Provide some entitlements on macOS by default (#2974)

Also, this change configures entitlements for local ad hoc signs on Apple Silicon Fixes #2867 Partial fix of #2887
1 year ago · 32ace9173e
4 changed files with 35 additions and 8 deletions
--- a/gradle-plugins/compose/src/main/kotlin/org/jetbrains/compose/desktop/application/internal/MacSigner.kt
+++ b/gradle-plugins/compose/src/main/kotlin/org/jetbrains/compose/desktop/application/internal/MacSigner.kt
@ -38,7 +38,13 @@ internal class NoCertificateSigner(runTool: ExternalToolRunner) : MacSigner(runT
            // Apple Silicon requires binaries to be signed
            // For local builds, ad hoc signatures are OK
            // https://wiki.lazarus.freepascal.org/Code_Signing_for_macOS
-            runTool.codesign("--sign", "-", "-vvvv", file.absolutePath)
+            val args = arrayListOf("-vvvv", "--sign", "-", "--options", "runtime", "--force")
+            entitlements?.let {
+                args.add("--entitlements")
+                args.add(entitlements.absolutePath)
+            }
+            args.add(file.absolutePath)
+            runTool.codesign(*args.toTypedArray())
        }
    }

--- a/gradle-plugins/compose/src/main/kotlin/org/jetbrains/compose/desktop/application/internal/configureJvmApplication.kt
+++ b/gradle-plugins/compose/src/main/kotlin/org/jetbrains/compose/desktop/application/internal/configureJvmApplication.kt
@ -349,11 +349,16 @@ internal fun JvmApplicationContext.configureCommonNotarizationSettings(
    notarizationTask.nonValidatedNotarizationSettings = app.nativeDistributions.macOS.notarization
 }

+private fun <T> TaskProvider<AbstractUnpackDefaultComposeApplicationResourcesTask>.get(
+    fn: AbstractUnpackDefaultComposeApplicationResourcesTask.DefaultResourcesProvider.() -> Provider<T>
+) = flatMap { fn(it.resources) }
+
 internal fun JvmApplicationContext.configurePlatformSettings(
    packageTask: AbstractJPackageTask,
-    unpackDefaultResources: TaskProvider<AbstractUnpackDefaultComposeApplicationResourcesTask>
+    defaultResources: TaskProvider<AbstractUnpackDefaultComposeApplicationResourcesTask>
 ) {
-    packageTask.dependsOn(unpackDefaultResources)
+    packageTask.dependsOn(defaultResources)
+
    when (currentOS) {
        OS.Linux -> {
            app.nativeDistributions.linux.also { linux ->
@ -364,7 +369,7 @@ internal fun JvmApplicationContext.configurePlatformSettings(
                packageTask.linuxMenuGroup.set(provider { linux.menuGroup })
                packageTask.linuxPackageName.set(provider { linux.packageName })
                packageTask.linuxRpmLicenseType.set(provider { linux.rpmLicenseType })
-                packageTask.iconFile.set(linux.iconFile.orElse(unpackDefaultResources.flatMap { it.resources.linuxIcon }))
+                packageTask.iconFile.set(linux.iconFile.orElse(defaultResources.get { linuxIcon }))
                packageTask.installationPath.set(linux.installationPath)
            }
        }
@ -377,7 +382,7 @@ internal fun JvmApplicationContext.configurePlatformSettings(
                packageTask.winMenu.set(provider { win.menu })
                packageTask.winMenuGroup.set(provider { win.menuGroup })
                packageTask.winUpgradeUuid.set(provider { win.upgradeUuid })
-                packageTask.iconFile.set(win.iconFile.orElse(unpackDefaultResources.flatMap { it.resources.windowsIcon }))
+                packageTask.iconFile.set(win.iconFile.orElse(defaultResources.get { windowsIcon }))
                packageTask.installationPath.set(win.installationPath)
            }
        }
@ -393,15 +398,16 @@ internal fun JvmApplicationContext.configurePlatformSettings(
                )
                packageTask.macAppStore.set(mac.appStore)
                packageTask.macAppCategory.set(mac.appCategory)
-                packageTask.macEntitlementsFile.set(mac.entitlementsFile)
-                packageTask.macRuntimeEntitlementsFile.set(mac.runtimeEntitlementsFile)
+                val defaultEntitlements = defaultResources.get { defaultEntitlements }
+                packageTask.macEntitlementsFile.set(mac.entitlementsFile.orElse(defaultEntitlements))
+                packageTask.macRuntimeEntitlementsFile.set(mac.runtimeEntitlementsFile.orElse(defaultEntitlements))
                packageTask.packageBuildVersion.set(packageBuildVersionFor(packageTask.targetFormat))
                packageTask.nonValidatedMacBundleID.set(provider { mac.bundleID })
                packageTask.macProvisioningProfile.set(mac.provisioningProfile)
                packageTask.macRuntimeProvisioningProfile.set(mac.runtimeProvisioningProfile)
                packageTask.macExtraPlistKeysRawXml.set(provider { mac.infoPlistSettings.extraKeysRawXml })
                packageTask.nonValidatedMacSigningSettings = app.nativeDistributions.macOS.signing
-                packageTask.iconFile.set(mac.iconFile.orElse(unpackDefaultResources.flatMap { it.resources.macIcon }))
+                packageTask.iconFile.set(mac.iconFile.orElse(defaultResources.get { macIcon }))
                packageTask.installationPath.set(mac.installationPath)
            }
        }
--- a/gradle-plugins/compose/src/main/kotlin/org/jetbrains/compose/desktop/tasks/AbstractUnpackDefaultComposeApplicationResourcesTask.kt
+++ b/gradle-plugins/compose/src/main/kotlin/org/jetbrains/compose/desktop/tasks/AbstractUnpackDefaultComposeApplicationResourcesTask.kt
@ -17,6 +17,7 @@ import org.jetbrains.compose.internal.utils.clearDirs
 import org.jetbrains.compose.internal.utils.ioFile

