Reland "fix: use electron-osx-sign instead of manual code signing (microsoft#97582)" (microsoft#98145)

deepak1556 · web-flow · commit d5372eb15929 · 2020-05-20T10:06:15.000+02:00
This reverts commit f291767.
diff --git a/build/azure-pipelines/darwin/app-entitlements.plist b/build/azure-pipelines/darwin/app-entitlements.plist
@@ -6,8 +6,6 @@
     <true/>
     <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
     <true/>
-    <key>com.apple.security.cs.disable-library-validation</key>
-    <true/>
     <key>com.apple.security.cs.allow-dyld-environment-variables</key>
     <true/>
 </dict>
diff --git a/build/azure-pipelines/darwin/helper-entitlements.plist b/build/azure-pipelines/darwin/helper-entitlements.plist
diff --git a/build/azure-pipelines/darwin/helper-gpu-entitlements.plist b/build/azure-pipelines/darwin/helper-gpu-entitlements.plist
@@ -4,7 +4,5 @@
 <dict>
     <key>com.apple.security.cs.allow-jit</key>
     <true/>
-    <key>com.apple.security.cs.disable-library-validation</key>
-    <true/>
 </dict>
 </plist>
diff --git a/build/azure-pipelines/darwin/product-build-darwin.yml b/build/azure-pipelines/darwin/product-build-darwin.yml
@@ -162,21 +162,13 @@ steps:
 
 - script: |
     set -e
-    APP_ROOT=$(agent.builddirectory)/VSCode-darwin
-    APP_NAME="`ls $APP_ROOT | head -n 1`"
-    HELPER_APP_NAME="`echo $APP_NAME | sed -e 's/^Visual Studio //;s/\.app$//'`"
-    APP_FRAMEWORK_PATH="$APP_ROOT/$APP_NAME/Contents/Frameworks"
     security create-keychain -p pwd $(agent.tempdirectory)/buildagent.keychain
     security default-keychain -s $(agent.tempdirectory)/buildagent.keychain
     security unlock-keychain -p pwd $(agent.tempdirectory)/buildagent.keychain
     echo "$(macos-developer-certificate)" | base64 -D > $(agent.tempdirectory)/cert.p12
     security import $(agent.tempdirectory)/cert.p12 -k $(agent.tempdirectory)/buildagent.keychain -P "$(macos-developer-certificate-key)" -T /usr/bin/codesign
     security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k pwd $(agent.tempdirectory)/buildagent.keychain
-    codesign -s 99FM488X57 --deep --force --options runtime --entitlements build/azure-pipelines/darwin/entitlements.plist "$APP_ROOT"/*.app
-    codesign -s 99FM488X57 --force --options runtime --entitlements build/azure-pipelines/darwin/helper-entitlements.plist "$APP_FRAMEWORK_PATH/$HELPER_APP_NAME Helper.app"
-    codesign -s 99FM488X57 --force --options runtime --entitlements build/azure-pipelines/darwin/helper-gpu-entitlements.plist "$APP_FRAMEWORK_PATH/$HELPER_APP_NAME Helper (GPU).app"
-    codesign -s 99FM488X57 --force --options runtime --entitlements build/azure-pipelines/darwin/helper-plugin-entitlements.plist "$APP_FRAMEWORK_PATH/$HELPER_APP_NAME Helper (Plugin).app"
-    codesign -s 99FM488X57 --force --options runtime --entitlements build/azure-pipelines/darwin/helper-renderer-entitlements.plist "$APP_FRAMEWORK_PATH/$HELPER_APP_NAME Helper (Renderer).app"
+    DEBUG=electron-osx-sign* node build/darwin/sign.js
   displayName: Set Hardened Entitlements
 
 - script: |
diff --git a/build/darwin/sign.js b/build/darwin/sign.js
@@ -0,0 +1,61 @@
+/*---------------------------------------------------------------------------------------------
+ *  Copyright (c) Microsoft Corporation. All rights reserved.
