From 656a64974468bc207bf39537e02ae179bdee9b83 Mon Sep 17 00:00:00 2001
From: thewh1teagle <61390950+thewh1teagle@users.noreply.github.com>
Date: Wed, 5 Jun 2024 19:04:08 +0300
Subject: [PATCH] feat(cli): add macos hardened runtime signing config option (#9318)

* feat(cli): add macos signing config option

* rename option to hardened_runtime

* chore(cli): use default true in hardened runtime config

---------

Co-authored-by: Lucas Nogueira
---
.changes/hardened-runtime-option.md | 8 ++++++++
core/tauri-config-schema/schema.json | 7 +++++++
core/tauri-utils/src/config.rs | 6 ++++++
tooling/bundler/src/bundle/macos/sign.rs | 4 +++-
tooling/bundler/src/bundle/settings.rs | 4 ++++
tooling/cli/schema.json | 7 +++++++
tooling/cli/src/interface/rust.rs | 1 +
7 files changed, 36 insertions(+), 1 deletion(-)
create mode 100644 .changes/hardened-runtime-option.md

diff --git a/.changes/hardened-runtime-option.md b/.changes/hardened-runtime-option.md
new file mode 100644
index 000000000000..fbae7bd2a09a
--- /dev/null
+++ b/.changes/hardened-runtime-option.md
@@ -0,0 +1,8 @@
+---
+"tauri-bundler": patch:feat
+"@tauri-apps/cli": patch:feat
+"tauri-cli": patch:feat
+"tauri-utils": patch:feat
+---
+
+Added a configuration option to disable hardened runtime on macOS codesign.
diff --git a/core/tauri-config-schema/schema.json b/core/tauri-config-schema/schema.json
index 649b051a6ed1..822d2f20e655 100644
--- a/core/tauri-config-schema/schema.json
+++ b/core/tauri-config-schema/schema.json
@@ -104,6 +104,7 @@
 }
 },
 "files": {},
+ "hardenedRuntime": true,
 "minimumSystemVersion": "10.13"
 },
 "targets": "all",
@@ -1683,6 +1684,7 @@
 }
 },
 "files": {},
+ "hardenedRuntime": true,
 "minimumSystemVersion": "10.13"
 },
 "allOf": [
@@ -2688,6 +2690,11 @@
 "null"
 ]
 },
+ "hardenedRuntime": {
+ "description": "Whether the codesign should enable [hardened runtime] (for executables) or not.\n\n[hardened runtime]: ",
+ "default": true,
+ "type": "boolean"
+ },
 "providerShortName": {
 "description": "Provider short name for notarization.",
 "type": [
diff --git a/core/tauri-utils/src/config.rs b/core/tauri-utils/src/config.rs
index 4b2d7be99354..d8ee880c8143 100644
--- a/core/tauri-utils/src/config.rs
+++ b/core/tauri-utils/src/config.rs
@@ -565,6 +565,11 @@ pub struct MacConfig {
 /// Identity to use for code signing.
 #[serde(alias = "signing-identity")]
 pub signing_identity: Option,
+ /// Whether the codesign should enable [hardened runtime] (for executables) or not.
+ ///
+ /// [hardened runtime]: 
+ #[serde(alias = "hardened-runtime", default = "default_true")]
+ pub hardened_runtime: bool,
 /// Provider short name for notarization.
 #[serde(alias = "provider-short-name")]
 pub provider_short_name: Option,
@@ -583,6 +588,7 @@ impl Default for MacConfig {
 minimum_system_version: minimum_system_version(),
 exception_domain: None,
 signing_identity: None,
+ hardened_runtime: true,
 provider_short_name: None,
 entitlements: None,
 dmg: Default::default(),
diff --git a/tooling/bundler/src/bundle/macos/sign.rs b/tooling/bundler/src/bundle/macos/sign.rs
index 15b03aeb7aa8..5f6b97f7bd4c 100644
--- a/tooling/bundler/src/bundle/macos/sign.rs
+++ b/tooling/bundler/src/bundle/macos/sign.rs
@@ -205,7 +205,9 @@ fn try_sign(
 args.push(entitlements_path);
 }
- if is_an_executable {
+ // add runtime flag by default
+
+ if is_an_executable && settings.macos().hardened_runtime {
 args.push("--options");
 args.push("runtime");
 }
diff --git a/tooling/bundler/src/bundle/settings.rs b/tooling/bundler/src/bundle/settings.rs
index 2369037faaee..c54949940a99 100644
--- a/tooling/bundler/src/bundle/settings.rs
+++ b/tooling/bundler/src/bundle/settings.rs
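Review bot: The doc comment on the new `hardened_runtime` field in `MacConfig` describes the flag but not its security consequence, which is exactly what a user deciding to flip it needs: disabling the hardened runtime removes library validation and the related runtime protections, and Apple's notarization service is expected to reject a binary signed without it. I would extend the doc to `/// Whether codesign should sign executables with the [hardened runtime] (--options runtime). Defaults to true.` followed by `/// Disabling it weakens the app's runtime protections and is expected to fail Apple notarization; turn it off only for local or ad-hoc signing.`. The `[hardened runtime]:` reference line appears to have no target here — possibly an extraction artifact, but worth confirming the link is present in the actual source. `MacConfig` is declared before the hunk, and the `default_true` helper named in the serde attribute is presumably defined elsewhere in the file.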
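Review bot: The new condition in `try_sign` silently drops `--options runtime` whenever `hardened_runtime` is false, and the comment above it (`// add runtime flag by default`, followed by a stray blank line that detaches it from the `if`) says nothing about what is lost: without the hardened runtime the signed executable has no library validation or DYLD-environment protection, and notarization is expected to fail. I would replace the comment with `// Hardened runtime (--options runtime) is required for notarization and enables library validation; macos.hardenedRuntime = false is intended for ad-hoc signing only.` and remove the blank line so the comment sits directly on the `if`. Because a silent security downgrade is easy to miss in build logs, consider also emitting a warning when `hardened_runtime` is false while a real (non ad-hoc) signing identity is configured — the logging facility this file uses is not visible in the hunk, so I cannot quote the exact call. `try_sign` begins before the hunk and continues after it.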
@@ -317,6 +317,10 @@ pub struct MacOsSettings {
 pub exception_domain: Option,
 /// Code signing identity.
 pub signing_identity: Option,
+ /// Preserve the hardened runtime version flag, see
+ ///
+ /// Settings this to `false` is useful when using an ad-hoc signature, making it less strict.
+ pub hardened_runtime: bool,
 /// Provider short name for notarization.
 pub provider_short_name: Option,
 /// Path to the entitlements.plist file.
diff --git a/tooling/cli/schema.json b/tooling/cli/schema.json
index 649b051a6ed1..822d2f20e655 100644
--- a/tooling/cli/schema.json
+++ b/tooling/cli/schema.json
@@ -104,6 +104,7 @@
 }
 },
 "files": {},
+ "hardenedRuntime": true,
 "minimumSystemVersion": "10.13"
 },
 "targets": "all",
@@ -1683,6 +1684,7 @@
 }
 },
 "files": {},
+ "hardenedRuntime": true,
 "minimumSystemVersion": "10.13"
 },
 "allOf": [
@@ -2688,6 +2690,11 @@
 "null"
 ]
 },
+ "hardenedRuntime": {
+ "description": "Whether the codesign should enable [hardened runtime] (for executables) or not.\n\n[hardened runtime]: ",
+ "default": true,
+ "type": "boolean"
+ },
 "providerShortName": {
 "description": "Provider short name for notarization.",
 "type": [
diff --git a/tooling/cli/src/interface/rust.rs b/tooling/cli/src/interface/rust.rs
index 4d634e892859..5708785cde12 100644
--- a/tooling/cli/src/interface/rust.rs
+++ b/tooling/cli/src/interface/rust.rs
@@ -1362,6 +1362,7 @@ fn tauri_config_to_bundle_settings(
 minimum_system_version: config.macos.minimum_system_version,
 exception_domain: config.macos.exception_domain,
 signing_identity,
+ hardened_runtime: config.macos.hardened_runtime,
 provider_short_name,
 entitlements: config.macos.entitlements,
 info_plist_path: {
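Review bot: The new doc comment on `hardened_runtime` in `MacOsSettings` has a typo (`Settings this` should be `Setting this`), a dangling `see` with no visible link target, and `making it less strict` understates the trade-off the caller is making. I would rewrite it as `/// Whether executables are signed with the hardened runtime (codesign --options runtime). Defaults to true.` followed by `/// Setting this to false weakens the binary's runtime protections (e.g. library validation) and is expected to fail notarization; it is intended for ad-hoc signatures only.`. The missing link target may be an extraction artifact and is worth checking against the real file. `MacOsSettings` is declared before the hunk.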