summaryrefslogtreecommitdiffstats
path: root/tools/signing/macos
diff options
context:
space:
mode:
authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-19 01:14:29 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-19 01:14:29 +0000
commitfbaf0bb26397aa498eb9156f06d5a6fe34dd7dd8 (patch)
tree4c1ccaf5486d4f2009f9a338a98a83e886e29c97 /tools/signing/macos
parentReleasing progress-linux version 124.0.1-1~progress7.99u1. (diff)
downloadfirefox-fbaf0bb26397aa498eb9156f06d5a6fe34dd7dd8.tar.xz
firefox-fbaf0bb26397aa498eb9156f06d5a6fe34dd7dd8.zip
Merging upstream version 125.0.1.
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'tools/signing/macos')
-rw-r--r--tools/signing/macos/mach_commands.py675
1 files changed, 675 insertions, 0 deletions
diff --git a/tools/signing/macos/mach_commands.py b/tools/signing/macos/mach_commands.py
new file mode 100644
index 0000000000..543faca2ea
--- /dev/null
+++ b/tools/signing/macos/mach_commands.py
@@ -0,0 +1,675 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, # You can obtain one at http://mozilla.org/MPL/2.0/.
+
+import glob
+import logging
+import os
+import os.path
+import plistlib
+import subprocess
+import sys
+import tempfile
+
+import yaml
+from mach.decorators import (
+ Command,
+ CommandArgument,
+ CommandArgumentGroup,
+)
+from mozbuild.base import MachCommandConditions as conditions
+
+
+@Command(
+ "macos-sign",
+ category="misc",
+ description="Sign a built and packaged (./mach build package) Firefox "
+ "bundle on macOS. Limitations: 1) macos-sign doesn't support building "
+ "the .app built in the object dir in-place (for now) because it contains "
+ 'symlinks. First use "./mach build package" to build a .dmg containing a '
+ "bundled .app. Then extract the .app from the dmg to a readable/writable "
+ "directory. The bundled app can be signed with macos-sign (using the -a "
+ "argument). 2) The signing configuration (which maps files in the .app "
+ "to entitlement files in the tree to be used when signing) is loaded from "
+ "the build configuration in the local repo. For example, when signing a "
+ "Release 120 build using mach from a revision of mozilla-central, "
+ "macos-sign will use the bundle ID to determine the signing should use the "
+ "Release channel entitlements, but the configuration used will be the "
+ "Release configuration as defined in the repo working directory, not the "
+ "configuration from the revision of the earlier 120 build.",
+ conditions=[conditions.is_firefox],
+)
+@CommandArgument(
+ "-v",
+ "--verbose",
+ default=False,
+ action="store_true",
+ dest="verbose_arg",
+ help="Verbose output including the commands executed.",
+)
+# The app path could be a required positional argument, but let's reserve that
+# for the future where the default will be to sign the locally built .app
+# in-place in the object dir.
+@CommandArgument(
+ "-a",
+ "--app-path",
+ required=True,
+ type=str,
+ dest="app_arg",
+ help="Path to the .app bundle to sign. This can not be the .app built "
+ "in the object dir because it contains symlinks and is unbundled. Use "
+ "an app generated with ./mach build package.",
+)
+@CommandArgument(
+ "-s",
+ "--signing-identity",
+ metavar="SIGNING_IDENTITY",
+ default=None,
+ type=str,
+ dest="signing_identity_arg",
+ help="The codesigning identity to be used when signing with the macOS "
+ "native codesign tool. By default ad-hoc self-signing will be used. ",
+)
+@CommandArgument(
+ "-e",
+ "--entitlements",
+ default="developer",
+ choices=["developer", "production", "production-without-restricted"],
+ type=str,
+ dest="entitlements_arg",
+ help="Whether to sign the build for development or production use. "
+ "By default, a developer signing is performed. This does not require "
+ "a certificate to be configured. Developer entitlements are limited "
+ "to be compatible with self-signing and to allow debugging. Production "
+ "entitlements require a valid Apple Developer ID certificate issued from "
+ "the organization's Apple Developer account (without one, signing will "