 private const val DEFAULT_COMPOSE_PROGUARD_RULES_FILE_NAME = "default-compose-desktop-rules.pro"
+private const val DEFAULT_ENTITLEMENTS_FILE_NAME = "default-entitlements.plist"

 abstract class AbstractUnpackDefaultComposeApplicationResourcesTask : AbstractComposeDesktopTask() {
    internal class DefaultResourcesProvider(resourcesRootDir: Provider<Directory>) {
@ -24,6 +25,7 @@ abstract class AbstractUnpackDefaultComposeApplicationResourcesTask : AbstractCo
        val windowsIcon: Provider<RegularFile> = resourcesRootDir.map { it.file("default-icon-windows.ico") }
        val linuxIcon: Provider<RegularFile> = resourcesRootDir.map { it.file("default-icon-linux.png") }
        val defaultComposeProguardRules: Provider<RegularFile> = resourcesRootDir.map { it.file(DEFAULT_COMPOSE_PROGUARD_RULES_FILE_NAME) }
+        val defaultEntitlements: Provider<RegularFile> = resourcesRootDir.map { it.file(DEFAULT_ENTITLEMENTS_FILE_NAME) }
    }

    @OutputDirectory
@ -42,6 +44,7 @@ abstract class AbstractUnpackDefaultComposeApplicationResourcesTask : AbstractCo
        unpack(iconSourcePath("windows", "ico"), resources.windowsIcon)
        unpack(iconSourcePath("linux", "png"), resources.linuxIcon)
        unpack(DEFAULT_COMPOSE_PROGUARD_RULES_FILE_NAME, resources.defaultComposeProguardRules)
+        unpack(DEFAULT_ENTITLEMENTS_FILE_NAME, resources.defaultEntitlements)
    }

    private fun iconSourcePath(platformName: String, iconExt: String): String =
--- a/gradle-plugins/compose/src/main/resources/default-entitlements.plist
+++ b/gradle-plugins/compose/src/main/resources/default-entitlements.plist
@ -0,0 +1,12 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+    <dict>
+        <key>com.apple.security.cs.allow-jit</key>
+        <true/>
+        <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
+        <true/>
+        <key>com.apple.security.cs.disable-library-validation</key>
+        <true/>
+    </dict>
+</plist>