RepoMirrors
/
tdesktop
mirror of https://github.com/telegramdesktop/tdesktop
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Enable hardened runtime on macOS build.

This commit is contained in:
John Preston 2019-04-18 12:27:58 +04:00
parent edc8c23772
commit 72690ee106
4 changed files with 51 additions and 21 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

55
Telegram/Patches/gyp.diff
View File

@ -1,8 +1,8 @@
diff --git a/pylib/gyp/generator/cmake.py b/pylib/gyp/generator/cmake.py
index a2b9629..ac59461 100644
index 4a2041cf..e5333926 100644
--- a/pylib/gyp/generator/cmake.py
+++ b/pylib/gyp/generator/cmake.py
@@ -1070,6 +1070,23 @@ def WriteTarget(namer, qualified_target, target_dicts, build_dir, config_to_use,
@@ -1078,6 +1078,23 @@ def WriteTarget(namer, qualified_target, target_dicts, build_dir, config_to_use,
output.write(')\n')
@ -26,7 +26,7 @@ index a2b9629..ac59461 100644
UnsetVariable(output, 'TOOLSET')
UnsetVariable(output, 'TARGET')
@@ -1112,6 +1129,8 @@ def GenerateOutputForConfig(target_list, target_dicts, data,
@@ -1120,6 +1137,8 @@ def GenerateOutputForConfig(target_list, target_dicts, data,
SetVariable(output, 'configuration', config_to_use)
ar = None
@ -35,7 +35,7 @@ index a2b9629..ac59461 100644
cc = None
cxx = None
@@ -1121,17 +1140,27 @@ def GenerateOutputForConfig(target_list, target_dicts, data,
@@ -1129,17 +1148,27 @@ def GenerateOutputForConfig(target_list, target_dicts, data,
for key, value in make_global_settings:
if key == 'AR':
ar = os.path.join(build_to_top, value)
@ -64,48 +64,63 @@ index a2b9629..ac59461 100644
SetVariable(output, 'CMAKE_C_COMPILER', cc)
if cxx:
diff --git a/pylib/gyp/generator/xcode.py b/pylib/gyp/generator/xcode.py
index db99d6a..8d56baf 100644
index 8bc22bed..24bee427 100644
--- a/pylib/gyp/generator/xcode.py
+++ b/pylib/gyp/generator/xcode.py
@@ -72,6 +72,10 @@ generator_additional_non_configuration_keys = [
@@ -74,6 +74,12 @@ generator_additional_non_configuration_keys = [
'ios_app_extension',
'ios_watch_app',
'ios_watchkit_extension',
+
+ 'mac_sandbox', # sandbox support
+ 'mac_sandbox_development_team',
+
+ 'mac_hardened_runtime', # hardened runtime support
+
'mac_bundle',
'mac_bundle_resources',
'mac_framework_headers',
@@ -772,6 +776,26 @@ def GenerateOutput(target_list, target_dicts, data, params):
@@ -774,6 +780,39 @@ def GenerateOutput(target_list, target_dicts, data, params):
xcode_targets[qualified_target] = xct
xcode_target_to_target_dict[xct] = spec
+ # sandbox support
+ # sandbox and hardened runtime support
+ is_sandbox = int(spec.get('mac_sandbox', 0))
+ is_hardened_runtime = int(spec.get('mac_hardened_runtime', 0))
+ if is_sandbox or is_hardened_runtime:
+ try:
+ tmp = pbxp._properties['attributes']['TargetAttributes']
+ except KeyError:
+ pbxp._properties['attributes']['TargetAttributes'] = {}
+ try:
+ tmp = pbxp._properties['attributes']['TargetAttributes'][xct]
+ except KeyError:
+ pbxp._properties['attributes']['TargetAttributes'][xct] = {}
+ try:
+ tmp = pbxp._properties['attributes']['TargetAttributes'][xct]['SystemCapabilities']
+ except KeyError:
+ pbxp._properties['attributes']['TargetAttributes'][xct]['SystemCapabilities'] = {}
+
+ if is_sandbox:
+ dev_team = spec.get('mac_sandbox_development_team', '%%ERROR%%')
+ assert dev_team != '%%ERROR%%', (
+ 'mac_sandbox must be accompanied by mac_sandbox_development_team (target "%s")' %
+ target_name)
+ try:
+ tmp = pbxp._properties['attributes']['TargetAttributes']
+ except KeyError:
+ pbxp._properties['attributes']['TargetAttributes'] = {}
+ pbxp._properties['attributes']['TargetAttributes'][xct] = {
+ 'DevelopmentTeam': dev_team,
+ 'SystemCapabilities': {
+ 'com.apple.Sandbox': {
+ 'enabled': 1,
+ },
+ },
+ pbxp._properties['attributes']['TargetAttributes'][xct]['DevelopmentTeam'] = dev_team
+ pbxp._properties['attributes']['TargetAttributes'][xct]['SystemCapabilities']['com.apple.Sandbox'] = {
+ 'enabled': 1,
+ }
+
+ # hardened runtime support
+ if is_hardened_runtime:
+ pbxp._properties['attributes']['TargetAttributes'][xct]['SystemCapabilities']['com.apple.HardenedRuntime'] = {
+ 'enabled': 1,
+ }
+
spec_actions = spec.get('actions', [])
spec_rules = spec.get('rules', [])
@@ -1141,7 +1165,8 @@ exit 1
@@ -1132,7 +1171,8 @@ exit 1
groups = [x for x in groups if not x.endswith('_excluded')]
for group in groups:
for item in rule.get(group, []):

8
Telegram/Telegram/Telegram.entitlements Normal file
View File

@ -0,0 +1,8 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>com.apple.security.device.audio-input</key>
<true/>
</dict>
</plist>

2
Telegram/build/build.sh
View File

@ -291,7 +291,7 @@ if [ "$BuildTarget" == "mac" ] || [ "$BuildTarget" == "mac32" ] || [ "$BuildTarg
echo "Signing the application.."
if [ "$BuildTarget" == "mac" ] || [ "$BuildTarget" == "mac32" ]; then
codesign --force --deep --sign "Developer ID Application: John Preston" "$ReleasePath/$BinaryName.app"
codesign --force --deep --timestamp --options runtime --sign "Developer ID Application: John Preston" "$ReleasePath/$BinaryName.app" --entitlements "$HomePath/Telegram/Telegram.entitlements"
elif [ "$BuildTarget" == "macstore" ]; then
codesign --force --deep --sign "3rd Party Mac Developer Application: TELEGRAM MESSENGER LLP (6N38VWS5BX)" "$ReleasePath/$BinaryName.app" --entitlements "$HomePath/Telegram/Telegram Desktop.entitlements"
echo "Making an installer.."

7
Telegram/gyp/Telegram.gyp
View File

@ -134,11 +134,18 @@
'utils.gyp:Packer',
],
}], [ 'build_mac', {
'mac_hardened_runtime': 1,
'mac_bundle': '1',
'mac_bundle_resources': [
'<!@(python -c "for s in \'<@(langpacks)\'.split(\' \'): print(\'<(res_loc)/langs/\' + s + \'.lproj/Localizable.strings\')")',
'../Telegram/Images.xcassets',
],
'xcode_settings': {
'ENABLE_HARDENED_RUNTIME': 'YES',
},
'sources': [
'../Telegram/Telegram.entitlements',
],
}], [ 'build_macstore', {
'mac_sandbox': 1,
'mac_sandbox_development_team': '6N38VWS5BX',