+ "succeed, but the build will not be usable) and a provisioning profile to "
+ "be added to the bundle or installed in macOS System Preferences. The "
+ "certificate may be a 'development' certificate issued by the account. The "
+ "Apple Developer account must have the necessary restricted entitlements "
+ "granted in order for the signed build to work correctly. Use "
+ "production-without-restricted if you have a Developer ID certificate "
+ "not associated with an account approved for the restricted entitlements.",
+)
+@CommandArgument(
+ "-c",
+ "--channel",
+ default="auto",
+ choices=["auto", "nightly", "devedition", "beta", "release"],
+ dest="channel_arg",
+ type=str,
+ help="Which channel build is being signed.",
+)
+@CommandArgumentGroup("rcodesign")
+@CommandArgument(
+ "-r",
+ "--use_rcodesign",
+ group="rcodesign",
+ default=False,
+ dest="use_rcodesign_arg",
+ action="store_true",
+ help="Enables signing with rcodesign instead of codesign. With rcodesign, "
+ "only ad-hoc and pkcs12 signing is supported. To use a signing identity, "
+ "specify a pkcs12 file and password file. See rcodesign documentation for "
+ "more information.",
+)
+@CommandArgument(
+ "-f",
+ "--rcodesign-p12-file",
+ group="rcodesign",
+ metavar="RCODESIGN_P12_FILE_PATH",
+ default=None,
+ type=str,
+ dest="p12_file_arg",
+ help="The rcodesign pkcs12 file, passed to rcodesign without validation.",
+)
+@CommandArgument(
+ "-p",
+ "--rcodesign-p12-password-file",
+ group="rcodesign",
+ metavar="RCODESIGN_P12_PASSWORD_FILE_PATH",
+ default=None,
+ type=str,
+ dest="p12_password_file_arg",
+ help="The rcodesign pkcs12 password file, passed to rcodesign without "
+ "validation.",
+)
+def macos_sign(
+ command_context,
+ app_arg,
+ signing_identity_arg,
+ entitlements_arg,
+ channel_arg,
+ use_rcodesign_arg,
+ p12_file_arg,
+ p12_password_file_arg,
+ verbose_arg,
+):
+ """Signs a .app build with entitlements from the repo
+
+ Validates all the command line options, reads the signing config from
+ the repo to determine which entitlement files to use, signs the build
+ using either the native macOS codesign or rcodesign, and finally validates
+ the .app using codesign.
+ """
+ command_context._set_log_level(verbose_arg)
+
+ # Check appdir and remove trailing slasshes
+ if not os.path.isdir(app_arg):
+ command_context.log(
+ logging.ERROR,
+ "macos-sign",
+ {"app": app_arg},
+ "ERROR: {app} is not a directory",
+ )
+ sys.exit(1)
+ app = os.path.realpath(app_arg)
+
+ # With rcodesign, either both a p12 file and p12 password file should be
+ # provided or neither. If neither, the signing identity must be either '-'
+ # for ad-hoc or None.
+ rcodesign_p12_provided = False
+ if use_rcodesign_arg:
+ if p12_file_arg is None and p12_password_file_arg is not None:
+ command_context.log(
+ logging.ERROR,
+ "macos-sign",
+ {},
+ "ERROR: p12 password file with no p12 file, " "use both or neither",
+ )
+ sys.exit(1)
+ if p12_file_arg is not None and p12_password_file_arg is None:
+ command_context.log(
+ logging.ERROR,
+ "macos-sign",
+ {},
+ "ERROR: p12 file with no p12 password file, " "use both or neither",
+ )
+ sys.exit(1)
+ if p12_file_arg is not None and p12_password_file_arg is not None:
+ rcodesign_p12_provided = True
+
+ # Only rcodesign supports pkcs12 args
+ if not use_rcodesign_arg and (
+ p12_password_file_arg is not None or p12_file_arg is not None
+ ):
+ command_context.log(
+ logging.ERROR,
+ "macos-sign",
+ {},
+ "ERROR: pkcs12 signing not supported with "
+ "native codesign, only rcodesign",
+ )
+ sys.exit(1)
+
+ # Check the user didn't ask for a codesigning identity with rcodesign.
+ # Check the user didn't ask for ad-hoc signing AND rcodesign pkcs12 signing.
+ # Check the user didn't ask for ad-hoc signing with production entitlements.
+ # Self-signing and ad-hoc signing are both incompatible with production
+ # entitlements. (Library loading entitlements depend on the codesigning
+ # team ID which is not set on self-signed/ad-hoc signatures and requires an
+ # Apple-issued cert. Signing succeeds, but the bundle will not be
+ # launchable.)