+ *  Licensed under the MIT License. See License.txt in the project root for license information.
+ *--------------------------------------------------------------------------------------------*/
+'use strict';
+Object.defineProperty(exports, "__esModule", { value: true });
+const codesign = require("electron-osx-sign");
+const path = require("path");
+const util = require("../lib/util");
+const product = require("../../product.json");
+async function main() {
+    const buildDir = process.env['AGENT_BUILDDIRECTORY'];
+    const tempDir = process.env['AGENT_TEMPDIRECTORY'];
+    if (!buildDir) {
+        throw new Error('$AGENT_BUILDDIRECTORY not set');
+    }
+    if (!tempDir) {
+        throw new Error('$AGENT_TEMPDIRECTORY not set');
+    }
+    const baseDir = path.dirname(__dirname);
+    const appRoot = path.join(buildDir, 'VSCode-darwin');
+    const appName = product.nameLong + '.app';
+    const appFrameworkPath = path.join(appRoot, appName, 'Contents', 'Frameworks');
+    const helperAppBaseName = product.nameShort;
+    const gpuHelperAppName = helperAppBaseName + ' Helper (GPU).app';
+    const pluginHelperAppName = helperAppBaseName + ' Helper (Plugin).app';
+    const rendererHelperAppName = helperAppBaseName + ' Helper (Renderer).app';
+    const defaultOpts = {
+        app: path.join(appRoot, appName),
+        platform: 'darwin',
+        entitlements: path.join(baseDir, 'azure-pipelines', 'darwin', 'app-entitlements.plist'),
+        'entitlements-inherit': path.join(baseDir, 'azure-pipelines', 'darwin', 'app-entitlements.plist'),
+        hardenedRuntime: true,
+        'pre-auto-entitlements': false,
+        'pre-embed-provisioning-profile': false,
+        keychain: path.join(tempDir, 'buildagent.keychain'),
+        version: util.getElectronVersion(),
+        identity: '99FM488X57',
+        'gatekeeper-assess': false
+    };
+    const appOpts = Object.assign(Object.assign({}, defaultOpts), { 
+        // TODO(deepak1556): Incorrectly declared type in electron-osx-sign
+        ignore: (filePath) => {
+            return filePath.includes(gpuHelperAppName) ||
+                filePath.includes(pluginHelperAppName) ||
+                filePath.includes(rendererHelperAppName);
+        } });
+    const gpuHelperOpts = Object.assign(Object.assign({}, defaultOpts), { app: path.join(appFrameworkPath, gpuHelperAppName), entitlements: path.join(baseDir, 'azure-pipelines', 'darwin', 'helper-gpu-entitlements.plist'), 'entitlements-inherit': path.join(baseDir, 'azure-pipelines', 'darwin', 'helper-gpu-entitlements.plist') });
+    const pluginHelperOpts = Object.assign(Object.assign({}, defaultOpts), { app: path.join(appFrameworkPath, pluginHelperAppName), entitlements: path.join(baseDir, 'azure-pipelines', 'darwin', 'helper-plugin-entitlements.plist'), 'entitlements-inherit': path.join(baseDir, 'azure-pipelines', 'darwin', 'helper-plugin-entitlements.plist') });
+    const rendererHelperOpts = Object.assign(Object.assign({}, defaultOpts), { app: path.join(appFrameworkPath, rendererHelperAppName), entitlements: path.join(baseDir, 'azure-pipelines', 'darwin', 'helper-renderer-entitlements.plist'), 'entitlements-inherit': path.join(baseDir, 'azure-pipelines', 'darwin', 'helper-renderer-entitlements.plist') });
+    await codesign.signAsync(gpuHelperOpts);
+    await codesign.signAsync(pluginHelperOpts);
+    await codesign.signAsync(rendererHelperOpts);
+    await codesign.signAsync(appOpts);
+}
+if (require.main === module) {
+    main().catch(err => {
+        console.error(err);
+        process.exit(1);
+    });
+}
diff --git a/build/darwin/sign.ts b/build/darwin/sign.ts
@@ -0,0 +1,90 @@
+/*---------------------------------------------------------------------------------------------
+ *  Copyright (c) Microsoft Corporation. All rights reserved.
