From 50e66375a6f65cf45a7a9a5c7c29a7c84ebc4e39 Mon Sep 17 00:00:00 2001
From: Kenneth Chew <79120643+kthchew@users.noreply.github.com>
Date: Wed, 11 Dec 2024 22:04:26 -0500
Subject: [PATCH 1/7] Add CMake install step for macOS code signing

Signed-off-by: Kenneth Chew <79120643+kthchew@users.noreply.github.com>
---
 CMakeLists.txt | 2 ++
 launcher/CMakeLists.txt | 15 +++++++++
 launcher/MacOSCodesign.cmake.in | 8 +++++
 program_info/AdhocSignedApp.entitlements | 1 +
 program_info/App.entitlements | 1 +
 program_info/CMakeLists.txt | 8 +++++
 program_info/macos_signature.sh | 42 ++++++++++++++++++++++++
 7 files changed, 77 insertions(+)
 create mode 100644 launcher/MacOSCodesign.cmake.in
 create mode 100755 program_info/macos_signature.sh

diff --git a/CMakeLists.txt b/CMakeLists.txt
index 929e1b394..5c0d0db51 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -409,6 +409,8 @@ if(UNIX AND APPLE)
 set(MACOSX_SPARKLE_SHA256 "50612a06038abc931f16011d7903b8326a362c1074dabccb718404ce8e585f0b" CACHE STRING "SHA256 checksum for Sparkle release archive")
 set(MACOSX_SPARKLE_DIR "${CMAKE_BINARY_DIR}/frameworks/Sparkle")
+ set(MACOSX_CODESIGN_IDENTITY "-" CACHE STRING "The identity to use for codesigning (the name, not the secret)")
+
 if(NOT MACOSX_SPARKLE_UPDATE_PUBLIC_KEY STREQUAL "" AND NOT MACOSX_SPARKLE_UPDATE_FEED_URL STREQUAL "")
 set(Launcher_ENABLE_UPDATER YES)
 endif()
diff --git a/launcher/CMakeLists.txt b/launcher/CMakeLists.txt
index ff6a9ab2a..733ac3a2a 100644
--- a/launcher/CMakeLists.txt
+++ b/launcher/CMakeLists.txt
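Review bot: With the cache default of `-`, every configure that does not set `MACOSX_CODESIGN_IDENTITY` produces an ad-hoc signed bundle, and nothing in the configure output says so, so a release artifact that was silently built ad-hoc is only discovered when notarization or Gatekeeper rejects it. The identity is a display name rather than key material, as the description already says, so it is safe to report it: `message(STATUS "macOS code signing identity: ${MACOSX_CODESIGN_IDENTITY}")` right after the `set()`. That one line makes the ad-hoc versus Developer ID distinction visible in every CI log.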
@@ -1561,3 +1561,18 @@ if(WIN32 OR (UNIX AND APPLE))
 COMPONENT bundle
 )
 endif()
+
+if(UNIX AND APPLE)
+ # Need to fix code signing for the bundle
+ if(MACOSX_CODESIGN_IDENTITY STREQUAL "-")
+ set(MACOSX_ENTITLEMENTS "${CMAKE_CURRENT_BINARY_DIR}/../program_info/AdhocSignedApp.entitlements")
+ else()
+ set(MACOSX_ENTITLEMENTS "${CMAKE_CURRENT_BINARY_DIR}/../program_info/App.entitlements")
+ endif()
+ configure_file(
+ "${CMAKE_CURRENT_SOURCE_DIR}/MacOSCodesign.cmake.in"
+ "${CMAKE_CURRENT_BINARY_DIR}/MacOSCodesign.cmake"
+ @ONLY
+ )
+ install(SCRIPT "${CMAKE_CURRENT_BINARY_DIR}/MacOSCodesign.cmake" COMPONENT Runtime)
+endif()
diff --git a/launcher/MacOSCodesign.cmake.in b/launcher/MacOSCodesign.cmake.in
new file mode 100644
index 000000000..067ccf763
--- /dev/null
+++ b/launcher/MacOSCodesign.cmake.in
@@ -0,0 +1,8 @@
+execute_process(
+ COMMAND "@CMAKE_SOURCE_DIR@/program_info/macos_signature.sh" "@MACOSX_CODESIGN_IDENTITY@" "@MACOSX_ENTITLEMENTS@"
+ WORKING_DIRECTORY "@CMAKE_INSTALL_PREFIX@"
+ RESULT_VARIABLE CODESIGN_RESULT
+)
+if(NOT CODESIGN_RESULT EQUAL 0)
+ message(FATAL_ERROR "Failed to codesign the bundle")
+endif()
\ No newline at end of file
diff --git a/program_info/AdhocSignedApp.entitlements b/program_info/AdhocSignedApp.entitlements
index 032308a18..fe11fc206 100644
--- a/program_info/AdhocSignedApp.entitlements
+++ b/program_info/AdhocSignedApp.entitlements
@@ -2,6 +2,7 @@
+ @Launcher_DebugEntitlements@
 com.apple.security.cs.disable-library-validation
 com.apple.security.device.audio-input
diff --git a/program_info/App.entitlements b/program_info/App.entitlements
index 73bf832c7..49fc0d31a 100644
--- a/program_info/App.entitlements
+++ b/program_info/App.entitlements
@@ -2,6 +2,7 @@
+ @Launcher_DebugEntitlements@
 com.apple.security.device.audio-input
 com.apple.security.device.camera
diff --git a/program_info/CMakeLists.txt b/program_info/CMakeLists.txt
index db6920e20..3ce250162 100644
--- a/program_info/CMakeLists.txt
+++ b/program_info/CMakeLists.txt
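Review bot: The signing script is registered under `COMPONENT Runtime` while the `install()` call that closes just above it ends with `COMPONENT bundle`, so a component-wise install (`cmake --install … --component bundle`, or a packaging step that only selects `bundle`) deploys the bundle without ever running the re-sign, and the result is a bundle whose nested code carries whatever signatures the deploy step left behind. If that earlier call is the Qt deploy step, as its position inside the same `if(WIN32 OR (UNIX AND APPLE))` suggests, the two belong to one component so they cannot be split: `install(SCRIPT "${CMAKE_CURRENT_BINARY_DIR}/MacOSCodesign.cmake" COMPONENT bundle)`. The comment `# Need to fix code signing for the bundle` should also say what is broken and why the order matters, e.g. `# Re-sign inside-out after deployment: copying and rewriting frameworks/plugins invalidates their signatures, and the outer app signature must be applied last.`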
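Review bot: `WORKING_DIRECTORY "@CMAKE_INSTALL_PREFIX@"` is frozen at configure time, but where `PrismLauncher.app` actually lands is decided at install time: `cmake --install … --prefix OTHER` or a `DESTDIR` staging install puts the bundle elsewhere, so the script either fails its first `cd … || exit 1` or, if an older install still sits at the configured prefix, signs that stale copy while the freshly installed bundle ships unsigned. Because the template is expanded with `@ONLY`, a `${…}` reference survives into the install script, where `CMAKE_INSTALL_PREFIX` already reflects `--prefix` and `DESTDIR` is in the environment: `WORKING_DIRECTORY "$ENV{DESTDIR}${CMAKE_INSTALL_PREFIX}"`. The failure message would also be more useful with the status attached, `message(FATAL_ERROR "Failed to codesign the bundle (macos_signature.sh returned ${CODESIGN_RESULT})")`, since a non-numeric result there means the script itself could not be launched.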
@@ -38,6 +38,14 @@ set(Launcher_Branding_LogoQRC "program_info/prismlauncher.qrc" PARENT_SCOPE)
 set(Launcher_Portable_File "program_info/portable.txt" PARENT_SCOPE)
+if(CMAKE_BUILD_TYPE STREQUAL "Debug")
+ set(Launcher_DebugEntitlements "com.apple.security.get-task-allow\n ")
+else()
+ set(Launcher_DebugEntitlements "")
+endif()
+
+configure_file(App.entitlements App.entitlements)
+configure_file(AdhocSignedApp.entitlements AdhocSignedApp.entitlements)
 configure_file(${Launcher_AppID}.desktop.in ${Launcher_AppID}.desktop)
 configure_file(${Launcher_AppID}.metainfo.xml.in ${Launcher_AppID}.metainfo.xml)
 configure_file(prismlauncher.rc.in prismlauncher.rc @ONLY)
diff --git a/program_info/macos_signature.sh b/program_info/macos_signature.sh
new file mode 100755
index 000000000..7660321fa
--- /dev/null
+++ b/program_info/macos_signature.sh
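Review bot: `if(CMAKE_BUILD_TYPE STREQUAL "Debug")` is evaluated once at configure time, and `CMAKE_BUILD_TYPE` is empty under multi-config generators such as Xcode, so a Debug configuration built that way never receives `get-task-allow`. That fails closed (the entitlement that lets a debugger attach to the launcher is omitted rather than granted), which is the right direction for a security-sensitive entitlement, but the surprise deserves a comment on the `if`: `# NOTE: CMAKE_BUILD_TYPE is empty for multi-config generators (Xcode), so get-task-allow is never emitted there.` The plist markup inside the `Launcher_DebugEntitlements` string is not visible in this rendering, so its well-formedness is not reviewed here.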
@@ -0,0 +1,42 @@
+#!/usr/bin/env zsh
+
+# Run this script from the directory containing "PrismLauncher.app"
+
+CODE_SIGN_IDENTITY="${1:--}"
+MAIN_ENTITLEMENTS_FILE="${2:-../program_info/App.entitlements}"
+
+if [[ "$CODE_SIGN_IDENTITY" == "Developer ID Application"* ]]; then
+ CODE_SIGN_IDENTITY=("$CODE_SIGN_IDENTITY" --timestamp)
+fi
+
+################ FRAMEWORKS ################
+cd "PrismLauncher.app/Contents/Frameworks" || exit 1
+# See https://sparkle-project.org/documentation/sandboxing/
+codesign -f -s "${CODE_SIGN_IDENTITY[@]}" -o runtime Sparkle.framework/Versions/B/XPCServices/Installer.xpc
+# For Sparkle versions >= 2.6
+codesign -f -s "${CODE_SIGN_IDENTITY[@]}" -o runtime --preserve-metadata=entitlements Sparkle.framework/Versions/B/XPCServices/Downloader.xpc
+# For Sparkle versions < 2.6
+#codesign -f -s "${CODE_SIGN_IDENTITY[@]}" -o runtime --entitlements Entitlements/Downloader.entitlements Sparkle.framework/Versions/B/XPCServices/Downloader.xpc
+codesign -f -s "${CODE_SIGN_IDENTITY[@]}" -o runtime Sparkle.framework/Versions/B/Autoupdate
+codesign -f -s "${CODE_SIGN_IDENTITY[@]}" -o runtime Sparkle.framework/Versions/B/Updater.app
+
+codesign -f -s "${CODE_SIGN_IDENTITY[@]}" ./*.framework
+codesign -f -s "${CODE_SIGN_IDENTITY[@]}" ./*.dylib
+
+################ XPC SERVICES ################
+if cd "../XPCServices"; then
+ codesign -f -s "${CODE_SIGN_IDENTITY[@]}" -o runtime ./*.xpc
+fi
+
+################ PLUGINS ################
+cd "../MacOS" || exit 1
+codesign -f -s "${CODE_SIGN_IDENTITY[@]}" iconengines/*.dylib
+codesign -f -s "${CODE_SIGN_IDENTITY[@]}" imageformats/*.dylib
+codesign -f -s "${CODE_SIGN_IDENTITY[@]}" platforms/*.dylib
+codesign -f -s "${CODE_SIGN_IDENTITY[@]}" jars/*.jar
+codesign -f -s "${CODE_SIGN_IDENTITY[@]}" styles/*.dylib
+codesign -f -s "${CODE_SIGN_IDENTITY[@]}" tls/*.dylib
+
+################ APP ################
+cd "../../.." || exit 1
+codesign -f -s "${CODE_SIGN_IDENTITY[@]}" --entitlements "$MAIN_ENTITLEMENTS_FILE" -o runtime ./PrismLauncher.app
\ No newline at end of file

From 2a1dc566bc9485c8d4e1276cbc922f9df9cc4b55 Mon Sep 17 00:00:00 2001
From: Kenneth Chew <79120643+kthchew@users.noreply.github.com>
Date: Thu, 10 Apr 2025 16:14:19 -0400
Subject: [PATCH 2/7] Add option to force disable `get-task-allow` entitlement

The `get-task-allow` entitlement is not compatible with notarization.

Signed-off-by: Kenneth Chew <79120643+kthchew@users.noreply.github.com>
---
 .github/workflows/build.yml | 3 +++
 CMakeLists.txt | 1 +
 cmake/macosPreset.json | 6 +++++-
 program_info/CMakeLists.txt | 2 +-
 4 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index b8ba57a45..967d8bf0e 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -165,6 +165,9 @@ jobs:
 ARTIFACT_NAME: ${{ matrix.artifact-name }}-Qt6
 BUILD_PLATFORM: official
+
+ APPLE_CODESIGN_IDENTITY: ${{ secrets.APPLE_CODESIGN_ID }}
+ APPLE_BUILD_FOR_NOTARIZATION: ${{ secrets.APPLE_NOTARIZE_PASSWORD && 'YES' || 'NO' }}
 run: |
 cmake --workflow --preset "$CMAKE_PRESET"
diff --git a/CMakeLists.txt b/CMakeLists.txt
index 5c0d0db51..154207766 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -410,6 +410,7 @@ if(UNIX AND APPLE)
 set(MACOSX_SPARKLE_DIR "${CMAKE_BINARY_DIR}/frameworks/Sparkle")
 set(MACOSX_CODESIGN_IDENTITY "-" CACHE STRING "The identity to use for codesigning (the name, not the secret)")
+ set(MACOSX_PREPARE_NOTARIZATION OFF CACHE BOOL "Whether to disable features incompatible with notarization (notably, do not request an entitlement that allows for attaching a debugger)")
 if(NOT MACOSX_SPARKLE_UPDATE_PUBLIC_KEY STREQUAL "" AND NOT MACOSX_SPARKLE_UPDATE_FEED_URL STREQUAL "")
 set(Launcher_ENABLE_UPDATER YES)
diff --git a/cmake/macosPreset.json b/cmake/macosPreset.json
index de503d7a2..43bb704c7 100644
--- a/cmake/macosPreset.json
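Review bot: None of the `codesign` invocations is checked, so the only failures that stop the script are the `cd … || exit 1` guards; if signing a framework, plugin or XPC service fails (wrong identity, locked keychain, an unmatched glob handed to codesign literally), execution simply continues and the wrapper in `MacOSCodesign.cmake` only ever sees the exit status of the final `codesign` on `PrismLauncher.app`, which can succeed and leave a bundle with unsigned nested code that Gatekeeper or notarization rejects later. Adding `set -eu` directly after the shebang makes every failed signing step fatal through the wrapper's existing check, and `-u` additionally catches a missing positional argument. The `if cd "../XPCServices"; then` block stays optional under `set -e` because the `cd` is the tested condition rather than a bare statement.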
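Review bot: `APPLE_CODESIGN_IDENTITY` is sourced from `secrets.APPLE_CODESIGN_ID`, yet the value is the identity's display name ("the name, not the secret", as the CMake cache description puts it), not key material; storing it as a secret makes GitHub mask that string in every log line, so `codesign` and notarization output that echoes the identity turns into `***` and signing failures get harder to diagnose. Unless hiding the name from public logs is deliberate, a repository variable carries the same value unmasked: `APPLE_CODESIGN_IDENTITY: ${{ vars.APPLE_CODESIGN_ID }}`. Either way the value is empty on fork pull requests, and the preset below forwards that empty string to CMake unchanged, so the empty-identity path needs to behave exactly like `-`.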
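Review bot: `set(MACOSX_PREPARE_NOTARIZATION OFF CACHE BOOL …)` declares a plain boolean switch, which is what `option()` exists for: `option(MACOSX_PREPARE_NOTARIZATION "Disable features incompatible with notarization (notably the get-task-allow debugger entitlement)" OFF)`. The preset feeds it `$penv{APPLE_BUILD_FOR_NOTARIZATION}`, which is `YES`/`NO` in CI and empty elsewhere; an empty string is falsy to `if()`, so the default effectively survives, but that is worth a sentence in the description because someone reading the cache will otherwise expect `ON`/`OFF`.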
+++ b/cmake/macosPreset.json
@@ -13,7 +13,11 @@
 "lhs": "${hostSystemName}",
 "rhs": "Darwin"
 },
- "generator": "Ninja"
+ "generator": "Ninja",
+ "cacheVariables": {
+ "MACOSX_CODESIGN_IDENTITY": "$penv{APPLE_CODESIGN_IDENTITY}",
+ "MACOSX_PREPARE_NOTARIZATION": "$penv{APPLE_BUILD_FOR_NOTARIZATION}"
+ }
 },
 {
 "name": "macos_universal_base",
diff --git a/program_info/CMakeLists.txt b/program_info/CMakeLists.txt
index 3ce250162..47babeae3 100644
--- a/program_info/CMakeLists.txt
+++ b/program_info/CMakeLists.txt
@@ -38,7 +38,7 @@ set(Launcher_Branding_LogoQRC "program_info/prismlauncher.qrc" PARENT_SCOPE)
 set(Launcher_Portable_File "program_info/portable.txt" PARENT_SCOPE)
-if(CMAKE_BUILD_TYPE STREQUAL "Debug")
+if(CMAKE_BUILD_TYPE STREQUAL "Debug" AND NOT MACOSX_PREPARE_NOTARIZATION)
 set(Launcher_DebugEntitlements "com.apple.security.get-task-allow\n ")
 else()
 set(Launcher_DebugEntitlements "")

From 2d92dd9c0a8eba0d74f5dc72a2163d9fdc2c1f98 Mon Sep 17 00:00:00 2001
From: Kenneth Chew <79120643+kthchew@users.noreply.github.com>
Date: Wed, 16 Apr 2025 14:18:07 -0400
Subject: [PATCH 3/7] Improve CMake configuration of entitlements file

Signed-off-by: Kenneth Chew <79120643+kthchew@users.noreply.github.com>
---
 launcher/CMakeLists.txt | 6 +-----
 program_info/AdhocSignedApp.entitlements | 13 -------------
 .../{App.entitlements => App.entitlements.in} | 3 ++-
 program_info/CMakeLists.txt | 14 +++++++++++---
 4 files changed, 14 insertions(+), 22 deletions(-)
 delete mode 100644 program_info/AdhocSignedApp.entitlements
 rename program_info/{App.entitlements => App.entitlements.in} (84%)

diff --git a/launcher/CMakeLists.txt b/launcher/CMakeLists.txt
index 733ac3a2a..3c1d63652 100644
--- a/launcher/CMakeLists.txt
+++ b/launcher/CMakeLists.txt
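Review bot: `"MACOSX_CODESIGN_IDENTITY": "$penv{APPLE_CODESIGN_IDENTITY}"` replaces the cache default `-` with whatever the environment holds, including the empty string whenever `APPLE_CODESIGN_IDENTITY` is unset (fork pull requests, local use of this preset). `macos_signature.sh` maps an empty first argument to ad-hoc through `${1:--}`, but the CMake side compares the raw value (`if(MACOSX_CODESIGN_IDENTITY STREQUAL "-")` in `launcher/CMakeLists.txt`, and later in `program_info/CMakeLists.txt`), so such a build is ad-hoc signed while being configured with the entitlements meant for a real identity — presumably dropping the `disable-library-validation` relaxation the ad-hoc file exists for. Presets cannot express a fallback, so normalize once in the top-level `CMakeLists.txt` right after the cache entry, `if(MACOSX_CODESIGN_IDENTITY STREQUAL "")` / `set(MACOSX_CODESIGN_IDENTITY "-")` / `endif()`, so every consumer sees the same canonical value the script does.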
@@ -1564,11 +1564,7 @@ endif()
 if(UNIX AND APPLE)
 # Need to fix code signing for the bundle
- if(MACOSX_CODESIGN_IDENTITY STREQUAL "-")
- set(MACOSX_ENTITLEMENTS "${CMAKE_CURRENT_BINARY_DIR}/../program_info/AdhocSignedApp.entitlements")
- else()
- set(MACOSX_ENTITLEMENTS "${CMAKE_CURRENT_BINARY_DIR}/../program_info/App.entitlements")
- endif()
+ set(MACOSX_ENTITLEMENTS "${CMAKE_CURRENT_BINARY_DIR}/../program_info/App.entitlements")
 configure_file(
 "${CMAKE_CURRENT_SOURCE_DIR}/MacOSCodesign.cmake.in"
 "${CMAKE_CURRENT_BINARY_DIR}/MacOSCodesign.cmake"
diff --git a/program_info/AdhocSignedApp.entitlements b/program_info/AdhocSignedApp.entitlements
deleted file mode 100644
index fe11fc206..000000000
--- a/program_info/AdhocSignedApp.entitlements
+++ /dev/null
@@ -1,13 +0,0 @@
-
-
-
-
- @Launcher_DebugEntitlements@
- com.apple.security.cs.disable-library-validation
-
- com.apple.security.device.audio-input
-
- com.apple.security.device.camera
-
-
-
diff --git a/program_info/App.entitlements b/program_info/App.entitlements.in
similarity index 84%
rename from program_info/App.entitlements
rename to program_info/App.entitlements.in
index 49fc0d31a..5a93d71af 100644
--- a/program_info/App.entitlements
+++ b/program_info/App.entitlements.in
@@ -2,7 +2,8 @@
- @Launcher_DebugEntitlements@
+@Launcher_AdhocEntitlements@
+@Launcher_DebugEntitlements@
 com.apple.security.device.audio-input
 com.apple.security.device.camera
diff --git a/program_info/CMakeLists.txt b/program_info/CMakeLists.txt
index 47babeae3..f7af0e08b 100644
--- a/program_info/CMakeLists.txt
+++ b/program_info/CMakeLists.txt
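Review bot: `MACOSX_ENTITLEMENTS` now always names the single generated file, but it reaches it through `${CMAKE_CURRENT_BINARY_DIR}/../program_info/…`, which only resolves correctly while `launcher/` and `program_info/` stay sibling subdirectories of the same parent; `${PROJECT_BINARY_DIR}/program_info/App.entitlements` names the file `configure_file(App.entitlements.in App.entitlements)` in `program_info/CMakeLists.txt` produces without that layout assumption, `set(MACOSX_ENTITLEMENTS "${PROJECT_BINARY_DIR}/program_info/App.entitlements")`. The surviving comment `# Need to fix code signing for the bundle` still does not say what needs fixing; something like `# Re-sign the deployed bundle inside-out: deployment rewrites nested frameworks and plugins, invalidating their signatures` (assuming that is indeed what the deploy step does) would tell the next maintainer why this must run after deployment. The `if(UNIX AND APPLE)` block continues past the end of the hunk.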
@@ -38,14 +38,22 @@ set(Launcher_Branding_LogoQRC "program_info/prismlauncher.qrc" PARENT_SCOPE)
 set(Launcher_Portable_File "program_info/portable.txt" PARENT_SCOPE)
+if(MACOSX_CODESIGN_IDENTITY STREQUAL "-")
+ string(CONCAT Launcher_AdhocEntitlements
+ " com.apple.security.cs.disable-library-validation\n"
+ " ")
+else()
+ set(Launcher_AdhocEntitlements "")
+endif()
 if(CMAKE_BUILD_TYPE STREQUAL "Debug" AND NOT MACOSX_PREPARE_NOTARIZATION)
- set(Launcher_DebugEntitlements "com.apple.security.get-task-allow\n ")
+ string(CONCAT Launcher_DebugEntitlements
+ " com.apple.security.get-task-allow\n"
+ " ")
 else()
 set(Launcher_DebugEntitlements "")
 endif()
-configure_file(App.entitlements App.entitlements)
-configure_file(AdhocSignedApp.entitlements AdhocSignedApp.entitlements)
+configure_file(App.entitlements.in App.entitlements)
 configure_file(${Launcher_AppID}.desktop.in ${Launcher_AppID}.desktop)
 configure_file(${Launcher_AppID}.metainfo.xml.in ${Launcher_AppID}.metainfo.xml)
 configure_file(prismlauncher.rc.in prismlauncher.rc @ONLY)

From cf3598879863ab7f2ff3b14af916219fb32b3be9 Mon Sep 17 00:00:00 2001
From: Kenneth Chew <79120643+kthchew@users.noreply.github.com>
Date: Sat, 12 Jul 2025 23:11:28 -0400
Subject: [PATCH 4/7] Adjust signing script for new plugin location

Signed-off-by: Kenneth Chew <79120643+kthchew@users.noreply.github.com>
---
 launcher/CMakeLists.txt | 1 +
 program_info/macos_signature.sh | 7 ++-----
 2 files changed, 3 insertions(+), 5 deletions(-)

diff --git a/launcher/CMakeLists.txt b/launcher/CMakeLists.txt
index 3c1d63652..2b87693d7 100644
--- a/launcher/CMakeLists.txt
+++ b/launcher/CMakeLists.txt
@@ -1517,6 +1517,7 @@ if(WIN32 OR (UNIX AND APPLE))
 LIBEXEC_DIR ${LIBRARY_DEST_DIR}
 LIB_DIR ${LIBRARY_DEST_DIR}
 PLUGINS_DIR ${PLUGIN_DEST_DIR}
+ NO_APP_STORE_COMPLIANCE
 NO_OVERWRITE
 NO_TRANSLATIONS
 NO_COMPILER_RUNTIME
diff --git a/program_info/macos_signature.sh b/program_info/macos_signature.sh
index 7660321fa..a4341afbe 100755
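Review bot: The `-` branch injects `com.apple.security.cs.disable-library-validation`, which turns off hardened-runtime library validation for the whole launcher (any dylib or plugin becomes loadable regardless of who signed it), and nothing in the file records why that downgrade is acceptable only for ad-hoc builds, so a later edit could hoist it into the common block without noticing. A comment above the `if` should pin the rationale, e.g. `# Ad-hoc signatures carry no Team ID, so library validation would reject our own ad-hoc-signed frameworks and plugins; relax it only for '-' builds, never for Developer ID builds.` — that reason is inferred from the old AdhocSignedApp.entitlements and should be confirmed. The comparison is also exact, so the empty identity the CI preset passes when its environment variable is unset gets neither the entitlement nor a real identity; `if(MACOSX_CODESIGN_IDENTITY STREQUAL "-" OR MACOSX_CODESIGN_IDENTITY STREQUAL "")` would match what `macos_signature.sh` does with `${1:--}`.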
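Review bot: `NO_APP_STORE_COMPLIANCE` is added without a comment, and the commit message only talks about the plugin location, so the next reader cannot tell whether it is required by the new layout or is a workaround for the signing script. If it is what it looks like, the Qt deploy keyword that stops the deploy step from filtering out plugins deemed non-compliant with App Store rules, say so beside it: `# Keep every plugin Qt would otherwise drop for App Store compliance; we distribute outside the store and sign plugins ourselves in macos_signature.sh`. The deploy call this keyword belongs to starts and ends outside the hunk.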
--- a/program_info/macos_signature.sh
+++ b/program_info/macos_signature.sh
@@ -29,13 +29,10 @@ if cd "../XPCServices"; then
 fi
 ################ PLUGINS ################
+cd "../PlugIns" || exit 1
+codesign -f -s "${CODE_SIGN_IDENTITY[@]}" */*.dylib
 cd "../MacOS" || exit 1
-codesign -f -s "${CODE_SIGN_IDENTITY[@]}" iconengines/*.dylib
-codesign -f -s "${CODE_SIGN_IDENTITY[@]}" imageformats/*.dylib
-codesign -f -s "${CODE_SIGN_IDENTITY[@]}" platforms/*.dylib
 codesign -f -s "${CODE_SIGN_IDENTITY[@]}" jars/*.jar
-codesign -f -s "${CODE_SIGN_IDENTITY[@]}" styles/*.dylib
-codesign -f -s "${CODE_SIGN_IDENTITY[@]}" tls/*.dylib
 ################ APP ################
 cd "../../.." || exit 1

From 7ebd61d0d829234f7d42ce2e8d216edf3a9c1e6b Mon Sep 17 00:00:00 2001
From: Kenneth Chew <79120643+kthchew@users.noreply.github.com>
Date: Sat, 12 Jul 2025 23:16:41 -0400
Subject: [PATCH 5/7] Remove codesigning command in CI action in favor of CMake

Signed-off-by: Kenneth Chew <79120643+kthchew@users.noreply.github.com>
---
 .github/actions/package/macos/action.yml | 9 ---------
 1 file changed, 9 deletions(-)

diff --git a/.github/actions/package/macos/action.yml b/.github/actions/package/macos/action.yml
index 42181953c..d9a68abbe 100644
--- a/.github/actions/package/macos/action.yml
+++ b/.github/actions/package/macos/action.yml
@@ -64,15 +64,6 @@ runs:
 cd ${{ env.INSTALL_DIR }}
 chmod +x "PrismLauncher.app/Contents/MacOS/prismlauncher"
- if [ -n '${{ inputs.apple-codesign-id }}' ]; then
- APPLE_CODESIGN_ID='${{ inputs.apple-codesign-id }}'
- ENTITLEMENTS_FILE='../program_info/App.entitlements'
- else
- APPLE_CODESIGN_ID='-'
- ENTITLEMENTS_FILE='../program_info/AdhocSignedApp.entitlements'
- fi
-
- sudo codesign --sign "$APPLE_CODESIGN_ID" --deep --force --entitlements "$ENTITLEMENTS_FILE" --options runtime "PrismLauncher.app/Contents/MacOS/prismlauncher"
 mv "PrismLauncher.app" "Prism Launcher.app"
 - name: Notarize

From 905fa34e001ee91971bb02f05b0c447a874ce25b Mon Sep 17 00:00:00 2001
From: Kenneth Chew <79120643+kthchew@users.noreply.github.com>
Date: Sun, 13 Jul 2025 00:38:20 -0400
Subject: [PATCH 6/7] Remove codesigning script's reliance on zsh

Signed-off-by: Kenneth Chew <79120643+kthchew@users.noreply.github.com>
---
 program_info/macos_signature.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/program_info/macos_signature.sh b/program_info/macos_signature.sh
index a4341afbe..a16ce7cd1 100755
--- a/program_info/macos_signature.sh
+++ b/program_info/macos_signature.sh
@@ -1,4 +1,4 @@
-#!/usr/bin/env zsh
+#!/usr/bin/env sh
 # Run this script from the directory containing "PrismLauncher.app"

From f0e1ee342c985bc9fa42ef248d0c5543a6a87986 Mon Sep 17 00:00:00 2001
From: Kenneth Chew <79120643+kthchew@users.noreply.github.com>
Date: Sun, 13 Jul 2025 01:41:02 -0400
Subject: [PATCH 7/7] Add codesign to Nix build input

Signed-off-by: Kenneth Chew <79120643+kthchew@users.noreply.github.com>
---
 nix/unwrapped.nix | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/nix/unwrapped.nix b/nix/unwrapped.nix
index d9144410f..bb6b47e7d 100644
--- a/nix/unwrapped.nix
+++ b/nix/unwrapped.nix
@@ -3,6 +3,7 @@
 stdenv,
 cmake,
 cmark,
+ darwin,
 apple-sdk_11,
 extra-cmake-modules,
 gamemode,
@@ -74,6 +75,7 @@ stdenv.mkDerivation {
 extra-cmake-modules
 jdk17
 stripJavaArchivesHook
+ darwin.sigtool
 ];
 buildInputs =
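Review bot: Changing the shebang to `#!/usr/bin/env sh` does not remove the script's dependence on a non-POSIX shell: the unchanged body still builds an array with `CODE_SIGN_IDENTITY=("$CODE_SIGN_IDENTITY" --timestamp)`, expands it with `"${CODE_SIGN_IDENTITY[@]}"`, and tests with `[[ … == "Developer ID Application"* ]]`, none of which POSIX `sh` defines. On macOS `/bin/sh` is bash in POSIX mode, which still accepts arrays, so it happens to work there, but under dash or a strict `sh` (a Nix sandbox, for instance) the script dies with a syntax error at the array assignment — at least a loud failure rather than a silently unsigned bundle. Either keep an honest shebang, `#!/usr/bin/env bash`, or drop the array: leave the identity a scalar and carry the flag separately, `TIMESTAMP_OPT=""` / `case "$CODE_SIGN_IDENTITY" in "Developer ID Application"*) TIMESTAMP_OPT="--timestamp";; esac`, then call `codesign -f -s "$CODE_SIGN_IDENTITY" $TIMESTAMP_OPT …` throughout. The rest of the script lies outside this hunk.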
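Review bot: `darwin.sigtool` is added to `nativeBuildInputs` unconditionally, so the Linux derivation now also pulls it in although the signing step only runs under `if(UNIX AND APPLE)`; `apple-sdk_11` is presumably already gated on the host being Darwin somewhere outside this hunk, and `sigtool` belongs behind the same guard (e.g. `lib.optionals stdenv.hostPlatform.isDarwin [ darwin.sigtool ]`, if `lib` is among the inputs). More importantly, sigtool's `codesign` reimplements only the ad-hoc subset of Apple's tool, while `macos_signature.sh` passes `-o runtime`, `--preserve-metadata=entitlements`, `--entitlements` and (for Developer ID) `--timestamp`; it is worth confirming in a Darwin `nix build` that the shim accepts each of those flags, because with the script's current unchecked `codesign` calls a rejected invocation would not necessarily fail the build.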