+ if use_rcodesign_arg:
+ # With rcodesign, only accept "-s -" or no -s argument.
+ if not rcodesign_p12_provided:
+ if signing_identity_arg is not None and signing_identity_arg != "-s":
+ command_context.log(
+ logging.ERROR,
+ "macos-sign",
+ {},
+ "ERROR: rcodesign requires pkcs12 or " "ad-hoc signing",
+ )
+ sys.exit(1)
+
+ # Did the user request a signing identity string and pkcs12 signing?
+ if rcodesign_p12_provided and signing_identity_arg is not None:
+ command_context.log(
+ logging.ERROR,
+ "macos-sign",
+ {},
+ "ERROR: both ad-hoc and pkcs12 signing " "requested",
+ )
+ sys.exit(1)
+
+ # Is ad-hoc signing with production entitlements requested?
+ if (
+ (not rcodesign_p12_provided)
+ and (signing_identity_arg is None or signing_identity_arg == "-")
+ and (entitlements_arg != "developer")
+ ):
+ command_context.log(
+ logging.ERROR,
+ "macos-sign",
+ {},
+ "ERROR: " "Production entitlements and self-signing are " "not compatible",
+ )
+ sys.exit(1)
+
+ # By default, use ad-hoc
+ signing_identity = None
+ signing_identity_label = None
+ if use_rcodesign_arg and rcodesign_p12_provided:
+ # signing_identity will not be used
+ signing_identity_label = "pkcs12"
+ elif signing_identity_arg is None or signing_identity_arg == "-":
+ signing_identity = "-"
+ signing_identity_label = "ad-hoc"
+ else:
+ signing_identity = signing_identity_arg
+ signing_identity_label = signing_identity_arg
+
+ command_context.log(
+ logging.INFO,
+ "macos-sign",
+ {"id": signing_identity_label},
+ "Using {id} signing identity",
+ )
+
+ # Which channel are we signing? Set 'channel' based on 'channel_arg'.
+ channel = None
+ if channel_arg == "auto":
+ channel = auto_detect_channel(command_context, app)
+ else:
+ channel = channel_arg
+ command_context.log(
+ logging.INFO,
+ "macos-sign",
+ {"channel": channel},
+ "Using {channel} channel signing configuration",
+ )
+
+ # Do we want production or developer entitlements? Set 'entitlements_key'
+ # based on 'entitlements_arg'. In the buildconfig, developer entitlements
+ # are labeled as "default".
+ entitlements_key = None
+ if entitlements_arg == "production":
+ entitlements_key = "production"
+ elif entitlements_arg == "developer":
+ entitlements_key = "default"
+ elif entitlements_arg == "production-without-restricted":
+ # We'll strip out restricted entitlements below.
+ entitlements_key = "production"
+
+ command_context.log(
+ logging.INFO,
+ "macos-sign",
+ {"ent": entitlements_arg},
+ "Using {ent} entitlements",
+ )
+
+ # Get a path to the config file which maps files in the .app
+ # bundle to their entitlement files in the tree (if any) to use
+ # when signing. There is a set of mappings for each combination
+ # of ({developer, production}, {nightly, devedition, release}).
+ # i.e., depending on the entitlements argument (production or dev)
+ # and the channel argument (nightly, devedition, or release) we'll
+ # use different entitlements.
+ sourcedir = command_context.topsrcdir
+ buildconfigpath = sourcedir + "/taskcluster/ci/config.yml"
+
+ command_context.log(
+ logging.INFO,
+ "macos-sign",
+ {"yaml": buildconfigpath},
+ "Reading build config file {yaml}",
+ )
+
+ with open(buildconfigpath, "r") as buildconfigfile:
+ parsedconfig = yaml.safe_load(buildconfigfile)
+
+ # Store all the mappings
+ signing_groups = parsedconfig["mac-signing"]["hardened-sign-config"][
+ "by-hardened-signing-type"
+ ][entitlements_key]
+
+ command_context.log(
+ logging.INFO, "macos-sign", {}, "Stripping existing xattrs and signatures"
+ )
+
+ # Remove extended attributes. Per Apple "Technical Note TN2206",
+ # code signing uses extended attributes to store signatures for
+ # non-Mach-O executables such as script files. We want to avoid
+ # any complications that might be caused by existing extended
+ # attributes.
