hiro/tdesktop
1
0
Fork 0
mirror of https://github.com/vale981/tdesktop synced 2025-03-05 09:41:41 -05:00
Code Issues Projects Releases Packages Wiki Activity Actions

Enable hardened runtime on macOS build.

Browse source
This commit is contained in:
John Preston 2019-04-18 12:27:58 +04:00
parent edc8c23772
commit 72690ee106
4 changed files with 51 additions and 21 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

55
Telegram/Patches/gyp.diff
View file

@ -1,8 +1,8 @@
diff --git a/pylib/gyp/generator/cmake.py b/pylib/gyp/generator/cmake.py diff --git a/pylib/gyp/generator/cmake.py b/pylib/gyp/generator/cmake.py
index a2b9629..ac59461 100644 index 4a2041cf..e5333926 100644
--- a/pylib/gyp/generator/cmake.py --- a/pylib/gyp/generator/cmake.py
+++ b/pylib/gyp/generator/cmake.py +++ b/pylib/gyp/generator/cmake.py
@@ -1070,6 +1070,23 @@ def WriteTarget(namer, qualified_target, target_dicts, build_dir, config_to_use, @@ -1078,6 +1078,23 @@ def WriteTarget(namer, qualified_target, target_dicts, build_dir, config_to_use,
output.write(')\n') output.write(')\n')
@ -26,7 +26,7 @@ index a2b9629..ac59461 100644
UnsetVariable(output, 'TOOLSET') UnsetVariable(output, 'TOOLSET')
UnsetVariable(output, 'TARGET') UnsetVariable(output, 'TARGET')
@@ -1112,6 +1129,8 @@ def GenerateOutputForConfig(target_list, target_dicts, data, @@ -1120,6 +1137,8 @@ def GenerateOutputForConfig(target_list, target_dicts, data,
SetVariable(output, 'configuration', config_to_use) SetVariable(output, 'configuration', config_to_use)
ar = None ar = None
@ -35,7 +35,7 @@ index a2b9629..ac59461 100644
cc = None cc = None
cxx = None cxx = None
@@ -1121,17 +1140,27 @@ def GenerateOutputForConfig(target_list, target_dicts, data, @@ -1129,17 +1148,27 @@ def GenerateOutputForConfig(target_list, target_dicts, data,
for key, value in make_global_settings: for key, value in make_global_settings:
if key == 'AR': if key == 'AR':
ar = os.path.join(build_to_top, value) ar = os.path.join(build_to_top, value)
@ -64,48 +64,63 @@ index a2b9629..ac59461 100644
SetVariable(output, 'CMAKE_C_COMPILER', cc) SetVariable(output, 'CMAKE_C_COMPILER', cc)
if cxx: if cxx:
diff --git a/pylib/gyp/generator/xcode.py b/pylib/gyp/generator/xcode.py diff --git a/pylib/gyp/generator/xcode.py b/pylib/gyp/generator/xcode.py
index db99d6a..8d56baf 100644 index 8bc22bed..24bee427 100644
--- a/pylib/gyp/generator/xcode.py --- a/pylib/gyp/generator/xcode.py
+++ b/pylib/gyp/generator/xcode.py +++ b/pylib/gyp/generator/xcode.py
@@ -72,6 +72,10 @@ generator_additional_non_configuration_keys = [ @@ -74,6 +74,12 @@ generator_additional_non_configuration_keys = [
'ios_app_extension', 'ios_app_extension',
'ios_watch_app', 'ios_watch_app',
'ios_watchkit_extension', 'ios_watchkit_extension',
+ +
+ 'mac_sandbox', # sandbox support + 'mac_sandbox', # sandbox support
+ 'mac_sandbox_development_team', + 'mac_sandbox_development_team',
+
+ 'mac_hardened_runtime', # hardened runtime support
+ +
'mac_bundle', 'mac_bundle',
'mac_bundle_resources', 'mac_bundle_resources',
'mac_framework_headers', 'mac_framework_headers',
@@ -772,6 +776,26 @@ def GenerateOutput(target_list, target_dicts, data, params): @@ -774,6 +780,39 @@ def GenerateOutput(target_list, target_dicts, data, params):
xcode_targets[qualified_target] = xct xcode_targets[qualified_target] = xct
xcode_target_to_target_dict[xct] = spec xcode_target_to_target_dict[xct] = spec
+ # sandbox support + # sandbox and hardened runtime support
+ is_sandbox = int(spec.get('mac_sandbox', 0)) + is_sandbox = int(spec.get('mac_sandbox', 0))
+ is_hardened_runtime = int(spec.get('mac_hardened_runtime', 0))
+ if is_sandbox or is_hardened_runtime:
+ try:
+ tmp = pbxp._properties['attributes']['TargetAttributes']
+ except KeyError:
+ pbxp._properties['attributes']['TargetAttributes'] = {}
+ try:
+ tmp = pbxp._properties['attributes']['TargetAttributes'][xct]
+ except KeyError:
+ pbxp._properties['attributes']['TargetAttributes'][xct] = {}
+ try:
+ tmp = pbxp._properties['attributes']['TargetAttributes'][xct]['SystemCapabilities']
+ except KeyError:
+ pbxp._properties['attributes']['TargetAttributes'][xct]['SystemCapabilities'] = {}
+
+ if is_sandbox: + if is_sandbox:
+ dev_team = spec.get('mac_sandbox_development_team', '%%ERROR%%') + dev_team = spec.get('mac_sandbox_development_team', '%%ERROR%%')
+ assert dev_team != '%%ERROR%%', ( + assert dev_team != '%%ERROR%%', (
+ 'mac_sandbox must be accompanied by mac_sandbox_development_team (target "%s")' % + 'mac_sandbox must be accompanied by mac_sandbox_development_team (target "%s")' %
+ target_name) + target_name)
+ try: + pbxp._properties['attributes']['TargetAttributes'][xct]['DevelopmentTeam'] = dev_team
+ tmp = pbxp._properties['attributes']['TargetAttributes'] + pbxp._properties['attributes']['TargetAttributes'][xct]['SystemCapabilities']['com.apple.Sandbox'] = {
+ except KeyError: + 'enabled': 1,
+ pbxp._properties['attributes']['TargetAttributes'] = {} + }
+ pbxp._properties['attributes']['TargetAttributes'][xct] = { +
+ 'DevelopmentTeam': dev_team, + # hardened runtime support
+ 'SystemCapabilities': { + if is_hardened_runtime:
+ 'com.apple.Sandbox': { + pbxp._properties['attributes']['TargetAttributes'][xct]['SystemCapabilities']['com.apple.HardenedRuntime'] = {
+ 'enabled': 1, + 'enabled': 1,
+ },
+ },
+ } + }
+ +
spec_actions = spec.get('actions', []) spec_actions = spec.get('actions', [])
spec_rules = spec.get('rules', []) spec_rules = spec.get('rules', [])
@@ -1141,7 +1165,8 @@ exit 1 @@ -1132,7 +1171,8 @@ exit 1
groups = [x for x in groups if not x.endswith('_excluded')] groups = [x for x in groups if not x.endswith('_excluded')]
for group in groups: for group in groups:
for item in rule.get(group, []): for item in rule.get(group, []):