+ *  Licensed under the MIT License. See License.txt in the project root for license information.
+ *--------------------------------------------------------------------------------------------*/
+
+'use strict';
+
+import * as codesign from 'electron-osx-sign';
+import * as path from 'path';
+import * as util from '../lib/util';
+import * as product from '../../product.json';
+
+async function main(): Promise<void> {
+	const buildDir = process.env['AGENT_BUILDDIRECTORY'];
+	const tempDir = process.env['AGENT_TEMPDIRECTORY'];
+
+	if (!buildDir) {
+		throw new Error('$AGENT_BUILDDIRECTORY not set');
+	}
+
+	if (!tempDir) {
+		throw new Error('$AGENT_TEMPDIRECTORY not set');
+	}
+
+	const baseDir = path.dirname(__dirname);
+	const appRoot = path.join(buildDir, 'VSCode-darwin');
+	const appName = product.nameLong + '.app';
+	const appFrameworkPath = path.join(appRoot, appName, 'Contents', 'Frameworks');
+	const helperAppBaseName = product.nameShort;
+	const gpuHelperAppName = helperAppBaseName + ' Helper (GPU).app';
+	const pluginHelperAppName = helperAppBaseName + ' Helper (Plugin).app';
+	const rendererHelperAppName = helperAppBaseName + ' Helper (Renderer).app';
+
+	const defaultOpts: codesign.SignOptions = {
+		app: path.join(appRoot, appName),
+		platform: 'darwin',
+		entitlements: path.join(baseDir, 'azure-pipelines', 'darwin', 'app-entitlements.plist'),
+		'entitlements-inherit': path.join(baseDir, 'azure-pipelines', 'darwin', 'app-entitlements.plist'),
+		hardenedRuntime: true,
+		'pre-auto-entitlements': false,
+		'pre-embed-provisioning-profile': false,
+		keychain: path.join(tempDir, 'buildagent.keychain'),
+		version: util.getElectronVersion(),
+		identity: '99FM488X57',
+		'gatekeeper-assess': false
+	};
+
+	const appOpts = {
+		...defaultOpts,
+		// TODO(deepak1556): Incorrectly declared type in electron-osx-sign
+		ignore: (filePath: string) => {
+			return filePath.includes(gpuHelperAppName) ||
+				filePath.includes(pluginHelperAppName) ||
+				filePath.includes(rendererHelperAppName);
+		}
+	};
+
+	const gpuHelperOpts: codesign.SignOptions = {
+		...defaultOpts,
+		app: path.join(appFrameworkPath, gpuHelperAppName),
+		entitlements: path.join(baseDir, 'azure-pipelines', 'darwin', 'helper-gpu-entitlements.plist'),
+		'entitlements-inherit': path.join(baseDir, 'azure-pipelines', 'darwin', 'helper-gpu-entitlements.plist'),
+	};
+
+	const pluginHelperOpts: codesign.SignOptions = {
+		...defaultOpts,
+		app: path.join(appFrameworkPath, pluginHelperAppName),
+		entitlements: path.join(baseDir, 'azure-pipelines', 'darwin', 'helper-plugin-entitlements.plist'),
+		'entitlements-inherit': path.join(baseDir, 'azure-pipelines', 'darwin', 'helper-plugin-entitlements.plist'),
+	};
+
+	const rendererHelperOpts: codesign.SignOptions = {
+		...defaultOpts,
+		app: path.join(appFrameworkPath, rendererHelperAppName),
+		entitlements: path.join(baseDir, 'azure-pipelines', 'darwin', 'helper-renderer-entitlements.plist'),
+		'entitlements-inherit': path.join(baseDir, 'azure-pipelines', 'darwin', 'helper-renderer-entitlements.plist'),
+	};
+
+	await codesign.signAsync(gpuHelperOpts);
+	await codesign.signAsync(pluginHelperOpts);
+	await codesign.signAsync(rendererHelperOpts);
+	await codesign.signAsync(appOpts as any);
+}
+
+if (require.main === module) {
+	main().catch(err => {
+		console.error(err);