+ xattr_cmd = ["xattr", "-cr", app]
+ run(command_context, xattr_cmd, capture_output=not verbose_arg)
+
+ # Remove existing signatures. The codesign command only replaces
+ # signatures if the --force option used. Remove all signatures so
+ # subsequent signing commands with different options will result
+ # in re-signing without requiring --force.
+ cs_reset_cmd = ["find", app, "-exec", "codesign", "--remove-signature", "{}", ";"]
+ run(command_context, cs_reset_cmd, capture_output=not verbose_arg)
+
+ if use_rcodesign_arg is True:
+ sign_with_rcodesign(
+ command_context,
+ verbose_arg,
+ signing_groups,
+ entitlements_arg,
+ channel,
+ app,
+ p12_file_arg,
+ p12_password_file_arg,
+ )
+ else:
+ sign_with_codesign(
+ command_context,
+ verbose_arg,
+ signing_groups,
+ signing_identity,
+ entitlements_arg,
+ channel,
+ app,
+ )
+
+ verify_result(command_context, app, verbose_arg)
+
+
+def auto_detect_channel(ctx, app):
+ """Detects the channel of the provided app (nightly, release, etc.)
+
+ Reads the CFBundleIdentifier from the provided apps Info.plist and
+ returns the appropriate channel string. Release and Beta builds use
+ org.mozilla.firefox for the CFBundleIdentifier. Nightly channel builds use
+ org.mozilla.nightly.
+ """
+ # The bundle IDs for different channels. We use these strings to
+ # auto-detect the channel being signed. Different channels use
+ # different entitlement files.
+ NIGHTLY_BUNDLEID = "org.mozilla.nightly"
+ DEVEDITION_BUNDLEID = "org.mozilla.firefoxdeveloperedition"
+ # BETA uses the same bundle ID as Release
+ RELEASE_BUNDLEID = "org.mozilla.firefox"
+
+ info_plist = os.path.join(app, "Contents/Info.plist")
+
+ ctx.log(
+ logging.DEBUG, "macos-sign", {"plist": info_plist}, "Reading {plist} bundle ID"
+ )
+
+ process = subprocess.Popen(
+ ["defaults", "read", info_plist, "CFBundleIdentifier"],
+ stdout=subprocess.PIPE,
+ stderr=subprocess.PIPE,
+ )
+ out, err = process.communicate()
+ bundleid = out.decode("utf-8").strip()
+
+ ctx.log(
+ logging.DEBUG,
+ "macos-sign",
+ {"bundleid": bundleid},
+ "Found bundle ID {bundleid}",
+ )
+
+ if bundleid == NIGHTLY_BUNDLEID:
+ return "nightly"
+ elif bundleid == DEVEDITION_BUNDLEID:
+ return "devedition"
+ elif bundleid == RELEASE_BUNDLEID:
+ return "release"
+ else:
+ # Couldn't determine the channel from <info_plist>.
+ # Unrecognized bundle ID <bundleID>.
+ # Use the channel argument.
+ ctx.log(
+ logging.ERROR,
+ "macos-sign",
+ {"plist": info_plist},
+ "Couldn't read bundle ID from {plist}",
+ )
+ sys.exit(1)
+
+
+def sign_with_codesign(
+ ctx, verbose_arg, signing_groups, signing_identity, entitlements_arg, channel, app
+):
+ # Signing with codesign:
+ #
+ # For each signing_group in signing_groups, invoke codesign with the
+ # options and paths specified in the signging_group.
+ ctx.log(logging.INFO, "macos-sign", {}, "Signing with codesign")
+
+ for signing_group in signing_groups:
+ cs_cmd = ["codesign"]
+ cs_cmd.append("--sign")
+ cs_cmd.append(signing_identity)
+
+ if "deep" in signing_group and signing_group["deep"]:
+ cs_cmd.append("--deep")
+ if "force" in signing_group and signing_group["force"]:
+ cs_cmd.append("--force")
+ if "runtime" in signing_group and signing_group["runtime"]:
+ cs_cmd.append("--options")
+ cs_cmd.append("runtime")
+
+ entitlement_file = None
+ temp_files_to_cleanup = []
+
+ if "entitlements" in signing_group:
+ # This signing group has an entitlement file
+ cs_cmd.append("--entitlements")
+
+ # Given the type of build (dev, prod, or prod without restricted
+ # entitlements) and the channel we're going to sign, get the path
+ # to the entitlement file from the config.
