
Add application group entitlement to the GUI client

Open erikjv opened this issue 2 years ago • 6 comments

The GUI client should have an app-group set as part of its entitlements. This is currently not the case. When this entitlement is set, macOS will take care of creating the shared folder for the app group, where both the UI (not sandboxed) and the extensions (which are sandboxed) can read/write files and sockets.

The file should look like this:

    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
    	<key>com.apple.security.application-groups</key>
    	<array>
    		<string>4AP2STM4H5.com.owncloud.desktopclient</string>
    	</array>
    </dict>
    </plist>

CMake should write this file, and use ${SOCKETAPI_TEAM_IDENTIFIER_PREF}.${APPLICATION_REV_DOMAIN} to create the string in the array.

Verification can be done like this:

    codesign -d --entitlements :- owncloud.app/Contents/MacOS/owncloud

That should show the plist from above (which is currently not the case).

When the entitlement is there, macOS will create the shared folder as ~/Library/Group Containers/4AP2STM4H5.com.owncloud.desktopclient when the app is first started.

erikjv avatar Nov 11 '21 14:11 erikjv
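The two steps the issue asks for, writing the entitlements file from the team prefix and reverse domain and then checking what a signed bundle actually carries, as one added shell example (not ownCloud project code). The variable names SOCKETAPI_TEAM_IDENTIFIER_PREF and APPLICATION_REV_DOMAIN are taken from the issue text; their default values here are constructed placeholders, and the bundle check simply wraps the codesign command quoted above, so it only does something useful on a macOS host with a signed app.

```shell
#!/bin/sh
# Added example, not ownCloud project code. Generates the entitlements plist the
# issue wants CMake to write and checks whether a signed bundle carries the group.
# Variable names come from the issue; the default values are constructed placeholders.
SOCKETAPI_TEAM_IDENTIFIER_PREF="${SOCKETAPI_TEAM_IDENTIFIER_PREF:-TEAMID0000}"
APPLICATION_REV_DOMAIN="${APPLICATION_REV_DOMAIN:-com.example.desktopclient}"

# App-group identifier exactly as the issue describes: <team prefix>.<reverse domain>
app_group_id() {
    printf '%s.%s\n' "$1" "$2"
}

# Write an entitlements plist declaring one application group to the given path.
write_entitlements() {
    group="$1"; out="$2"
    cat > "$out" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.security.application-groups</key>
    <array>
        <string>$group</string>
    </array>
</dict>
</plist>
EOF
}

# Print every <string> inside the application-groups array of a plist read from stdin.
# "codesign -d --entitlements :-" emits the embedded plist in this same shape, so one
# filter serves both the generated file and the signed binary.
extract_app_groups() {
    awk '
        /<key>com.apple.security.application-groups<\/key>/ { in_key = 1; next }
        in_key && /<array>/   { in_arr = 1; next }
        in_arr && /<\/array>/ { exit }
        in_arr && /<string>/  { sub(/^[ \t]*<string>/, ""); sub(/<\/string>.*$/, ""); print }
    '
}

# Exit 0 when the plist on stdin lists exactly the expected group (line-exact match,
# so a stray prefix or a different team id is reported as missing).
plist_has_group() {
    extract_app_groups | grep -qx "$1"
}

# Bundle check mirroring the codesign command from the issue. Exit 0 when the group
# is present, 1 when the signed binary lacks it, 2 when codesign is unavailable.
verify_signed_app() {
    app="$1"; expected="$2"
    if ! command -v codesign >/dev/null 2>&1; then
        echo "codesign not available on this host; skipping bundle check" >&2
        return 2
    fi
    if codesign -d --entitlements :- "$app" 2>/dev/null | plist_has_group "$expected"; then
        echo "OK: $app is signed with app group $expected"
    else
        echo "MISSING: $app does not carry app group $expected" >&2
        return 1
    fi
}

# Stand-alone run: generate the file and show what the filter recovers from it.
GROUP="$(app_group_id "$SOCKETAPI_TEAM_IDENTIFIER_PREF" "$APPLICATION_REV_DOMAIN")"
ENTITLEMENTS_FILE="$(mktemp)"
write_entitlements "$GROUP" "$ENTITLEMENTS_FILE"
echo "wrote $ENTITLEMENTS_FILE declaring: $(extract_app_groups < "$ENTITLEMENTS_FILE")"
```

On a build host, `verify_signed_app owncloud.app/Contents/MacOS/owncloud "$GROUP"` after signing is the check the issue describes: the filter reads the entitlements codesign prints back from the binary, not the file CMake wrote, so a plist that was generated but never passed to codesign shows up as MISSING.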

When developing the FinderSyncExt, Xcode does code-signing with these steps:

    builtin-productPackagingUtility -entitlements -format xml -o /Users/erik/Library/Developer/Xcode/DerivedData/OwnCloud-gwuerlmjmbkwpidpmgnlqbfefblf/Build/Intermediates.noindex/OwnCloudFinderSync.build/Debug/desktopclient.build/desktopclient.app.xcent
    export CODESIGN_ALLOCATE\=/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/codesign_allocate
    /usr/bin/codesign --force --sign - --entitlements /Users/erik/Library/Developer/Xcode/DerivedData/OwnCloud-gwuerlmjmbkwpidpmgnlqbfefblf/Build/Intermediates.noindex/OwnCloudFinderSync.build/Debug/desktopclient.build/desktopclient.app.xcent --timestamp\=none --generate-entitlement-der /Users/erik/Library/Developer/Xcode/DerivedData/OwnCloud-gwuerlmjmbkwpidpmgnlqbfefblf/Build/Products/Debug/desktopclient.app

One of the messages is:

    Signing Identity:     "-"

So the - after the --sign is probably the signing identity.

Also, there is a productbuild command-line utility (with manpage) that seems to do the same as the builtin-productPackagingUtility step.

And verification:

    cd /Users/erik/ownCloud/ownbuild/master/downloads/git/owncloud/owncloud-client/shell_integration/MacOSX/OwnCloudFinderSync
    builtin-validationUtility /Users/erik/Library/Developer/Xcode/DerivedData/OwnCloud-gwuerlmjmbkwpidpmgnlqbfefblf/Build/Products/Debug/desktopclient.app -no-validate-extension

Note: the application that is verified here is the dummy "wrapper" application for the FinderSyncExt.

erikjv avatar Nov 11 '21 14:11 erikjv

What is desktopclient.app.xcent?

dschmidt avatar Nov 11 '21 14:11 dschmidt

> What is desktopclient.app.xcent?

I added that step to my comment above.

erikjv avatar Nov 11 '21 14:11 erikjv

https://stackoverflow.com/questions/9280130/how-to-call-builtin-productpackagingutility-in-command-line

Might be possible to just point to the .entitlements file

dschmidt avatar Nov 11 '21 14:11 dschmidt

This issue was marked stale because it has been open for 30 days with no activity. Remove the stale label or comment or this will be closed in 7 days.

github-actions[bot] avatar Dec 12 '21 00:12 github-actions[bot]

We also have to add the app group to the bundle on Apple's side, so that the signing matches the entitlement.

erikjv avatar Oct 10 '23 14:10 erikjv