+		process.exit(1);
+	});
+}
diff --git a/build/gulpfile.hygiene.js b/build/gulpfile.hygiene.js
@@ -85,7 +85,7 @@ const indentationFilter = [
 	'!src/typings/**/*.d.ts',
 	'!extensions/**/*.d.ts',
 	'!**/*.{svg,exe,png,bmp,scpt,bat,cmd,cur,ttf,woff,eot,md,ps1,template,yaml,yml,d.ts.recipe,ico,icns,plist}',
-	'!build/{lib,download}/**/*.js',
+	'!build/{lib,download,darwin}/**/*.js',
 	'!build/**/*.sh',
 	'!build/azure-pipelines/**/*.js',
 	'!build/azure-pipelines/**/*.config',
diff --git a/build/lib/electron.js b/build/lib/electron.js
@@ -4,7 +4,7 @@
  *--------------------------------------------------------------------------------------------*/
 'use strict';
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.config = exports.getElectronVersion = void 0;
+exports.config = void 0;
 const fs = require("fs");
 const path = require("path");
 const vfs = require("vinyl-fs");
@@ -16,12 +16,6 @@ const electron = require('gulp-atom-electron');
 const root = path.dirname(path.dirname(__dirname));
 const product = JSON.parse(fs.readFileSync(path.join(root, 'product.json'), 'utf8'));
 const commit = util.getVersion(root);
-function getElectronVersion() {
-    const yarnrc = fs.readFileSync(path.join(root, '.yarnrc'), 'utf8');
-    const target = /^target "(.*)"$/m.exec(yarnrc)[1];
-    return target;
-}
-exports.getElectronVersion = getElectronVersion;
 const darwinCreditsTemplate = product.darwinCredits && _.template(fs.readFileSync(path.join(root, product.darwinCredits), 'utf8'));
 function darwinBundleDocumentType(extensions, icon) {
     return {
@@ -33,7 +27,7 @@ function darwinBundleDocumentType(extensions, icon) {
     };
 }
 exports.config = {
-    version: getElectronVersion(),
+    version: util.getElectronVersion(),
     productAppName: product.nameLong,
     companyName: 'Microsoft Corporation',
     copyright: 'Copyright (C) 2019 Microsoft. All rights reserved',
@@ -100,7 +94,7 @@ function getElectron(arch) {
     };
 }
 async function main(arch = process.arch) {
-    const version = getElectronVersion();
+    const version = util.getElectronVersion();
     const electronPath = path.join(root, '.build', 'electron');
     const versionFile = path.join(electronPath, 'version');
     const isUpToDate = fs.existsSync(versionFile) && fs.readFileSync(versionFile, 'utf8') === `${version}`;
diff --git a/build/lib/electron.ts b/build/lib/electron.ts
@@ -19,12 +19,6 @@ const root = path.dirname(path.dirname(__dirname));
 const product = JSON.parse(fs.readFileSync(path.join(root, 'product.json'), 'utf8'));
 const commit = util.getVersion(root);
 
-export function getElectronVersion(): string {
-	const yarnrc = fs.readFileSync(path.join(root, '.yarnrc'), 'utf8');
-	const target = /^target "(.*)"$/m.exec(yarnrc)![1];
-	return target;
-}
-
 const darwinCreditsTemplate = product.darwinCredits && _.template(fs.readFileSync(path.join(root, product.darwinCredits), 'utf8'));
 
 function darwinBundleDocumentType(extensions: string[], icon: string) {
@@ -38,7 +32,7 @@ function darwinBundleDocumentType(extensions: string[], icon: string) {
 }
 
 export const config = {
-	version: getElectronVersion(),
+	version: util.getElectronVersion(),
 	productAppName: product.nameLong,
 	companyName: 'Microsoft Corporation',
 	copyright: 'Copyright (C) 2019 Microsoft. All rights reserved',
