From f16421225db239243c35c5ab6bf094afca519049 Mon Sep 17 00:00:00 2001 From: Adam Ierymenko Date: Fri, 2 Oct 2020 18:36:24 -0400 Subject: [PATCH] Enable hardened executable mode on Mac, should be fine... --- macui/ZeroTier One.xcodeproj/project.pbxproj | 9 +++++++++ macui/ZeroTier One/ZeroTier One.entitlements | 5 +++++ make-mac.mk | 8 +++----- 3 files changed, 17 insertions(+), 5 deletions(-) create mode 100644 macui/ZeroTier One/ZeroTier One.entitlements diff --git a/macui/ZeroTier One.xcodeproj/project.pbxproj b/macui/ZeroTier One.xcodeproj/project.pbxproj index fc5cfc1fb..28d8c5d1e 100644 --- a/macui/ZeroTier One.xcodeproj/project.pbxproj +++ b/macui/ZeroTier One.xcodeproj/project.pbxproj @@ -65,6 +65,7 @@ 93DAFB261D3F0BEE004D5417 /* about.html */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.html; path = about.html; sourceTree = ""; }; 93DAFE4A1CFE53CA00547CC4 /* AuthtokenCopy.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = AuthtokenCopy.m; sourceTree = ""; }; 93DAFE4C1CFE53DA00547CC4 /* AuthtokenCopy.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = AuthtokenCopy.h; sourceTree = ""; }; + C13C72B12527E1B20094F8B4 /* ZeroTier One.entitlements */ = {isa = PBXFileReference; lastKnownFileType = text.plist.entitlements; path = "ZeroTier One.entitlements"; sourceTree = ""; }; /* End PBXFileReference section */ /* Begin PBXFrameworksBuildPhase section */ @@ -99,6 +100,7 @@ 93326BDA1CE7C816005CA2AC /* ZeroTier One */ = { isa = PBXGroup; children = ( + C13C72B12527E1B20094F8B4 /* ZeroTier One.entitlements */, 932D472E1D1CD499004BCFE2 /* ZeroTierIcon.icns */, 93326BDD1CE7C816005CA2AC /* Assets.xcassets */, 93326BDF1CE7C816005CA2AC /* MainMenu.xib */, @@ -175,6 +177,7 @@ developmentRegion = English; hasScannedForEncodings = 0; knownRegions = ( + English, en, Base, ); 
@@ -330,7 +333,10 @@ isa = XCBuildConfiguration; buildSettings = { CLANG_ENABLE_MODULES = YES; + CODE_SIGN_ENTITLEMENTS = "ZeroTier One/ZeroTier One.entitlements"; + CODE_SIGN_IDENTITY = "-"; COMBINE_HIDPI_IMAGES = YES; + ENABLE_HARDENED_RUNTIME = YES; INFOPLIST_FILE = "ZeroTier One/Info.plist"; LD_RUNPATH_SEARCH_PATHS = "$(inherited) @executable_path/../Frameworks"; MACOSX_DEPLOYMENT_TARGET = 10.10; @@ -345,7 +351,10 @@ isa = XCBuildConfiguration; buildSettings = { CLANG_ENABLE_MODULES = YES; + CODE_SIGN_ENTITLEMENTS = "ZeroTier One/ZeroTier One.entitlements"; + CODE_SIGN_IDENTITY = "-"; COMBINE_HIDPI_IMAGES = YES; + ENABLE_HARDENED_RUNTIME = YES; INFOPLIST_FILE = "ZeroTier One/Info.plist"; LD_RUNPATH_SEARCH_PATHS = "$(inherited) @executable_path/../Frameworks"; MACOSX_DEPLOYMENT_TARGET = 10.10; diff --git a/macui/ZeroTier One/ZeroTier One.entitlements b/macui/ZeroTier One/ZeroTier One.entitlements new file mode 100644 index 000000000..0c67376eb --- /dev/null +++ b/macui/ZeroTier One/ZeroTier One.entitlements @@ -0,0 +1,5 @@ + + + + + diff --git a/make-mac.mk b/make-mac.mk index e92604f6c..42deaed86 100644 --- a/make-mac.mk +++ b/make-mac.mk @@ -95,13 +95,12 @@ ext/x64-salsa2012-asm/salsa2012.o: mac-agent: FORCE $(CC) -Ofast -o MacEthernetTapAgent osdep/MacEthernetTapAgent.c - $(CODESIGN) -f -s $(CODESIGN_APP_CERT) MacEthernetTapAgent + $(CODESIGN) -f --options=runtime -s $(CODESIGN_APP_CERT) MacEthernetTapAgent osdep/MacDNSHelper.o: osdep/MacDNSHelper.mm $(CXX) $(CXXFLAGS) -c osdep/MacDNSHelper.mm -o osdep/MacDNSHelper.o one: $(CORE_OBJS) $(ONE_OBJS) one.o mac-agent - $(CXX) $(CXXFLAGS) -o zerotier-one $(CORE_OBJS) $(ONE_OBJS) one.o $(LIBS) # $(STRIP) zerotier-one ln -sf zerotier-one zerotier-idtool 
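Review bot: The new signing line for MacEthernetTapAgent in the `mac-agent` recipe enables the hardened runtime but does not request a secure timestamp, which Apple's notarization requirements list alongside it for custom signing workflows. Making it explicit avoids depending on codesign's default: `$(CODESIGN) -f --options=runtime --timestamp -s $(CODESIGN_APP_CERT) MacEthernetTapAgent`. The same applies to the app-bundle signing line in the `macui` hunk. The `one` recipe continues past the end of this hunk; if zerotier-one is signed further down, that line is untouched by this commit and would presumably need `--options=runtime` too, since notarization inspects every executable in the package.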
@@ -125,7 +124,7 @@ core: libzerotiercore.a macui: FORCE cd macui && xcodebuild -target "ZeroTier One" -configuration Release - $(CODESIGN) -f -s $(CODESIGN_APP_CERT) "macui/build/Release/ZeroTier One.app" + $(CODESIGN) -f --options=runtime -s $(CODESIGN_APP_CERT) "macui/build/Release/ZeroTier One.app" #cli: FORCE # $(CXX) $(CXXFLAGS) -o zerotier cli/zerotier.cpp osdep/OSUtils.cpp node/InetAddress.cpp node/Utils.cpp node/Salsa20.cpp node/Identity.cpp node/SHA512.cpp node/C25519.cpp -lcurl @@ -145,7 +144,7 @@ mac-dist-pkg: FORCE if [ -f "ZeroTier One Signed.pkg" ]; then mv -f "ZeroTier One Signed.pkg" "ZeroTier One.pkg"; fi rm -f zt1_update_$(ZT_BUILD_PLATFORM)_$(ZT_BUILD_ARCHITECTURE)_* cat ext/installfiles/mac-update/updater.tmpl.sh "ZeroTier One.pkg" >zt1_update_$(ZT_BUILD_PLATFORM)_$(ZT_BUILD_ARCHITECTURE)_$(ZT_VERSION_MAJOR).$(ZT_VERSION_MINOR).$(ZT_VERSION_REV)_$(ZT_VERSION_BUILD).exe - $(NOTARIZE) -t osx -f "ZeroTier One.pkg" --primary-bundle-id --output-format xml --notarize-app -u $(NOTARIZE_USER_ID) + $(NOTARIZE) -t osx -f "ZeroTier One.pkg" --primary-bundle-id com.zerotier.pkg.ZeroTierOne --output-format xml --notarize-app -u $(NOTARIZE_USER_ID) echo '*** When Apple notifies that the app is notarized, run: xcrun stapler staple "ZeroTier One.pkg"' # For ZeroTier, Inc. to build official signed packages @@ -157,7 +156,6 @@ official: FORCE central-controller-docker: FORCE docker build --no-cache -t registry.zerotier.com/zerotier-central/ztcentral-controller:${TIMESTAMP} -f ext/central-controller-docker/Dockerfile --build-arg git_branch=$(shell git name-rev --name-only HEAD) . - clean: rm -rf MacEthernetTapAgent *.dSYM build-* *.a *.pkg *.dmg *.o node/*.o controller/*.o service/*.o osdep/*.o ext/http-parser/*.o $(CORE_OBJS) $(ONE_OBJS) zerotier-one zerotier-idtool zerotier-selftest zerotier-cli zerotier doc/node_modules macui/build zt1_update_$(ZT_BUILD_PLATFORM)_$(ZT_BUILD_ARCHITECTURE)_*
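Review bot: Re-signing the bundle with `-f` in the `macui` recipe replaces the signature Xcode produced, and since no `--entitlements` is passed, the `CODE_SIGN_ENTITLEMENTS` file this commit wires into project.pbxproj is not carried into the final signature. That is harmless only while the entitlements file holds no keys (its content is not readable on this page); a hardened-runtime exception added there later would silently be missing from release builds. Consider `$(CODESIGN) -f --options=runtime --entitlements "macui/ZeroTier One/ZeroTier One.entitlements" -s $(CODESIGN_APP_CERT) "macui/build/Release/ZeroTier One.app"`. The project also sets `CODE_SIGN_IDENTITY = "-"`, so any nested code under the bundle's Frameworks directory may keep Xcode's ad-hoc signature unless re-signed separately; running `codesign --verify --deep --strict` on the built app would confirm this.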
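Review bot: In the `mac-dist-pkg` hunk the updater blob is assembled by the `cat ... "ZeroTier One.pkg" >zt1_update_...` line before the notarization upload, and stapling is left as a manual step printed by `echo`. The updater therefore embeds a package without a stapled ticket and, as far as this hunk shows, is produced before Apple has accepted the submission. Either build the updater only after `xcrun stapler staple` has succeeded, or document the ordering with a comment such as `# NOTE: updater embeds the un-stapled pkg; check the notarization result before publishing either artifact`. As a smaller style point, the now hard-coded `com.zerotier.pkg.ZeroTierOne` could live in a variable next to `NOTARIZE_USER_ID`. The recipe starts outside this hunk.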