From a3d2314be2c293f16df1fa3fd67b9d01a82f9744 Mon Sep 17 00:00:00 2001
From: thewh1teagle <61390950+thewh1teagle@users.noreply.github.com>
Date: Sun, 31 Mar 2024 23:42:26 +0300
Subject: [PATCH 1/3] feat(cli): add macos signing config option

---
 core/tauri-config-schema/schema.json | 7 +++++++
 core/tauri-utils/src/config.rs | 4 ++++
 tooling/bundler/src/bundle/macos/sign.rs | 5 ++++-
 tooling/bundler/src/bundle/settings.rs | 4 ++++
 tooling/cli/schema.json | 7 +++++++
 tooling/cli/src/interface/rust.rs | 1 +
 6 files changed, 27 insertions(+), 1 deletion(-)

diff --git a/core/tauri-config-schema/schema.json b/core/tauri-config-schema/schema.json
index 8f6b61c8a170..ff007d53ea6d 100644
--- a/core/tauri-config-schema/schema.json
+++ b/core/tauri-config-schema/schema.json
@@ -2605,6 +2605,13 @@
 "null"
 ]
 },
+ "signingRuntimeFlag": {
+ "description": "Flag passed for code signing.",
+ "type": [
+ "boolean",
+ "null"
+ ]
+ },
 "providerShortName": {
 "description": "Provider short name for notarization.",
 "type": [
diff --git a/core/tauri-utils/src/config.rs b/core/tauri-utils/src/config.rs
index 2c161e6b0d22..4bfc7898f533 100644
--- a/core/tauri-utils/src/config.rs
+++ b/core/tauri-utils/src/config.rs
@@ -556,6 +556,9 @@ pub struct MacConfig {
 /// Identity to use for code signing.
 #[serde(alias = "signing-identity")]
 pub signing_identity: Option,
+ /// Flag passed for code signing.
+ #[serde(alias = "signing-runtime-flag")]
+ pub signing_runtime_flag: Option,
 /// Provider short name for notarization.
 #[serde(alias = "provider-short-name")]
 pub provider_short_name: Option,
@@ -574,6 +577,7 @@ impl Default for MacConfig {
 minimum_system_version: minimum_system_version(),
 exception_domain: None,
 signing_identity: None,
+ signing_runtime_flag: None,
 provider_short_name: None,
 entitlements: None,
 dmg: Default::default(),
diff --git a/tooling/bundler/src/bundle/macos/sign.rs b/tooling/bundler/src/bundle/macos/sign.rs
index 952c798bed12..d6016cb8f081 100644
--- a/tooling/bundler/src/bundle/macos/sign.rs
+++ b/tooling/bundler/src/bundle/macos/sign.rs
@@ -205,7 +205,10 @@ fn try_sign(
 args.push(entitlements_path);
 }
 
- if is_an_executable {
+ // add runtime flag by default
+ let should_set = settings.macos().signing_runtime_flag
+ .unwrap_or(true);
+ if is_an_executable && should_set {
 args.push("--options");
 args.push("runtime");
 }
diff --git a/tooling/bundler/src/bundle/settings.rs b/tooling/bundler/src/bundle/settings.rs
index 694305c0bb09..6195f9ad3597 100644
--- a/tooling/bundler/src/bundle/settings.rs
+++ b/tooling/bundler/src/bundle/settings.rs
@@ -303,6 +303,10 @@ pub struct MacOsSettings {
 pub exception_domain: Option,
 /// Code signing identity.
 pub signing_identity: Option,
+ /// Preserve the hardened runtime version flag (see man codesign)
+ ///
+ /// This option is useful when using an ad-hoc signature, making it less strict.
+ pub signing_runtime_flag: Option,
 /// Provider short name for notarization.
 pub provider_short_name: Option,
 /// Path to the entitlements.plist file.
diff --git a/tooling/cli/schema.json b/tooling/cli/schema.json
index 8f6b61c8a170..ff007d53ea6d 100644
--- a/tooling/cli/schema.json
+++ b/tooling/cli/schema.json
@@ -2605,6 +2605,13 @@
 "null"
 ]
 },
+ "signingRuntimeFlag": {
+ "description": "Flag passed for code signing.",
+ "type": [
+ "boolean",
+ "null"
+ ]
+ },
 "providerShortName": {
 "description": "Provider short name for notarization.",
 "type": [
diff --git a/tooling/cli/src/interface/rust.rs b/tooling/cli/src/interface/rust.rs
index 4eae3c14a99d..30398db400bf 100644
--- a/tooling/cli/src/interface/rust.rs
+++ b/tooling/cli/src/interface/rust.rs
@@ -1387,6 +1387,7 @@ fn tauri_config_to_bundle_settings(
 minimum_system_version: config.macos.minimum_system_version,
 exception_domain: config.macos.exception_domain,
 signing_identity,
+ signing_runtime_flag: config.macos.signing_runtime_flag,
 provider_short_name,
 entitlements: config.macos.entitlements,
 info_plist_path: {
From 4de3544630040c4beccc84b2bea6bfd30069fb35 Mon Sep 17 00:00:00 2001
From: Lucas Nogueira
Date: Tue, 2 Apr 2024 14:52:58 -0300
Subject: [PATCH 2/3] rename option to hardened_runtime

---
 .changes/hardened-runtime-option.md | 8 ++++++++
 core/tauri-config-schema/schema.json | 12 ++++++------
 core/tauri-utils/src/config.rs | 14 ++++++++++----
 .../permissions/window/autogenerated/reference.md | 2 ++
 tooling/bundler/src/bundle/macos/sign.rs | 5 ++---
 tooling/bundler/src/bundle/settings.rs | 8 ++++----
 tooling/cli/schema.json | 12 ++++++------
 tooling/cli/src/interface/rust.rs | 2 +-
 8 files changed, 39 insertions(+), 24 deletions(-)
 create mode 100644 .changes/hardened-runtime-option.md

diff --git a/.changes/hardened-runtime-option.md b/.changes/hardened-runtime-option.md
new file mode 100644
index 000000000000..fbae7bd2a09a
--- /dev/null
+++ b/.changes/hardened-runtime-option.md
@@ -0,0 +1,8 @@
+---
+"tauri-bundler": patch:feat
+"@tauri-apps/cli": patch:feat
+"tauri-cli": patch:feat
+"tauri-utils": patch:feat
+---
+
+Added a configuration option to disable hardened runtime on macOS codesign.
diff --git a/core/tauri-config-schema/schema.json b/core/tauri-config-schema/schema.json
index ff007d53ea6d..7b8d59c533cb 100644
--- a/core/tauri-config-schema/schema.json
+++ b/core/tauri-config-schema/schema.json
@@ -104,6 +104,7 @@
 }
 },
 "files": {},
+ "hardenedRuntime": true,
 "minimumSystemVersion": "10.13"
 },
 "targets": "all",
@@ -1669,6 +1670,7 @@
 }
 },
 "files": {},
+ "hardenedRuntime": true,
 "minimumSystemVersion": "10.13"
 },
 "allOf": [
@@ -2605,12 +2607,10 @@
 "null"
 ]
 },
- "signingRuntimeFlag": {
- "description": "Flag passed for code signing.",
- "type": [
- "boolean",
- "null"
- ]
+ "hardenedRuntime": {
+ "description": "Whether the codesign should enable [hardened runtime] (for executables) or not.\n\n[hardened runtime]: ",
+ "default": true,
+ "type": "boolean"
 },
 "providerShortName": {
 "description": "Provider short name for notarization.",
diff --git a/core/tauri-utils/src/config.rs b/core/tauri-utils/src/config.rs
index 4bfc7898f533..3d196d095e4f 100644
--- a/core/tauri-utils/src/config.rs
+++ b/core/tauri-utils/src/config.rs
@@ -556,9 +556,11 @@ pub struct MacConfig {
 /// Identity to use for code signing.
 #[serde(alias = "signing-identity")]
 pub signing_identity: Option,
- /// Flag passed for code signing.
- #[serde(alias = "signing-runtime-flag")]
- pub signing_runtime_flag: Option,
+ /// Whether the codesign should enable [hardened runtime] (for executables) or not.
+ ///
+ /// [hardened runtime]:
+ #[serde(alias = "hardened-runtime", default = "hardened_runtime")]
+ pub hardened_runtime: bool,
 /// Provider short name for notarization.
 #[serde(alias = "provider-short-name")]
 pub provider_short_name: Option,
@@ -569,6 +571,10 @@ pub struct MacConfig {
 pub dmg: DmgConfig,
 }
 
+fn hardened_runtime() -> bool {
+ true
+}
+
 impl Default for MacConfig {
 fn default() -> Self {
 Self {
@@ -577,7 +583,7 @@ impl Default for MacConfig {
 minimum_system_version: minimum_system_version(),
 exception_domain: None,
 signing_identity: None,
- signing_runtime_flag: None,
+ hardened_runtime: hardened_runtime(),
 provider_short_name: None,
 entitlements: None,
 dmg: Default::default(),
diff --git a/core/tauri/permissions/window/autogenerated/reference.md b/core/tauri/permissions/window/autogenerated/reference.md
index 868a10c91251..3188178d5558 100644
--- a/core/tauri/permissions/window/autogenerated/reference.md
+++ b/core/tauri/permissions/window/autogenerated/reference.md
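Review bot: The new `hardened_runtime` doc comment on `MacConfig` (first hunk of this file) does not state what the user gives up by setting it to `false`, and this text is what ends up in the public schema description: without `--options runtime` the signed executable is built without hardened-runtime protections (library validation, restrictions on debugger attachment and dynamic-loader environment injection), and Apple's notarization service rejects executables that lack hardened runtime, so `false` is only viable for ad-hoc, unnotarized builds. Suggest extending the doc with `/// Setting this to \`false\` drops the hardened-runtime protections and makes notarization fail, so it is only suitable for ad-hoc, unnotarized builds.`; the `MacOsSettings` doc in this patch's settings.rs hunk understates the effect in the same way. The `[hardened runtime]:` reference-link line is empty as shown here, which is presumably an extraction artifact — confirm the URL is present in the file.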
@@ -10,6 +10,8 @@
 |`deny-create`|Denies the create command without any pre-configured scope.|
 |`allow-current-monitor`|Enables the current_monitor command without any pre-configured scope.|
 |`deny-current-monitor`|Denies the current_monitor command without any pre-configured scope.|
+|`allow-cursor-position`|Enables the cursor_position command without any pre-configured scope.|
+|`deny-cursor-position`|Denies the cursor_position command without any pre-configured scope.|
 |`allow-destroy`|Enables the destroy command without any pre-configured scope.|
 |`deny-destroy`|Denies the destroy command without any pre-configured scope.|
 |`allow-hide`|Enables the hide command without any pre-configured scope.|
diff --git a/tooling/bundler/src/bundle/macos/sign.rs b/tooling/bundler/src/bundle/macos/sign.rs
index d6016cb8f081..d1657c12fd67 100644
--- a/tooling/bundler/src/bundle/macos/sign.rs
+++ b/tooling/bundler/src/bundle/macos/sign.rs
@@ -206,9 +206,8 @@ fn try_sign(
 }
 
 // add runtime flag by default
- let should_set = settings.macos().signing_runtime_flag
- .unwrap_or(true);
- if is_an_executable && should_set {
+
+ if is_an_executable && settings.macos().hardened_runtime {
 args.push("--options");
 args.push("runtime");
 }
diff --git a/tooling/bundler/src/bundle/settings.rs b/tooling/bundler/src/bundle/settings.rs
index 6195f9ad3597..d4329c304f3f 100644
--- a/tooling/bundler/src/bundle/settings.rs
+++ b/tooling/bundler/src/bundle/settings.rs
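Review bot: In the sign.rs hunk the surviving `// add runtime flag by default` comment is now separated from the `if` it describes by the added blank line and no longer says what gates the flag; replace it with `// Hardened runtime is enabled unless macos.hardenedRuntime is set to false in the config.` and drop the blank added line. Since a `false` setting silently yields a binary without hardened-runtime protections, consider emitting a warning through whatever logging this file already uses when `is_an_executable && !settings.macos().hardened_runtime`, so the weakened signature is visible in the build log rather than only discoverable at notarization time. `try_sign` begins and ends outside this hunk.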
@@ -303,10 +303,10 @@ pub struct MacOsSettings {
 pub exception_domain: Option,
 /// Code signing identity.
 pub signing_identity: Option,
- /// Preserve the hardened runtime version flag (see man codesign)
- ///
- /// This option is useful when using an ad-hoc signature, making it less strict.
- pub signing_runtime_flag: Option,
+ /// Preserve the hardened runtime version flag, see
+ ///
+ /// Settings this to `false` is useful when using an ad-hoc signature, making it less strict.
+ pub hardened_runtime: bool,
 /// Provider short name for notarization.
 pub provider_short_name: Option,
 /// Path to the entitlements.plist file.
diff --git a/tooling/cli/schema.json b/tooling/cli/schema.json
index ff007d53ea6d..7b8d59c533cb 100644
--- a/tooling/cli/schema.json
+++ b/tooling/cli/schema.json
@@ -104,6 +104,7 @@
 }
 },
 "files": {},
+ "hardenedRuntime": true,
 "minimumSystemVersion": "10.13"
 },
 "targets": "all",
@@ -1669,6 +1670,7 @@
 }
 },
 "files": {},
+ "hardenedRuntime": true,
 "minimumSystemVersion": "10.13"
 },
 "allOf": [
@@ -2605,12 +2607,10 @@
 "null"
 ]
 },
- "signingRuntimeFlag": {
- "description": "Flag passed for code signing.",
- "type": [
- "boolean",
- "null"
- ]
+ "hardenedRuntime": {
+ "description": "Whether the codesign should enable [hardened runtime] (for executables) or not.\n\n[hardened runtime]: ",
+ "default": true,
+ "type": "boolean"
 },
 "providerShortName": {
 "description": "Provider short name for notarization.",
diff --git a/tooling/cli/src/interface/rust.rs b/tooling/cli/src/interface/rust.rs
index 30398db400bf..33cf0653cef1 100644
--- a/tooling/cli/src/interface/rust.rs
+++ b/tooling/cli/src/interface/rust.rs
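Review bot: The added doc comment on `MacOsSettings::hardened_runtime` has a typo: `/// Settings this to \`false\` is useful ...` should read `/// Setting this to \`false\` is useful ...`. The preceding line ends in `see` with nothing after it as shown here, presumably a link lost in extraction — confirm the URL is present in the file, since the comment is otherwise a dangling reference. `MacOsSettings` is cut at both edges of this hunk.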
@@ -1387,7 +1387,7 @@ fn tauri_config_to_bundle_settings(
 minimum_system_version: config.macos.minimum_system_version,
 exception_domain: config.macos.exception_domain,
 signing_identity,
- signing_runtime_flag: config.macos.signing_runtime_flag,
+ hardened_runtime: config.macos.hardened_runtime,
 provider_short_name,
 entitlements: config.macos.entitlements,
 info_plist_path: {
From 49619830bb2c21f01a1f1a4c464171f29db953ea Mon Sep 17 00:00:00 2001
From: thewh1teagle <61390950+thewh1teagle@users.noreply.github.com>
Date: Wed, 5 Jun 2024 18:51:09 +0300
Subject: [PATCH 3/3] chore(cli): use default true in hardened runtime config

---
 core/tauri-utils/src/config.rs | 8 ++------
 1 file changed, 2 insertions(+), 6 deletions(-)

diff --git a/core/tauri-utils/src/config.rs b/core/tauri-utils/src/config.rs
index a13d0210ecd5..7b3b1d189644 100644
--- a/core/tauri-utils/src/config.rs
+++ b/core/tauri-utils/src/config.rs
@@ -568,7 +568,7 @@ pub struct MacConfig {
 /// Whether the codesign should enable [hardened runtime] (for executables) or not.
 ///
 /// [hardened runtime]:
- #[serde(alias = "hardened-runtime", default = "hardened_runtime")]
+ #[serde(alias = "hardened-runtime", default = "default_true")]
 pub hardened_runtime: bool,
 /// Provider short name for notarization.
 #[serde(alias = "provider-short-name")]
@@ -580,10 +580,6 @@ pub struct MacConfig {
 pub dmg: DmgConfig,
 }
 
-fn hardened_runtime() -> bool {
- true
-}
-
 impl Default for MacConfig {
 fn default() -> Self {
 Self {
@@ -592,7 +588,7 @@ impl Default for MacConfig {
 minimum_system_version: minimum_system_version(),
 exception_domain: None,
 signing_identity: None,
- hardened_runtime: hardened_runtime(),
+ hardened_runtime: true,
 provider_short_name: None,
 entitlements: None,
 dmg: Default::default(),
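Review bot: In patch 3's last config.rs hunk, `impl Default for MacConfig` now hardcodes `hardened_runtime: true` while the serde attribute in the first hunk routes the deserialization default through `default_true`, so the two defaults are defined in two places and can drift apart. Prefer `hardened_runtime: default_true(),` in the `Default` impl so one helper defines the value, matching how `minimum_system_version: minimum_system_version()` is written on the adjacent context line. `default_true` is not defined anywhere in this diff — presumably an existing helper elsewhere in config.rs — so confirm it is in scope for this struct. Both `MacConfig` and its `Default` impl begin and end outside these hunks.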