@@ -108,7 +102,7 @@ function getElectron(arch: string): () => NodeJS.ReadWriteStream {
 }
 
 async function main(arch = process.arch): Promise<void> {
-	const version = getElectronVersion();
+	const version = util.getElectronVersion();
 	const electronPath = path.join(root, '.build', 'electron');
 	const versionFile = path.join(electronPath, 'version');
 	const isUpToDate = fs.existsSync(versionFile) && fs.readFileSync(versionFile, 'utf8') === `${version}`;
diff --git a/build/lib/util.js b/build/lib/util.js
@@ -4,7 +4,7 @@
  *--------------------------------------------------------------------------------------------*/
 'use strict';
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.streamToPromise = exports.versionStringToNumber = exports.filter = exports.rebase = exports.getVersion = exports.ensureDir = exports.rreddir = exports.rimraf = exports.stripSourceMappingURL = exports.loadSourcemaps = exports.cleanNodeModules = exports.skipDirectories = exports.toFileUri = exports.setExecutableBit = exports.fixWin32DirectoryPermissions = exports.incremental = void 0;
+exports.getElectronVersion = exports.streamToPromise = exports.versionStringToNumber = exports.filter = exports.rebase = exports.getVersion = exports.ensureDir = exports.rreddir = exports.rimraf = exports.stripSourceMappingURL = exports.loadSourcemaps = exports.cleanNodeModules = exports.skipDirectories = exports.toFileUri = exports.setExecutableBit = exports.fixWin32DirectoryPermissions = exports.incremental = void 0;
 const es = require("event-stream");
 const debounce = require("debounce");
 const _filter = require("gulp-filter");
@@ -14,6 +14,7 @@ const fs = require("fs");
 const _rimraf = require("rimraf");
 const git = require("./git");
 const VinylFile = require("vinyl");
+const root = path.dirname(path.dirname(__dirname));
 const NoCancellationToken = { isCancellationRequested: () => false };
 function incremental(streamProvider, initial, supportsCancellation) {
     const input = es.through();
@@ -255,3 +256,9 @@ function streamToPromise(stream) {
     });
 }
 exports.streamToPromise = streamToPromise;
+function getElectronVersion() {
+    const yarnrc = fs.readFileSync(path.join(root, '.yarnrc'), 'utf8');
+    const target = /^target "(.*)"$/m.exec(yarnrc)[1];
+    return target;
+}
+exports.getElectronVersion = getElectronVersion;
diff --git a/build/lib/util.ts b/build/lib/util.ts
@@ -18,6 +18,8 @@ import * as VinylFile from 'vinyl';
 import { ThroughStream } from 'through';
 import * as sm from 'source-map';
 
+const root = path.dirname(path.dirname(__dirname));
+
 export interface ICancellationToken {
 	isCancellationRequested(): boolean;
 }
@@ -318,3 +320,9 @@ export function streamToPromise(stream: NodeJS.ReadWriteStream): Promise<void> {
 		stream.on('end', () => c());
 	});
 }
+
+export function getElectronVersion(): string {
+	const yarnrc = fs.readFileSync(path.join(root, '.yarnrc'), 'utf8');
+	const target = /^target "(.*)"$/m.exec(yarnrc)![1];
+	return target;
+}
diff --git a/build/package.json b/build/package.json
@@ -33,6 +33,7 @@
     "@typescript-eslint/parser": "^2.12.0",
     "applicationinsights": "1.0.8",
     "azure-storage": "^2.1.0",
+    "electron-osx-sign": "^0.4.16",
     "github-releases": "^0.4.1",
     "gulp-bom": "^1.0.0",
     "gulp-sourcemaps": "^1.11.0",
diff --git a/build/yarn.lock b/build/yarn.lock
