From 0aa0378c8d632ce186ddd5df8b4bddd8853ceeaf Mon Sep 17 00:00:00 2001
From: Fabian-Lars
Date: Mon, 8 Jul 2024 14:51:20 +0200
Subject: [PATCH] feat(cli): add macos hardened runtime signing config option (#9318) (#10199)
* feat(cli): add macos signing config option * rename option to hardened_runtime * chore(cli): use default true in hardened runtime config -------- Co-authored-by: Lucas Nogueira
--- .changes/hardened-runtime-option.md | 8 ++++++++ core/tauri-config-schema/schema.json | 8 ++++++++ core/tauri-utils/src/config.rs | 6 ++++++ tooling/bundler/src/bundle/macos/sign.rs | 4 +++- tooling/bundler/src/bundle/settings.rs | 4 ++++ tooling/cli/schema.json | 8 ++++++++ tooling/cli/src/interface/rust.rs | 1 + 7 files changed, 38 insertions(+), 1 deletion(-) create mode 100644 .changes/hardened-runtime-option.md
diff --git a/.changes/hardened-runtime-option.md b/.changes/hardened-runtime-option.md
new file mode 100644
index 000000000000..fbae7bd2a09a
--- /dev/null
+++ b/.changes/hardened-runtime-option.md
@@ -0,0 +1,8 @@
+---
+"tauri-bundler": patch:feat
+"@tauri-apps/cli": patch:feat
+"tauri-cli": patch:feat
+"tauri-utils": patch:feat
+---
+
+Added a configuration option to disable hardened runtime on macOS codesign.
diff --git a/core/tauri-config-schema/schema.json b/core/tauri-config-schema/schema.json
index 2626e0432cbf..d607b032d816 100644
--- a/core/tauri-config-schema/schema.json
+++ b/core/tauri-config-schema/schema.json
@@ -156,6 +156,7 @@
 "icon": [],
 "identifier": "",
 "macOS": {
+ "hardenedRuntime": true,
 "minimumSystemVersion": "10.13"
 },
 "rpm": {
@@ -316,6 +317,7 @@
 "icon": [],
 "identifier": "",
 "macOS": {
+ "hardenedRuntime": true,
 "minimumSystemVersion": "10.13"
 },
 "rpm": {
@@ -1219,6 +1221,7 @@
 "macOS": {
 "description": "Configuration for the macOS bundles.",
 "default": {
+ "hardenedRuntime": true,
 "minimumSystemVersion": "10.13"
 },
 "allOf": [
@@ -1695,6 +1698,11 @@
 "null"
 ]
 },
+ "hardenedRuntime": {
+ "description": "Whether the codesign should enable [hardened runtime] (for executables) or not.\n\n[hardened runtime]: ",
+ "default": true,
+ "type": "boolean"
+ },
 "providerShortName": {
 "description": "Provider short name for notarization.",
 "type": [
diff --git a/core/tauri-utils/src/config.rs b/core/tauri-utils/src/config.rs
index dc3366d7ed17..586d55770ac7 100644
--- a/core/tauri-utils/src/config.rs
+++ b/core/tauri-utils/src/config.rs
@@ -467,6 +467,11 @@ pub struct MacConfig {
 /// Identity to use for code signing.
 #[serde(alias = "signing-identity")]
 pub signing_identity: Option,
+ /// Whether the codesign should enable [hardened runtime] (for executables) or not.
+ ///
+ /// [hardened runtime]:
+ #[serde(alias = "hardened-runtime", default = "default_true")]
+ pub hardened_runtime: bool,
 /// Provider short name for notarization.
 #[serde(alias = "provider-short-name")]
 pub provider_short_name: Option,
@@ -482,6 +487,7 @@ impl Default for MacConfig {
 exception_domain: None,
 license: None,
 signing_identity: None,
+ hardened_runtime: true,
 provider_short_name: None,
 entitlements: None,
 }
diff --git a/tooling/bundler/src/bundle/macos/sign.rs b/tooling/bundler/src/bundle/macos/sign.rs
index 48f7bfcddcbd..8892fcffc869 100644
--- a/tooling/bundler/src/bundle/macos/sign.rs
+++ b/tooling/bundler/src/bundle/macos/sign.rs
@@ -206,7 +206,9 @@ fn try_sign(
 args.push(entitlements_path);
 }
 
- if is_an_executable {
+ // add runtime flag by default
+
+ if is_an_executable && settings.macos().hardened_runtime {
 args.push("--options");
 args.push("runtime");
 }
diff --git a/tooling/bundler/src/bundle/settings.rs b/tooling/bundler/src/bundle/settings.rs
index 449f94c2313e..2b01b780c744 100644
--- a/tooling/bundler/src/bundle/settings.rs
+++ b/tooling/bundler/src/bundle/settings.rs
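Review bot: The doc comment on the new `hardened_runtime` field of MacConfig does not say what opting out costs, and the same gap is in the MacOsSettings doc in tooling/bundler/src/bundle/settings.rs. `--options runtime` is what turns on the hardened runtime (library validation, restricted dynamic-loader environment, no unsigned executable memory), and Apple's notarization service rejects executables signed without it, so a user who sets `hardenedRuntime: false` on a Developer ID build only discovers the problem when notarization fails. I would extend the doc with `/// Disabling this removes the hardened-runtime protections and makes the app ineligible for notarization; keep it enabled for Developer ID builds and only turn it off for ad-hoc/development signing.` The `[hardened runtime]:` link target reads empty here; if that is a rendering artifact it can be ignored, otherwise the rustdoc link is broken. The `default_true` helper named in the serde attribute is not visible in this hunk, so I assume it already exists in config.rs.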
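Review bot: The comment `// add runtime flag by default` in try_sign describes the old unconditional behaviour, and the blank line after it detaches it from the `if` it annotates. Now that the flag depends on config, the comment should say what is being skipped and why that matters, placed directly above the `if`: `// --options runtime enables the hardened runtime; notarization requires it, so it is only omitted when the user explicitly opted out (e.g. ad-hoc signing).` It would also be worth logging a warning when `settings.macos().hardened_runtime` is false and a real (non-ad-hoc) signing identity is in use, if the identity is reachable from here and the crate has a logging facade, so the problem surfaces at bundle time instead of at notarization. try_sign starts before this hunk.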
@@ -296,6 +296,10 @@ pub struct MacOsSettings {
 pub exception_domain: Option,
 /// Code signing identity.
 pub signing_identity: Option,
+ /// Preserve the hardened runtime version flag, see
+ ///
+ /// Settings this to `false` is useful when using an ad-hoc signature, making it less strict.
+ pub hardened_runtime: bool,
 /// Provider short name for notarization.
 pub provider_short_name: Option,
 /// Path to the entitlements.plist file.
diff --git a/tooling/cli/schema.json b/tooling/cli/schema.json
index 2626e0432cbf..d607b032d816 100644
--- a/tooling/cli/schema.json
+++ b/tooling/cli/schema.json
@@ -156,6 +156,7 @@
 "icon": [],
 "identifier": "",
 "macOS": {
+ "hardenedRuntime": true,
 "minimumSystemVersion": "10.13"
 },
 "rpm": {
@@ -316,6 +317,7 @@
 "icon": [],
 "identifier": "",
 "macOS": {
+ "hardenedRuntime": true,
 "minimumSystemVersion": "10.13"
 },
 "rpm": {
@@ -1219,6 +1221,7 @@
 "macOS": {
 "description": "Configuration for the macOS bundles.",
 "default": {
+ "hardenedRuntime": true,
 "minimumSystemVersion": "10.13"
 },
 "allOf": [
@@ -1695,6 +1698,11 @@
 "null"
 ]
 },
+ "hardenedRuntime": {
+ "description": "Whether the codesign should enable [hardened runtime] (for executables) or not.\n\n[hardened runtime]: ",
+ "default": true,
+ "type": "boolean"
+ },
 "providerShortName": {
 "description": "Provider short name for notarization.",
 "type": [
diff --git a/tooling/cli/src/interface/rust.rs b/tooling/cli/src/interface/rust.rs
index a1a50f52c52c..330d5ac9f53a 100644
--- a/tooling/cli/src/interface/rust.rs
+++ b/tooling/cli/src/interface/rust.rs
@@ -1210,6 +1210,7 @@ fn tauri_config_to_bundle_settings(
 license: config.macos.license,
 exception_domain: config.macos.exception_domain,
 signing_identity,
+ hardened_runtime: config.macos.hardened_runtime,
 provider_short_name,
 entitlements: config.macos.entitlements,
 info_plist_path: {
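Review bot: The new doc comment on `MacOsSettings::hardened_runtime` has a typo, "Settings this" for "Setting this", and its first line "Preserve the hardened runtime version flag, see" reads as unfinished (the link target after "see" is empty here; if the URL was lost in rendering, only the typo remains). I would replace the first line with `/// Whether to pass \`--options runtime\` to codesign, enabling the hardened runtime.` and the third with `/// Setting this to \`false\` is useful when using an ad-hoc signature, making it less strict.`, which also matches the wording of the same field in core/tauri-utils/src/config.rs. MacOsSettings continues beyond this hunk.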