commit ef26985c45aa1ce9d205fbe5afba6717450b3961
Author:     Christian Lohmaier <lohmaier+libreoff...@googlemail.com>
AuthorDate: Thu Nov 2 10:30:34 2023 +0100
Commit:     Michael Weghorn <m.wegh...@posteo.de>
CommitDate: Thu Nov 2 16:31:30 2023 +0100

    tdf#158038 fix opening pdf files in appstore ver (sandbox issue w/ helper 
tool)
    
    
https://developer.apple.com/documentation/xcode/embedding-a-helper-tool-in-a-sandboxed-app
    
    "Adding other entitlements to the tool can cause problems. If the tool
    immediately crashes with a code signing error when your app runs the
    tool, check that the tool is signed with just these two entitlements:
    com.apple.security.app-sandbox and com.apple.security.inherit."
    
    This is indeed what happened.
    
    Change-Id: Id03948c03b7d453aae4ca58719f582576e30a16f
    Reviewed-on: https://gerrit.libreoffice.org/c/core/+/158790
    Tested-by: Christian Lohmaier <lohmaier+libreoff...@googlemail.com>
    Reviewed-by: Christian Lohmaier <lohmaier+libreoff...@googlemail.com>
    (cherry picked from commit 2c3fe12e0ffc59be7c28d9b9908db881adb0f1ea)
    Reviewed-on: https://gerrit.libreoffice.org/c/core/+/158708
    Reviewed-by: Michael Stahl <michael.st...@allotropia.de>
    Tested-by: Jenkins

diff --git a/solenv/bin/macosx-codesign-app-bundle 
b/solenv/bin/macosx-codesign-app-bundle
index cdbf7ce964ae..695b3ae97922 100755
--- a/solenv/bin/macosx-codesign-app-bundle
+++ b/solenv/bin/macosx-codesign-app-bundle
@@ -24,10 +24,13 @@ done
 
 APP_BUNDLE="$1"
 entitlements=
+entitlements_helper=
 application_identifier=
 if test -n "$ENABLE_MACOSX_SANDBOX"; then
     # In a sandboxed build executables need the entitlements
     entitlements="--entitlements $BUILDDIR/lo.xcent"
+    # helper utilities must be signed with only the sandbox and inherit 
entitlements
+    entitlements_helper="--entitlements 
$SRCDIR/sysui/desktop/macosx/sandbox_inherit.entitlements"
     application_identifier=`/usr/libexec/PlistBuddy -c "print 
com.apple.application-identifier"  $BUILDDIR/lo.xcent`
     # remove the key from the entitlement - only use it when signing the whole 
bundle in the final step
     /usr/libexec/PlistBuddy -c "delete com.apple.application-identifier"  
$BUILDDIR/lo.xcent
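Review bot: `entitlements_helper` holds the flag and the path in one string that is later expanded unquoted, so a `$SRCDIR` containing whitespace would split the entitlements path into extra codesign arguments. The neighbouring `entitlements` assignment has the same shape with `$BUILDDIR`. A check placed right after the assignment, such as `test -r "$SRCDIR/sysui/desktop/macosx/sandbox_inherit.entitlements" || exit 1`, would make a wrong or unset `$SRCDIR` fail once with an obvious cause, rather than on the first file that codesign processes. The `if` block continues past the end of this hunk, so whether a similar guard already exists further down is not visible here.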
@@ -39,6 +42,7 @@ if test -n "$ENABLE_MACOSX_SANDBOX"; then
 else
     # We then want to sign data files, too, hmm.
     entitlements="--entitlements $BUILDDIR/hardened_runtime.xcent"
+    entitlements_helper=$entitlements
     other_files="\
  -or -name '*.fodt' -or -name 'schema.strings' -or -name 'schema.xml' \
  -or -name '*.jar' -or -name 'LICENSE' -or -name 'LICENSE.html' \
@@ -127,7 +131,7 @@ while read file; do
            ;;
        *)
            id=`echo ${file#${APP_BUNDLE}/Contents/} | sed -e 's,/,.,g'`
-           codesign --force --timestamp --options=runtime 
--identifier=$MACOSX_BUNDLE_IDENTIFIER.$id --sign 
"$MACOSX_CODESIGNING_IDENTITY" $entitlements "$file" || exit 1
+           codesign --force --timestamp --options=runtime 
--identifier=$MACOSX_BUNDLE_IDENTIFIER.$id --sign 
"$MACOSX_CODESIGNING_IDENTITY" $entitlements_helper "$file" || exit 1
            ;;
     esac
 done
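Review bot: The `*)` arm is a catch-all, so in a sandboxed build every file that reaches it is now signed with only `com.apple.security.app-sandbox` and `com.apple.security.inherit`. The other case patterns lie outside this hunk, so it cannot be confirmed from here that only embedded helper tools land in this arm. The inherit entitlement is intended for tools launched by the sandboxed app, per the Apple page quoted in the commit message, so the assumption deserves a comment above the call such as `# files reaching this arm are embedded helper tools: sandbox + inherit only in sandboxed builds`. A post-signing check in the build that prints each helper's entitlements with `codesign -d --entitlements - "$file"` and compares them with the expected two keys would catch a later pattern change that widens or narrows what is signed here.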
diff --git a/sysui/desktop/macosx/sandbox_inherit.entitlements 
b/sysui/desktop/macosx/sandbox_inherit.entitlements
new file mode 100644
index 000000000000..794eada1cad3
--- /dev/null
+++ b/sysui/desktop/macosx/sandbox_inherit.entitlements
@@ -0,0 +1,10 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" 
"http://www.apple.com/DTDs/PropertyList-1.0.dtd";>
+<plist version="1.0">
+<dict>
+       <key>com.apple.security.app-sandbox</key>
+       <true/>
+       <key>com.apple.security.inherit</key>
+       <true/>
+</dict>
+</plist>
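Review bot: The new plist carries no comment explaining why it must stay limited to these two keys, and that constraint is the whole reason the file exists. According to the Apple documentation quoted in the commit message, adding any other entitlement can make the helper crash at launch with a code signing error. A comment after the `<plist version="1.0">` line would keep a later contributor from extending it, for example `<!-- Helper tools only: keep exactly app-sandbox and inherit; extra entitlements break helper launch (tdf#158038) -->`.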