+ if isinstance(signing_group["entitlements"], str):
+ # If the 'entitlements' key in the signing group maps to
+ # a string, it's a simple lookup.
+ entitlement_file = signing_group["entitlements"]
+ elif isinstance(signing_group["entitlements"], dict):
+ # If the 'entitlements' key in the signing group maps to
+ # a dict, the mapping from key to entitlement file is
+ # different for each channel:
+ if channel == "nightly":
+ entitlement_file = signing_group["entitlements"][
+ "by-build-platform"
+ ]["default"]["by-project"]["mozilla-central"]
+ elif channel == "devedition":
+ entitlement_file = signing_group["entitlements"][
+ "by-build-platform"
+ ][".*devedition.*"]
+ elif channel == "release" or channel == "beta":
+ entitlement_file = signing_group["entitlements"][
+ "by-build-platform"
+ ]["default"]["by-project"]["default"]
+ else:
+ raise ("Unexpected channel")
+
+ # We now have an entitlement file for this signing group.
+ # If we are signing using production-without-restricted, strip out
+ # restricted entitlements and save the result in a temporary file.
+ if entitlements_arg == "production-without-restricted":
+ temp_ent_file = strip_restricted_entitlements(entitlement_file)
+ temp_files_to_cleanup.append(temp_ent_file)
+ cs_cmd.append(temp_ent_file)
+ else:
+ cs_cmd.append(entitlement_file)
+
+ for pathglob in signing_group["globs"]:
+ binary_paths = glob.glob(
+ os.path.join(app, pathglob.strip("/")), recursive=True
+ )
+ for binary_path in binary_paths:
+ cs_cmd.append(binary_path)
+
+ run(ctx, cs_cmd, capture_output=not verbose_arg, check=True)
+
+ for temp_file in temp_files_to_cleanup:
+ os.remove(temp_file)
+
+
+def run(ctx, cmd, **kwargs):
+ cmd_as_str = " ".join(cmd)
+ ctx.log(logging.DEBUG, "macos-sign", {"cmd": cmd_as_str}, "[{cmd}]")
+ try:
+ subprocess.run(cmd, **kwargs)
+ except subprocess.CalledProcessError as e:
+ ctx.log(
+ logging.ERROR,
+ "macos-sign",
+ {"rc": e.returncode, "cmd": cmd_as_str, "prog": cmd[0]},
+ "{prog} subprocess failed with exit code {rc}. "
+ "See (-v) verbose output for command output. "
+ "Failing command: [{cmd}]",
+ )
+ sys.exit(e.returncode)
+
+
+def verify_result(ctx, app, verbose_arg):
+ # Verbosely verify validity of signed app
+ cs_verify_cmd = ["codesign", "-vv", app]
+ try:
+ run(ctx, cs_verify_cmd, capture_output=not verbose_arg, check=True)
+ ctx.log(
+ logging.INFO,
+ "macos-sign",
+ {"app": app},
+ "Verification of signed app {app} OK",
+ )
+ except subprocess.CalledProcessError as e:
+ ctx.log(
+ logging.ERROR,
+ "macos-sign",
+ {"rc": e.returncode, "app": app},
+ "Verification of {app} failed with exit code {rc}",
+ )
+ sys.exit(e.returncode)
+
+
+def sign_with_rcodesign(
+ ctx,
+ verbose_arg,
+ signing_groups,
+ entitlements_arg,
+ channel,
+ app,
+ p12_file_arg,
+ p12_password_file_arg,
+):
+ # Signing with rcodesign:
+ #
+ # The rcodesign sign is a single rcodesign invocation with all necessary
+ # arguments included. rcodesign accepts signing options to be applied to
+ # an input path (the .app in this case). For inner bundle resources that
+ # have different codesigning settings, signing options are passed as
+ # scoped arguments in the form --option <relative-path>:<value>. For
+ # example, a different entitlement file is specified for the nested
+ # plugin-container.app with the following:
+ #
+ # --entitlements-xml-path \
+ # Contents/MacOS/plugin-container.app:/path/to/plugin-container.xml
+ #
+ # We iterate through the signing group and generate scoped arguments
+ # for each path to be signed. If the path is '/', it is the main signing
+ # input path and its options are specified as standard arguments.