8
Telegram/Telegram/Telegram.entitlements Normal file
View file

@ -0,0 +1,8 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>com.apple.security.device.audio-input</key>
<true/>
</dict>
</plist>

2
Telegram/build/build.sh
View file

@ -291,7 +291,7 @@ if [ "$BuildTarget" == "mac" ] || [ "$BuildTarget" == "mac32" ] || [ "$BuildTarg
echo "Signing the application.." echo "Signing the application.."
if [ "$BuildTarget" == "mac" ] || [ "$BuildTarget" == "mac32" ]; then if [ "$BuildTarget" == "mac" ] || [ "$BuildTarget" == "mac32" ]; then
codesign --force --deep --sign "Developer ID Application: John Preston" "$ReleasePath/$BinaryName.app" codesign --force --deep --timestamp --options runtime --sign "Developer ID Application: John Preston" "$ReleasePath/$BinaryName.app" --entitlements "$HomePath/Telegram/Telegram.entitlements"
elif [ "$BuildTarget" == "macstore" ]; then elif [ "$BuildTarget" == "macstore" ]; then
codesign --force --deep --sign "3rd Party Mac Developer Application: TELEGRAM MESSENGER LLP (6N38VWS5BX)" "$ReleasePath/$BinaryName.app" --entitlements "$HomePath/Telegram/Telegram Desktop.entitlements" codesign --force --deep --sign "3rd Party Mac Developer Application: TELEGRAM MESSENGER LLP (6N38VWS5BX)" "$ReleasePath/$BinaryName.app" --entitlements "$HomePath/Telegram/Telegram Desktop.entitlements"
echo "Making an installer.." echo "Making an installer.."

7
Telegram/gyp/Telegram.gyp
View file

@ -134,11 +134,18 @@
'utils.gyp:Packer', 'utils.gyp:Packer',
], ],
}], [ 'build_mac', { }], [ 'build_mac', {
'mac_hardened_runtime': 1,
'mac_bundle': '1', 'mac_bundle': '1',
'mac_bundle_resources': [ 'mac_bundle_resources': [
'<!@(python -c "for s in \'<@(langpacks)\'.split(\' \'): print(\'<(res_loc)/langs/\' + s + \'.lproj/Localizable.strings\')")', '<!@(python -c "for s in \'<@(langpacks)\'.split(\' \'): print(\'<(res_loc)/langs/\' + s + \'.lproj/Localizable.strings\')")',
'../Telegram/Images.xcassets', '../Telegram/Images.xcassets',
], ],
'xcode_settings': {
'ENABLE_HARDENED_RUNTIME': 'YES',
},
'sources': [
'../Telegram/Telegram.entitlements',
],
}], [ 'build_macstore', { }], [ 'build_macstore', {
'mac_sandbox': 1, 'mac_sandbox': 1,
'mac_sandbox_development_team': '6N38VWS5BX', 'mac_sandbox_development_team': '6N38VWS5BX',