feat: Apple codesign support for development builds

2025-10-28 13:12:28 +00:00
parent a140b3bcca
commit 0bf6e1e9f8
4 changed files with 54 additions and 0 deletions
--- a/REUSE.toml
+++ b/REUSE.toml
@ -26,6 +26,7 @@ path = [
 , "src/apps/deskflow-server/deskflow-server.exe.manifest"
 , "src/apps/res/manpage.txt"
 , "src/apps/res/deskflow.plist.in"
+ , "src/apps/res/entitlements-dev.plist"
 , "translations/*.ts"
 ]
 SPDX-FileCopyrightText = "Deskflow Developers"
--- a/doc/dev/build.md
+++ b/doc/dev/build.md
@ -31,6 +31,7 @@ CMake options:
 | SKIP_BUILD_TESTS         | Skip running of tests at build time     | OFF                | |
 | VCPKG_QT                 | Build Qt w/ vcpkg (windows only)        | OFF                | |
 | CLEAN_TRS                | Remove obsolete strings from tr files   | OFF                | |
+| APPLE_CODESIGN_DEV       | Apple codesign cert ID for development  | Not set            | | 

 Example cmake configuration.
 `cmake -S. -Bbuild -DCMAKE_INSTALL_PREFIX=<INSTALLPREFIX>`
@ -54,6 +55,24 @@ Example cmake configuration.
 2. Once the configuration starts, you should see a lot more packages vcpkg will build. Building Qt takes a long time (potentially hours), so go find something else to do for a while.
 3. If you want to use the system Qt again, you must delete the `vcpkg.json` generated in the project root and the `build` folder and reconfigure the project from scratch.

+
+### macOS codesign
+
+The code signing option `APPLE_CODESIGN_DEV` is only for local development and not intended for distributed bundles. 
+
+Signing for local development and signing for the distribution bundle must be different because of development entitlements which are unlikely to be safe for use in production. It is impractical (i.e. very slow and cumbersome) to use the distribution bundle for local development. When developing locally, the app bundle is partial and does not contain dependencies and uses external libs, e.g. installed with Homebrew; the entitlements allow those external libs to be loaded which is not allowed by default.
+
+For development codesign:
+
+1. Install Xcode
+2. Go to Settings -> Accounts
+3. Add your account (requires a free Apple Developer ID)
+4. Manage certificates -> Add -> Apple Development
+5. To get your ID, run: `security find-identity -v -p codesigning login.keychain-db`
+6. Pass the ID to CMake, e.g. `-DAPPLE_CODESIGN_DEV=Apple Development: bob@exmaple.com (KLGSJHLFXY)`
+7. Configure and build
+8. To verify, run: `codesign -d -r- build/bin/Deskflow.app`
+
 ## Build
 After configuring you should be able to run make to build all targets.

--- a/src/apps/deskflow-gui/CMakeLists.txt
+++ b/src/apps/deskflow-gui/CMakeLists.txt
@ -101,6 +101,33 @@ elseif(APPLE)
    MACOSX_BUNDLE_INFO_PLIST "${CMAKE_CURRENT_BINARY_DIR}/deskflow.plist"
  )
  install(TARGETS ${target} BUNDLE DESTINATION .)
+
+  # Warning: Do not use for CI/production, as the `entitlements-dev.plist` file adds special 
+  # entitlements that are only appropriate for local development.
+  #
+  # macOS made TCC stricter so that if you don't sign your local dev builds properly, macOS will
+  # nag you to remove and re-approve the app every time you make a change to the binary which is
+  # extremely annoying during development.
+  #
+  # If you were to use ad-hoc signing (i.e. not specify a certificate), TCC would still nag you
+  # because the binary identity is anchored not on the app ID, but on the CD hash (which changes
+  # based on the binary contents).
+  #
+  # To use, simply generate a personal certificate for free with Xcode and pass the ID to CMake.
+  # Full instructions are in the docs.
+  if (NOT "${APPLE_CODESIGN_DEV}" STREQUAL "")
+    message(STATUS "Apple codesign ID for development only: ${APPLE_CODESIGN_DEV}")
+    add_custom_command(
+      TARGET ${target} POST_BUILD
+      COMMAND /usr/bin/codesign
+              --force
+              --options runtime
+              --entitlements "$<SHELL_PATH:${CMAKE_SOURCE_DIR}/src/apps/res/entitlements-dev.plist>"
+              --sign "${APPLE_CODESIGN_DEV}"
+              "$<TARGET_BUNDLE_DIR:${target}>"
+      VERBATIM
+    )
+  endif()
 else()
  install(TARGETS ${target} DESTINATION bin)
  generate_app_man(${target} "${CMAKE_PROJECT_DESCRIPTION} \\(GUI\\)")
--- a/src/apps/res/entitlements-dev.plist
+++ b/src/apps/res/entitlements-dev.plist
@ -0,0 +1,7 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0"><dict>
+  <key>com.apple.security.cs.disable-library-validation</key><true/>
+  <key>com.apple.security.get-task-allow</key><true/>
+  <key>com.apple.security.cs.allow-jit</key><true/>
+</dict></plist>