+ ctx.log(logging.INFO, "macos-sign", {}, "Signing with rcodesign")
+
+ cs_cmd = ["rcodesign", "sign"]
+ if p12_file_arg is not None:
+ cs_cmd.append("--p12-file")
+ cs_cmd.append(p12_file_arg)
+ if p12_password_file_arg is not None:
+ cs_cmd.append("--p12-password-file")
+ cs_cmd.append(p12_password_file_arg)
+
+ temp_files_to_cleanup = []
+
+ for signing_group in signing_groups:
+ # Ignore the 'deep' and 'force' setting for rcodesign
+ group_runtime = "runtime" in signing_group and signing_group["runtime"]
+
+ entitlement_file = None
+
+ if "entitlements" in signing_group:
+ # Given the type of build (dev, prod, or prod without restricted
+ # entitlements) and the channel we're going to sign, get the path
+ # to the entitlement file from the config.
+ if isinstance(signing_group["entitlements"], str):
+ # If the 'entitlements' key in the signing group maps to
+ # a string, it's a simple lookup.
+ entitlement_file = signing_group["entitlements"]
+ elif isinstance(signing_group["entitlements"], dict):
+ # If the 'entitlements' key in the signing group maps to
+ # a dict, the mapping from key to entitlement file is
+ # different for each channel:
+ if channel == "nightly":
+ entitlement_file = signing_group["entitlements"][
+ "by-build-platform"
+ ]["default"]["by-project"]["mozilla-central"]
+ elif channel == "devedition":
+ entitlement_file = signing_group["entitlements"][
+ "by-build-platform"
+ ][".*devedition.*"]
+ elif channel == "release" or channel == "beta":
+ entitlement_file = signing_group["entitlements"][
+ "by-build-platform"
+ ]["default"]["by-project"]["default"]
+ else:
+ raise ("Unexpected channel")
+
+ # We now have an entitlement file for this signing group.
+ # If we are signing using production-without-restricted, strip out
+ # restricted entitlements and save the result in a temporary file.
+ if entitlements_arg == "production-without-restricted":
+ entitlement_file = strip_restricted_entitlements(entitlement_file)
+ temp_files_to_cleanup.append(entitlement_file)
+
+ for pathglob in signing_group["globs"]:
+ binary_paths = glob.glob(
+ os.path.join(app, pathglob.strip("/")), recursive=True
+ )
+ for binary_path in binary_paths:
+ if pathglob == "/":
+ # This is the root of the app. Use these signing options
+ # without argument scoping.
+ if group_runtime:
+ cs_cmd.append("--code-signature-flags")
+ cs_cmd.append("runtime")
+ if entitlement_file is not None:
+ cs_cmd.append("--entitlements-xml-path")
+ cs_cmd.append(entitlement_file)
+ cs_cmd.append(binary_path)
+ continue
+
+ # This is not the root of the app. Paths are convered to
+ # relative paths and signing options are specified as scoped
+ # arguments.
+ binary_path_relative = os.path.relpath(binary_path, app)
+ if group_runtime:
+ cs_cmd.append("--code-signature-flags")
+ scoped_arg = binary_path_relative + ":runtime"
+ cs_cmd.append(scoped_arg)
+ if entitlement_file is not None:
+ cs_cmd.append("--entitlements-xml-path")
+ scoped_arg = binary_path_relative + ":" + entitlement_file
+ cs_cmd.append(scoped_arg)
+
+ run(ctx, cs_cmd, capture_output=not verbose_arg, check=True)
+
+ for temp_file in temp_files_to_cleanup:
+ os.remove(temp_file)
+
+
+def strip_restricted_entitlements(plist_file):
+ # Not a complete set. Update as needed. This is
+ # the set of restricted entitlements we use to date.
+ restricted_entitlements = [
+ "com.apple.developer.web-browser.public-key-credential",
+ "com.apple.application-identifier",
+ ]
+
+ plist_file_obj = open(plist_file, "rb")
+ plist_data = plistlib.load(plist_file_obj, fmt=plistlib.FMT_XML)
+ for entitlement in restricted_entitlements:
+ if entitlement in plist_data:
+ del plist_data[entitlement]
+
+ _, temp_file_path = tempfile.mkstemp(prefix="mach-macos-sign.")
+ with open(temp_file_path, "wb") as temp_file_obj:
+ plistlib.dump(plist_data, temp_file_obj)
+ temp_file_obj.close()
+
+ return temp_file_path