fix(mac): remove unused codesign entitlements

This commit is contained in:
Vincent Koc
2026-05-26 12:19:36 +02:00
parent dcf0941cd6
commit e8cb2b5ab3
2 changed files with 16 additions and 36 deletions


@@ -135,9 +135,7 @@ fi
ENT_TMP_DIR=$(mktemp -d -t openclaw-entitlements.XXXXXX)
trap cleanup EXIT
ENT_TMP_BASE="$ENT_TMP_DIR/base.plist"
ENT_TMP_APP_BASE="$ENT_TMP_DIR/app-base.plist"
ENT_TMP_RUNTIME="$ENT_TMP_DIR/runtime.plist"
ENT_TMP_APP="$ENT_TMP_DIR/app.plist"
options_args=()
if [[ "$IDENTITY" != "-" ]]; then
@@ -145,22 +143,7 @@ if [[ "$IDENTITY" != "-" ]]; then
fi
timestamp_args=("$timestamp_arg")
cat > "$ENT_TMP_BASE" <<'PLIST'
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>com.apple.security.automation.apple-events</key>
<true/>
<key>com.apple.security.device.audio-input</key>
<true/>
<key>com.apple.security.device.camera</key>
<true/>
</dict>
</plist>
PLIST
cat > "$ENT_TMP_APP_BASE" <<'PLIST'
cat > "$ENT_TMP_APP" <<'PLIST'
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
@@ -177,26 +160,13 @@ cat > "$ENT_TMP_APP_BASE" <<'PLIST'
</plist>
PLIST
cat > "$ENT_TMP_RUNTIME" <<'PLIST'
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>com.apple.security.cs.allow-jit</key>
<true/>
<key>com.apple.security.cs.allow-unsigned-executable-memory</key>
<true/>
</dict>
</plist>
PLIST
if [[ "$DISABLE_LIBRARY_VALIDATION" == "1" ]]; then
/usr/libexec/PlistBuddy -c "Add :com.apple.security.cs.disable-library-validation bool true" "$ENT_TMP_APP_BASE" >/dev/null 2>&1 || \
/usr/libexec/PlistBuddy -c "Set :com.apple.security.cs.disable-library-validation true" "$ENT_TMP_APP_BASE"
/usr/libexec/PlistBuddy -c "Add :com.apple.security.cs.disable-library-validation bool true" "$ENT_TMP_APP" >/dev/null 2>&1 || \
/usr/libexec/PlistBuddy -c "Set :com.apple.security.cs.disable-library-validation true" "$ENT_TMP_APP"
echo "Note: disable-library-validation entitlement enabled (DISABLE_LIBRARY_VALIDATION=1)."
fi
APP_ENTITLEMENTS="$ENT_TMP_APP_BASE"
APP_ENTITLEMENTS="$ENT_TMP_APP"
# clear extended attributes to avoid stale signatures
xattr -cr "$APP_BUNDLE" 2>/dev/null || true
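Review bot: The new `disable-library-validation` lines writing to `$ENT_TMP_APP` keep the `Add … >/dev/null 2>&1 || Set …` fallback, so a failed Add is hidden and, if the Set also fails, the script still prints `Note: disable-library-validation entitlement enabled` and proceeds to sign with an app.plist that does not carry the entitlement. Whether `set -e` is in force is outside the hunk, but the echo claim is unconditional either way. Make the fallback fail loudly: `/usr/libexec/PlistBuddy -c "Set :com.apple.security.cs.disable-library-validation true" "$ENT_TMP_APP" || { echo "error: could not set disable-library-validation in $ENT_TMP_APP" >&2; exit 1; }`. Because this entitlement relaxes hardened-runtime library validation, the log line should state what was actually written rather than what was requested; the body of the `$ENT_TMP_APP` heredoc sits outside the hunk, so its remaining entitlements cannot be checked from here.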


@@ -1,5 +1,5 @@
import { spawnSync } from "node:child_process";
import { mkdirSync, mkdtempSync, readdirSync, rmSync } from "node:fs";
import { mkdirSync, mkdtempSync, readFileSync, readdirSync, rmSync } from "node:fs";
import { tmpdir } from "node:os";
import path from "node:path";
import { afterEach, describe, expect, it } from "vitest";
@@ -35,6 +35,16 @@ afterEach(() => {
});
describe("codesign-mac-app temp file hygiene", () => {
it("does not generate unused entitlement plist files", () => {
const script = readFileSync(scriptPath, "utf8");
expect(script).toContain('ENT_TMP_APP="$ENT_TMP_DIR/app.plist"');
expect(script).not.toContain("ENT_TMP_BASE");
expect(script).not.toContain("ENT_TMP_RUNTIME");
expect(script).not.toContain("base.plist");
expect(script).not.toContain("runtime.plist");
});
it("does not allocate entitlement temp files for help output", () => {
const tempRoot = makeTempDir("openclaw-codesign-help-");
const result = runCodesign(["--help"], tempRoot);