Update entitlements.mac.plist

Signed-off-by: Michael Telatynski <7t3chguy@gmail.com>

.github/workflows/build_and_test.yaml

@@ -43,6 +43,9 @@ jobs:
         needs: fetch
         name: macOS
         uses: ./.github/workflows/build_macos.yaml
+        secrets: inherit
+        with:
+            sign: true
 
     test:
         needs:

.github/workflows/build_macos.yaml

@@ -86,6 +86,8 @@ jobs:
                   APPLE_APP_SPECIFIC_PASSWORD: ${{ secrets.APPLE_ID_PASSWORD }}
                   CSC_KEY_PASSWORD: ${{ secrets.APPLE_CSC_KEY_PASSWORD }}
                   CSC_LINK: ${{ secrets.APPLE_CSC_LINK }}
+                  # TODO REMOVE
+                  CSC_FOR_PULL_REQUEST: true
 
             - name: Check app was signed & notarised successfully
               if: inputs.sign != ''

build/entitlements-sandbox.mac.plist

@@ -0,0 +1,33 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+    <!-- https://github.com/electron/electron-notarize#prerequisites -->
+    <key>com.apple.security.cs.allow-jit</key>
+    <true/>
+
+    <!-- https://github.com/electron-userland/electron-builder/issues/3940 -->
+    <key>com.apple.security.cs.disable-library-validation</key>
+    <true/>
+
+    <!-- Enable the app sandbox -->
+    <key>com.apple.security.app-sandbox</key>
+    <true/>
+    <key>com.apple.security.inherit</key>
+    <true/>
+
+    <!-- Allow opening outgoing network connections -->
+    <key>com.apple.security.network.client</key>
+    <true/>
+
+    <!-- Allow opening & saving files for upload & download -->
+    <key>com.apple.security.files.user-selected.read-write</key>
+    <true/>
+
+    <!-- Access to camera & microphone for calls -->
+    <key>com.apple.security.device.camera</key>
+    <true/>
+    <key>com.apple.security.device.audio-input</key>
+    <true/>
+</dict>
+</plist>

build/entitlements.mac.plist

@@ -2,14 +2,6 @@
 <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
 <plist version="1.0">
 <dict>
-    <!-- Entitlements from electron-builder's defaults
-         (https://github.com/electron-userland/electron-builder/blob/master/packages/app-builder-lib/templates/entitlements.mac.plist)
-         nb. This does *not* include the app sandbox: at the time of adding this file,
-         we were using electron-builder 21.2.0 which does not have the sandbox entitlement.
-         Latest electron-builder does, but it appears to be causing issues:
-         (https://github.com/electron-userland/electron-builder/issues/4390)
-    -->
-
     <!-- https://github.com/electron/electron-notarize#prerequisites -->
     <key>com.apple.security.cs.allow-jit</key>
     <true/>
@@ -18,8 +10,15 @@
     <key>com.apple.security.cs.disable-library-validation</key>
     <true/>
 
-    <!-- Our own additional entitlements (we need to access the camera and
-        mic for VoIP calls -->
+    <!-- Allow opening outgoing network connections -->
+    <key>com.apple.security.network.client</key>
+    <true/>
+
+    <!-- Allow opening & saving files for upload & download -->
+    <key>com.apple.security.files.user-selected.read-write</key>
+    <true/>
+
+    <!-- Access to camera & microphone for calls -->
     <key>com.apple.security.device.camera</key>
     <true/>
     <key>com.apple.security.device.audio-input</key>

electron-builder.ts

@@ -18,6 +18,9 @@ import { readFile, writeFile } from "node:fs/promises";
  *  Replaces spaces in the product name with dashes as spaces in paths can cause issues
  *  Removes libsqlcipher0 recommended dependency if env SQLCIPHER_BUNDLED is asserted.
  *  Passes $ED_DEBIAN_CHANGELOG to build.deb.fpm if specified
+ *
+ * On macOS:
+ *  Passes $APPLE_TEAM_ID to build.mac.extendInfo["ElectronTeamID"] if specified.
  */
 
 const NIGHTLY_APP_ID = "im.riot.nightly";
@@ -186,6 +189,18 @@ if (process.env.ED_SIGNTOOL_SUBJECT_NAME && process.env.ED_SIGNTOOL_THUMBPRINT)
     config.win.signtoolOptions!.certificateSha1 = process.env.ED_SIGNTOOL_THUMBPRINT;
 }
 
+/**
+ * Allow specifying ElectronTeamID via env vars
+ * @param {string} process.env.APPLE_TEAM_ID
+ * Workaround for https://github.com/electron-userland/electron-builder/issues/7995
+ */
+if (process.env.APPLE_TEAM_ID) {
+    config.mac.extendInfo = {
+        ElectronTeamID: process.env.APPLE_TEAM_ID,
+    };
+    config.mac.entitlements = "./build/entitlements-sandbox.mac.plist";
+}
+
 /**
  * Allow specifying nightly version via env var
  * @param {string} process.env.ED_NIGHTLY